FIPS 140-2 validated cryptographic modules transition to Historical status on September 21, 2026. Historical status means the NIST CMVP no longer lists these modules as actively validated for procurement verification purposes. Organizations relying on FIPS 140-2 validated products for regulatory compliance should review their applicable agency or contractual requirements to determine whether Historical-status modules remain acceptable for existing deployments and whether new procurements must specify FIPS 140-3 validated products.
The September 21, 2026 date is a firm deadline set by NIST's Cryptographic Module Validation Program (CMVP). On that date, any cryptographic module holding an active FIPS 140-2 validation automatically moves to Historical status in the CMVP module database. Historical status does not mean the product is insecure or defective - it means the CMVP no longer considers the validation active for new procurement verification. What this means in practice varies by context.
Federal agencies: OMB and agency-specific guidance determines whether Historical-status modules can remain in production. Agencies should be consulting their IT security teams now, well before the September deadline.
DoD and national security systems: Given the intersection with CNSA 2.0 requirements, most classified and national security use cases will require FIPS 140-3 or higher-assurance products.
Commercial and contractual requirements: Many contracts and audit frameworks reference FIPS 140-2 compliance without specifying Historical vs. active status - review specific contracts and consult legal counsel if needed.
New procurements: Any organization procuring new cryptographic modules or products with embedded cryptographic functions should require FIPS 140-3 validation going forward.
Organizations should check the NIST CMVP module search at csrc.nist.gov to verify current validation status of specific products they rely on.
Keep Exploring
References