topic Re: For 2026, The Move Towards FIPS 140–3 in Tech Talk

For 2026, The Move Towards FIPS 140–3

Caute_cautim — Wed, 10 Apr 2024 06:08:36 GMT

Hi All

If your company is serious about cybersecurity and in protecting data, there’s a good chance that it will support FIPS (Federal Information Processing Standards Publications) 140–2. Currently, there are 946 certified modules for FIPS 140–2 [here]:

https://medium.com/asecuritysite-when-bob-met-alice/for-2026-the-move-towards-fips-140-3-cac79df08789

Regards

Caute_Cautim

Re: For 2026, The Move Towards FIPS 140–3

Kyaw_Myo_Oo — Tue, 16 Apr 2024 10:59:31 GMT

Thanks for sharing this information with us @Caute_cautim.

Re: For 2026, The Move Towards FIPS 140–3

BRutan — Thu, 02 May 2024 14:57:10 GMT

There are two transitions to be aware of here based on the company's role.

Product development: The only option at this point is 140-3. Some updates can still be done for existing 140-2 devices, but if a company wishes to validate a new product to FIPS 140, FIPS 140-3 is their only option.

Product procurement: All 140-2 products will migrate to the historical list 2026 as this article states. This does not mean they can no longer be used (unless company policy dictates this). This means these devices can no longer be procured and only 140-3 devices will be procurable for compliance.

Overall just because a device is 140-2 compliant does not mean it is inherently less secure than 140-3. This will come down to the specific device in question. Cryptographic algorithms, for instance, are not necessarily different between 140-2 and 140-3. Approved cryptographic algorithms are added and removed in parallel to this program (algorithms fall under CAVP while the other requirements fall under CMVP). The impact of 140-3 is more apparent in more complex and higher level devices.