# CMMC Level 2 and 3: Cryptography Controls Explained

**Source**: https://quantumsequrity.com/blog/cmmc-level-2-3-crypto
**Category**: Compliance & Regulation

---


The Cybersecurity Maturity Model Certification (CMMC) is the United States Department of Defense framework for assessing and certifying the cybersecurity posture of contractors handling federal contract information (FCI) and controlled unclassified information (CUI). The CMMC 2.0 final rule was published by the DoD in October 2024 (32 CFR Part 170) with phased implementation through 2028. CMMC 2.0 has three levels: Level 1 (basic, self assessed), Level 2 (advanced, third party assessed for prioritized contracts), and Level 3 (expert, government assessed).

This article walks through the cryptographic controls at Levels 2 and 3, maps them to the NIST SP 800-171 Revision 2 control catalog (the foundation of Level 2) and the NIST SP 800-172 control catalog (the foundation of Level 3), and explains the post quantum implications for defense industrial base (DIB) contractors.

## CMMC 2.0 Levels

Level 1 protects FCI. The seventeen Level 1 practices come from FAR 52.204-21 and include basic safeguards. Cryptography is touched only lightly at Level 1, with FAR 52.204-21(b)(1)(viii) requiring identification of users on each information system.

Level 2 protects CUI. The 110 Level 2 practices come from NIST SP 800-171 Revision 2. CMMC 2.0 Level 2 aligns one to one with NIST SP 800-171 R2 control objectives, and the assessment uses the NIST SP 800-171A assessment methodology.

Level 3 adds practices from NIST SP 800-172 on top of Level 2. SP 800-172 is the catalog of enhanced security requirements designed to protect against advanced persistent threats (APTs).

## Level 2 Cryptographic Controls

NIST SP 800-171 Revision 2 contains fourteen control families. Cryptographic requirements appear primarily in the Identification and Authentication (3.5), System and Communications Protection (3.13), and Media Protection (3.8) families, with supporting practices in Audit and Accountability (3.3) and Configuration Management (3.4).

Specific cryptographic controls at Level 2 include:

- 3.5.10: Store and transmit only cryptographically protected passwords
- 3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
- 3.13.10: Establish and manage cryptographic keys for cryptography employed in organizational systems
- 3.13.11: Employ FIPS validated cryptography when used to protect the confidentiality of CUI
- 3.13.16: Protect the confidentiality of CUI at rest
- 3.8.6: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards

Practice 3.13.11 is the FIPS pivot. CUI confidentiality protection requires FIPS validated cryptography, which means cryptographic modules listed on the NIST CMVP active list. We discuss CMVP and FIPS 140-3 in our [CMVP article](cmvp-fips-140-3.md).

## What FIPS Validated Means

FIPS validated cryptography refers to cryptographic modules that have been validated under the Cryptographic Module Validation Program (CMVP), jointly run by NIST and the Canadian Centre for Cyber Security (part of CSE, the Communications Security Establishment). The validation attests that the module implements the approved algorithms correctly and protects key material to a defined assurance level.

FIPS 140-3 (effective 2019) is superseding FIPS 140-2, with FIPS 140-2 validations being moved to the historical list through 2026. Modules currently validated under FIPS 140-2 retain their certificates until expiry, and new validations are issued under FIPS 140-3.

For a DIB contractor, FIPS validation evidence comes from product documentation and the module's CMVP certificate. Microsoft Windows BitLocker, OpenSSL FIPS modules, BoringCrypto, and many commercial cryptographic libraries provide FIPS validated configurations. The contractor's responsibility is to ensure FIPS mode is enabled in production and that the configuration is documented.

## Level 2 Assessment

Level 2 contracts are assessed by Certified Third Party Assessor Organizations (C3PAOs) under the CMMC 2.0 program. The assessor validates each of the 110 Level 2 practices against the NIST SP 800-171A assessment objectives.

For cryptographic controls, the assessor will:

- Request the System Security Plan (SSP) showing how cryptography is implemented
- Verify FIPS validated cryptographic modules are in use
- Test transmission encryption configurations
- Verify encryption at rest is enabled for CUI repositories
- Review key management procedures
- Check password storage mechanisms

Findings of "not met" on cryptographic practices are usually high impact because cryptography protects multiple control families simultaneously.

## Level 3 Cryptographic Controls

Level 3 adds practices from NIST SP 800-172, the enhanced security requirements catalog. SP 800-172 was developed for situations where adversaries are advanced persistent threats with significant resources and patience. Level 3 cryptographic enhancements include:

- 3.5.3e (Multifactor Authentication enhancement): Employ automated mechanisms to protect against the use of compromised authentication
- 3.13.4e: Employ physical isolation techniques or logical isolation techniques or both in organizational systems
- 3.14.2e: Apply distinct safeguards for high impact assets to defend against APTs

The exact Level 3 practice list is finalized in 32 CFR 170 Subpart B. Level 3 assessments are conducted by the Defense Counterintelligence and Security Agency (DCSA) rather than C3PAOs.

For cryptographic controls, Level 3 demands more rigorous practices including hardware backed key storage, formally verified algorithms where available, and tighter integrity controls for cryptographic operations. Level 3 also expects active threat hunting around cryptographic anomalies, such as unusual cipher suite negotiations or certificate replacements.

## Mapping to CNSA 2.0

CMMC and CNSA 2.0 are separate but interrelated frameworks. CMMC focuses on cybersecurity maturity for the defense supply chain. CNSA 2.0 focuses on cryptographic algorithm choices for National Security Systems. Most CMMC contractors do not handle NSS data and therefore do not need to follow CNSA 2.0 strictly. However, contractors that handle CUI under CMMC and also process NSS data must comply with both.

For contractors that touch both, the CNSA 2.0 algorithm catalog (ML-KEM-1024, ML-DSA-87, AES-256, SHA-384/512) takes precedence over generic FIPS validated cryptography for NSS workloads. The CMMC SSP needs to identify which workloads fall in which scope. We cover the CNSA 2.0 timeline in our [CNSA 2.0 article](cnsa-2-0-timeline-detailed.md).

## NIST SP 800-171 Revision 3

NIST published SP 800-171 Revision 3 in May 2024, replacing Revision 2. Revision 3 reorganized control families, added new requirements, and aligned more tightly with NIST SP 800-53 Revision 5. CMMC 2.0 currently uses SP 800-171 Revision 2 as its baseline; the DoD has indicated that future CMMC updates will incorporate Revision 3.

For cryptographic controls, Revision 3 strengthens requirements around:

- Cryptographic key management lifecycle (3.13.10 expanded)
- Authentication cryptography (added requirements for replay resistance)
- Cryptographic protection during processing in untrusted environments
- Mobile device cryptography

Contractors planning their CMMC posture should track Revision 3 adoption in CMMC and update their SSPs accordingly.

## Post Quantum Cryptography in CMMC Practice

Neither SP 800-171 Revision 2 nor Revision 3 yet specifically requires PQC. The cryptographic controls reference FIPS validation as the gate, and FIPS modules with PQC support are now appearing through the CMVP queue.

Defense Industrial Base contractors handling long lived CUI should consider PQC migration sooner rather than later. The reasons include:

- DoD is actively migrating its own infrastructure under CNSA 2.0
- Adversaries are presumed to be conducting harvest now decrypt later collection on DIB networks (we discuss this in our [harvest now decrypt later article](harvest-now-decrypt-later.md))
- DFARS clauses (such as 252.204-7012) are evolving and may add PQC expectations
- Prime contractors are starting to flow down PQC requirements to subcontractors

Forward looking DIB contractors are documenting PQC migration plans in their SSPs and Plans of Action and Milestones (POAMs).

## Key Management at CMMC Levels

Cryptographic key management gets attention at all CMMC levels but is most stringent at Level 3. The practices include:

- Key generation using approved random number generators
- Secure key distribution using authenticated channels
- Key storage with appropriate access controls (often hardware security modules)
- Key rotation according to documented cryptoperiods
- Key destruction when no longer needed
- Key escrow and recovery procedures where appropriate

Hardware security modules (HSMs) appear frequently in Level 3 environments because they provide hardware backed key protection. FIPS 140-3 Level 3 or Level 4 HSMs are increasingly the expectation for high value CUI environments.

## Transmission Cryptography

Practice 3.13.8 requires cryptographic protection of CUI in transmission. The implementation typically involves:

- TLS 1.2 or 1.3 for application traffic
- IPsec for network layer protection
- SSH for remote access management
- Secure email gateways with TLS or S/MIME

Level 2 contractors must use FIPS validated cryptographic modules for these protocols. The configuration must enforce TLS 1.2 or higher, strong cipher suites only, and certificate validation.

For Level 3, additional controls apply including stricter cipher suite restrictions, mandatory mutual TLS for certain flows, and cryptographic monitoring.
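The transmission baseline above (TLS 1.2 or higher, approved suites only, certificate validation, and mutual TLS where Level 3 calls for it) can be expressed as a policy check. The example below is added here and is not code from the original article; the cipher allowlist, the finding texts and the `role`/`mutual_tls` parameters are assumptions of this example.

```python
import ssl

# Constructed allowlist (an assumption of this example): TLS 1.2 suites with
# ECDHE key agreement, AES-GCM and SHA-2 only, the suites a FIPS 140-3 validated
# module can offer. CBC suites, RSA key transport and ChaCha20 are excluded.
APPROVED_TLS12_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
)
TLS12 = int(ssl.TLSVersion.TLSv1_2)
CERT_REQUIRED = int(ssl.CERT_REQUIRED)


def build_cui_client_context(cafile=None):
    """Client side of a CUI connection: TLS 1.2+, approved suites, and
    certificate plus hostname validation switched on (3.13.8)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(APPROVED_TLS12_CIPHERS))
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def snapshot_context(ctx):
    """Record the parameters an assessor checks; usable as SSP evidence."""
    return {"min_version": int(ctx.minimum_version),
            "verify_mode": int(ctx.verify_mode),
            "check_hostname": bool(ctx.check_hostname),
            "ciphers": [c["name"] for c in ctx.get_ciphers()]}


def _cipher_approved(name):
    # TLS 1.3 suites (TLS_*) are all ephemeral; TLS 1.2 suites need (EC)DHE + AES-GCM.
    if "CHACHA20" in name or "GCM" not in name or "AES" not in name:
        return False
    return name.startswith("TLS_") or name.startswith(("ECDHE-", "DHE-"))


def audit_tls_policy(snap, role="client", mutual_tls=False):
    """Findings against the Level 2 transmission baseline; an empty list passes.
    mutual_tls=True adds the Level 3 expectation that a server demands client certs."""
    findings = []
    if snap["min_version"] < TLS12:
        findings.append("minimum protocol version is below TLS 1.2")
    if role == "client" and not (snap["check_hostname"]
                                 and snap["verify_mode"] == CERT_REQUIRED):
        findings.append("client does not validate the server certificate and hostname")
    if role == "server" and mutual_tls and snap["verify_mode"] != CERT_REQUIRED:
        findings.append("server does not require a client certificate (mutual TLS)")
    for name in snap["ciphers"]:
        if not _cipher_approved(name):   # TLS 1.3 ChaCha20 cannot be removed via ssl;
            findings.append(f"non-approved cipher suite enabled: {name}")  # FIPS-mode OpenSSL drops it
    return findings
```

On a non-FIPS OpenSSL build the hardened context still reports TLS_CHACHA20_POLY1305_SHA256, which is exactly the kind of gap an assessor expects the FIPS-mode configuration to close.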

## Storage Cryptography

Practice 3.13.16 requires confidentiality protection of CUI at rest. Implementation patterns include:

- Full disk encryption on workstations and servers (BitLocker, FileVault, dm-crypt)
- Database transparent data encryption with FIPS validated modules
- Application level encryption for high value records
- Encrypted backup repositories

Cloud hosted CUI requires additional considerations. Under DFARS 252.204-7012, cloud services hosting CUI must meet FedRAMP Moderate or equivalent at minimum, with stronger requirements for high impact CUI. Cryptographic controls flow through the FedRAMP authorization. We cover [FedRAMP cryptographic requirements](fedramp-rev-5-cryptography.md) in a separate article.

## Plans of Action and Milestones

CMMC 2.0 allows POAMs for some practices that are not yet fully met, with limitations. Cryptographic practices typically must be fully implemented at the time of assessment, because the gap is direct CUI exposure. POAMs are most useful for documentation gaps, training catch up, or pending FIPS module updates.

For PQC migration, a POAM might document the contractor's migration plan with milestones for vendor selection, pilot deployment, and full rollout.

## What This Means for DIB Contractors

DIB contractors preparing for or maintaining CMMC compliance should:

1. Verify FIPS validated cryptography is in active use for all CUI at rest and in transit.
2. Document the cryptographic algorithm inventory and key management procedures in the SSP.
3. Track CMVP queue status for cryptographic modules used.
4. Plan PQC migration in the cybersecurity roadmap, with realistic milestones.
5. Prepare for flow down of PQC requirements from prime contractors.

## FAQ

**Q: Is CMMC mandatory?**
A: CMMC 2.0 is being phased into DoD contracts through 2028 per the 32 CFR Part 170 final rule and the DFARS 252.204-7021 contract clause. By the end of the phase-in, all DoD contracts handling FCI or CUI will require CMMC certification at the appropriate level.

**Q: Does Level 2 require PQC?**
A: Level 2 currently requires FIPS validated cryptography. PQC is not yet specifically mandated but is expected to enter the framework as NIST and DoD update their guidance.

**Q: What is the difference between FIPS 140-2 and FIPS 140-3?**
A: FIPS 140-3 (effective 2019) replaces FIPS 140-2. FIPS 140-3 aligns more closely with ISO/IEC 19790 and includes additional requirements around side channel resistance and physical security. New module validations are under FIPS 140-3; legacy FIPS 140-2 validations expire by 2026.

**Q: Can I use cloud services for CUI?**
A: Yes, with FedRAMP Moderate equivalent or higher cloud services and appropriate DFARS 252.204-7012 contract terms.

**Q: What happens at Level 3 assessment?**
A: Level 3 is assessed by the Defense Counterintelligence and Security Agency (DCSA), not by C3PAOs. The assessment is more rigorous and includes review of advanced security practices from NIST SP 800-172.

## Sources

1. DoD, 32 CFR Part 170, Cybersecurity Maturity Model Certification (CMMC) Program Final Rule (October 2024). https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
2. NIST SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
3. NIST SP 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. https://csrc.nist.gov/pubs/sp/800/171/r3/final
4. NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information. https://csrc.nist.gov/publications/detail/sp/800-172/final
5. NIST SP 800-171A Revision 3, Assessing Security Requirements for Controlled Unclassified Information. https://csrc.nist.gov/publications/detail/sp/800-171a/rev-3/final
6. DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting

## Related Articles

- [CMVP and FIPS 140-3](cmvp-fips-140-3.md)
- [CNSA 2.0 Detailed Timeline](cnsa-2-0-timeline-detailed.md)
- [FedRAMP Rev 5 Cryptography](fedramp-rev-5-cryptography.md)
- [PQC for Government and Defense](pqc-government-defense.md)
- [Harvest Now Decrypt Later](harvest-now-decrypt-later.md)

