S33D Technology

Want to hear about more about what it’s like working in GRC and are or will be in the Baltimore-DC area 5 September? Come on out. Let me know you’re coming and if you wanted to grab something afterwards, let’s chat.

Excited to be a part of this with Chris and the amazing crew he’s gathering.

Tech Woke Live: The Future of RMF & GRC · Luma Tech Woke Live Podcast: The Future of RMF & GRC 📍 Impact Hub Baltimore 🗓 September 5, 2025 🕕 6:00 PM – 9:00 PM Join us for a special live recording of the…

❓❓Ever wonder why you can still earn partial points on CMMC 3.13.11 – “Employ FIPS-validated cryptographic modules when used to protect CUI”? Spoiler: It’s Reality⁣
⁣
The answer is buried in the FIPS documentation — and it reveals a dose of real-world practicality from the DoD.⁣
⁣
The FIPS 140-3 Management Manual makes it clear:⁣
⁣
❌ Non-validated cryptographic modules do not meet the standard for protecting CUI, and data encrypted with them is essentially treated as plaintext.⁣
⁣
But we know the reality: it’s not plaintext. It’s still encrypted — just not validated.⁣
⁣
That’s why the DoD built in 𝘧𝘭𝘦𝘹𝘪𝘣𝘪𝘭𝘪𝘵𝘺. They recognized that not every implementation could maintain strict validation 100% of the time — so they allowed partial credit when you’re doing your best to secure CUI but aren’t fully FIPS-validated.⁣
⁣
✍🏾 It may also happen that 𝐲𝐨𝐮𝐫 𝐨𝐧𝐜𝐞 𝐯𝐚𝐥𝐢𝐝𝐚𝐭𝐞𝐝 𝐦𝐨𝐝𝐮𝐥𝐞 𝐛𝐞𝐜𝐨𝐦𝐞𝐬 𝐢𝐧𝐯𝐚𝐥𝐢𝐝𝐚𝐭𝐞𝐝 𝐝𝐮𝐞 𝐭𝐨 𝐩𝐚𝐭𝐜𝐡𝐢𝐧𝐠 𝐯𝐮𝐥𝐧𝐞𝐫𝐚𝐛𝐢𝐥𝐢𝐭𝐢𝐞𝐬. A 𝘴𝘦𝘤𝘶𝘳𝘪𝘵𝘺-𝘳𝘦𝘭𝘦𝘷𝘢𝘯𝘵 𝘊𝘝𝘌 patch may cause that module to be revoked due to it no longer meeting its functional security objectives and security requirements derived from those objectives.⁣
⁣
✅ Bottom line: The requirement is strict, but 𝐭𝐡𝐞 𝐬𝐜𝐨𝐫𝐢𝐧𝐠 𝐫𝐞𝐟𝐥𝐞𝐜𝐭𝐬 𝐫𝐞𝐚𝐥𝐢𝐭𝐲. If you’re encrypting with strong algorithms but not yet validated, you’re not fully compliant — but you’re not starting from zero either. Also, this lends a reminder that you must 𝐩𝐞𝐫𝐢𝐨𝐝𝐢𝐜𝐚𝐥𝐥𝐲 𝐜𝐡𝐞𝐜𝐤 that the modules you’re using, and the validated module you’ve recorded are accurate.

S33D Technology is prepared to support you in navigating this and other topics.