FIPS 140-2 Sunset September 2026: What Procurement Teams and CISOs Must Do Before the Deadline
On September 21, 2026, every active FIPS 140-2 certificate transitions to Historical status under the NIST Cryptographic Module Validation Program (CMVP).[NIST CMVP] After that date, Historical modules may only be used in existing legacy systems; they cannot be specified in new federal procurements. For procurement teams mid-solicitation and CISOs managing vendor portfolios today, this is an active contract risk, not a future planning item.
The submission window for new FIPS 140-2 validations closed on March 31, 2022, with no extensions on record.[NIST CMVP] FIPS 140-3 became the only accepted validation standard from September 22, 2020.[NIST CMVP] What that sequence means in practice is examined below.
What "Historical Status" Actually Means for Your Agency After September 21, 2026
CMVP assigns one of three statuses to validated cryptographic modules: Active, Historical, or Revoked. When a FIPS 140-2 certificate moves to Historical status on September 21, 2026, the module does not become immediately prohibited everywhere, but its permitted use narrows significantly.[NIST CMVP] Historical modules may continue operating in systems where they were already deployed, but they cannot be used to satisfy cryptographic requirements in new acquisitions or system upgrades that require a currently validated module.
The practical procurement consequence: any RFP or contract award that specifies a FIPS-validated cryptographic module after September 21, 2026 must reference a FIPS 140-3 certificate. A vendor presenting a FIPS 140-2 certificate will not satisfy that requirement. "Grandfathering" applies only to already-deployed systems, not to new contracts. This distinction matters because agency auditors reviewing FedRAMP authorization packages, DFARS clause compliance, or agency-specific security requirements will apply it strictly.
The Validation Timeline Problem Procurement Teams Cannot Afford to Ignore
FIPS 140-3 validation runs 24 to 36 or more months from laboratory submission to certificate issuance.[SafeLogic] A vendor that has not already submitted a module for FIPS 140-3 testing today cannot realistically hold a valid certificate before September 2026, and may not hold one until 2027 or 2028. FIPS 140-3 certificates carry a five-year validity window from the date of issuance.[NIST CMVP]
The real-world impact is already visible. Cisco Meraki's FIPS 140-2 module expired on January 6, 2026, before the formal sunset date, requiring customers to plan transitions ahead of the September deadline.[Cisco Meraki FIPS 140-2 Sunsetting Notice] That case illustrates a broader pattern: individual module certificates expire on their own schedules, which may precede the September 2026 program-wide sunset. Procurement teams should check both the certificate expiry date and the broader sunset deadline when assessing vendor status.
For context on how FIPS 140-3 validation intersects with post-quantum cryptography readiness: the FIPS 140-3 validation status of PQC-capable modules remains an open compliance gap, and it compounds the September 2026 transition challenge.
How to Audit Your Current Vendor Portfolio Before the Deadline
The CMVP certificate search at csrc.nist.gov allows procurement teams to query by vendor name, module name, or certificate number and filter by standard (FIPS 140-2 vs. 140-3) and status (Active, Historical, Revoked).[NIST CMVP] A structured audit should proceed as follows:
- Extract your cryptographic vendor list. Pull every vendor supplying hardware security modules, TLS termination, VPN appliances, disk encryption, or PKI infrastructure from active contracts and pending solicitations.
- Query each vendor in the CMVP database. Record the standard version (140-2 or 140-3), certificate status, and expiry date for every listed module.
- Flag transition-risk vendors. Any vendor holding only FIPS 140-2 certificates with no FIPS 140-3 certificate in Active status is a transition risk. Vendors with certificates expiring before September 21, 2026 are an immediate risk.
- Request roadmaps from flagged vendors. Ask each transition-risk vendor for their FIPS 140-3 laboratory submission date and projected certificate issuance date. A vendor that cannot provide both figures should be treated as unqualified for new awards dependent on FIPS compliance.
This audit should be completed and results shared with the CISO and contracting officer before any pending solicitations close. Discovering a vendor's FIPS gap after contract award creates significantly more remediation cost than filtering them out during evaluation.
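As an added example (not code from the article), the following Python turns a constructed set of CMVP-style certificate records into the transition-risk register that the audit steps above and the Days 1-15 plan call for, applying the flagging rule (certificate expiring before the sunset, 140-2 only, 140-3 Active) and the "Active at delivery, not just at award" check. Vendor names, module names and dates are hypothetical stand-ins for what you would transcribe from the CMVP search.

```python
# Added example, not from the article: build the transition-risk register from a
# constructed inventory of CMVP-style certificate records (all names/dates hypothetical).
from dataclasses import dataclass
from datetime import date

SUNSET = date(2026, 9, 21)  # FIPS 140-2 certificates move to Historical status
@dataclass(frozen=True)
class Cert:
    vendor: str
    module: str
    standard: str  # "140-2" or "140-3"
    status: str    # "Active", "Historical" or "Revoked"
    expiry: date

# Constructed sample records, not real CMVP entries.
INVENTORY = [
    Cert("VendorA", "HSM-1", "140-2", "Active", date(2026, 9, 21)),
    Cert("VendorA", "HSM-1 v2", "140-3", "Active", date(2030, 3, 1)),
    Cert("VendorB", "VPN-Appliance", "140-2", "Active", date(2026, 1, 6)),
    Cert("VendorC", "TLS-Lib", "140-2", "Active", date(2026, 9, 21)),
    Cert("VendorD", "Disk-Enc", "140-3", "Historical", date(2025, 5, 1)),
    Cert("VendorE", "PKI-Suite", "140-3", "Active", date(2026, 12, 1)),
]

def active_140_3_on(certs, day: date) -> bool:
    """True if a FIPS 140-3 certificate is Active and unexpired on `day`."""
    return any(c.standard == "140-3" and c.status == "Active" and c.expiry > day
               for c in certs)

def risk_register(inventory, today: date, delivery: date) -> dict:
    """(a) immediate risk: an Active cert expires before the sunset, or the 140-3 cert
    lapses before delivery; (b) transition risk: no Active 140-3 cert;
    (c) compliant: Active 140-3 cert still valid on the delivery date."""
    by_vendor = {}
    for c in inventory:
        by_vendor.setdefault(c.vendor, []).append(c)
    register = {}
    for vendor, certs in by_vendor.items():
        if active_140_3_on(certs, delivery):
            register[vendor] = "c"
        elif (any(c.status == "Active" and c.expiry < SUNSET for c in certs)
              or active_140_3_on(certs, today)):
            register[vendor] = "a"
        else:
            register[vendor] = "b"
    return register

def roadmap_requests(register: dict) -> list:
    """Vendors needing a FIPS 140-3 submission date and projected issuance date."""
    return sorted(v for v, cat in register.items() if cat in ("a", "b"))
```

Note that VendorE is compliant for a mid-2026 delivery but becomes an immediate risk for a 2027 delivery, which is exactly why the contract language should tie the Active certificate to the delivery date.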
Updating RFP and Contract Language to Require FIPS 140-3 Compliance
Existing boilerplate referencing "FIPS 140-2 validated" or "FIPS 140-2 or higher" should be updated in all new solicitations. The appropriate language specifies FIPS 140-3 validation with an Active certificate in the CMVP database at the time of delivery, not merely at the time of contract award.[NIST CMVP] This distinction matters because a vendor could hold an Active certificate at award but allow it to expire or transition to Historical before delivering the module.
Suggested elements for updated RFP language include:
- A requirement that cryptographic modules comply with FIPS 140-3 with an Active certificate in the NIST CMVP database
- A delivery requirement that the specific module and version number listed in the CMVP certificate match the deliverable
- A contract clause requiring the vendor to notify the contracting officer within 30 days if their FIPS 140-3 certificate status changes
- Evaluation criteria in technically acceptable determinations that treat FIPS 140-2-only vendors as non-compliant for new system deployments post-September 2026
For agencies operating under FedRAMP, these requirements integrate directly with the POA&M tracking obligations already required for cryptographic controls. FedRAMP's RFC-0026 POA&M requirements for cryptographic migration provide a documented framework for tracking module-level compliance gaps through the authorization lifecycle.
Special Considerations for Cloud, SaaS, and Software-Only Modules
FIPS 140-3 introduced materially more stringent requirements for software and virtualized cryptographic modules compared to FIPS 140-2.[NIST CMVP] Testing under FIPS 140-3 adopts the ISO/IEC 19790 framework, which includes enhanced controls for software security, key management, and operational environment documentation.[NIST CMVP] For cloud-deployed or SaaS vendor modules, this means the validation scope explicitly covers the virtual or containerized execution environment.
Procurement teams evaluating cloud vendors should request the CMVP certificate number and verify that the operational environment listed in the certificate matches the deployment configuration being procured. A FIPS 140-3 certificate issued for a bare-metal appliance does not automatically extend to the same vendor's software running in a virtualized cloud environment.
A 90-Day Action Plan for Procurement Teams and CISOs
The following sequence is designed to be operationalized within a single quarter without waiting for agency-level policy directives.
Days 1-15: Audit
- Run CMVP database queries for all cryptographic vendors in active contracts and open solicitations
- Document FIPS standard version, certificate status, and expiry date for each module
- Produce a transition-risk register segmented by: (a) certificates expiring before September 21, 2026; (b) FIPS 140-2-only vendors with no 140-3 certificate; (c) vendors with FIPS 140-3 Active certificates
Days 16-30: Vendor Engagement
- Issue formal requests to all transition-risk vendors for their FIPS 140-3 laboratory submission date and projected certificate issuance date
- Document responses and escalate non-responses to the contracting officer
- Begin identifying qualified FIPS 140-3 alternatives for vendors who cannot provide a credible pre-September 2026 certificate date
Days 31-60: Language Updates
- Update all open RFP templates, base contract clauses, and technically acceptable thresholds to specify FIPS 140-3 with Active certificate status
- Brief contracting officers on the changed evaluation criteria
- Add FIPS 140-3 certificate verification to vendor onboarding checklists
Days 61-90: Governance
- Present the transition-risk register to the CISO with remediation owners and target dates assigned
- Establish a recurring (quarterly) CMVP status review for all cryptographic vendors in the portfolio
- Integrate FIPS 140-3 certificate status into the broader cryptographic compliance roadmap that maps CMVP cutoffs alongside NIST IR 8547 and CNSA 2.0 deadlines
As your immediate next step this week, go to the NIST CMVP certificate search at csrc.nist.gov/projects/cryptographic-module-validation-program and run queries for your top 10 cryptographic vendors. Filter results by FIPS 140-3 and Active status. Any vendor absent from those results should receive a formal written request for their certification roadmap by end of week.
Key Takeaways
- All FIPS 140-2 certificates transition to Historical status on September 21, 2026; Historical modules cannot satisfy cryptographic requirements in new federal procurements after that date.
- New FIPS 140-2 validation submissions closed on March 31, 2022; no vendor can obtain a new FIPS 140-2 certificate.
- FIPS 140-3 validation takes 24 to 36 or more months, meaning the effective procurement decision deadline for many vendors has already passed.
- Individual module certificates may expire before September 2026; procurement teams must check both the certificate expiry date and the broader sunset deadline.
- Updated RFP language should require an Active FIPS 140-3 certificate at time of delivery, not merely at award, and should include a notification clause if certificate status changes.
- Cloud and software-only modules face more stringent FIPS 140-3 testing requirements; the operational environment listed in the certificate must match the actual deployment configuration.
- The NIST CMVP database is the authoritative source for real-time certificate status and is publicly searchable by vendor name.
Related Reading
On this site:
- FIPS 140-3 validation gaps for post-quantum cryptographic modules
- Sequenced compliance roadmap covering CMVP cutoffs, CNSA 2.0, and NIST IR 8547
- FedRAMP POA&M requirements for cryptographic module migration
Primary sources:
- NIST Cryptographic Module Validation Program - official certificate database and transition policy
- FIPS 140-3 standard - Security Requirements for Cryptographic Modules
This article draws on primary documentation from the NIST Cryptographic Module Validation Program (CMVP) and published vendor transition notices. All claims verified against official sources as of April 2026.
Disclaimer: This content is for informational purposes only and does not constitute legal, regulatory, or compliance advice. Consult a qualified professional before making compliance decisions. pqcinformation.com is independent and not affiliated with any vendor or standards body.