So I’m having trouble finding any real concrete answer that isn’t buried under mountains of legalese.
When it comes to CMMC there is a requirement that any network device doing cryptographic functions needs to be using FIPS validated encryption. So far as I understand it, that means that Firewalls/Routers, Level 3 Switches, and Wireless APs need to be FIPS validated because they are either encrypting/decrypting traffic (if you’re using SSL packet inspection like we do for example) or in the case of Wireless APs configuring a secured wireless connection by exchanging keys. So given this understanding that would mean that managed level 2 switches and un-managed switches would not need to have FIPS validation correct?
Management connections, via SSH or HTTP, also need to use FIPS level encryption, so yes L2 switches will need to be FIPS compliant. They probably already are though, just have to make sure they’re using strong settings. Any AES128, with a SHA2 HMAC, and using DH with at least (or higher, preferably groups 19-21 should be used) than group 14 should be fine.
This is not actually true. The text of the requirement (from NIST SP 800-171) is that you need to use FIPS-validated cryptography “when used to protect the confidentiality of CUI.”
There may be several layers of encryption involved, for example:
Encryption between the device and access point, as you mentioned.
Encryption provided by a VPN.
Encryption provided by HTTPS.
Perhaps the file itself is also encrypted.
Perhaps only one of those layers requires FIPS validation; it will depend on how you have written your system security policy and how you have decided to protect the confidentiality of and control the flow of CUI. There could be incidental uses of encryption in your system which are not in scope.
Scoping is important because:
This is not sufficient. FIPS validated encryption is by definition implemented by a FIPS validated cryptographic module, as listed on the CMVP site. This means devices which do not have a validated module provided by the vendor cannot be made compliant. It is true that the device must additionally be configured according to the security policy accompanying the certificate, which will typically involve at a minimum disabling cryptographic algorithms which are not approved by NIST. For software or firmware-based modules, the security policy will also include the version(s) which need to be used.
This means that any devices which need to use FIPS validated encryption are likely to be 1) expensive and/or 2) lacking features which are present in the latest version or when operating in non-validated modes.
Typically, when organizations encounter this compliance framework they will build a new enclave to meet the requirements rather than try to retrofit their existing network. You only need “just enough” functionality in this enclave to be able to perform the parts of the contract which require you to handle CUI.