FIPS 140-2 Sunset Presents Compliance Challenges for Government Contractors
As the September 21, 2026 sunset of FIPS 140-2 approaches, contractors must prepare for significant compliance changes involving Windows 11 and BitLocker. The federal cybersecurity community is urging proactive risk management strategies to navigate potential disruptions in contract compliance amidst delays in FIPS 140-3 certification approvals.
Key Signals
- FIPS 140-2 sunset set for September 21, 2026
- DCSA demonstrates flexibility in FIPS compliance assessments
- Contractors need to document mitigation plans for compliance risks
"If it has a 140-2 historical cert and a 140-3 cert in the queue, we accept risk because the risks of unpatched systems or unencrypted CUI is too great."
The impending sunset of FIPS 140-2 on September 21, 2026, poses a significant compliance challenge for government contractors utilizing Windows 11 and BitLocker cryptographic modules. The Federal Information Processing Standards (FIPS) are critical for maintaining cybersecurity in federal agencies, as they define the security requirements for cryptographic modules utilized for sensitive data. As we approach the sunset date, contractors must strategically mitigate risks associated with the transition to FIPS 140-3. In particular, current certifications under FIPS 140-2 will no longer suffice, which might disrupt the operational security protocols in place within various government contracts.
Recognizing this shift, the role of Cybersecurity Maturity Model Certification (CMMC) Third Party Assessment Organizations (C3PAOs) becomes increasingly pertinent. These organizations are guided by an evolving understanding of compliance as they oversee assessments that account for the transitional risks linked to the FIPS 140-2 sunset. To address these complexities, contractors are documenting operational plans that set out the actions they will take to maintain compliance during the transition. This proactive approach helps establish a risk management framework that both meets compliance expectations and minimizes operational disruption.
The Defense Counterintelligence and Security Agency (DCSA) is also keenly aware of these compliance shifts. DCSA auditors are adopting a flexible posture in their assessments, increasingly focusing on evidence of ongoing FIPS compliance rather than strictly demanding adherence to the newly established FIPS 140-3 standard. This flexibility reflects an understanding of the challenges contractors face in achieving timely compliance, while still ensuring that contractors do not operate in a completely uncertain security environment. By maintaining robust documentation and establishing clear communication channels between assessors and contractors, both parties can manage the transition effectively.
With these changes on the horizon, procurement professionals should play a pivotal role in ensuring that contract requirements accurately reflect the transitional risk posture contractors face. For instance, focusing on the requirement for risk management strategies that align with the evolving compliance landscape will be vital. Encouraging contractors to furnish clear and credible evidence of their compliance efforts can streamline the audit process and help minimize delays in contract execution.
Organizations involved in CMMC assessments should remain attuned to the expectations of assessors as they develop their operational plans. Proactive alignment will help these organizations avoid audit issues and ensure a smooth transition for their compliance operations as the FIPS standards evolve. As stated by a leading compliance expert, "If it has a 140-2 historical cert and a 140-3 cert in the queue, we accept risk because the risks of unpatched systems or unencrypted CUI is too great." This highlights the critical balance between accepting reasonable interim risk and working rapidly toward compliance with the updated standards.
Agencies
- Cybersecurity Maturity Model Certification Third Party Assessment Organizations
- Defense Counterintelligence and Security Agency
Vendors
- Microsoft
Sources
- FIPS 140-2 Sunset vs. Windows 11, reddit-cmmc · Jun 02