
Three cryptographic deadlines, five months apart: What to do before 2027

April 24, 2026

Contributors

Jeremy Allison, Distinguished Engineer at CIQ


September 21, 2026. November 2026. January 2027. Three regulatory deadlines, five months apart, each with a distinct cryptographic requirement for Linux infrastructure. They form a dependency sequence, and the organizations that address all three share one trait: an active FIPS 140-3 baseline with post-quantum readiness already in progress.

Missing the September deadline compounds through November and January

The requirements stack in one direction. FIPS 140-2 modules will no longer qualify for new procurement after September 21. CMMC Level 2 requires FIPS 140-3 validated modules for protecting Controlled Unclassified Information (CUI). CNSA 2.0 requires those modules to include post-quantum algorithms with full CMVP validation: not just algorithm support, not just a vendor announcement. Each deadline is harder than the last, and each assumes the one before it has already been addressed.

September 21, 2026: what "Historical status" changes for your deployments

NIST's FIPS 140-2 program closes on September 21, 2026. Cryptographic module certificates issued under FIPS 140-2 move to Historical status on that date. The modules don't stop working; a system running FIPS 140-2 validated modules will continue to function. But NIST's CMVP defines "Historical" modules as modules that "should not be included by Federal Agencies in new procurements."

Defense contractors under CMMC face the most direct impact: the NIST CMVP directive states Historical modules "should not be included by Federal Agencies in new procurements," which maps to CMMC evidence requirements.

For healthcare organizations under HIPAA, financial services firms under GLBA and PCI DSS, and utilities under NERC CIP, the consequence is different in mechanism but similar in practice: each of those frameworks independently requires FIPS validation as evidence of adequate cryptographic controls.

After September 21, a Historical certificate raises the same question in any audit: is this the current validated standard? Whether it passes review depends on the program and the examiner. For new system builds and renewed compliance attestations, the answer will be harder to defend.

The first question to answer is whether your Linux infrastructure has active FIPS 140-3 certificates today. This is a different question from whether your systems are running in FIPS mode. FIPS mode is a configuration. FIPS 140-3 validation is a CMVP certificate tied to a specific module and version. The two can exist independently of each other. An organization that has only verified its FIPS mode configuration has not verified its FIPS 140-3 certificate status. The distinction between the two is exactly what September 21 brings into focus.

November 2026: CMMC Level 2 requires a CMVP certificate, not a configuration flag

CMMC Level 2 enforcement begins in November 2026. Control 3.13.11 of NIST SP 800-171 specifies: "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI." That phrase, FIPS-validated, means a current CMVP certificate, not FIPS mode configuration.

A system running in FIPS mode with no active CMVP certificate fails 3.13.11. A certificate that has moved to Historical status on September 21 raises the same question. Defense contractors who discover their module status during a C3PAO assessment rather than before will have fewer options at that point.

A common reading of 3.13.11 treats it as a configuration task: enable FIPS mode; document the configuration; mark the control satisfied. The requirement asks for a validated module. The evidence chain runs from your running system to a certificate number in the NIST CMVP database.

The evidence chain starts with your module inventory.
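The difference between FIPS mode and a certificate covering the running module version, and the per-module evidence chain described above, as an added example (not code from the article or from CIQ). The certificate IDs, version strings, verdict labels and function names are constructed placeholders; a real inventory is transcribed from the NIST CMVP database.

```python
from dataclasses import dataclass
from datetime import date
from pathlib import Path

SUNSET_140_2 = date(2026, 9, 21)  # date the article gives for 140-2 -> Historical

@dataclass(frozen=True)
class CertRecord:
    cert_id: str            # constructed placeholder, not a real CMVP number
    module: str
    validated_version: str  # exact version string the certificate covers
    standard: str           # "140-2" or "140-3"

# Constructed inventory; a real one is transcribed from the CMVP database.
RECORDS = [
    CertRecord("CERT-PLACEHOLDER-A", "openssl", "3.0.0-example", "140-3"),
    CertRecord("CERT-PLACEHOLDER-B", "libgcrypt", "1.8.0-example", "140-2"),
]

def fips_mode_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Read the kernel FIPS flag: a configuration fact, not a validation fact."""
    p = Path(path)
    return p.is_file() and p.read_text().strip() == "1"

def evidence_for(module, running_version, fips_mode, records, today):
    """Return (verdict, reason) for one module's certificate evidence chain."""
    certs = [r for r in records if r.module == module]
    if not certs:
        return ("FAIL", "no CMVP certificate recorded for this module")
    exact = [r for r in certs if r.validated_version == running_version]
    if not exact:
        return ("FAIL", "running version differs from the validated version")
    # Prefer a 140-3 record when both generations cover the same version.
    rec = sorted(exact, key=lambda r: r.standard, reverse=True)[0]
    if rec.standard == "140-2" and today >= SUNSET_140_2:
        return ("REVIEW", f"{rec.cert_id} is Historical as of {SUNSET_140_2}")
    # Assumption: a validated module only counts when run in its approved mode.
    if not fips_mode:
        return ("GAP", f"{rec.cert_id} matches, but FIPS mode is not enabled")
    return ("PASS", f"{rec.cert_id} covers {module} {running_version}")

if __name__ == "__main__":
    mode = fips_mode_enabled()
    for mod, ver in [("openssl", "3.0.0-example"), ("libgcrypt", "1.8.0-example"),
                     ("kernel", "5.14.0-example")]:
        print(mod, evidence_for(mod, ver, mode, RECORDS, date.today()))
```

A module with FIPS mode on but no matching record returns FAIL, which is the case the common reading of 3.13.11 misses.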

January 2027: CNSA 2.0 requires validated PQC, and validation takes two years

CNSA 2.0 requires post-quantum algorithms for new operating system acquisitions starting January 2027. The specific algorithms: ML-KEM-1024 for key establishment and ML-DSA-87 for digital signatures. For systems performing signature generation, the requirement is full CMVP validation: a certificate in the NIST database, tied to a specific module version.

The CMVP process takes more than 18 months from submission to active certificate; FIPS 140-3 validations averaged 542 days as of early 2024, according to CMVP queue analysis published by Keypair.us, and the average has since increased. A distribution that adds post-quantum algorithm support in 2026 has not delivered a CMVP-validated PQC module; it has delivered a starting point. Organizations waiting on OpenSSL 3.5.4's CMVP submission (filed October 2025) are waiting for a certificate that will not arrive before the January 2027 deadline.

What's available before full CMVP validation: CAVP certification and MIP (Module in Process) status. CAVP certification confirms that the individual algorithms passed NIST's Cryptographic Algorithm Validation Program. MIP status confirms the full module has been submitted for CMVP review. Rocky Linux from CIQ is the first Enterprise Linux with CAVP-certified ML-KEM and ML-DSA in its NSS module, with active CMVP MIP status for its PQC modules. Full CNSA 2.0 compliance requires a CMVP certificate. For organizations documenting their post-quantum posture before that certificate arrives, CAVP certification and MIP status represent the most advanced documentable state available in Enterprise Linux today.

One FIPS 140-3 baseline covers all three deadlines

| Deadline | Date | Requirement | What it requires from your Linux infrastructure |
|---|---|---|---|
| FIPS 140-2 sunset | September 21, 2026 | 140-2 certs move to Historical | Active FIPS 140-3 CMVP certificate |
| CMMC Level 2 enforcement | November 2026 | 3.13.11: FIPS-validated crypto for CUI | Active 140-3 certificate tied to the specific module version running on your systems |
| CNSA 2.0 (new OS acquisitions) | January 2027 | ML-KEM + ML-DSA with CMVP validation | CAVP certification + CMVP MIP as interim documentation; full validation for post-2027 procurement |

The common thread: certificates in the NIST CMVP database, tied to the specific module version running on your systems.

Organizations running RLC Pro can point to active certificates for all three rows in that table.

For the first two deadlines, RLC Pro ships with five active FIPS 140-3 certificates: #5200 (OpenSSL, Rocky 8), #5117 (libgcrypt), #5116, #5113, and #5095 (kernel), tied to specific module versions and verifiable in the NIST CMVP database today, with LTS version pinning that keeps those certificates valid across routine update cycles.

For the third, RLC Pro's NSS module carries CAVP-certified ML-KEM and ML-DSA with active CMVP MIP status, the most advanced post-quantum baseline documentable before full CMVP validation arrives.

The deadline sequence doesn't offer a choice about ordering. September 21 lands first. The organizations ready for January 2027 are the ones whose FIPS 140-3 baseline is already solid.
