Adam Cady

September 22, 2026 is not a suggestion. It’s a hard deadline — and most organizations aren’t prepared.
On September 22, 2026, NIST will move all FIPS 140-2 certificates to the Historical List. Only FIPS 140-3 validated solutions will satisfy federal cryptographic requirements for new procurements.
If you manage network infrastructure for a federal agency, a defense contractor, a critical infrastructure operator, or any organization subject to FISMA, FedRAMP, CMMC, or NERC CIP — this date should already be on your planning calendar.
September 22, 2026 is 90 days away. Federal procurement cycles run 6–12 months. Authority to Operate (ATO) processes add more time on top of that. The math is straightforward: organizations that haven’t started evaluating FIPS 140-3 validated solutions are already behind.
FIPS 140 is the federal standard for cryptographic modules — the building blocks of encrypted communications and data protection. Since 2001, FIPS 140-2 has been the baseline for validated cryptography across U.S. government systems. FIPS 140-3, aligned to international standards ISO/IEC 19790 and 24759, is its successor — more rigorous, more current, and now the only standard NIST will recognize going forward.
Here’s what the September 22, 2026 deadline means in practice:
Security teams are thorough about FIPS compliance on their firewalls, VPNs, and primary network infrastructure. Out-of-Band (OOB) management — the secondary, independent access path engineers use when the primary network fails — often gets less scrutiny.
That’s a significant oversight. Your OOB management solution provides direct console access to every router, switch, and firewall in your infrastructure — bypassing the production network entirely. If that access path isn’t protected by FIPS 140-3 validated cryptography, you have an unvalidated backdoor into your most critical systems. Auditors and ATO reviewers are increasingly asking about it.
In the OOB management market, FIPS language is used loosely. Many vendors claim their products are “FIPS compliant” or “FIPS capable” — often meaning they use a third-party cryptographic library that holds a FIPS 140-2 certificate, or they have tested their product against the standard without going through the formal validation process.
First-party FIPS 140-3 validation means the vendor’s own cryptographic implementation has been independently tested by an accredited laboratory and certified by NIST. The certificate is issued to the vendor’s product — not to a module they licensed from someone else.
Communication Devices, Inc. (CDI) is the only Out-of-Band management provider with first-party FIPS 140-3 validation. Not self-attested. Not a borrowed module. Validated.
CDI’s Port Authority console server family was designed from the ground up for secure, validated Out-of-Band management in the most demanding environments in the country — federal agencies, defense contractors, energy infrastructure, transportation networks, and remote industrial sites. Here’s what that means for your compliance posture:
If your Out-of-Band management solution is running on FIPS 140-2 validated cryptography — or on a vendor’s self-attested “compliance” claim — now is the time to evaluate your options. The September 22, 2026 deadline is 90 days out. Procurement timelines are not.
CDI is FIPS 140-3 validated today. Our solutions are on the shelf, TAA compliant, Made in USA, and ready to support your ATO process. We have been manufacturing secure OOB management hardware for over 50 years and we work with some of the largest and most security-conscious organizations in the country.
Don’t let a deadline drive your security architecture. Contact CDI at sales@commdevices.com or visit www.commdevices.com to learn how FIPS 140-3 Validated Out-of-Band Management fits your environment.