Uniqcli
Compliance

The FIPS 140-2 Sunset Is a Procurement Problem, Not a Recall

On September 21, 2026, every remaining FIPS 140-2 certificate moves to CMVP's Historical List. Nothing already deployed breaks — but what a contracting officer will accept as proof changes.

Uniqcli Newsroom · · 6 min read

Compliance

What actually happens on September 21, 2026

On that date, NIST's Cryptographic Module Validation Program moves every remaining active FIPS 140-2 validation certificate to its Historical List. It is not a shutoff switch: nothing already deployed stops working, and the sunset is not retroactive. What changes is narrower and, for anyone buying encrypted hardware, more consequential — a FIPS 140-2 certificate stops being usable to justify a new purchase, even though the module inside the box is technically unchanged.

How we got here

The sunset is the tail end of a policy that has been visible for years. CMVP's five-year validation rule, effective February 1, 2017, set every FIPS 140-2 certificate to expire five years after issuance or on the September 21, 2026 hard cutoff — whichever comes first. On the intake side, CMVP stopped accepting new FIPS 140-2 submissions as of April 1, 2022, an extension from the original September 21, 2021 cutoff granted only to projects already under contract with a test lab by May 28, 2021.

Throughout the transition, CMVP's guidance to agencies has been consistent: keep using FIPS 140-2 modules for now, but move to FIPS 140-3 modules as they become available, ahead of the 2026 cutover. The direction of travel was never ambiguous. What is easy to miss is that 'keep using' and 'keep buying' are two different permissions — and only one of them survives the sunset.

Why 'Historical' is an evidence problem, not an operational one

CMVP defines Historical status plainly: federal agencies should not include these modules in new procurements, but existing systems using them may continue to operate. The certificate already issued is not invalidated. So the encrypted drive in a laptop or the HSM in a rack does not fail on September 22 — it keeps doing exactly what it did the day before.

The exposure shows up the next time you have to prove something to an assessor. After the sunset, compliance frameworks that require FIPS-validated cryptography for new acquisitions or system updates — CMMC, FedRAMP Moderate and High (control SC-13), DFARS 252.204-7012, and FISMA — will treat a FIPS 140-2-only certificate as insufficient. Only an Active FIPS 140-3 certificate satisfies them going forward. Guidance also draws a line between 'FIPS mode enabled,' which is a configuration setting, and 'FIPS validated,' which is an Active CMVP certificate; a Historical certificate does not disable a product, but it weakens the evidence a contracting officer or C3PAO can rely on.

That reframes the buyer's question. The useful thing to ask a vendor is no longer 'is this FIPS validated' but 'is the certificate Active under 140-3, or will it be Historical before my contract's period of performance ends' — and to get that answer in writing before September.

The stacked calendar

Three deadlines inside roughly 100 days

The sunset does not land in isolation. Federal and DoD buyers are facing three separate compliance gates in close succession, and each one raises the cost of showing up with a Historical-status certificate.

  • September 21, 2026 — Every remaining FIPS 140-2 certificate moves to CMVP's Historical List. New procurements should no longer cite it as validation evidence.
  • November 10, 2026 — CMMC Level 2 enforcement begins, about seven weeks later. DoD contractors are assessed against the same FIPS-validation expectations that just tightened.
  • January 1, 2027 — Under NSA's CNSA 2.0 suite, new acquisitions for National Security Systems must support post-quantum algorithms (ML-KEM-1024, ML-DSA-87) to be deployable, with a hybrid transition period running roughly 2025 to 2030.

The CMVP queue is the real constraint

The reason 'get it in writing before September' matters is arithmetic. Independent FIPS 140-3 validation has historically run about 12 to 18 months of CMVP queue time on top of lab testing, and one industry estimate puts full validation, from initiation to certificate, at 18 to 30 months for vendors without an inheritance shortcut. Average time-in-process reportedly rose from roughly 367 days under 140-2 to about 542 days under 140-3 — a 42% jump in cycle time. A vendor who only recently entered the queue is unlikely to hold an Active certificate by the time you need to certify a purchase.

The backlog is real but not static. CMVP has introduced a two-year interim validation pathway for modules submitted before January 1, 2024, and automated processing of SP 800-140Br1-formatted submission packages, both aimed at cutting the queue. Context helps calibrate the pressure: CMVP maintains roughly 1,000-plus actively validated modules out of more than 5,000 validated since the program began. And 140-3 was only about 3% of all FIPS 140 certificates issued in 2023 before rising to roughly 45% of issuances in the first half of 2024 — the transition accelerated, but late.

There is a shortcut that changes shortlists. A vendor whose product inherits its cryptographic module from an already-validated underlying library — rather than pursuing a fully independent validation — can compress its own timeline to roughly 3 to 6 months instead of 18 to 30. When you evaluate drives, HSMs, or network gear, asking whether the 140-3 path is independent-and-in-queue or inherited-and-nearly-done tells you how soon there will be a clean certificate to cite in a contract file.

Buyer questions

If my agency already has encrypted drives or HSMs with FIPS 140-2 certificates, do we have to rip and replace them before September 2026?

No. The sunset moves certificates to CMVP's Historical List, but it does not invalidate them retroactively or disable products already deployed — systems using FIPS 140-2 validated modules can keep operating. The practical risk is narrower: agencies are advised not to rely on a Historical certificate to justify new procurements or system changes, and audit frameworks like CMMC or FedRAMP may treat continued reliance on Historical modules as something that needs a documented migration plan rather than a closed item.

Does a vendor's product being 'in the CMVP queue' for FIPS 140-3 count as compliant for a purchase we need to make this year?

No. An in-process CMVP submission is not equivalent to an Active certificate, and assessors — FedRAMP reviewers, CMMC C3PAOs, auditors — generally do not accept in-process status as a valid compliance state. Given that CMVP validation has historically taken roughly 12 to 30 months, a vendor who only entered the queue recently is unlikely to have an Active FIPS 140-3 certificate in hand by the time you need to certify a purchase. Get the actual certificate number and status, not a roadmap promise.

Is there a shortcut for vendors to get FIPS 140-3 validated faster, and should that change which products we shortlist?

Yes. A vendor whose product inherits its cryptographic module from an already-validated underlying library, rather than seeking a fully independent validation, can potentially compress the process to roughly 3 to 6 months instead of 18 to 30. When evaluating encrypted drives, HSMs, or network gear, ask vendors directly whether their FIPS 140-3 path is an independent validation still in the CMVP queue or an inherited, library-based validation that is closer to done — the answer materially affects how soon you will have a clean Active certificate to cite in a contract file.

Where Uniqcli fits

Screen the certificate before the contract, not after

Uniqcli reads the CMVP status behind every encrypted line item — Active 140-3 versus Historical-bound 140-2 — and pulls the certificate number and validation path from the vendor so it lands in your contract file, not your migration plan.

Ready to scope your program?

Talk to a Uniqcli engineer, or send a bill of materials for a TAA-verified quote — no payment up front.