FIPS 140-2 → 140-3: The Sept 21, 2026 Sunset and Control 3.13.11

A quiet but real deadline for anyone encrypting CUI. What moves on September 21, 2026 — and what it means for new systems.

If you handle CUI, one NIST 800-171 control quietly depends on a date most people haven't noticed: September 21, 2026. That's when NIST's Cryptographic Module Validation Program (CMVP) moves all FIPS 140-2 certificates to its Historical List. It won't break your existing systems overnight — but it changes the math for anything new you stand up. Here's the practical version.

Why this matters for CMMC at all

NIST SP 800-171 control 3.13.11 requires you to employ FIPS-validated cryptography when used to protect the confidentiality of CUI. The operative word is validated — not "encrypted," not "FIPS-compliant," but cryptography from a module that NIST's CMVP has actually validated and listed. That's why the status of FIPS 140-2 certificates is a CMMC question, not just an IT trivia question.

Validated ≠ compliant. A vendor saying their product is "FIPS compliant" is not the same as a module appearing on the CMVP validated list. For control 3.13.11, only a module on the CMVP list counts, and only when it is the listed version running in the approved mode its security policy describes. Always confirm the specific module and certificate number, not the marketing.

What actually happens on September 21, 2026

On that date, every FIPS 140-2 module certificate moves to the Historical List. Two consequences matter:

  1. Existing deployments are not invalidated. A Historical listing means the certificate is no longer maintained, not that the module has been revoked; systems already running validated 140-2 modules can keep running them.
  2. New procurement and new builds should not rely on them. Modules on the Historical List are not to be included in new federal procurements, so a 140-2 certificate stops being a defensible basis for anything you stand up after that date.

So the honest framing is: not a cliff for what you already run, but a closing door for what you build next.

140-2 vs 140-3, briefly

Status
  FIPS 140-2: superseded; all certificates move to the Historical List on Sept 21, 2026
  FIPS 140-3: the current standard going forward

Timeline
  FIPS 140-2: long-standing; CMVP stopped accepting new 140-2 submissions in Sept 2021
  FIPS 140-3: approved in 2019; CMVP has accepted 140-3 submissions since Sept 2020

For control 3.13.11
  FIPS 140-2: counts for existing deployments while the certificate stands; lifecycle now limited
  FIPS 140-3: the forward-looking choice for new deployments

For the everyday CUI use case — encrypting data at rest and in transit — both represent validated cryptography. The difference that matters today is lifecycle, not capability.

What to do about it

  1. For new environments, prefer modules with a current FIPS 140-3 validation, and verify the exact module on the CMVP validated modules list before you commit. A certificate covers a specific module version and operating environment, so match what you deploy to what is listed and run it in the approved mode described in the module's security policy.
  2. For existing systems, don't panic-rip-and-replace. Document what you run, confirm it was validated, and plan refreshes toward 140-3 on your normal lifecycle, not in a fire drill.
  3. Mind your boundary. Wherever CUI is processed, stored, or transmitted (your CUI scope), the cryptography protecting it needs to be validated. That includes the cloud services and endpoints in scope, not just the file server.
  4. Keep your SSP honest. Your System Security Plan should name the specific validated modules, with their CMVP certificate numbers, that you rely on for 3.13.11; vague "we use encryption" language is exactly what fails at assessment.

Related control to check while you're here: 3.13.8 (protect the confidentiality of CUI in transit). FIPS-validated cryptography is how you satisfy both 3.13.8 and 3.13.11 in practice.
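The four steps above reduce to a small decision rule per in-scope system: is the module named with a certificate number, is it 140-2 or 140-3, is the system new or existing, and where does the assessment date fall relative to September 21, 2026. The script below, an added example rather than anything from the original article or from NIST, applies that rule to an SSP-style inventory. The inventory format, the system names and the certificate numbers are constructed placeholders; the real check is still a manual lookup of each entry on the CMVP validated modules list.

```python
"""Audit an SSP crypto-module inventory against the FIPS 140-2 sunset.

Added example, not code from the original article. The inventory format,
system names and certificate numbers are constructed for illustration;
real entries come from your SSP and each one must still be confirmed
against the CMVP validated modules list.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Date on which CMVP moves every FIPS 140-2 certificate to the Historical List.
FIPS_140_2_HISTORICAL = date(2026, 9, 21)

# Two assessment dates used by the sample run: one before and one after the sunset.
BEFORE_SUNSET = date(2026, 1, 15)
AFTER_SUNSET = date(2026, 10, 1)


@dataclass
class ModuleEntry:
    system: str                 # in-scope system (hypothetical names below)
    module: str                 # exact module name as it appears on the CMVP certificate
    cert_number: Optional[int]  # CMVP certificate number; None means "not documented"
    standard: str               # "140-2" or "140-3"
    new_deployment: bool        # True if the system is being stood up now


def evaluate(entry: ModuleEntry, as_of: date):
    """Classify one inventory entry as ('ok' | 'warn' | 'fail', reason).

    Encodes the article's rule: a 140-2 certificate on the Historical List is
    not a cliff for an existing system but is a closed door for a new one, and
    an entry with no certificate number is not evidence for 3.13.11 at all.
    """
    if entry.cert_number is None:
        return "fail", "no CMVP certificate number recorded; 'we use encryption' is not evidence"
    if entry.standard == "140-3":
        return "ok", f"current FIPS 140-3 validation (cert #{entry.cert_number})"
    if entry.standard != "140-2":
        return "fail", f"unknown standard {entry.standard!r}; confirm the certificate on the CMVP list"

    historical = as_of >= FIPS_140_2_HISTORICAL
    if entry.new_deployment and historical:
        return "fail", "140-2 certificate is on the Historical List; do not build new systems on it"
    if entry.new_deployment:
        days_left = (FIPS_140_2_HISTORICAL - as_of).days
        return "warn", f"140-2 certificate goes Historical in {days_left} days; prefer a 140-3 module"
    if historical:
        return "warn", "existing deployment on a Historical 140-2 certificate; refresh to 140-3 on normal lifecycle"
    return "ok", f"validated 140-2 module (cert #{entry.cert_number}); schedule refresh before {FIPS_140_2_HISTORICAL}"


def audit(inventory, as_of: date):
    """Return {system: (status, reason)} for every entry in the inventory."""
    return {e.system: evaluate(e, as_of) for e in inventory}


# Constructed sample inventory. Certificate numbers are placeholders, not real CMVP certificates.
SAMPLE_INVENTORY = [
    ModuleEntry("file-server-01", "Example Kernel Crypto Module", 1111, "140-2", False),
    ModuleEntry("new-vdi-pool", "Example Kernel Crypto Module", 1111, "140-2", True),
    ModuleEntry("cui-gateway", "Example TLS Provider", 2222, "140-3", True),
    ModuleEntry("legacy-nas", "vendor says 'FIPS compliant'", None, "140-2", False),
]

if __name__ == "__main__":
    for when in (BEFORE_SUNSET, AFTER_SUNSET):
        print(f"--- as of {when} ---")
        for system, (status, reason) in audit(SAMPLE_INVENTORY, when).items():
            print(f"{status:4} {system:16} {reason}")
```

Run as-is it prints one verdict per system for each date; the same 140-2 module on the same certificate is "ok" for the existing file server and "warn" for the new VDI pool before the sunset, and "warn" versus "fail" after it. The entry with no certificate number fails on both dates regardless of what the vendor calls the product, which is the point of step 4.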

See where your cryptography controls actually stand

3.13.11 is one of 110. Run the full self-assessment free and find out which controls — crypto or otherwise — are costing you the most points. About 10 minutes, no signup.

Calculate your SPRS score free →

The bottom line

September 21, 2026 isn't a reason to tear apart a working environment. It's a reason to stop deploying new systems on cryptography that's about to age out, and to make sure your 3.13.11 story names real, validated modules. Treat it as a lifecycle planning date, document accurately, and you're ahead of most.

FIPS 140-2 sunset — frequently asked

What happens on September 21, 2026?

NIST's CMVP moves all FIPS 140-2 certificates to the Historical List. Agencies can't rely on them for new procurement; existing deployments can keep using them.

Does this break my CMMC compliance?

Not automatically for systems already running validated 140-2 modules. The real impact is on new systems and new procurement, where current 140-3 validations are increasingly expected.

What's the difference between 140-2 and 140-3?

140-3 is the current standard and supersedes 140-2 (approved in 2019; CMVP has accepted 140-3 submissions since Sept 2020 and stopped accepting 140-2 submissions in Sept 2021). For encrypting CUI, both are validated cryptography; the difference now is lifecycle.

What should I do for a new deployment?

Prefer modules with a current FIPS 140-3 validation and confirm them on the CMVP validated list — validated and "compliant" are not the same thing for control 3.13.11.