PreVeil has achieved FIPS 140-3 validation, the latest cryptographic standard issued by the National Institute of Standards and Technology (NIST CMVP Certificate #5145). This milestone replaces our prior FIPS 140-2 validation and reflects a deliberate, ongoing commitment to staying ahead of evolving security and compliance requirements—so our customers don’t have to track, interpret, or react to them.

As a result, PreVeil’s FedRAMP posture represents a gold standard for cloud services supporting CMMC and DFARS compliance, purpose-built to protect CUI without gaps, exceptions, or deferred controls.

Proven in Real CMMC Assessments

Compliance only matters if it stands up to independent scrutiny.

More than 60 PreVeil customers have achieved perfect 110/110 scores in CMMC assessments conducted by accredited C3PAOs. These outcomes reflect not only technical alignment, but also the quality of evidence, documentation, and assessor-ready controls required for successful certification.

This track record demonstrates that PreVeil does more than meet written requirements—we help customers operationalize compliance in a way that holds up under real-world assessments.

Compliance Without Guesswork

Defense contractors ultimately remain responsible for protecting CUI and meeting the requirements of FIPS, NIST SP 800-171, DFARS 252.204-7012, and CMMC. PreVeil’s role is to remove uncertainty by consistently exceeding—not merely meeting—those standards.

PreVeil delivers:

  • FIPS 140-3 validated cryptography
  • FedRAMP Moderate Equivalency with zero POA&Ms
  • Proven acceptance by DIBCAC and C3PAOs
  • A documented track record of perfect CMMC assessment outcomes

That’s compliance designed to stand up to scrutiny—without slowing your business down.

Frequently Asked Questions

What is FIPS 140-3 and how does it differ from FIPS 140-2?

FIPS 140-3 (Federal Information Processing Standards Publication 140-3) is the current gold standard for cryptographic module security, succeeding FIPS 140-2. Published in March 2019 and effective as of September 2024, FIPS 140-3 introduces several critical improvements:

  • Modernized cryptographic algorithms that address current threat landscapes
  • Enhanced physical security requirements for hardware implementations
  • More rigorous testing and validation processes through NIST’s Cryptographic Module Validation Program (CMVP)
  • Better alignment with international standards (ISO/IEC 19790)

FIPS stands for Federal Information Processing Standards. NIST requires implementation of FIPS standards to ensure cybersecurity levels remain consistent across federal agencies and the defense contractors who work with them.

Both FIPS 140-2 and 140-3 specify security requirements that must be met when encryption is used to protect sensitive government data, including Controlled Unclassified Information (CUI). FIPS 140-3 represents the evolution of these requirements to address modern security challenges.

Why is FIPS validation required for CMMC Level 2?

If your organization handles CUI or has a DFARS 252.204-7012 clause in your contract, you must meet NIST 800-171 requirements, which mandate FIPS-validated cryptography for CUI protection.

NIST 800-171’s control 3.13.11 explicitly requires contractors to:

“[E]mploy FIPS-validated cryptography when [cryptography is] used to protect the confidentiality of CUI.”

Several other NIST 800-171 controls point toward the use of cryptography, which means control 3.13.11 becomes applicable. For example:

  • Control 3.13.8 calls for cryptographic mechanisms to protect CUI during transmission
  • Control 3.1.13 calls for cryptographic mechanisms to protect the confidentiality of remote access sessions

This requirement applies regardless of device type—desktop, mobile, endpoint, or peripheral. It doesn’t matter if the CUI exists as files, documents, images, or text. If encryption is used, FIPS validation is mandatory.

CMMC Level 2, which the vast majority of defense contractors must achieve, aligns completely with NIST 800-171’s 110 security controls. With recent CMMC program updates, FedRAMP Moderate equivalency is now explicitly required for cloud service providers.

Contractors fail NIST 800-171 control 3.13.11 (FIPS-validated cryptography) because they don’t properly verify their encryption modules are validated, they only check algorithms (not the complete module), or they acquire FIPS-capable technology but don’t configure it to run in FIPS mode.

