FIPS 140-3 Validation Gap: Why No PQC Algorithm Has a Validated Module Yet
As of Q1 2026, no cryptographic module supporting a post-quantum algorithm has achieved FIPS 140-3 validation through the NIST Cryptographic Module Validation Program (CMVP).[NIST CMVP] That fact is not widely understood, and the gap between what vendors are marketing and what compliance requires is actively producing misrepresentation in procurement documentation and audit submissions. Organizations documenting hybrid PQC deployments as FIPS-compliant, or treating algorithm-level certifications as module validations, are building audit findings into their infrastructure today.
The Certification Ladder Most Teams Are Misreading
FIPS 140-3 compliance operates on a two-stage hierarchy. The first stage is the Cryptographic Algorithm Validation Program (CAVP), which tests that an implementation correctly executes a specific algorithm against NIST-approved test vectors. Passing CAVP confirms algorithmic correctness only. The second stage is the CMVP itself, which validates the complete cryptographic module (covering physical security, key management, entropy sources, interfaces, authentication mechanisms, and operational environments) across one of four security levels.[NIST FIPS 140-3 Implementation Guidance] A CAVP certificate is a prerequisite for CMVP submission, not a substitute for it. Vendors that have achieved CAVP certification for ML-KEM or ML-DSA have cleared the first rung; they have not achieved FIPS 140-3 module compliance. Compliance officers who treat these two designations as equivalent will misrepresent their organization's posture to auditors.
NIST finalized ML-KEM as FIPS 203 and ML-DSA as FIPS 204 in August 2024, and SLH-DSA as FIPS 205 in the same release cycle.[NIST PQC Standardization Project] Standardization of the algorithms is therefore complete. The validation infrastructure for modules implementing those standards is not. Understanding the difference between those two statements is the foundational competency this gap requires. Security architects planning PQC migration timelines need to account for where the FIPS 140-3 process currently stands before committing to procurement or deployment schedules.
What the CMVP Active List Actually Shows as of Q1 2026
A direct search of the NIST CMVP validated modules list confirms zero validated modules supporting any PQC algorithm as of Q1 2026.[NIST CMVP Validated Modules List] This is the authoritative record. Any claim to the contrary requires a citation to a specific CMVP certificate number, not a vendor press release or CAVP announcement.
Two concrete milestones do mark progress in the CAVP pipeline. In January 2026, the CIQ NSS module received CAVP certification covering ML-KEM and ML-DSA, the first such certification for those algorithms. Separately, SafeLogic's CryptoComply FIPS 140-3 Provider achieved its 158th CAVP certification, covering all NIST-approved PQC algorithms. Both represent meaningful technical progress. Neither constitutes FIPS 140-3 module validation. A presentation delivered at the PKI Consortium's PQC Conference in Austin in 2025 by NIST's Jonathan Smith had projected the first FIPS 140-3 validated PQC module arriving in summer or fall 2025.[PKI Consortium / NIST Roadmap Presentation, Jonathan Smith, Austin 2025] That projection has not been met. NIST has not publicly committed to a revised timeline. The gap must currently be treated as having no fixed closing date.
Why PQC Modules Face Elevated Scrutiny in the CMVP Process
Classical algorithm modules (RSA, AES, ECDSA) accumulated decades of test precedent within the CMVP framework. Laboratory testing methodologies, side-channel resistance benchmarks, and entropy source assessment criteria were refined over many validation cycles. PQC algorithms introduce novel mathematical structures (lattice-based operations for ML-KEM and ML-DSA, hash-based constructions for SLH-DSA) for which no prior module validation precedent exists within the CMVP.[NIST FIPS 140-3 Implementation Guidance] Testing laboratories accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) must develop and calibrate new testing procedures for these constructions before validation can proceed reliably.
The FIPS 140-3 Implementation Guidance specifies requirements for physical security, key zeroization, entropy assessment, and non-invasive attack resistance that apply regardless of the underlying algorithm.[NIST FIPS 140-3 Implementation Guidance] For lattice-based algorithms specifically, the community is actively working through open questions about implementation-level side-channel exposures, a discussion visible in the NIST PQC Forum.[NIST PQC Forum] These are not theoretical concerns; they directly affect what laboratory testing must demonstrate before CMVP will issue a certificate. The delay reflects the thoroughness of the process, not a procedural failure.
The Hybrid Mode Trap: When "PQC-Capable" Becomes a Compliance Liability
Many organizations deploying PQC today are doing so in hybrid configurations, pairing a classical algorithm such as ECDH with ML-KEM so that the session key depends on both. This is a technically defensible migration posture, and it is broadly recommended by standards bodies including NIST and NCSC as an interim approach. It is not, however, documentable as FIPS 140-3 compliant in the absence of a validated module covering the PQC component.[NIST CMVP] The classical component of a hybrid deployment may sit within an existing validated module boundary. The PQC component does not. Representing the combined configuration as FIPS 140-3 compliant conflates two separate module boundaries and is not supportable under current CMVP requirements.
