CMMC and FIPS 140-2: How to Enable FIPS 140-2 Compliant Mode for RDP & BitLocker

CMMC incorporates the security requirements of NIST SP 800-171, which in turn require FIPS-validated cryptography wherever encryption is used to protect the confidentiality of Controlled Unclassified Information (CUI). Organizations pursuing CMMC Level 2 or Level 3 must therefore use cryptographic modules validated under FIPS 140 so that CUI is protected by approved algorithms in transit and at rest. The relationship between FIPS 140-2 (Federal Information Processing Standards Publication 140-2) and CMMC (Cybersecurity Maturity Model Certification) thus comes down to a shared goal: protecting sensitive federal information with cryptography of known quality.

This document describes how to configure the Microsoft Windows OS to operate in FIPS 140-2 compliant mode.

Important Notes
Microsoft's current guidance is that customers who are not subject to government regulations have no compelling reason to enable FIPS mode. Please see Microsoft Guidance.
TruGrid SecureRDP does not modify the Microsoft RDP protocol and therefore works with standard production deployments of Microsoft RDP.
Because the RDP protocol is native to Windows, the FIPS 140-2 policy is a system-wide setting: enabling it for RDP also enables it for other built-in Windows components that use cryptography, such as Schannel (TLS), BitLocker and some .NET Framework functions.
TruGrid recommends that you test your FIPS 140-2 configuration thoroughly before allowing production use. If you enable FIPS 140-2 according to Microsoft's guidance below and TruGrid SecureRDP does not function properly, first confirm that a native RDP connection to the host works before contacting TruGrid for assistance.


Enable FIPS 140-2 for Windows (including RDP and BitLocker)



Log in to a Microsoft Active Directory domain controller
A. Connect to a domain controller for the domain in which you want to enable FIPS 140-2 for RDP.
B. Open the Group Policy Management Console (GPMC.MSC).
C. Edit the DEFAULT DOMAIN POLICY (or, preferably, a dedicated GPO linked to the OU that contains your RDP hosts, since the Default Domain Policy is best kept minimal). Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, open System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and set it to Enabled. On each computer the policy applies to, this sets the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled to 1.
D. Click the EXPLAIN tab and read the information provided by Microsoft; it describes which Windows components the setting affects.
E. Run GPUPDATE /FORCE on all RDP hosts in the domain, or wait for the policy to apply. Processes read the FIPS flag when they start, so rebooting each host is the simplest way to make sure every service picks up the change.



Validate your FIPS 140-2 configuration
A. Connect via native RDP (mstsc) from an external RDP client to an RDP host on your domain.
B. Connect via TruGrid from an external RDP client to the same RDP host.
C. Once both connections succeed, enable for production use.
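The two procedures above set the policy on the domain controller and then test RDP by hand. The following Windows PowerShell 5.1 script is an added example (it is not part of the TruGrid article or of any TruGrid product) that checks, on each RDP host, whether the policy has actually taken effect before you start the connection tests: it reads the registry flag the policy sets, confirms that the .NET Framework in the running process honours it, probes a managed (non-validated) SHA-256 implementation that FIPS mode must refuse, reports the RDP listener's security settings, and checks that TCP 3389 answers. The host names rdp-host01 and rdp-host02 are placeholders, and the SHA256Managed probe depends on .NET Framework behaviour (PowerShell 7 / .NET Core never throws there).

```powershell
# Added example, not from the TruGrid article: verify that FIPS 140-2 mode has
# taken effect on an RDP host and that native RDP is reachable. Run in Windows
# PowerShell 5.1 (.NET Framework), locally or via Invoke-Command from the DC.
# Host names used below are placeholders.

function Get-FipsStatus {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # 1. The "System cryptography: Use FIPS compliant algorithms ..." policy writes
    #    this DWORD. 1 = FIPS mode enforced; 0 or missing = off.
    $enabled = (Get-ItemProperty -Path $lsaKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # 2. The .NET Framework reads the same flag once, when the process starts.
    $dotNetFipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # 3. Behavioural probe: with FIPS mode on, .NET Framework refuses to construct the
    #    purely managed SHA-256 implementation, while the CNG-backed one still works.
    $managedRefused = $false
    $probeMessage   = ''
    try {
        [void][System.Security.Cryptography.SHA256Managed]::new()
    } catch {
        $managedRefused = $true
        $probeMessage   = $_.Exception.Message
    }
    $cngWorks = $false
    try {
        [void][System.Security.Cryptography.SHA256Cng]::new()
        $cngWorks = $true
    } catch { }

    # 4. RDP listener settings. SecurityLayer 2 = TLS required; MinEncryptionLevel
    #    4 = "FIPS Compliant". With FIPS mode on, the listener uses the FIPS Compliant
    #    level regardless of the MinEncryptionLevel value stored here.
    $rdp = Get-ItemProperty -Path $rdpKey -Name SecurityLayer, MinEncryptionLevel -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        FipsAlgorithmPolicy   = [int]$enabled
        DotNetFipsOnly        = [bool]$dotNetFipsOnly
        ManagedSha256Refused  = $managedRefused
        CngSha256Works        = $cngWorks
        ProbeMessage          = $probeMessage
        RdpSecurityLayer      = $rdp.SecurityLayer
        RdpMinEncryptionLevel = $rdp.MinEncryptionLevel
        FipsEffective         = ($enabled -eq 1) -and $dotNetFipsOnly -and $managedRefused -and $cngWorks
    }
}

function Test-NativeRdp {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Validation step A: confirm the RDP listener answers on TCP 3389 before testing
    # through TruGrid. A TCP connect only proves reachability; the TLS/RDP negotiation
    # itself is exercised by opening mstsc against the host.
    Test-NetConnection -ComputerName $ComputerName -Port 3389 -InformationLevel Quiet
}

# Usage: fan out from the domain controller after GPUPDATE /FORCE has run on the hosts.
$rdpHosts = 'rdp-host01', 'rdp-host02'   # placeholders
Invoke-Command -ComputerName $rdpHosts -ScriptBlock ${function:Get-FipsStatus} |
    Select-Object ComputerName, FipsAlgorithmPolicy, DotNetFipsOnly, ManagedSha256Refused,
                  RdpSecurityLayer, RdpMinEncryptionLevel, FipsEffective |
    Format-Table -AutoSize

$rdpHosts | ForEach-Object { "$_ : RDP port reachable = $(Test-NativeRdp -ComputerName $_)" }
```

A host that shows FipsAlgorithmPolicy = 1 but DotNetFipsOnly = False has received the policy but not restarted the process you are testing from; reboot it before drawing conclusions. If ManagedSha256Refused is False on every host, confirm you are running Windows PowerShell 5.1 rather than PowerShell 7, where that probe does not apply.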

Relationship between FIPS 140-2 and CMMC:


FIPS 140-2: This is a U.S. government computer security standard used to validate cryptographic modules. Its primary goal is to ensure that the cryptographic components of software and hardware products provide a consistent, tested level of security. The standard is central for government agencies and contractors that handle sensitive but unclassified information. Note that FIPS 140-3 has since superseded FIPS 140-2 as the current validation standard; existing FIPS 140-2 validations remain acceptable until NIST moves them to its historical list, and NIST SP 800-171 simply requires "FIPS-validated" cryptography.

CMMC: The Cybersecurity Maturity Model Certification is a framework designed to protect Federal Contract Information and controlled unclassified information (CUI) on non-federal systems. It applies to Defense Industrial Base contractors and their subcontractors that handle such information. CMMC defines specific levels of cybersecurity readiness, from basic to advanced, that contractors must meet to be eligible for DoD contracts.

The connection between FIPS 140-2 and CMMC lies in their shared goal of protecting sensitive information, though they approach it from slightly different angles:

FIPS 140-2 focuses specifically on the security of cryptographic modules; it is a requirement that other cybersecurity frameworks, including the NIST SP 800-171 controls assessed under CMMC, incorporate by reference.

CMMC, in broader terms, includes an assessment of a company’s overall cybersecurity maturity and capabilities, which can involve implementing cryptographic solutions that are FIPS 140-2 validated as part of its cybersecurity practices.

In practice, a contractor needing to comply with CMMC may need to use cryptographic products that meet FIPS 140-2 standards to protect the integrity and confidentiality of CUI. This ensures a base level of security is maintained across all defense-related projects and information handling.

For additional details, please review the Microsoft document on FIPS 140-2 Validation. https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation

Updated on: 11/04/2024
