With the recent focus in the cryptography industry on quantum computers and post-quantum algorithms, it could be easy to overlook a significant transition that will occur in less than a year from now. On September 21, 2026, the CMVP will declare all remaining active FIPS 140-2 certificates historical. That means in less than a year, vendors will no longer be able to use their FIPS 140-2 certificates to support new acquisitions by federal organizations.
For vendors that have already transitioned to FIPS 140-3, September 21, 2026, is no big deal. Their new FIPS 140-3 certificate has probably just begun its five-year lifespan. However, for vendors still relying on a FIPS 140-2 certificate, September 21, 2026, marks the date their new federal business could dry up if they don’t obtain a FIPS 140-3 certificate before then. Do these vendors still have time to pursue FIPS 140-3 certification? If they want to pursue their own certification and have not yet started, the answer is simple. It’s no. It’s simply too late. But fortunately, these vendors have another option, which we will cover below.
FIPS 140-2 was the second iteration of a standard NIST created to establish a minimum level of cryptographic security for deployment in the U.S. federal government. NIST published the original standard, FIPS 140-1, in 1994, and FIPS 140-2 in 2001. That means FIPS 140-2 will have been a foundational element of the cryptography industry for a full 25 years. Along the way, FIPS 140-2 became the gold standard for cryptographic module quality and certification. Numerous other security standards and frameworks, including Common Criteria, FedRAMP, DoDIN APL, CMMC 2.0, CSfC, FISMA, NIST SP 800-53, NIST SP 800-171, and others, have adopted FIPS 140-2 as their standard for cryptography.
As foundational as the FIPS 140-2 standard has been, NIST has been working on its replacement for the better part of a decade. In 2019, NIST published FIPS 140-3, the successor to 140-2. It began 140-3 certification testing in 2020 and issued the first 140-3 certificate in 2023. FIPS 140-3 introduced several significant enhancements over FIPS 140-2, including alignment with international standards (which were themselves based on FIPS 140-2), enhanced physical security requirements, improved key management practices, an increased focus on software security, and updated validation and testing processes.
How has the transition to FIPS 140-3 been going? After a slow start, the pace of 140-3 certifications definitely picked up in 2024. However, the already daunting 2+ year process to get FIPS 140 validation has gotten even longer, harder, and more complex as NIST has raised the bar on the software, documentation, testing, and laboratory procedures required for FIPS 140-3. And of course, the entire cryptography industry has simultaneously made the transition to 140-3 a high priority. According to recent data from the CMVP, FIPS validation times for its portion of the process have increased from an average of 367 days for FIPS 140-2 to 542 days for FIPS 140-3. That’s a 42% increase.
What about companies that want to begin FIPS 140-3 certification now? Given that FIPS 140 certification has stretched from 2 to 3 years, there is no way they will get certified by September 21, 2026. Let’s assume they have their code and documentation ready to submit to a Cryptography and Security Testing Laboratory (CSTL) that the CMVP has accredited. Let’s also assume the total time from initial lab submission to final CMVP certificate goes back to 24 months. They will not receive their 140-3 certificate until October 2027. That means procurement officers will shut them out of all new federal business for at least a year. And that’s absolutely a best-case scenario. If the company lacks experience and expertise in navigating the FIPS 140 validation process, the 2-year duration could take significantly longer. Or if the processing time remains closer to the current 3-year duration, they could be out of the federal market for more like 2 years.
There is also another 140-3 migration scenario waiting to trap unsuspecting government vendors. Some companies attempt to bypass 140-3 certification completely by claiming their product uses cryptography that was FIPS 140-3 certified by another company, so they have ‘FIPS inside’. Also known as FIPS compatibility, this strategy is inherently risky because procurement officers cannot verify that the company actually uses the certified product, nor that its use aligns with the certified product’s security policy. As a result, they may choose to block the acquisition.
But what if that other company’s business strategy does not align with theirs? Software companies end-of-life old products to encourage users to upgrade to newer versions that are less expensive to support. Assume you have an application that runs on version 5 of a particular Linux distribution. That distribution has a 140-2 certified cryptography library. The Linux company proudly announces they have received 140-3 certification for their version 6 product. Great! Except they are not backporting their 140-3 certified cryptography library to version 5. Instead, they announce version 5 is EOL, and they will no longer support it. Now you are stuck. To get to 140-3, you must make extensive changes to your entire application suite to migrate to version 6. How long is that going to take? How much will that cost? How long are you going to be shut out of the federal market?
Fortunately, there is a better way. By switching to SafeLogic’s CryptoComply cryptography software, you can
To learn more about how SafeLogic can get you back in good graces with NIST, the CMVP, and your federal sales team, contact SafeLogic at sales@safelogic.com.