Cryptography Compliance

How FIPS 140 and Emerging PQC Standards Shape Key Compliance Programs

Cryptography Compliance Programs

Meeting evolving security standards is essential for technology providers working with government agencies and regulated industries. Programs like CMMC, CNSA 2.0, Common Criteria, DoDIN APL, FedRAMP, and GovRAMP define strict frameworks for protecting sensitive and classified data.

Many of these programs require FIPS 140-validated cryptography, the U.S. government’s benchmark for encryption modules. Others, such as CNSA 2.0, emphasize adoption of quantum-resistant algorithms approved by the NSA and NIST.

Explore how encryption standards—both current and future-facing—fit into today’s most important compliance frameworks.

FIPS 140 Validation

FIPS 140 is the U.S. government’s standard for validating cryptographic modules used in secure systems. It’s a core requirement across public sector frameworks—including CMMC 2.0, Common Criteria, DoDIN APL, FedRAMP, and GovRAMP.

Organizations selling to government agencies must use FIPS 140-validated cryptography to meet procurement and compliance expectations.

All FIPS 140-2 certifications must transition to FIPS 140-3 by September 21, 2026. After that date, 140-2 modules will no longer be considered compliant by government buyers. Delaying revalidation could jeopardize eligibility for federal contracts and put ongoing procurements at risk.

CMMC 2.0 Compliance

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a framework developed by the U.S. Department of Defense to strengthen the security of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the defense supply chain. CMMC 2.0 simplifies the model into three levels of cybersecurity requirements.

Encryption plays a key role at Levels 2 and 3 of CMMC 2.0, where organizations must use FIPS 140-validated cryptographic modules to protect sensitive data at rest and in transit. FIPS 140 validation ensures the cryptography meets rigorous federal standards for safeguarding information.

CNSA 2.0 Compliance

CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) defines the NSA’s approved set of quantum-resistant algorithms for use in National Security Systems (NSS). It includes AES-256, SHA-384/512, ML-KEM, and ML-DSA, with required adoption timelines extending through 2031 and full compliance expected by 2035.

CNSA 2.0 builds on NIST standards and mandates crypto-agile, post-quantum cryptography for protecting classified data and national security functions. Organizations supporting NSS must transition to approved CNSA 2.0 algorithms as validated solutions become available.

Common Criteria Compliance

Common Criteria (ISO 15408) is an internationally recognized framework for evaluating the security features of IT products. Certification assures buyers that products meet rigorous standards for use in government and other highly regulated sectors.

FIPS 140 and Common Criteria serve complementary roles: while Common Criteria assesses the overall security of IT products, FIPS 140 focuses specifically on validating cryptographic modules. In the U.S., Common Criteria certification typically requires that cryptography in the product be NIST-validated, making FIPS 140 validation a critical step in the certification process.

DoDIN APL Compliance

The Department of Defense Information Network Approved Products List (DoDIN APL) is the official list of technology products authorized for use within the U.S. military’s network infrastructure. Inclusion on the DoDIN APL confirms that a product meets the Department of Defense’s strict security and interoperability requirements.

For products that use cryptographic software, such as network devices, firewalls, and cybersecurity tools, FIPS 140 validation is an essential part of the security assessment. FIPS 140 ensures that cryptographic components meet U.S. government standards for protecting sensitive data and is typically required for products seeking DoDIN APL listing.

FedRAMP Compliance

FedRAMP (Federal Risk and Authorization Management Program) provides a standardized security framework for cloud service providers offering solutions to federal agencies. It helps streamline the adoption of secure, cost-effective cloud technologies across the U.S. government.

FedRAMP security controls are based on NIST SP 800-53, and its encryption requirements reference the FIPS 140 standards. Cloud solutions must use FIPS 140-validated cryptographic modules for key management, cryptographic protection, and authentication to meet FedRAMP authorization requirements.

GovRAMP Compliance

GovRAMP is a security framework that standardizes cloud security practices for state and local governments, modeled after the federal FedRAMP program. It provides a consistent approach for assessing and managing cybersecurity risk in cloud services.

Like FedRAMP, GovRAMP relies on NIST SP 800-53 controls and requires the use of FIPS 140-validated cryptographic modules for encryption, key management, and authentication. FIPS 140 validation ensures that the cryptography in cloud solutions meets rigorous government standards for protecting sensitive data.

Post-Quantum Cryptography (PQC) Compliance

As quantum computing progresses, U.S. federal mandates now require agencies to begin migrating to quantum-resistant cryptographic algorithms. NSM-10, OMB M-23-02, and the Quantum Cybersecurity Preparedness Act collectively set timelines for identifying vulnerable systems and deploying post-quantum solutions.

NIST finalized three PQC standards in August 2024—ML-KEM, ML-DSA, and SLH-DSA—triggering updates to FIPS 140-3 validation procedures. Hybrid approaches combining traditional and PQC algorithms are now supported, while CNSA 2.0 outlines additional requirements for national security systems.

Need More Help Navigating Cryptographic Compliance?

Call us at 844-436-2797 or complete the form below to speak with a cryptography expert and explore how SafeLogic supports your FIPS 140 validation or PQC needs.