PreVeil eliminates this compliance gap entirely. Our customers automatically inherit FIPS 140-3 compliance with zero additional configuration or validation required.

How do I verify a vendor has real FIPS 140-3 certification?

The easiest way to determine if your Cloud Service Provider has legitimate FIPS 140-3 certification is to check the NIST Cryptographic Module Validation Program (CMVP) website. Search for the company’s name in NIST’s Validated Modules database. If a vendor is listed there, they’ve been tested and validated by the NIST CMVP program—and you can implement their encryption technology with confidence.

Achieving NIST CMVP certification is no easy feat. The process typically takes 12-18 months and requires vendors to complete three rigorous steps in order:

  1. Document all cryptographic methods and algorithms against FIPS standards. Any gaps in the vendor’s implementation must be closed either by creating necessary code or documentation.
  2. Participate in the NIST Cryptographic Algorithm Validation Program (CAVP), where an independent NIST-approved lab tests and evaluates the algorithms implemented in the vendor’s code. Each algorithm that passes receives a CAVP certificate from NIST.
  3. Submit for end-to-end NIST testing and evaluation of the cryptographic module, including the documentation and the CAVP-certified algorithms used in the module itself. When the testing is complete and approved, only then will NIST issue a CMVP certificate for the validated cryptographic module.

Only after this third step and being listed in the NIST Validated Modules database can a vendor truthfully claim they are using FIPS 140-3 validated cryptographic modules.

PreVeil’s CMVP certificate #5145 is publicly available. Any trustworthy vendor should be willing to show you theirs.

What is “FIPS Inside” and should I avoid vendors who claim it?

Some vendors claim FIPS compliance without undergoing NIST CMVP certification. They reference “FIPS Inside”—meaning they use FIPS-approved algorithms or crypto libraries—but their implementation has never been independently validated by NIST.

While it’s technically possible to meet FIPS standards without formal validation, it’s nearly impossible for defense contractors to verify these claims. You would need to:

  • Audit the vendor’s code
  • Validate all algorithms
  • Test self-tests and error handling
  • Verify entropy tests
  • Examine service access controls
  • Review dozens of other technical requirements beyond the encryption algorithms themselves

This testing process is complicated, time-consuming, and expensive—exactly why NIST provides independent validation through the CMVP program.

Be wary of vendors who self-attest to meeting FIPS standards. Only a CMVP certificate ensures you have independently verified encryption security. Otherwise, your organization runs the risk of wasting time and money, and introducing compliance deficiencies that will surface during CMMC as

Is PreVeil FedRAMP Moderate Equivalent?

Yes, PreVeil is FedRAMP Moderate Equivalent, meaning we meet 100% of FedRAMP Moderate baseline controls with zero outstanding Plans of Action and Milestones (POA&Ms). This is a higher bar than a FedRAMP Authorization to Operate (ATO), which typically permits POA&Ms and doesn’t require 100% compliance.

Our FedRAMP Moderate Equivalent status was achieved through:

  • Assessment by an independent, authorized FedRAMP Third Party Assessment Organization (3PAO)
  • Submission of a complete Body of Evidence to the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
  • Multi-week review by DIBCAC assessors and concurrence from the DoD CIO and CMMC Program Management Office

Why this matters: DFARS 252.204-7012(b)(2)(ii)(D) and CMMC Level 2 require defense contractors to use cloud services that meet security requirements “equivalent” to FedRAMP Moderate baseline when storing, processing, or transmitting CUI.

PreVeil was the first CSP to meet the DoD’s stringent FedRAMP Moderate Equivalency requirement for CMMC and DFARS 7012 compliance. As Matt Travis, CEO of Cyber AB, stated during the 2025 CMMC Summit:

“FedRAMP or FedRAMP Moderate Equivalency: This is something that the PreVeil team knows very well. In fact, they were the trailblazers in getting this done first.”

PreVeil is trusted by more than 2,500 small and mid-size defense contractors to meet compliance requirements faster and more affordably than legacy alternatives like GCC High.