16 Jul 2026FIPS 140

FIPS 140-2 sunsets in September 2026

Two fixed dates in September 2026 close out FIPS 140-2 for users of the OpenSSL FIPS Provider. The validated FIPS 140-3 replacement is available now, and the dates do not move.

By Kajal Sapkota6 min read
The short version
OpenSSL Library 3.0
7 Sep 2026
End of life — no further fixes from the project, security fixes included.
FIPS 140-2 · #4282
21 Sep 2026
Moves to the CMVP Historical List — a validation-status change, not a revocation.
The fix · FIPS 140-3
#4985
Validated through March 2030 and available now, across the 3.x series.

Two dates in September 2026 matter for anyone running a FIPS-validated deployment of the OpenSSL Library.

On 7 September 2026, the OpenSSL Library 3.0 series reaches end of life, after which the 3.0 line gets no further fixes from the OpenSSL project, security fixes included. Two weeks later, on 21 September 2026, the CMVP moves the remaining FIPS 140-2 validations to its Historical List, among them the OpenSSL FIPS Provider validated under FIPS 140-2 as CMVP certificate #4282, which is the provider that ships with the 3.0 series.

September 2026 · the FIPS sunset
07 SEP 2026
OpenSSL Library 3.0 — end of life
No further fixes from the project, security fixes included. A software support boundary.
21 SEP 2026
FIPS 140-2 → CMVP Historical List
Certificate #4282 is no longer Active. A validation-status change, not a revocation.
The validated path · available now
FIPS 140-3 module
CMVP #4985 — valid through March 2030
Supported lines
3.5 (LTS, fixes through 2030) · 4.0
Bridge
Engineering support contract, while you migrate
The two dates that close out FIPS 140-2 — two weeks apart — and the module that replaces it.

It helps to keep these two events apart. One is a software support boundary: the 3.0 library stops being maintained. The other is a validation-status change: the 140-2 certificate is no longer Active. A given deployment might be touched by one, the other, or both, and the right response depends on which of those constraints actually applies to you.

2separate constraints
A software support boundary — the 3.0 library stops being maintained — and a validation-status change — the 140-2 certificate is no longer Active. A deployment may face one, the other, or both.

What moving to the Historical List means

Historical status is not revocation. A certificate on the Historical List has not been withdrawn, and a system already running a module under it does not stop working on 21 September. The CMVP's guidance is narrower than that: modules on the Historical List should not be used in new procurements, and an organization relying on one in an existing deployment is expected to make a risk-based decision about continued use.

Two cases · one destination
A new procurement, authorization, or assessment?
No
Plan the move
An already-authorized system, kept running on a risk-managed basis.
Yes
Act now
A new procurement or assessment; Historical 140-2 will not satisfy it.
One destination
Active FIPS 140-3 module
Certificate #4985
Whether the Historical List date forces action depends on the obligation, not on the calendar alone.

In practice that splits in two. A team whose only obligation is to keep an already-authorized system running, with assessors who accept a risk-managed continuation, may not be forced into immediate action by Historical status alone. But where the obligation involves a new procurement, a new authorization, or an assessment that turns on a currently valid certificate, a 140-2 certificate on the Historical List will not satisfy it, and for most organizations carrying ongoing FISMA, FedRAMP, or comparable requirements, that is the case that governs. The conclusion is the same either way: you need a module with an active FIPS 140-3 validation.

Historical status is not revocation.

The validated path is already available

For users of the OpenSSL Library, that module exists today. The OpenSSL FIPS Provider is validated under FIPS 140-3 as CMVP certificate #4985, valid through March 2030, and per the project's stated compatibility it is usable across the 3.x series, including 3.5. The validated path for the September transition is therefore already in place.

