What is Cybersecurity Maturity Model Certification (CMMC) 2.0?

FIPS 140 Validated Cryptography for CMMC 2.0 Compliance

What is Cybersecurity Maturity Model Certification (CMMC) 2.0?

  • The Cybersecurity Maturity Model Certification (CMMC) is a significant initiative by the Department of Defense (DoD) aimed at fortifying the defense industrial base (DIB) against sophisticated and frequent cyber threats

  • Its central focus is on enhancing the security of controlled unclassified information (CUI) and federal contract information (FCI) shared within the DIB network

  • The Department of Defense (DoD) has recently introduced an updated version of the Cybersecurity Maturity Model Certification, known as CMMC 2.0

  • CMMC 2.0 brings a consolidation of levels - it will now consist of just three levels instead of the previous five. This change is aimed to simplify the process and reduce the burden on small and medium-sized businesses that may have struggled to meet the requirements of the higher levels in the previous model

cmm model structure


Who is Subject to CMMC 2.0?

US defense industrial base


  • All prime- and sub-contractors of the DoD intending to bid on future contracts containing the CMMC DFARS clause will need to secure a CMMC certification from a certified third-party assessment organization (C3PAO) before the contract is awarded

  • Prime- and sub-contractors who access, process, or store Federal Contract Information (FCI) will at least require a Level 1 CMMC 2.0 certification

  • Those that access, process, or store Controlled Unclassified Information (CUI) will be required to undergo a third-party assessment to obtain a Level 2 or Level 3 CMMC 2.0 certification

What is the Relationship Between CMMC 2.0 and FIPS 140?

  • The Cybersecurity Maturity Model Certification (CMMC) and the Federal Information Processing Standards (FIPS) 140 have a distinct but interconnected relationship in strengthening cybersecurity infrastructure, particularly in organizations dealing with sensitive government information

  • FIPS 140, developed by the National Institute of Standards and Technology (NIST), sets the benchmark for cryptographic modules intending to protect sensitive information. It is integral to the realization of CMMC goals.  It requires that cryptography modules be tested by third party laboratories and certified by NIST as meeting government standfards for encryption

  • CMMC incorporates NIST 800-171 security requirements, which in turn reference FIPS 140 for encryption standards. Essentially, to fulfill CMMC Level 2 or Level 3 requirements, organizations must use encryption methods that are FIPS 140 validated. This ensures that information, particularly Controlled Unclassified Information (CUI), is protected by strong, vetted cryptographic modules whenever it is transmitted or stored

CMMC Whitepaper


Learn More About NIST 880-171 Requirements for FIPS 140 Validated Cryptography

How Are Companies Seeking CMMC Certification Getting Tripped Up by FIPS 140 Validation?

DoD CMMC Website-1


  • In the past, FIPS 140 validation was only required for technology companies that sold their software and hardware to the federal government

  • With CMMC, the requirement for FIPS 140 validation now applies to every member of the DIB (an estimated 250,000 companies) that handle CUI.  Every system these companies use that performs encryption and touches CUI must use FIPS validated cryptography

  • Traditional FIPS 140 validations, achieved by working with a consultant, a certification lab and NIST, require significant technical resources, can take as long as two years, and require constant vigilance and effort as changes in requirements or newly discovered security vulnerabilities can cause NIST to de-certify an active FIPS certificate

How Does SafeLogic Overcome the FIPS 140 Problem for the CMMC Ecosystem?

  • Through its breakthrough FIPS 140 Validation-as-a-Service offering, SafeLogic can get your company a FIPS 140 certificate in your own names in just two months, not the 2+ years as is required for traditional FIPS 140 validations

  • SafeLogic also ensures your FIPS 140 certificate remains ‘active’ despite changing requirements or the discovery of security vulnerabilities, so you can continue using it to support procurements

  • Once a technology vendor obtains FIPS 140 validation for their product, they can now sell that product to not only federal agencies, but also all companies in the Defense Industrial Base that are pursuing CMMC contracts

Safe Logic FIPS 140 simplified logo


Speak with a SafeLogic Cryptography Expert

Four Ways Companies Pursuing CMMC 2.0 Certification Benefit from Working with SafeLogic

1.  SafeLogic provides you one-stop shopping. As opposed to working with a FIPS 140 consultant AND a FIPS certification lab AND NIST AND possibly open source, operating system or cloud vendors, companies only need to work with SafeLogic. Our FIPS 140 experts handle any necessary interaction with any third party. Your resources can then focus on other aspects of your CMMC initiative.

2.  SafeLogic helps you continue meeting your CMMC cryptography requirements as your FIPS 140 requirements change and their needs change. For instance, SafeLogic experts can test new algorithms, test new OEs, etc.


3.  Should you need one, RapidCert can get you a FIPS 140 certificate in your own name in two months. In the FIPS 140 world, vendors with their own CMVP certificates can have a distinct competitive advantage over those relying on an open source or operating system CMVP cert from another vendor.

4.  MaintainCert makes sure your underlying FIPS Validated module remains ‘Active’ using a white glove service model for a fixed cost. If a company relies on an open-source module or something that comes with the OS, and that module goes historical, that will put its CMMC status at risk.

Want to know more about how SafeLogic can help with your CMMC strategy? Speak with one of our FIPS 140 experts!