FIPS 140-3 today. PQC tomorrow. Engineered both.

Federal cryptography engineering. FIPS 140-3 modules. NIST PQC standards (ML-KEM, ML-DSA, SLH-DSA). Federal PKI and DoD PKI. HSM-rooted key management with cryptographic agility.

The federal cryptography stack is changing under our feet

Three things are happening simultaneously in federal cryptography. FIPS 140-3 is now the standard under which NIST issues new cryptographic module validations, with FIPS 140-2 certificates moving to historical status by September 2026. NIST has finalized the first three post-quantum standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA), and federal agencies have inventory and migration obligations under OMB M-23-02 and NSM-10. NSA has published CNSA 2.0 with mandatory PQC timelines for National Security Systems. The cryptography we deploy in 2026 will be replaced again before the end of the decade.

Precision Delivery Federal engineers federal cryptography for the transition. We deliver FIPS 140-3-validated modules in the production path today, build cryptographic agility into application code so algorithm changes do not require rewrites, inventory cryptographic dependencies through a Cryptographic Bill of Materials, and sequence PQC migration so the longest-lived data protection moves first.

FIPS 140-3 in production

FIPS 140-3 became effective September 22, 2019, aligned to ISO/IEC 19790:2012 and ISO/IEC 24759:2017. Validation differences from 140-2 include: non-invasive attack mitigations as a first-class requirement, refined module interface and roles definitions, updated operational and physical security requirements at each level (1 through 4), and the new Approved Security Functions list. The CMVP stopped accepting new FIPS 140-2 submissions on September 21, 2021. Existing FIPS 140-2 certificates remain valid for procurement until September 21, 2026, after which they move to historical status — usable for already-deployed systems but not for new procurement.

For federal procurement today we deliver only FIPS 140-3 modules in the cryptographic boundary, with the certificate number, validation level, and operational environment documented in the System Security Plan. Where a FIPS 140-3 validated module is not yet available for a given function, we document the compensating control and the migration plan rather than letting an unvalidated module slip into the boundary.

NIST Post-Quantum Cryptography

NIST finalized the first PQC standards on August 13, 2024:

  • FIPS 203 — ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism). Derived from CRYSTALS-Kyber. Three parameter sets: ML-KEM-512, ML-KEM-768, ML-KEM-1024, providing security category 1, 3, and 5 respectively. Replaces ECDH and RSA key establishment for quantum-resistant key transport.
  • FIPS 204 — ML-DSA (Module-Lattice-Based Digital Signature Algorithm). Derived from CRYSTALS-Dilithium. Three parameter sets: ML-DSA-44, ML-DSA-65, ML-DSA-87. Replaces RSA and ECDSA for general-purpose digital signatures.
  • FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature Algorithm). Derived from SPHINCS+. Conservative hash-only signature scheme as a backup to ML-DSA. Larger signatures, slower, but reliant only on hash function security assumptions.
  • FIPS 206 — FN-DSA (FFT-based Falcon Digital Signature Algorithm). In draft. Smaller signatures than ML-DSA but more complex implementation. Useful where signature size is constrained.

NIST is continuing to evaluate additional KEM candidates in a fourth round, including HQC, to provide algorithmic diversity beyond lattice assumptions.

NSA CNSA 2.0 and federal civilian PQC mandates

NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), published in September 2022 and updated since, mandates PQC migration timelines for National Security Systems. CNSA 2.0 selects ML-KEM-1024 for key establishment and ML-DSA-87 (with LMS or XMSS for software/firmware signing) for signatures, with target migration deadlines that vary by use case — software/firmware signing, networking equipment, web browsers, and operating systems each have published timelines.

For federal civilian agencies, OMB Memorandum M-23-02 (November 2022) directs agencies to inventory cryptographic systems prioritized by sensitivity, with NSM-10 (May 2022) setting the broader national strategy. We help agencies meet the inventory deadline, classify cryptographic uses by criticality and lifetime, and build migration plans that are credible against the published timelines.

Hardware Security Modules

HSMs are the root of trust for high-assurance keys. We deploy and integrate:

  • Thales Luna Network HSM 7 for on-prem and colo deployments. FIPS 140-3 Level 3 validation in progress; FIPS 140-2 Level 3 today.
  • Entrust nShield Connect XC and nShield 5c for on-prem with strong cloud-bridging via nShield as a Service.
  • AWS CloudHSM in AWS GovCloud — FIPS 140-3 validated single-tenant modules with KMIP and PKCS#11 interfaces.
  • Azure Dedicated HSM and Azure Managed HSM in Azure Government — Thales-backed for Dedicated, Marvell LiquidSecurity for Managed HSM.
  • Google Cloud HSM in Google Cloud Assured Workloads.
  • Embedded roots of trust: TPM 2.0, Microsoft Pluton, Apple Secure Enclave, Google Titan, OpenTitan.

Federal PKI and DoD PKI

The Federal PKI is anchored by the Federal Common Policy CA, operated by the GSA Federal PKI Management Authority. Subordinate CAs are operated by agencies and by FPKI-cross-certified Shared Service Providers — Entrust, IdenTrust, DigiCert, and ORC are among the current SSPs. PIV credentials chain to the Federal Common Policy CA. The Federal PKI Common Policy Framework specifies certificate profiles, key algorithm requirements, and lifecycle obligations.

DoD PKI is operated by DISA with the DoD Root CA hierarchy and the DoD Interoperability Root CA for cross-agency trust. CAC credentials chain to DoD PKI. We engineer enterprise certificate authority deployments — Microsoft AD CS, EJBCA, Entrust Authority Security Manager, DigiCert ONE, Venafi TLS Protect — that chain to the appropriate trust anchor, handle OCSP and CRL distribution correctly, and integrate certificate lifecycle management for everything from PIV to TLS server certificates to code signing to S/MIME.

Key management and cryptographic agility

Cryptographic agility — the ability to swap algorithms without rewriting applications — is the engineering principle that makes PQC migration tractable. We engineer for agility by:

  • Abstracting cryptographic operations through validated providers: OpenSSL 3 with the FIPS provider, BouncyCastle FIPS for Java, Microsoft CNG with FIPS-only mode, Go crypto with the Microsoft Go fork or BoringCrypto.
  • Inventorying every cryptographic dependency through a Cryptographic Bill of Materials (CBOM) aligned to the IBM/CycloneDX CBOM standard.
  • Centralizing key management in HSM-backed key vaults (HashiCorp Vault Enterprise FIPS edition, AWS KMS with CloudHSM-backed CMKs, Azure Key Vault Premium, Google Cloud KMS with HSM protection level).
  • Building hybrid TLS for the migration period — classical plus PQC in a single handshake, supported in OpenSSL via the OQS provider and in major TLS stacks under draft IETF specifications.
  • Prioritizing migration of long-lived protections (signature trust anchors, archived data) ahead of ephemeral session protection that re-keys naturally.

How we build

  1. Cryptographic inventory. Build the CBOM for the agency's software supply chain. Identify every algorithm, key length, and cryptographic dependency.
  2. Risk-rank by lifetime. Long-lived signatures, archived encrypted data, and embedded device keys move first. Ephemeral session keys move with the next major release cycle.
  3. Validated module replacement. Migrate FIPS 140-2 modules to FIPS 140-3 ahead of the September 2026 historical-status transition.
  4. HSM consolidation. Centralize key custody in FIPS 140-3 HSMs with KMIP and PKCS#11 interfaces. Decommission shadow keystores.
  5. PQC pilot. Stand up hybrid TLS in a non-production environment using ML-KEM combined with classical key establishment. Measure performance, validate interoperability.
  6. Migration roadmap. Map each cryptographic use to a target algorithm, validation, and timeline aligned to CNSA 2.0 and OMB M-23-02.
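
Steps 1, 2, 3 and 6 above, sketched as an added example (not Precision Delivery Federal's tooling): it ranks a constructed inventory by protection lifetime and assigns each entry the replacement family this page names. The record fields, component names and sample entries are hypothetical and do not follow the CycloneDX CBOM schema.

```python
import json

# Replacement families as listed on this page: ML-KEM replaces ECDH and RSA key
# establishment; ML-DSA replaces RSA and ECDSA signatures.
REPLACEMENT = {
    ("key-establishment", "ECDH"): "ML-KEM",
    ("key-establishment", "RSA"): "ML-KEM",
    ("signature", "RSA"): "ML-DSA",
    ("signature", "ECDSA"): "ML-DSA",
}
# Parameter sets the page says CNSA 2.0 selects for National Security Systems.
CNSA2 = {"ML-KEM": "ML-KEM-1024", "ML-DSA": "ML-DSA-87"}
# Step 3: action by the validation status of the module doing the operation.
MODULE_ACTION = {"140-3": "keep", "140-2": "replace before September 2026"}

# Constructed sample inventory; hypothetical field names, not the CycloneDX schema.
INVENTORY_JSON = """[
 {"component": "web-frontend TLS", "use": "key-establishment", "algorithm": "ECDH", "lifetime_years": 0, "module": "140-3", "nss": false},
 {"component": "issuing CA signing key", "use": "signature", "algorithm": "RSA", "lifetime_years": 20, "module": "140-2", "nss": true},
 {"component": "records archive key wrap", "use": "key-establishment", "algorithm": "RSA", "lifetime_years": 25, "module": null, "nss": false},
 {"component": "S/MIME signing", "use": "signature", "algorithm": "ECDSA", "lifetime_years": 3, "module": "140-3", "nss": false},
 {"component": "legacy VPN", "use": "key-establishment", "algorithm": "DH", "lifetime_years": 0, "module": "140-2", "nss": false}
]"""

def target_for(entry):
    """Target algorithm for one entry, or None when the mapping does not cover it."""
    family = REPLACEMENT.get((entry["use"], entry["algorithm"]))
    if family is None:
        return None
    return CNSA2[family] if entry.get("nss") else family

def roadmap(inventory):
    """Steps 2 and 6: longest-lived protections first; unmapped entries set aside."""
    rows, review = [], []
    for e in inventory:
        target = target_for(e)
        if target is None:
            review.append(e["component"])  # never guess a target algorithm
            continue
        # No validated module recorded: the page's answer is a compensating control.
        action = MODULE_ACTION.get(e.get("module"), "document compensating control")
        rows.append((e["lifetime_years"], e["component"], target, action))
    rows.sort(key=lambda r: r[0], reverse=True)  # stable: ties keep inventory order
    return [r[1:] for r in rows], review

if __name__ == "__main__":
    plan, review = roadmap(json.loads(INVENTORY_JSON))
    print(*plan, sep="\n")
    print("manual review:", review)
```

Entries the mapping does not cover, such as the `DH` record here, are returned in a separate list for manual classification instead of being given a guessed target.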

Federal context and past performance

Bo Peng holds a Kaggle Top 200 global ranking and seven cloud certifications. Precision Delivery Federal delivered production data engineering on SAMHSA platforms and is SAM.gov registered (UEI Y2JVCZXT9HP5, CAGE 1AYQ0). We pursue SBIR PQC migration topics across CDAO, DISA, NSA-adjacent civilian work, and HHS. See our DoD playbook, FedRAMP LLM deployment, and PQC migration guide.

Tooling we work with

  • HSMs: Thales Luna 7, Entrust nShield 5c, AWS CloudHSM, Azure Dedicated/Managed HSM, Google Cloud HSM, YubiHSM 2 FIPS.
  • Key management: HashiCorp Vault Enterprise FIPS, AWS KMS, Azure Key Vault Premium, Google Cloud KMS, Thales CipherTrust Manager, Entrust KeyControl.
  • PKI: Microsoft AD CS, EJBCA Enterprise, Entrust Authority Security Manager, DigiCert ONE, Venafi TLS Protect.
  • Cryptographic libraries: OpenSSL 3 with FIPS provider, BouncyCastle FIPS, Microsoft CNG, BoringCrypto, OQS provider for PQC experimentation.
  • Code signing: Sigstore (cosign), DigiCert KeyLocker, Venafi CodeSign Protect, AWS Signer, Azure Trusted Signing.

Federal cryptography, answered.

FIPS 140-3 vs FIPS 140-2?

FIPS 140-3 is the current standard, ISO-aligned. New 140-2 submissions stopped September 2021. Existing 140-2 certificates move to historical status September 2026.

What's in the NIST PQC lineup?

FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA finalized August 2024. FIPS 206 FN-DSA in draft. Round-four KEMs including HQC under evaluation.

Which HSMs in federal environments?

Thales Luna 7, Entrust nShield 5c, AWS CloudHSM, Azure Dedicated/Managed HSM, Google Cloud HSM. Embedded TPM 2.0, Pluton, Secure Enclave for endpoints.

What is the federal PKI hierarchy?

Federal Common Policy CA (GSA FPKIMA) for civilian. DoD Root CA via DISA for DoD. PIV chains to Federal Common; CAC chains to DoD PKI.

How do you approach PQC migration?

CBOM inventory, agility through validated providers, long-lived protections first, hybrid TLS during transition, aligned to CNSA 2.0 and OMB M-23-02 timelines.


FIPS 140-3. PQC-ready. Agile by design.

ML-KEM. ML-DSA. SLH-DSA. HSM-rooted. Federal PKI integrated.

UEI Y2JVCZXT9HP5 | CAGE 1AYQ0 | NAICS 541512 | SAM.GOV ACTIVE