Do you know how to document a FIPS-based Temporary Deficiency for your CMMC & NIST SP 800-171 compliance efforts?

At the end of April, we completed our Defense Industrial Base Cybersecurity Assurance Center (DIBCAC) Assessment as a C3PAO, which included claiming a Temporary Deficiency for 3.13.11, “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.” We are using Apple iOS/iPadOS & macOS, plus Windows 11 devices that are technically not FIPS validated.

According to our DIBCAC assessors, we were the first C3PAO to present a Temporary Deficiency for FIPS-related issues, and they liked our method for meeting the intent of 32 CFR Part 170.

This “As the CMMC Churns” episode explains why we did what we did and how we documented our Temporary Deficiency. Bottom line: We were MET on 3.13.11 and scored 110 on our assessment.
