2025-10-08, Belvedere I / Security, Compliance & the Law
With all FIPS 140-2 certificates scheduled to sunset by September 2026, developers and integrators must now transition to the more structured and demanding FIPS 140-3 certification process. This 30-minute session provides a high-level, experience-based overview of the current validation landscape, tailored for technical and compliance teams preparing for engagement with the Cryptographic Module Validation Program (CMVP).
Drawing on our experience as an accredited FIPS 140 test lab, we’ll outline the certification lifecycle—from module scoping and documentation preparation, through algorithm testing and submission, to final CMVP review. We’ll share practical strategies to reduce delays and mitigate risk, including tips for aligning documentation early, incorporating tooling, managing change control, and avoiding common points of rejection.
We’ll highlight key programmatic changes from FIPS 140-2 to 140-3, such as more structured reviews, expanded documentation requirements, and closer integration with supporting programs. Attendees will gain insight into how the Cryptographic Algorithm Validation Program (CAVP) and Entropy Source Validation (ESV) fit into the overall process, and how to coordinate module testing to minimize bottlenecks.
The session will also touch on CMVP’s evolving efforts to support post-quantum cryptography (PQC) and its growing focus on test automation, including pilot initiatives aimed at improving review efficiency.
Additional topics include managing CVEs, supporting module rebranding, and sustaining validations over time—especially for open-source and resource-constrained projects.
This session equips teams with the practical insight needed to navigate FIPS 140-3 confidently and prepare for long-term compliance.
For the past 15+ years, Jason has been involved in the leadership of different cyber security companies, including being responsible for the accreditation, management and profitable growth of several government-accredited IT security laboratories. Since 2015, Jason has been the co-founder and President of Lightship Security, a leading product certification lab in North America. Jason is responsible for driving the Lightship vision of modernizing the product certification landscape – with a focus on building and deploying smart automation to allow certification in parallel with development. Better certification outcomes for Lightship clients are the overriding mandate for Jason and the team.