The correct framing for hybrid deployments, one that will withstand auditor scrutiny, is risk-acceptance documentation: the organization is implementing PQC capability ahead of validated module availability, acknowledging the compliance gap, and accepting residual risk pending CMVP validation. This is defensible. Asserting full FIPS 140-3 compliance for a hybrid configuration is not. Compliance frameworks for CISOs should explicitly distinguish between algorithm deployment status and module validation status in all internal documentation.
How to Brief Auditors on CAVP vs. CMVP Without Misrepresenting Your Posture
Compliance officers briefing internal auditors, external assessors, or federal regulators on PQC implementation status should use language that maps precisely to the CMVP hierarchy. The following distinctions are necessary in any compliance communication:
- Algorithm validation (CAVP): The implementation has been tested for algorithmic correctness against NIST test vectors. This does not constitute module validation.
- Module submission: A vendor has submitted a module for CMVP review. Submission does not imply imminent certification, and submission status is not public for all vendors.
- Module validation (CMVP): A FIPS 140-3 certificate has been issued and is listed on the NIST validated modules database. As of Q1 2026, no PQC-supporting module holds this status.
- Hybrid deployment posture: The organization has deployed PQC capability within a classical + PQC hybrid, with the PQC component not currently covered by a validated module. This posture is documented under risk acceptance, not compliance attestation.
Auditors who receive these distinctions clearly stated are in a better position to assess organizational posture accurately. Auditors who receive conflated terminology are likely to either over-credit the compliance posture or flag it as a finding upon closer review.
Building a Migration Plan Around a Gap That Has No Fixed Closing Date
The absence of a confirmed CMVP validation timeline for PQC modules does not suspend migration planning obligations. NIST IR 8547 signals RSA and ECC deprecation by 2030, with a final deadline of 2035.[NIST IR 8547] Cryptographic migration cycles average seven to ten years across enterprise environments. Organizations that defer planning until the first validated PQC module appears will compress an already constrained timeline further. The 2030 and 2035 deprecation deadlines in NIST IR 8547 remain in force regardless of CMVP availability.
Practically, security architects should structure migration plans to track three pipeline indicators. First, monitor the NIST CMVP modules-in-process list, which identifies modules under active review, though not all submissions appear there immediately.[NIST CMVP] Second, track NVLAP laboratory accreditation updates, which signal when testing infrastructure for PQC modules has been formally approved. Third, follow NIST PQC Forum activity for community consensus on open implementation questions that affect testing readiness.[NIST PQC Forum] Additional algorithms including those covered by FIPS 206 and stateful hash-based signature schemes are also in scope for future CMVP validation, expanding the surface area compliance teams will eventually need to address.[NIST PQC Standardization Project]
For procurement decisions, the actionable posture is to require CAVP certifications as a baseline selection criterion for PQC-capable products while explicitly excluding CAVP status from FIPS 140-3 compliance attestations in contracts and audit documentation. Procurement language should commit vendors to providing CMVP certificate numbers upon issuance rather than accepting algorithm validation as a compliance proxy. Structured PQC readiness assessments should include a module validation status field that is explicitly marked unresolved until a CMVP certificate is in hand.
The immediate next action for compliance officers is to query the NIST CMVP validated modules search interface directly, filtering for each PQC algorithm by name, and screenshot the results as of the date of any audit or compliance submission. This creates a defensible contemporaneous record that your posture documentation is grounded in the authoritative source, not vendor claims.
Key Takeaways
- No FIPS 140-3 validated cryptographic module supporting any PQC algorithm exists as of Q1 2026. The NIST CMVP validated modules list is the authoritative check.
- CAVP certification (algorithm-level correctness testing) is a prerequisite for CMVP submission, not a substitute for module validation. The two designations are not interchangeable in compliance documentation.
- The first FIPS 140-3 validated PQC module was projected for summer or fall 2025 per NIST's own roadmap presentation. That projection has not been met, and no revised public timeline has been issued.
- Hybrid classical + PQC deployments cannot be documented as FIPS 140-3 compliant in the absence of a validated module. The correct documentation frame is risk acceptance, not compliance attestation.
- Auditor briefings must distinguish between algorithm validation, module submission, and module validation as three discrete states. Conflating them produces findings.
- NIST IR 8547's 2030 and 2035 deprecation deadlines for RSA and ECC are unaffected by CMVP availability. Migration planning should proceed against those horizons regardless.
- Procurement language should require vendors to provide CMVP certificate numbers upon issuance and must not treat CAVP status as a compliance proxy in contract attestations.
Related Reading
Primary sources:
- NIST CMVP searchable validated modules database
- NIST FIPS 140-3 Implementation Guidance: full module testing requirements
- NIST PQC validation roadmap presentation, PKI Consortium Austin 2025
This article draws on primary documentation from the NIST Cryptographic Module Validation Program, the NIST FIPS 140-3 Implementation Guidance, the NIST Post-Quantum Cryptography Standardization Project, the PKI Consortium PQC Conference Austin 2025 (Jonathan Smith, NIST), and the NIST PQC Forum. All claims verified against official sources as of April 2026.
Disclaimer: This content is for informational purposes only and does not constitute legal, regulatory, or compliance advice. Consult a qualified professional before making compliance decisions. pqcinformation.com is independent and not affiliated with any vendor or standards body.