In my previous blog post, I walked through how to map TLS 1.2 cipher suites to FIPS 140-3-approved algorithms and why that mapping is not static. The key point was that FIPS approval is tied to individual algorithms, not to protocol versions or cipher suite names. Because the set of FIPS-approved algorithms changes over time, there is no single fixed list of “FIPS-approved” cipher suites for TLS, only cipher suites whose components map to currently approved primitives.
In this post, I’ll apply the same approach to TLS 1.3. While TLS 1.3 simplifies the structure of cipher suites, the underlying requirement remains the same: each TLS component must map to a currently approved algorithm. Since TLS 1.3 cipher suites are minimal, I’ll also apply the same approach to TLS 1.3-compatible key exchange and signature algorithms. For simplicity, this blog lists only algorithms that are currently FIPS-approved (as of April 1, 2026) and applicable to TLS 1.3 cipher suites. It does not list algorithms that are no longer approved for new FIPS validations.
For more details on how FIPS-approved algorithms are defined, or for the full breakdown of FIPS-approved algorithms in the TLS 1.2 cipher suites, please refer to Part I of this blog series.
While TLS 1.2 cipher suites specify key exchange, signing, encryption, and hash algorithms, TLS 1.3 cipher suites specify only AEAD (Authenticated Encryption with Associated Data) and hash algorithms.
The table below lists the current FIPS 140-3 approved algorithms for each component of the TLS 1.3 cipher suites. The TLS 1.3 algorithms column lists only TLS 1.3 algorithms that have corresponding FIPS 140-3-approved algorithms.
| Cipher Suite Component | TLS 1.3 Algorithms | Corresponding FIPS 140-3 Approved Algorithms |
|---|---|---|
| AEAD | | |
| Hash Algorithm/KDF | | |

*AES-CCM with an 8-byte tag can be used, but is weaker.
**One of the elements of this KDF is the SP 800-56Cr2 HKDF.
The following is the full list of TLS 1.3 cipher suites that only use FIPS-approved algorithms:
Note that, for the strongest security, NIST SP 800-52r2 designates the first three cipher suites as preferred because CCM_8 has reduced tag strength.
As noted above, TLS 1.3 cipher suites only specify the AEAD and hash algorithms. For FIPS contexts, TLS 1.3 cipher suites should also use FIPS-approved algorithms for key exchange and digital signatures, negotiated via the supported_groups and key_share extensions (for key exchange) and the signature_algorithms extension (for digital signatures).
The table below specifies the FIPS-approved algorithms that can be used with TLS 1.3 for key exchange and digital signatures. The “TLS 1.3-Compatible Algorithms” column only lists TLS 1.3-compatible algorithms for which corresponding FIPS 140-3 approved algorithms exist.
| Cryptographic Element | TLS 1.3-Compatible Algorithms | Corresponding FIPS 140-3 Approved Algorithms |
|---|---|---|
| Key Exchange Algorithm | | |
| Signing Algorithm*** | | |

***Signing algorithms should use hashes with the same security strength.
****X25519 and X448 are disallowed algorithms in FIPS. They are included in the table above since their current conformance status is a frequent user question.
Post-quantum cryptography (PQC) is already FIPS approved. (See more details here.) ML-KEM is an approved key encapsulation algorithm, while ML-DSA and SLH-DSA are approved signing algorithms. However, given the long CMVP validation timelines and the relatively recent publication of these standards, this cryptography is not yet available in validated FIPS modules.
The IETF has also defined how these PQC algorithms can be used with TLS 1.3. While this guidance is still in draft, it specifies ML-KEM for key exchange via the supported_groups and key_share extensions, and ML-DSA and SLH-DSA for authentication via the signature_algorithms extension.
The CMVP is still finalizing guidance for PQC/hybrid classical key exchange. Until this guidance is issued, there is no FIPS-approved hybrid key establishment method. Once this guidance is published, I anticipate that the IANA (Internet Assigned Numbers Authority) parameter sets SecP256r1MLKEM768, X25519MLKEM768, and SecP384r1MLKEM1024 will be FIPS approved under the conditions defined in FIPS 140-3 IG D.S.
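The component-by-component check described in this post, as an added example that is not from the original post or from SafeLogic: it splits each TLS 1.3 cipher suite name into its AEAD and hash, and classifies supported_groups entries, including the disallowed X25519/X448 and the hybrid parameter sets still awaiting CMVP guidance. The approved sets are assumptions drawn from RFC 8446 and IANA names and are a dated snapshot; the function names and sample configuration are constructed for illustration, and signature algorithms are left out.

```python
# Added example. The sets below are assumptions taken from RFC 8446 / IANA
# names and from statements in this post; they are a dated snapshot, not a
# copy of the post's tables.
APPROVED_AEAD = {"AES_128_GCM", "AES_256_GCM", "AES_128_CCM", "AES_128_CCM_8"}
REDUCED_TAG_AEAD = {"AES_128_CCM_8"}  # 8-byte tag: usable but weaker
APPROVED_HASH = {"SHA256", "SHA384"}
APPROVED_GROUPS = {"secp256r1", "secp384r1", "secp521r1", "ffdhe2048",
                   "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192"}
DISALLOWED_GROUPS = {"x25519", "x448"}
HYBRID_PENDING = {"secp256r1mlkem768", "x25519mlkem768", "secp384r1mlkem1024"}


def classify_suite(name):
    """Check the AEAD and hash of a TLS_<AEAD>_<HASH> suite independently."""
    if not name.startswith("TLS_") or name.count("_") < 2:
        return "unknown"
    aead, _, digest = name[4:].rpartition("_")
    if aead not in APPROVED_AEAD:
        return "not approved (AEAD " + aead + ")"
    if digest not in APPROVED_HASH:
        return "not approved (hash " + digest + ")"
    return "approved, reduced tag" if aead in REDUCED_TAG_AEAD else "approved"


def classify_group(name):
    """Classify a supported_groups entry; names compare case-insensitively."""
    key = name.lower()
    if key in APPROVED_GROUPS:
        return "approved"
    if key in DISALLOWED_GROUPS:
        return "disallowed"
    if key in HYBRID_PENDING:
        return "hybrid, pending CMVP guidance"
    return "unknown"


def audit(suites, groups):
    """Return (kind, name, status) for every entry not plainly approved."""
    rows = [("cipher_suite", s, classify_suite(s)) for s in suites]
    rows += [("group", g, classify_group(g)) for g in groups]
    return [r for r in rows if r[2] != "approved"]


# Constructed sample configuration, not taken from any real deployment.
SAMPLE_SUITES = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                 "TLS_AES_128_CCM_8_SHA256"]
SAMPLE_GROUPS = ["X25519MLKEM768", "x25519", "secp384r1"]

if __name__ == "__main__":
    for kind, name, status in audit(SAMPLE_SUITES, SAMPLE_GROUPS):
        print(f"{kind:12} {name:30} {status}")
```

Because the approved sets change over time, treat them as data to be reviewed against the current CMVP guidance rather than as fixed constants.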
TLS 1.3 simplifies cipher suites compared to TLS 1.2, but the core FIPS conformance requirement remains unchanged: each TLS component must map to a currently approved algorithm. The reduced cipher suite structure in TLS 1.3 shifts more of the compliance considerations to the negotiated key exchange and signature algorithms, rather than eliminating them.
As FIPS-approved algorithms and TLS standards continue to evolve to include PQC and other cryptographic changes, this mapping between them will also continue to change.
The SafeLogic CryptoComply validated FIPS modules already implement the approved algorithms listed above, making it straightforward to deploy TLS 1.3 configurations that meet these requirements without having to track these moving pieces yourself. Our RapidCert validations also enable certification in your company’s name within three months across a wide range of platforms (including Linux, UNIX, Windows, macOS, Android, and iOS).