CMMC Ready Now
Compliance Alert

FIPS 140-2 Sunsets on September 21, 2026. Here Is How to Transition to FIPS 140-3 Without Disrupting Your DoD Contracts.

Every defense contractor using FIPS 140-2 validated products to protect CUI has less than five months to confirm their cryptography stays compliant. After September 21, those modules move to historical status and may not satisfy CMMC assessors.


Key Date: September 21, 2026

After this date, FIPS 140-2 validated modules are moved to "historical" status by NIST's Cryptographic Module Validation Program (CMVP). Modules in historical status are no longer on the active validation list, which creates a compliance question for any CMMC control that requires FIPS-validated cryptography.

What Is Actually Happening on September 21

FIPS 140-3 was approved in March 2019 and replaced FIPS 140-2 as the active standard for cryptographic module validation. NIST gave vendors and agencies several years to make the transition. September 21, 2026 is the end of that runway.

Here is what happens on that date and what follows:

  • NIST stops accepting new FIPS 140-2 validation submissions. Any vendor that has not already submitted for FIPS 140-3 validation cannot get a new FIPS 140-2 certificate after this date.
  • Existing FIPS 140-2 validated modules on the active list are moved to historical status. They are not revoked, but they are no longer listed as actively validated.
  • Going forward, only FIPS 140-3 validated modules appear on the active validation list.

The practical question for contractors is whether a CMMC assessor will accept a product whose cryptographic module is in historical status. NIST has not issued a blanket prohibition on using historical modules, but the safer and cleaner position is to be running products with active FIPS 140-3 validation before your assessment window.

Why This Matters for CMMC Compliance

CMMC Level 2 control SC.3.177 requires the use of FIPS-validated cryptography when protecting the confidentiality of CUI. The control language is explicit: FIPS-validated. Not just strong encryption, not just AES-256 in general, but cryptography that has been validated under an active FIPS standard.

That requirement touches more of your environment than most contractors realize. VPN gateways, full-disk encryption tools, TLS termination on web servers and proxies, encrypted email, file sharing platforms, identity and access management systems, cloud storage with encryption at rest — all of these rely on cryptographic modules that need to carry FIPS validation to satisfy SC.3.177.

If your VPN appliance is running firmware whose cryptographic module was validated under FIPS 140-2 and that module moves to historical status before your C3PAO assessment, you have a gap. The assessor may flag it, may ask for compensating controls, or may accept documentation showing a current upgrade path. What they will not do is ignore the control entirely.

"Contractors get tripped up on FIPS validation because they assume if a product says it supports AES-256, they are covered. The control requires validated cryptography, not just strong cryptography. Those are different things, and assessors know the difference."

Rick Dassler, CMMC Ready Now

What Changed Between FIPS 140-2 and FIPS 140-3

FIPS 140-3 is based on the ISO/IEC 19790:2012 standard and its testing requirements companion ISO/IEC 24759. The structure is similar to FIPS 140-2, with four security levels, but the requirements at each level were tightened and clarified in several areas.

Lifecycle assurance

FIPS 140-3 puts greater emphasis on module design, development, and delivery processes. Vendors must demonstrate configuration management, delivery and operation procedures, and guidance documentation that meets a higher bar than 140-2 required.

Software and firmware security

The new standard tightens requirements around software module integrity verification. Modules must use approved techniques to verify software or firmware integrity at power-up and to authenticate updates.

Non-invasive attack mitigation

At Security Level 3 and above, FIPS 140-3 adds explicit requirements for mitigating non-invasive attacks such as side-channel attacks. This was handled inconsistently under FIPS 140-2.

Key zeroization and sensitive parameter handling

Requirements for clearing sensitive security parameters from memory are more precisely defined, reducing ambiguity in how vendors could meet the standard.

For most defense contractors, these changes are vendor problems to solve, not something you implement yourself. The practical implication is that your vendors need to have gone through the FIPS 140-3 validation process and received a current certificate. Your job is to verify they have done that before your assessment.

How to Find Out If Your Products Are Affected

Start with the NIST CMVP validated modules search. You can look up any vendor or product and see which standard their module was validated under, what the current status is, and when the certificate was issued.

For each product in your system boundary that handles CUI encryption, you want to confirm three things:

  1. The product has an active CMVP certificate. If it only has a FIPS 140-2 certificate, check whether the vendor also has a FIPS 140-3 certificate or has one in process.
  2. The firmware or software version you are running matches the version covered by the certificate. A validated module certificate covers specific version numbers. Running an older or newer version that was not part of the validation puts you outside the boundary of the certificate.
  3. The cryptographic module is operating in approved mode. FIPS validated products often support both FIPS mode and non-FIPS mode. The validation only applies when the module is configured and operating in FIPS mode.

If any of your key products only have FIPS 140-2 certificates, contact the vendor directly and ask for their FIPS 140-3 roadmap. Most major vendors have published timelines. If a vendor cannot give you a clear answer, that is worth documenting in your SSP as a known risk with a mitigation plan.

Steps to Get Through the Transition Cleanly

This is not a complicated process if you start now. It gets complicated if you leave it for August.

  1. Build a cryptographic product inventory. List every product in your environment that performs encryption, key management, or authentication and sits inside your CMMC system boundary. VPN, endpoint encryption, email security, file sharing, identity platform, cloud storage, network appliances. All of it.
  2. Look up each product on the CMVP. Use the NIST search to find the certificate for each product. Note whether it is FIPS 140-2 or 140-3, what version it covers, and current status. Build a simple spreadsheet with this for your SSP documentation.
  3. Contact vendors with FIPS 140-2 only certificates. Ask specifically: do you have a FIPS 140-3 certificate in process, and when will a 140-3 validated version be available? Get the answer in writing if you can. This becomes evidence in your SSP that you have a managed transition plan.
  4. Schedule firmware and software updates. Once vendors release FIPS 140-3 validated versions, plan the updates before September. Do not wait until the last week of September to push firmware updates across your environment.
  5. Update your SSP. Your System Security Plan should document which cryptographic modules you rely on, that they are FIPS-validated, and which standard they are validated under. After the transition, update the relevant SC.3.177 documentation to reflect FIPS 140-3 validated modules.
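As an added example (not code from this alert or from CMMC Ready Now), here is a small Python checker that applies the three confirmations from the previous section (active certificate, covered version, approved mode) to the inventory built in the steps above and emits the spreadsheet rows for the SSP. The product names, versions, certificate standards and mode settings are constructed; the only real value is the September 21, 2026 sunset date, and certificate details must in practice be copied from the CMVP entry rather than assumed.

```python
from dataclasses import dataclass
from datetime import date

# Date on which CMVP moves remaining FIPS 140-2 certificates to the historical list.
FIPS_140_2_SUNSET = date(2026, 9, 21)

@dataclass
class CryptoProduct:
    name: str                  # product inside the CUI system boundary
    standard: str              # "140-2" or "140-3", as printed on the CMVP certificate
    validated_versions: tuple  # module versions the certificate covers
    running_version: str       # version actually deployed in your environment
    fips_mode: bool            # module configured and operating in approved mode

def cert_status(product, as_of):
    """Certificate status on a given date: 140-3 stays active, 140-2 goes historical at sunset."""
    if product.standard == "140-3":
        return "active"
    return "active" if as_of < FIPS_140_2_SUNSET else "historical"

def findings(product, as_of):
    """Gaps against the three checks: active certificate, covered version, approved mode."""
    gaps = []
    if cert_status(product, as_of) == "historical":
        gaps.append("140-2 certificate is historical; need a 140-3 validated version")
    elif product.standard == "140-2":
        gaps.append("140-2 only; goes historical on %s, get vendor 140-3 roadmap" % FIPS_140_2_SUNSET)
    if product.running_version not in product.validated_versions:
        gaps.append("running %s but certificate covers %s"
                    % (product.running_version, ", ".join(product.validated_versions)))
    if not product.fips_mode:
        gaps.append("module is not operating in FIPS approved mode")
    return gaps

def ssp_rows(inventory, as_of):
    """One spreadsheet row per product for the SSP: name, standard, status, READY or GAP."""
    return [(p.name, p.standard, cert_status(p, as_of),
             "GAP" if findings(p, as_of) else "READY") for p in inventory]

# Constructed sample inventory; the names, versions and modes are made up for illustration.
SAMPLE_INVENTORY = [
    CryptoProduct("VPN gateway", "140-2", ("8.4.1",), "8.4.1", True),
    CryptoProduct("Disk encryption", "140-3", ("3.2.0", "3.2.1"), "3.3.0", True),
    CryptoProduct("TLS proxy", "140-3", ("2.0",), "2.0", False),
    CryptoProduct("Cloud storage KMS", "140-3", ("1.0",), "1.0", True),
]

if __name__ == "__main__":
    for p in SAMPLE_INVENTORY:
        print("%-18s %s" % (p.name, "; ".join(findings(p, date(2026, 10, 1))) or "ready"))
```

Run it once with a date before the sunset and once after to see a 140-2 only product move from a roadmap warning to a hard gap while the version and mode findings stay the same.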

The Timeline You Need to Work Backwards From

Now through June

Complete cryptographic inventory, pull CMVP certificates, contact vendors.

July

Confirm vendor FIPS 140-3 release dates. Flag any products with no clear path and start evaluating alternatives.

August

Begin deploying FIPS 140-3 validated firmware and software updates in your environment. Test before pushing to production.

September 1-20

Complete all updates. Update SSP documentation. Confirm every product in your CUI boundary is running a FIPS 140-3 validated version in approved mode.

September 21

FIPS 140-2 sunset. If you followed the steps above, nothing changes for you that day.

The contractors who will have problems are the ones who find out in August that a critical product does not have a FIPS 140-3 certificate yet and the vendor is not shipping one until Q1 2027. That is a real scenario and it requires either a compensating control, a product replacement, or a frank conversation with your C3PAO about how to document it. None of those conversations are easier under time pressure.

If you are also thinking about longer-term cryptographic planning, this transition connects directly to the post-quantum picture. The FIPS 203/204/205 standards for quantum-resistant cryptography are finalized and vendors are already beginning to build support for them. Contractors who build out a clear cryptographic inventory now for the FIPS 140-3 transition will have exactly the asset map they need when post-quantum requirements start showing up in assessments.

Not Sure If Your Products Are Covered?

Our gap assessment covers SC.3.177 and every other NIST SP 800-171 control. We will tell you exactly where your cryptography stands and what needs to change before your C3PAO assessment.