Current posture → durable posture
Current posture
Library line
OpenSSL Library 3.0 series
End of life · 7 Sep 2026
FIPS module
FIPS 140-2 module · #4282
Historical List · 21 Sep 2026
Move both
the provider can move first
Durable posture
Library line
3.5 (LTS) or 4.0
Supported to 2030
FIPS module can move first
FIPS 140-3 module · #4985
Active to March 2030
Both moves together: onto a supported library line and onto the 140-3 module. The provider can move first, but the 3.0 series is ending and is not a place to stay.

Because the FIPS provider and the rest of the OpenSSL Library are separate components, in many cases you can move to the 140-3 module without replacing your whole library line at once, since the provider is the part that carries the validation. That does not retire the 7 September deadline, though. With the OpenSSL Library 3.0 series at end of life, staying on the 3.0 library indefinitely is not a supported posture whichever provider you load. The supported LTS line is 3.5, with security fixes through 2030, and the current major release is 4.0, so the durable targets are 3.5 or 4.0; the 1.x lines and the 3.1, 3.2 and 3.3 series are already past upstream support. So the durable position is both moves together: adopt the FIPS 140-3 module, and get onto 3.5 or 4.0.

2030supported through
The durable targets run for years: 3.5 (LTS) carries security fixes through 2030, and the validated module #4985 is valid through March 2030.

For teams that cannot make that move before 3.0 goes end of life, extended support through an Engineering support contract continues security fixes for the older line, which buys time to migrate without running unmaintained cryptography in production. The same upgrade that gets a team onto 3.5 or 4.0 also brings the NIST post-quantum algorithms, with hybrid post-quantum key exchange enabled by default for TLS 1.3 in those releases, so the FIPS migration and the start of post-quantum readiness can be one piece of work rather than two. For FIPS-validated use, the module carrying those post-quantum algorithms is still completing its FIPS 140-3 validation, so validated PQC follows once it lists.

OpenSSL Library · support lifecycle
2019
2023
2026
2030
Today
3.0
End of life · 7 Sep 2026
3.5
LTS · fixes through 2030
4.0
Current major release
Earlier lines — 1.0.2, 1.1.1, and the 3.1, 3.2 and 3.3 series — are already past upstream support. Extended support through an Engineering support contract back-ports security fixes to an end-of-life line while you migrate.
Where each OpenSSL Library line stands. The durable targets are the two that run past today: 3.5 (LTS) and 4.0.

The timeline is the hard part

None of this is difficult in isolation. The difficulty is schedule. Changing the cryptographic module under a validated system is rarely a drop-in swap in a regulated environment: it means re-testing against your own integration, re-producing whatever validation evidence your compliance program requires, updating documentation and authorization artifacts, and fitting the change into change-control windows that often run to months. The dates themselves are fixed and were published years ago, so the only real variable is whether a team gives itself runway or runs the migration against the deadline in September.

The difficulty is schedule.

The migration work, and the module itself, come from the people who maintain the OpenSSL Library. OpenSSL Corporation employs the developers and is the largest single contributor to the OpenSSL Library, with the per-release contribution breakdown published at status.openssl.org, so it can be checked rather than taken on trust.

Both certificates are searchable by number in the CMVP Validated Modules database, #4282 for the 140-2 module and #4985 for the 140-3 module, and the 3.0 end-of-life date is in the OpenSSL Library release strategy.

Plan the move
Work directly with the maintainers on your FIPS 140-3 migration.
Contact us →

References

CMVP certificate #4282 (OpenSSL FIPS Provider, FIPS 140-2), sunset date 21 September 2026:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282
CMVP certificate #4985 (OpenSSL FIPS Provider, FIPS 140-3), Active, sunset date 10 March 2030:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4985
OpenSSL Library, FIPS 140-3 validation announcement, compatibility across 3.0 through 3.5:
https://openssl-library.org/post/2025-03-11-fips-140-3/
OpenSSL Library release strategy, 3.0 end of life on 7 September 2026 and current supported releases:
https://openssl-library.org/policies/releasestrat/
OpenSSL contributor breakdown, published per release:
https://status.openssl.org/versions/4.0/