OpenSSL Blog

FIPS 140-3 Plans


The OpenSSL Management Committee (OMC) on behalf of the OpenSSL Project is pleased to announce that the project is partnering with KeyPair Consulting and Acumen Security to validate OpenSSL to meet the requirements of the FIPS 140-3 standard.

The FIPS 140 standards define the minimum requirements for the use of cryptography by Canadian and USA government agencies.

The project recently finished a FIPS 140-2 validation, which will satisfy any immediate needs for NIST-approved cryptography. However, beginning in September 2021, NIST is transitioning to the more recent FIPS 140-3 standard, which means that a FIPS 140-3 validation will be required before the FIPS 140-2 validation is subject to their sunsetting policy, which is typically five years after the validation is granted.

Once the FIPS 140-3 validation is completed, premium support customers will be able to re-brand our certificate. If they have not already used their free re-branding, this will be cost-free, as per our earlier blog post.

As announced at the ICMC22 conference, the project has updated its roadmap to include FIPS 140-3 as the major feature in the OpenSSL 3.1 release series. At this stage, we do not have a timeline for submission, let alone for the validation process and the issuing of the FIPS 140-3 certificate. However, it is unlikely to be completed before 2024.