FIPS 140-2 Sunset September 2026: What Every Organization Must Do Before the Deadline

On September 21, 2026, the FIPS 140-2 sunset takes effect. Every active FIPS 140-2 certificate — across every vendor, every platform, every cryptographic module deployed in US and Canadian federal environments — moves to the CMVP Historical List. That transition is not symbolic. The Cryptographic Module Validation Program defines Historical-status modules as those federal agencies “should not include” in new procurements. For vendors without an active FIPS 140-3 certificate in place before that date, the impact is immediate: new federal business stops. The FIPS 140-2 sunset has been on the calendar since 2019. What many organizations are discovering in 2026 is that 18 to 30 months of validation lead time means the window is already closed for those who have not started.
TECHNICAL DISCLAIMER: This article is for educational and informational purposes only. It does not constitute professional compliance, legal, or cybersecurity advice. Organizations should engage qualified FIPS compliance specialists, accredited testing laboratories, and legal counsel to assess their specific obligations under applicable federal frameworks before taking action.
What the FIPS 140-2 Sunset Actually Means on September 21, 2026
The FIPS 140-2 sunset does not disable or invalidate existing systems. Cryptographic modules running on FIPS 140-2 validated code will continue to operate on that date. What changes is their compliance status within the CMVP framework and the procurement implications that follow.
NIST’s Cryptographic Module Validation Program [1] maintains three lists: Active, Historical, and Revoked. Active modules meet current standards and may be purchased for new federal systems. Historical modules have reached the end of their validation lifecycle; CMVP guidance states that federal agencies should not include them in new procurements, although continued operation in existing systems is permitted. Revoked modules have had their validation withdrawn by the CMVP, typically after a confirmed non-compliance, and should not be relied on at all.
From September 22, 2026, onward, any acquisition checklist, FedRAMP authorization review, CMMC assessment, or DFARS compliance verification that asks for FIPS 140-3 compliance will find a FIPS 140-2 certificate insufficient. The timing is tight for defense contractors: Phase 2 of the CMMC rollout, which begins requiring Level 2 C3PAO assessments in applicable contracts, starts on November 10, 2026, seven weeks after the FIPS 140-2 sunset. NIST SP 800-171 control 3.13.11 requires FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of controlled unclassified information. [2] A Historical certificate offered as the evidence for that control carries direct audit risk in any C3PAO assessment.
The scope of exposure is wider than many organizations assume. FIPS 140 requirements flow through CMMC 2.0, Common Criteria, DoDIN APL, FedRAMP, FISMA, NIST SP 800-53, and NIST SP 800-171. Organizations operating in any of these frameworks — defense contractors, cloud service providers, healthcare vendors handling federal data, financial institutions serving government clients — face direct implications from the September 2026 deadline.
Table 1: FIPS 140-2 Sunset Impact by Compliance Framework
| Framework | FIPS Requirement | Sunset Impact | Immediate Risk |
|---|---|---|---|
| CMMC Level 2 | NIST SP 800-171 control 3.13.11 | Historical cert creates audit gap | Failed C3PAO assessment |
| FedRAMP Moderate/High | SC-13 cryptographic controls | Module lifecycle risk triggers reassessment | Authorization delay or revocation |
| DFARS 252.204-7012 | CUI protection with FIPS-validated crypto | Historical status weakens the evidence chain | Contract compliance exposure |
| FISMA | NIST SP 800-53 SC-13 | Agencies must justify continued 140-2 use | IG audit findings |
| DoDIN APL | Procurement eligibility | 140-2 modules removed from the approved list | Loss of procurement eligibility |
| Common Criteria | Cryptographic module validation baseline | Indirect impact via FIPS cross-reference | Re-evaluation requirement |
Who Is Directly Affected by the FIPS 140-2 Sunset
The FIPS 140-2 sunset creates two distinct categories of affected organizations: vendors selling cryptographic products to federal buyers, and organizations deploying those products to meet their own compliance obligations. Both categories face different timelines, different actions, and different risk profiles.
Cryptographic Product Vendors
Vendors whose products are embedded in federal IT systems, such as VPN appliances, hardware security modules, secure communication platforms, and operating systems with cryptographic libraries, require an active CMVP certificate to appear on federal procurement-approved lists. Without an Active FIPS 140-3 certificate in place after September 21, 2026, those products become ineligible for new federal acquisitions. Traditional FIPS 140-3 validation efforts typically require 18 to 30 months from initiation to certificate issuance. [3] Vendors that had not initiated the validation process by early 2025 face a high probability of missing the transition window with a full validation. Accelerated pathways exist through module rebranding and inheritance approaches, in which a product reuses a library vendor's existing 140-3 certificate, but they require specific technical prerequisites, chiefly that the product embed the already-validated module without modifying it.
Federal Agencies and Their Contractors
Federal agencies and DoD contractors operating systems that rely on FIPS 140-2 validated modules must inventory those systems before the deadline. After September 21, 2026, continued operation in existing systems is technically permitted under CMVP guidance — but any cryptographic module validation question arising in an audit, contract renewal, or new procurement will require a 140-3 answer. Organizations must distinguish between systems they are maintaining versus new systems they are procuring or modernizing. New systems acquired after the deadline must use Active-status modules.

FIPS 140-3 Compliance: What Changed and Why It Matters
FIPS 140-3 is not an incremental update to FIPS 140-2. NIST approved it in March 2019, and it became effective on September 22, 2019. The most consequential change is architectural: rather than specifying the requirements directly, FIPS 140-3 adopts ISO/IEC 19790:2012 as its security requirements and ISO/IEC 24759:2017 as its test requirements, with the NIST SP 800-140 series supplying the US-specific modifications. [4] Because other national schemes also build on ISO/IEC 19790, this alignment lets vendors reuse much of their design documentation and test evidence across markets, a real benefit for multinational organizations and vendors serving multiple regulated markets. A CMVP certificate is still issued by the US and Canadian governments, however, and does not by itself constitute validation under another country's scheme.
The substantive technical changes in FIPS 140-3 affect how modules are tested and what they must demonstrate at runtime. Key additions include: self-tests restructured into pre-operational tests and conditional tests, with periodic re-execution during operation rather than reliance on power-up tests alone; entropy sources that must be documented and tested against NIST SP 800-90B; zeroization requirements for all unprotected Sensitive Security Parameters at all security levels, a category that now includes public security parameters such as public keys, not only secret and private keys; and lifecycle assurance provisions requiring vendors to demonstrate their own functional and low-level testing independently of the validation lab process.
For organizations managing FedRAMP FIPS requirements, the 140-3 transition also changes how compliance is documented and maintained. A certificate covers only the module versions named on it and only the approved mode of operation described in its Security Policy, so even a minor update to code inside the module boundary produces a build the certificate does not cover until the vendor submits the change to the CMVP, and a configuration that uses algorithms or settings outside the approved mode is not covered either. [5] FedRAMP’s updated cryptographic module policy requires cloud service providers to submit updated major module versions to the CMVP within six months of release. [5] Organizations that previously treated FIPS certification as a one-time achievement must now treat it as an ongoing operational discipline.
Table 2: FIPS 140-2 vs. FIPS 140-3 — Key Differences
| Dimension | FIPS 140-2 (Sunset Sept 2026) | FIPS 140-3 (Current Standard) |
|---|---|---|
| Published | 2001 | 2019 (effective September 22, 2019) |
| Technical basis | Self-contained NIST requirements | References ISO/IEC 19790:2012 + 24759:2017, modified by the SP 800-140 series |
| International alignment | US and Canada (CMVP) | Built on ISO/IEC 19790, the basis for several national schemes; the CMVP certificate itself is still issued by US and Canada |
| Self-tests | Power-up and conditional tests | Pre-operational and conditional tests, with periodic re-execution during operation |
| Entropy requirements | Basic documentation | Entropy source documentation and testing against SP 800-90B |
| Key zeroization | Plaintext secret and private keys and CSPs | All unprotected Sensitive Security Parameters, including public security parameters |
| Lifecycle assurance | Lab testing only | Vendor internal testing is required in addition to the lab |
| Validation timeline | Typically 12-18 months | Typically 18-30 months (higher complexity) |
| CMVP status after 9/21/2026 | Historical: new procurement blocked | Active: 5-year certificate lifespan |

Six Steps Every Organization Must Complete Before September 21, 2026
The following steps apply to both vendors seeking to maintain federal market access and organizations operating systems under FIPS-dependent compliance frameworks. Steps 1 through 3 are time-critical for vendors. Steps 4 through 6 apply to all organizations regardless of vendor status.
Step 1: Audit Your CMVP Certificate Status
Access the NIST CMVP validated modules search and identify every cryptographic module your organization uses or distributes that holds a FIPS 140-2 certificate. For each module, record the certificate number, the standard it was validated against, the sunset date shown on the certificate, the module versions and operational environments the certificate covers, and its current list status. This inventory is the foundation of every subsequent action. For vendors, this list represents your federal market access exposure. For operators, it defines the scope of your migration workload.
Step 2: Determine Vendor FIPS 140-3 Roadmaps
For each FIPS 140-2 module in your inventory, contact the vendor to request their FIPS 140-3 compliance roadmap. Ask specifically: Does an active FIPS 140-3 certificate exist for this module or a functionally equivalent replacement? If not, what is the projected certification date? Vendors without a clear answer or a certificate already in progress are unlikely to deliver a validated module before September 21, 2026. Begin evaluating alternatives for any module in that category.
Step 3: Classify Systems by Procurement Status
Separate your deployed systems into two categories: existing systems in operation and new systems being procured or modernized. Existing systems running FIPS 140-2 modules may continue operating after the sunset date under CMVP guidance, but they carry audit risk in any compliance review. New procurements must use Active-status modules from September 22, 2026, onward. This classification determines the urgency and sequencing of your migration effort.
Step 4: Prioritize High-Compliance-Risk Systems
Not all systems carry equal compliance risk from the FIPS 140-2 sunset. Systems directly assessed under CMMC, FedRAMP, or DFARS carry the highest immediate exposure because auditors will scrutinize their cryptographic module validation status directly. Systems in environments where FIPS compliance is a contractual rather than regulatory requirement carry lower but still material risk. Prioritize migration planning for systems with the earliest upcoming audit or contract renewal date.
Step 5: Validate Patch and Update Procedures
Under FIPS 140-3’s lifecycle rules, any change to code inside the validated module boundary produces a version the certificate does not name, and an unapproved change can break the module’s certification status. Establish or verify patching procedures that confirm updates preserve the module’s validation scope: before and after each update, compare the running module’s name and version against the versions listed on the certificate and its Security Policy. For Linux-based systems, kernel and userspace updates that touch cryptographic libraries require particular care. Some organizations use live-patching technologies to apply security fixes without modifying the cryptographic execution environment; whichever mechanism is used, the binary that actually executes must still match a validated version.
Step 6: Update Compliance Documentation
Auditors increasingly require organizations to demonstrate awareness of and active response to the FIPS 140-2 sunset. Update your System Security Plans (SSPs) and related compliance documentation to reflect: the inventory of FIPS 140-2 modules currently deployed, the planned migration timeline to FIPS 140-3 validated replacements, and the rationale for any continued use of Historical modules in existing systems. [6] Documented awareness with a defined migration plan carries meaningfully lower audit risk than undocumented continued reliance on sunset certificates.
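As an added example (not code from the article, from NIST, or from any vendor named here), the following Python script turns Steps 1, 3 and 5 into a repeatable triage over a hand-built inventory. The inventory, module names, versions and certificate numbers are constructed placeholders, not real CMVP entries. The status rules are the ones the article states: a 140-2 certificate moves to Historical on September 21, 2026; a 140-3 certificate is Active for five years from its validation date; a Revoked certificate stays Revoked. The script also flags the Step 5 failure mode, a deployed build whose version is not one the certificate names.

```python
"""Added example (not code from the article, NIST, or any vendor): triage a
hand-built module inventory against the FIPS 140-2 sunset (Steps 1, 3, 5).
Assumptions that are mine: SAMPLE_SYSTEMS is constructed (placeholder names,
versions and certificate numbers); a 140-2 certificate is Historical from
2026-09-21; a 140-3 certificate is Active for five years from its validation
date; a Revoked certificate stays Revoked at any date."""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

FIPS_140_2_SUNSET = date(2026, 9, 21)
FIPS_140_3_LIFESPAN_YEARS = 5

@dataclass(frozen=True)
class Module:
    name: str
    cert_number: int                      # placeholder, not a real certificate
    standard: str                         # "140-2" or "140-3"
    validation_date: date
    validated_versions: Tuple[str, ...]   # versions named on the certificate
    deployed_version: str                 # version actually running
    revoked: bool = False

@dataclass(frozen=True)
class System:
    name: str
    procurement: str                      # "existing" (operating) or "new"
    next_audit: date
    migration_target: date                # planned go-live of the 140-3 replacement
    modules: Tuple[Module, ...]

@dataclass(frozen=True)
class Finding:
    severity: str                         # BLOCKER, AUDIT-RISK, SEQUENCING, VERSION-DRIFT
    system: str
    module: str
    detail: str

def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb falls back to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def cmvp_status(mod: Module, on: date) -> str:
    """Project which CMVP list a certificate sits on at date `on`."""
    if mod.revoked:
        return "Revoked"
    if mod.standard == "140-2":
        return "Historical" if on >= FIPS_140_2_SUNSET else "Active"
    if mod.standard == "140-3":
        expiry = add_years(mod.validation_date, FIPS_140_3_LIFESPAN_YEARS)
        return "Historical" if on >= expiry else "Active"
    raise ValueError(f"unknown standard {mod.standard!r}")

def triage(system: System, on: date) -> List[Finding]:
    """Classify one system's modules for compliance date `on`."""
    out: List[Finding] = []
    for mod in system.modules:
        status = cmvp_status(mod, on)
        if status != "Active":
            # New procurements need Active modules; existing systems may run on,
            # but must document rationale and a migration plan in the SSP.
            sev = "BLOCKER" if system.procurement == "new" else "AUDIT-RISK"
            out.append(Finding(sev, system.name, mod.name,
                               f"cert #{mod.cert_number} is {status} on {on}"))
            if system.next_audit < system.migration_target:
                out.append(Finding("SEQUENCING", system.name, mod.name,
                                   f"audit {system.next_audit} precedes migration "
                                   f"target {system.migration_target}"))
        # Step 5: a certificate covers only the versions named on it.
        if mod.deployed_version not in mod.validated_versions:
            out.append(Finding("VERSION-DRIFT", system.name, mod.name,
                               f"running {mod.deployed_version}, validated "
                               f"{list(mod.validated_versions)}"))
    return out

def report(systems: Tuple[System, ...], on: date) -> List[Finding]:
    """Run triage over the whole inventory."""
    return [f for s in systems for f in triage(s, on)]

# Constructed inventory: placeholder names, versions and certificate numbers.
SAMPLE_SYSTEMS = (
    System("vpn-gateway", "existing", date(2026, 11, 15), date(2027, 3, 1),
           (Module("ExampleCo VPN Crypto Library", 9001, "140-2",
                   date(2021, 3, 1), ("2.1.0",), "2.1.0"),)),
    System("new-hsm-cluster", "new", date(2027, 1, 10), date(2026, 12, 1),
           (Module("ExampleCo HSM Firmware", 9002, "140-2",
                   date(2020, 7, 15), ("5.0",), "5.0"),)),
    System("object-store", "existing", date(2027, 2, 1), date(2027, 1, 1),
           (Module("ExampleCo TLS Module", 9003, "140-3",
                   date(2022, 6, 1), ("3.0.8",), "3.0.9"),)),
)

if __name__ == "__main__":
    for f in report(SAMPLE_SYSTEMS, date(2026, 9, 22)):
        print(f"{f.severity:<13} {f.system:<16} {f.module}: {f.detail}")
```

Run it with the evaluation date set to the first day after the sunset and the constructed inventory yields four findings: the existing VPN gateway becomes an audit risk whose next audit falls before its planned migration, the new HSM procurement is blocked outright, and the object store stays Active under 140-3 but is running a build its certificate does not name. Replace SAMPLE_SYSTEMS with the inventory from Step 1 and re-run it before each audit or procurement milestone.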
Table 3: FIPS 140-2 Sunset Action Priority Matrix by Organization Type
| Organization Type | Primary Exposure | Urgency | Key Action Before Sept 21, 2026 |
|---|---|---|---|
| DoD Contractor (CMMC L2) | NIST SP 800-171 control 3.13.11 audit failure | Critical | Verify FIPS 140-3 cert for all CUI-handling modules |
| FedRAMP Cloud Service Provider | SC-13 control + FedRAMP module policy FRR7 | Critical | Submit updated module versions to CMVP; confirm Active status |
| Federal Agency IT Team | FISMA/NIST SP 800-53 SC-13 | High | Inventory 140-2 modules; document migration plan in SSP |
| Cryptographic Product Vendor | Federal procurement eligibility loss | Critical | Obtain FIPS 140-3 certificate or initiate validated module inheritance |
| Healthcare / Financial (FIPS as benchmark) | Contract and audit exposure | Medium | Audit vendor roadmaps; document risk acceptance for non-migrated modules |
| State/Local Government | Indirect (FISMA-aligned frameworks) | Medium-Low | Monitor vendor timelines; include 140-3 in next procurement cycle |

Counter-Arguments
Objection: FIPS 140-2 modules still work after September 21, 2026. The sunset is administrative, not a technical failure — our systems are still secure.
Discussion: Correct that modules continue operating. The risk is not technical failure on the deadline date — it is compliance status. A Historical certificate no longer satisfies active procurement requirements under CMMC, FedRAMP, or DFARS. The next C3PAO assessment, FedRAMP annual review, or contract award evaluation that asks for FIPS-validated cryptography will find a Historical module insufficient. Organizations that treat the sunset as administrative without updating their compliance posture convert a preventable risk into an audit finding.

Objection: Our cloud provider handles FIPS compliance. We don’t need to manage cryptographic module validation ourselves.
Discussion: Cloud providers handle platform-level FIPS validation, but organizations retain responsibility for the compliance posture of their specific configurations and applications running on that platform. FedRAMP authorization belongs to the cloud service provider, not the customer. Under SC-13, the customer organization must still verify that the specific modules protecting their data hold an active status validation. Inherited controls reduce the burden but do not eliminate the requirement to verify the currency of the underlying certificates.

Objection: FIPS 140-3 validation takes 18 to 30 months. It’s too late for vendors who haven’t started. The deadline is effectively unachievable for many.
Discussion: For full independent validation from scratch, the timeline concern is accurate. However, FIPS 140-3 certificate inheritance and module rebranding pathways exist that can significantly compress timelines for vendors whose products are built on already-validated cryptographic libraries. These pathways require the underlying library to hold an Active FIPS 140-3 certificate, which many major cryptographic library vendors have already obtained. The option is not universally available, but for vendors using mainstream cryptographic libraries, it represents a viable path that does not require a full validation cycle.

Objection: We’re a private-sector company. FIPS standards apply to federal agencies, not commercial organizations.
Discussion: FIPS validation is mandatory for federal agencies under FISMA and flows to their contractors through contract clauses such as DFARS 252.204-7012. For private-sector organizations without federal contracts, it is not a legal requirement. However, FIPS 140 validation has become a widely adopted trust signal in healthcare, financial services, and technology sectors, used by procurement teams, enterprise buyers, and security auditors as a practical security benchmark. Organizations selling to regulated-sector buyers who require FIPS-validated cryptography in their supply chain are indirectly affected by the sunset regardless of their own federal contract status.

FAQ
Q1: What exactly happens to FIPS 140-2 certificates on September 21, 2026?
A: Every active FIPS 140-2 certificate moves to the CMVP Historical List on September 21, 2026. Historical status means the modules may continue operating in existing systems, but federal agencies should not include them in new procurements. Any compliance framework that requires FIPS-validated cryptography — including CMMC, FedRAMP, DFARS, and FISMA — will require an Active FIPS 140-3 compliance certificate for new system acquisitions and updates from that date forward.
Q2: Can we keep using our FIPS 140-2 validated systems after the sunset date?
A: Continued operation in existing systems is permitted under CMVP guidance. The FIPS 140-2 sunset does not disable running systems. However, the compliance evidence those systems provide weakens in any audit or assessment that asks for current FIPS-validated cryptography. Organizations must be prepared to justify continued reliance on Historical modules with a documented migration plan when audited.
Q3: How long does FIPS 140-3 validation take, and is it too late to start now?
A: Full FIPS 140-3 validation from scratch typically requires 18 to 30 months. For organizations beginning in mid-2026, a complete independent validation will not be completed before the deadline. However, certificate inheritance and rebranding pathways through established cryptographic module validation programs can compress timelines to three to six months for eligible products. Organizations should assess whether their modules qualify for these accelerated paths immediately.
Q4: Which compliance frameworks require FIPS 140-3 after September 2026?
A: CMMC Level 2 (via NIST SP 800-171 control 3.13.11), FedRAMP Moderate and High (via SC-13), DFARS 252.204-7012, FISMA, and DoDIN APL all require FIPS-validated cryptography. After the September 2026 deadline, these frameworks will expect Active-status FIPS 140-3 certificates for new procurements and modernized systems. Organizations under any of these frameworks should treat the deadline as a hard compliance date.
Q5: Does our cloud provider’s FIPS 140-3 certificate cover our organization’s compliance?
A: Partially. FedRAMP authorization belongs to the cloud service provider, and inherited controls reduce — but do not eliminate — the customer’s compliance obligations. Under SC-13, organizations must still verify that the specific modules protecting their data hold an active status validation. Customers should request their cloud provider’s FIPS 140-3 compliance documentation and verify that the modules applicable to their data processing environment are on the Active CMVP list.
Q6: What should our compliance documentation include to address the FIPS 140-2 sunset?
A: System Security Plans and related compliance documentation should include: an inventory of all FIPS 140-2 modules currently deployed; the current CMVP status of each certificate; a migration timeline to FIPS 140-3 validated replacements; and a risk acceptance statement for any modules that will remain on Historical status in existing systems beyond the FIPS 140-2 sunset date. Auditors treat documented awareness with a defined plan significantly more favorably than undocumented continued reliance.
Key Points
What Every Organization Needs to Know About the FIPS 140-2 Sunset
- On September 21, 2026, every active FIPS 140-2 certificate moves to the CMVP Historical List — blocking new federal procurements for vendors without an Active FIPS 140-3 certificate.
- CMMC Phase 2, which begins requiring Level 2 C3PAO assessments in applicable contracts, starts on November 10, 2026, seven weeks after the deadline, and NIST SP 800-171 control 3.13.11 requires FIPS-validated cryptography to protect CUI.
- FIPS 140-3 introduces runtime self-tests, global ISO/IEC alignment, stricter entropy requirements, and lifecycle assurance obligations that fundamentally change how FIPS 140-3 compliance is maintained.
- Full FIPS 140-3 validation takes 18 to 30 months. Vendors that have not initiated validation or an inheritance pathway are at high risk of missing the September 2026 deadline.
- The six-step action framework — from CMVP audit through documentation update — provides the structured path every organization needs before the deadline.
Continue your PQC and cryptographic compliance research:
- Read the previous article: Q-Day 2026: How Google’s Breakthrough Just Compressed the Quantum Threat Timeline
- Read the pillar article: Year of Quantum Security 2026: The Complete Action Plan for CISOs
- Subscribe to the PQC series for structured updates as cryptographic compliance deadlines approach.
PQC Series Overview
This article is part of the Post-Quantum Security Series — a technical collection of guides exploring cryptographic vulnerabilities exposed by quantum computing, migration strategies for organizations, and the steps required to protect sensitive data before quantum decryption becomes operationally viable.
References
- [1] National Institute of Standards and Technology. (2026). Cryptographic Module Validation Program: Active and Historical Lists. NIST CSRC. https://csrc.nist.gov/projects/cryptographic-module-validation-program
- [2] National Institute of Standards and Technology. (2024). NIST SP 800-171 Revision 3: Protecting Controlled Unclassified Information. NIST CSRC. https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/final
- [3] SafeLogic. (2026). The fastest path to FIPS 140-3 certificate ownership. SafeLogic Blog. https://www.safelogic.com/blog/the-fastest-path-to-fips-140-3-certificate-ownership
- [4] National Institute of Standards and Technology. (2019). FIPS 140-3 Transition Effort. NIST CSRC. https://csrc.nist.gov/projects/fips-140-3-transition-effort
- [5] SafeLogic. (2026). FedRAMP and FIPS 140-2 vs. 140-3: What teams miss. SafeLogic Blog. https://www.safelogic.com/blog/fips-140-2-vs-fips-140-3-for-fedramp-what-teams-miss
- [6] TuxCare. (2026). 2026 FIPS compliance: Requirements, certifications, and migration guidance. TuxCare Blog. https://tuxcare.com/blog/fips-compliance/
- [7] Chainguard. (2025). FIPS 140-2 vs FIPS 140-3: What’s the difference? Chainguard Supply Chain Security. https://www.chainguard.dev/supply-chain-security-101/fips-140-2-vs-140-3-whats-the-difference



