All New Federal Cryptographic Hardware Procurement Must Be FIPS 140-3 Validated After September 21, 2026

Effective September 21, 2026, NIST moves all remaining FIPS 140-2 certificates to Historical status. After this date, federal procurement of HSMs, network appliances, VPN concentrators, and other cryptographic hardware must specify FIPS 140-3 validated products only. Products currently in procurement pipelines that are only FIPS 140-2 validated will be ineligible for new acquisitions after September. Current solicitations should be reviewed for cryptographic module requirements. (more)

Signal: This is an active procurement requirement, not a future planning item. Any federal data center infrastructure solicitation issued after September 21 must specify FIPS 140-3. Vendors with only FIPS 140-2 validation lose federal procurement eligibility for new buys. Hardware refresh cycles should be accelerated where needed.