This video from Amira Armond and Jillian Wright (both Kieri Solutions Provisional Assessors and Instructors), explains when FIPS 140-2 validated modules are required to be used by CMMC Level 2 / NIST SP 800-171.
It also explains when FIPS is NOT required. Hint: you do not need FIPS for everything.
Enjoy!
Reference:
I just watched the video on FIPS and CUI. This is a good video. https://www.cmmcaudit.org/when-is-a-fips-validated-module-required/
If an organization uses wireless access points and internally passes CUI to and from a server, how can you ensure the traffic is encrypted with a validated module?
Thank you