I wonder if it's bad form to reply to my own post.
I just (?) received a response via the DISA OKC help desk that the default encryption strength (40bits) is used in FOP and that Tenable is "investing an upgrade to FOP [but] it is not on the currently (sic) on the product road map. There is unfortunately no way to upgrade FOP on your own, as this could cause problems in the way SecurityCenter reporting works."
I wanna ask why it might take ten weeks to get that level of detail on a reply, but I imagine my organization has its own ... quirks.