Cryptography Compliance Deadlines 2026–2027 (FIPS 140-2 sunset, CNSA 2.0/PQC)
Key Questions
What is the FIPS 140-2 sunset deadline and its impact on FedRAMP CSPs?
The FIPS 140-2 sunset occurs in September 2026 and is critical for FedRAMP CSPs still using legacy crypto modules. Outdated cryptography could block new ATOs or renewals for affected providers.
How do CNSA 2.0 and PQC timelines affect defense-adjacent FedRAMP providers?
CNSA 2.0/PQC timelines will impact defense-adjacent FedRAMP High providers, requiring updates to meet new cryptographic standards. Organizations must plan for these deadlines to maintain compliance.
What resources help with crypto-agility and post-quantum vulnerability management?
The talk 'Preparing Vulnerability Management for the Post-Quantum Era' offers a practical playbook for crypto-agility by treating cryptography as an inventory item. It provides actionable guidance directly relevant to FIPS 140-2 sunset and CNSA 2.0 deadlines.
FIPS 140-2 sunset in Sept 2026 is a critical deadline for FedRAMP CSPs still using legacy crypto modules. CNSA 2.0/PQC timelines will affect defense-adjacent FedRAMP High providers. Outdated crypto could block new ATOs or renewals. Practical checklist of hidden hurdles is useful for day-2 compliance planning. New reading: 'Preparing Vulnerability Management for the Post-Quantum Era' talk provides a practical playbook for crypto-agility, treating cryptography as an inventory item. Directly relevant to FIPS 140-2 sunset and CNSA 2.0 deadlines, offering actionable guidance for day-2 compliance planning.