cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Caute_cautim
Community Champion

For 2026, The Move Towards FIPS 140–3

Hi All

 

If your company is serious about cybersecurity and in protecting data, there’s a good chance that it will support FIPS (Federal Information Processing Standards Publications) 140–2. Currently, there are 946 certified modules for FIPS 140–2 [here]:

 

https://medium.com/asecuritysite-when-bob-met-alice/for-2026-the-move-towards-fips-140-3-cac79df0878...

 

Regards

 

Caute_Cautim

 

 

 

 

 

 

 

2 Replies
Kyaw_Myo_Oo
Contributor III

Thanks for sharing this information with us @Caute_cautim.

 

 

Kyaw Myo Oo
Manager , CB BANK PCL
CCIE #58769 | PCNSE | SAA-C03 | CCSM | CISSP | PMP
BRutan
Viewer

There are two transitions to be aware of here based on the company's role.

 

Product development: The only option at this point is 140-3.  Some updates can still be done for existing 140-2 devices, but if a company wishes to validate a new product to FIPS 140, FIPS 140-3 is their only option.

 

Product procurement: All 140-2 products will migrate to the historical list 2026 as this article states.  This does not mean they can no longer be used (unless company policy dictates this).  This means these devices can no longer be procured and only 140-3 devices will be procurable for compliance. 

 

Overall just because a device is 140-2 compliant does not mean it is inherently less secure than 140-3. This will come down to the specific device in question.  Cryptographic algorithms, for instance, are not necessarily different between 140-2 and 140-3. Approved cryptographic algorithms are added and removed in parallel to this program (algorithms fall under CAVP while the other requirements fall under CMVP).  The impact of 140-3 is more apparent in more complex and higher level devices.