If you handle CUI on a DoD contract and you run QuickBooks Desktop, one Windows setting can stall your CMMC work, and most people don't find it until they flip the switch. Turn on FIPS mode to meet the encryption requirement, and QuickBooks Desktop stops opening. That's not a rumor. Intuit says QuickBooks Desktop doesn't support FIPS mode and has no plan to add it. So the real question isn't whether QuickBooks is "CMMC compliant." What matters is whether this conflict applies to your environment, and what to do when it does.
NIST SP 800-171 control 3.13.11 requires FIPS-validated cryptography to protect the confidentiality of CUI. That means more than a FIPS-approved algorithm. The module itself has to be tested and certified by a NIST-approved lab. One common way to get there on Windows endpoints is to enable FIPS mode. The moment you do, Windows forces every application to use only FIPS-validated algorithms, and QuickBooks Desktop isn't built to comply, so it crashes on launch. The same toggle has been known to break other business software too, including some CAD tools your engineers depend on. Flip one setting for compliance and two of your most-used programs can go dark.
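A read-only pre-flight check for the conflict described above, added here as an example (it is not Intuit's tooling or ours): it reports whether the Windows FIPS policy is already on and whether an application matching a name pattern is installed on the machine. The `*QuickBooks*` display-name pattern and the `$NamePattern` parameter are assumptions; add the names of your CAD tools to the list.

```powershell
# Added example: check an endpoint before enabling FIPS mode. Changes nothing.
param(
    # Assumed DisplayName patterns; extend with the CAD tools you depend on.
    [string[]]$NamePattern = @('*QuickBooks*')
)

# Registry value behind the local policy
# "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips    = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
$fipsOn  = ($null -ne $fips) -and ($fips.Enabled -eq 1)

# Per-machine installed-program entries, 64-bit and 32-bit views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Keep entries that have a DisplayName matching any of the patterns.
$matches = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.PSObject.Properties['DisplayName'] } |
    Where-Object {
        $name = $_.DisplayName
        $NamePattern | Where-Object { $name -like $_ }
    }
$atRisk = @($matches | Select-Object DisplayName, DisplayVersion, Publisher -Unique)

# One finding per machine, suitable for collecting across the fleet.
$finding = if ($atRisk.Count -eq 0) {
    'No listed application found'
} elseif ($fipsOn) {
    'FIPS mode is on and a listed application is installed: expect launch failures'
} else {
    'Listed application installed: test it before enabling FIPS mode'
}

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    FipsEnabled  = $fipsOn
    AtRiskApps   = ($atRisk.DisplayName -join '; ')
    Finding      = $finding
}
```

If the setting is delivered by Group Policy, the registry value reflects the applied policy only after the next policy refresh.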
You may have seen this pitched as "QuickBooks fails CMMC, period." That's the fear version, and it isn't accurate. The conflict is real, but it's situational. It only bites under specific conditions, and being straight about that is the point, because a claim that collapses under a knowledgeable buyer's questions isn't worth much.
The QuickBooks and FIPS conflict is a live problem, not a hypothetical, when all of these are true:
If all four are true, the conflict is real and worth closing before an assessment. Plenty of contractors run this check and find only one or two apply, which changes the fix entirely. And even when it does apply, pulling QuickBooks out is rarely the first move. Often the right answer is scoping the CUI boundary so QuickBooks sits outside it, or documenting a compensating control and a POA&M while you plan the change. The wrong move is guessing.
We're a Registered Practitioner Organization, so we run CMMC readiness and know exactly what 3.13.11 asks for and what it doesn't. To be clear on the roles, an RPO prepares you. A C3PAO runs the certification assessment. We're the prep, not the exam.
We also build our own PCs and servers on our own line, so we control the endpoint and the compliance config down to the machine. When FIPS has to go on, we know what it will break before you find out the hard way, and we set the environment up so your accounting and your CAD tools keep running inside a compliant boundary. Most firms advising on this have never configured the hardware underneath it. We do both.
And when the worry is CUI touching a tool you can't control, we run Private AI, so sensitive data never has to leave for a public service to process it. Managed IT, CMMC readiness, and the hardware, all under one roof, serving the Wichita aerospace supply chain and Southcentral Kansas since 1997.
QuickBooks and FIPS do conflict. Whether it threatens your compliance depends on your data, your contract, and your boundary, and those are answerable in one conversation. Level 2 third-party assessments start phasing in November 10, 2026, contract by contract, so the time to find these conflicts is now, not during the assessment. We'll tell you straight whether it bites you, and if it does, we'll close it without a rip-and-replace.
If you want to know where you actually stand, book a call and we'll walk your setup. If you're weighing the on-prem-versus-cloud cost of the fix, our Infrastructure Cost Reality Check is a good place to start.