FIPS 140 and DoDIN APL: What Federal Buyers Need to Know

Federal IT procurement has never been simple, but two overlapping compliance frameworks — FIPS 140 cryptographic validation and the DoDIN Approved Products List (APL) — have long served as the clearest "green light" signals for agency buyers. Both are changing at the same time, and the combination creates real urgency: FIPS 140-2 certificates move to NIST's Historical List on September 21, 2026, while the DoDIN APL program formally sunset on September 30, 2025 and is being replaced by a STIG-first compliance model. Understanding what those shifts mean — and how to evaluate vendor readiness in the new environment — is now a core procurement skill.
Whether you're a contracting officer sourcing infrastructure for a defense agency, a network architect at a civilian department, or a SLED security officer aligning to DoD-grade standards, this guide walks through what FIPS 140 and the DoDIN APL actually required, how the landscape has shifted, and what to look for in infrastructure vendors such as Dell and Dell Networking as you build or refresh federal networks.
What FIPS 140 Actually Means — and Why the Level Matters
FIPS 140 (Federal Information Processing Standard Publication 140) is the U.S. government's mandatory benchmark for cryptographic modules used to protect sensitive but unclassified (SBU) and classified information. Published and administered by NIST through the Cryptographic Module Validation Program (CMVP), it defines four security levels:
| Security Level | Physical Requirements | Authentication | Typical Use Case |
|---|---|---|---|
| Level 1 | Production-grade components; no specific physical protections | None specified | Software-only modules, low-risk environments |
| Level 2 | Tamper-evident coatings or seals; pick-resistant locks | Role-based (e.g., operator vs. admin) | Network equipment, access points, most federal IT |
| Level 3 | Tamper-resistant enclosures; identity-based authentication | Identity-based; zeroize on tamper | HSMs, crypto accelerators |
| Level 4 | Complete physical envelope; environmental attack protection | Strongest identity controls | Classified or extreme-threat environments |
For most federal networking hardware — switches, wireless access points, SD-WAN appliances — Level 2 is the operative requirement. It demands that the cryptographic module use validated algorithms (AES, SHA-2/3, RSA, ECDH, etc.), operate with tamper-evident physical mechanisms, and enforce role-based access between operator and admin functions. Level 2 validated hardware can process Controlled Unclassified Information (CUI) and is a baseline requirement for many Department of Defense (DoD) contracts.
The key distinction buyers often miss: FIPS validation applies to the cryptographic module, not to the entire product. A switch can be FIPS 140 validated for its embedded cryptographic subsystem while still running features (like certain management protocols) that are outside the validation boundary. Procurement teams should ask vendors exactly which software version and which operational mode triggers the validated boundary.
FIPS 140-2 vs. FIPS 140-3: The Transition You Cannot Ignore
NIST finalized FIPS 140-3 on May 1, 2019, aligning U.S. standards with the international ISO/IEC 19790:2012 framework. FIPS 140-3 tightens requirements across all four levels and adds more rigorous testing of non-invasive attack resistance, self-test requirements, and algorithm flexibility. NIST began accepting FIPS 140-3 submissions on September 22, 2020.
The critical deadline is September 21, 2026. On that date, every remaining FIPS 140-2 certificate moves to NIST's "Historical List." Once on the Historical List:
- Federal agencies cannot cite a Historical certificate to justify new procurements.
- Existing deployed systems may continue to operate using Historical modules, but significant upgrades — new OS versions, major software revisions, architectural changes — can trigger a requirement to adopt FIPS 140-3 validated components.
- Competitors with FIPS 140-3 validated products gain an immediate, documented procurement advantage.
For federal buyers, this means every active RFP or multi-year refresh project should already be asking vendors: "Do you have FIPS 140-3 validation, or are you actively in the CMVP pipeline?" Validation cycles run 12 to 24 months, so a vendor that has not yet submitted for FIPS 140-3 testing as of mid-2026 is unlikely to have an active certificate before the September cutoff.
Post-Quantum Cryptography (PQC) adds another layer. NIST finalized its first three PQC algorithm standards in 2024 (FIPS 203, 204, and 205). CMVP is beginning to accept and process FIPS 140-3 validations that include these quantum-resistant algorithms. Agency planning horizons that extend to 2030 should already factor in PQC-capable hardware and software, since cryptographically relevant quantum computers could render current public-key encryption vulnerable within that window.
What the DoDIN APL Was — and Why It Is Sunsetting
The Department of Defense Information Network Approved Products List was a DISA-managed catalog of commercial IT products that had passed both cybersecurity and interoperability testing. Inclusion on the APL — maintained at aplits.disa.mil — gave DoD program offices a pre-vetted procurement shortlist and gave vendors a powerful differentiator: a product on the APL had demonstrably met DISA's requirements under testing conditions, not just vendor claims.
APL listing required products to pass:
- Cybersecurity testing aligned to DISA Security Technical Implementation Guides (STIGs)
- Interoperability testing under the Unified Capabilities (UC) Requirements framework, conducted at the Joint Interoperability Test Command (JITC)
For networking equipment specifically, APL listing validated that a switch, wireless controller, or access point could operate securely within DoD network environments and interoperate with DoD's voice, video, and data infrastructure.
The program formally sunset on September 30, 2025. All scheduled APL testing concluded by December 31, 2025. The DISA Approved Products Certification Office (APCO) will maintain the historical repository of APL-listed products through FY 2026, but no new listings are being added.
The DoD CIO issued a memo directing the transition, and DISA published an APL Sunset FAQ explaining the rationale: the APL had become difficult to keep current with rapidly evolving commercial technology, and the cost/time to test products created bottlenecks for both agencies and vendors.
What Replaces the DoDIN APL: The STIG-First Model
The post-APL compliance landscape has three pillars:
1. DISA STIGs (Security Technical Implementation Guides): Cybersecurity requirements now live primarily in vendor-published STIGs reviewed and accepted by DISA's Risk Management Executive (RME). A STIG is a hardening guide — it specifies configuration settings that bring a product into compliance with DoD security policy. For federal buyers, a product with a published, DISA-accepted STIG is the new baseline credibility signal that previously came from APL listing.
2. Unified Capabilities Requirements (UCR)-CORE: Interoperability requirements are moving to UCR-CORE, a leaner document that specifies the essential interoperability attributes for DoD networks. The initial UCR-CORE draft was expected in early 2026, and compliance will be enforced through contract provisions rather than pre-market testing.
3. FIPS 140-3 and Common Criteria: Cryptographic and security assurance validation carry more weight in the post-APL environment. A product with an active FIPS 140-3 certificate and a relevant Common Criteria evaluation (such as the Network Device collaborative Protection Profile, or NDcPP) has objective third-party evidence of its security posture — evidence for which a legacy APL listing can no longer substitute.
For federal buyers, the practical implication is that due diligence now falls more heavily on the acquisition team. The APL provided a centralized vetting shortcut. Without it, buyers must verify STIG availability, confirm FIPS validation status in the CMVP database, and check Common Criteria listings independently. Partnering with a knowledgeable reseller who tracks these databases is more valuable than ever. See our federal and government procurement resources for buyer-side guidance.
Dell and Dell Networking: Current Validation Posture
Dell and Dell Networking have maintained a consistent track record of pursuing federal certifications across product lines. Here is what buyers should know as of mid-2026:
FIPS 140-3 Validated Access Points: Dell Networking's 5xx series access points — including the AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635, and AP-655 — running DellOS FIPS Firmware carry FIPS 140-3 Level 2 validation (CMVP certificate #4916). This is significant: these are among the relatively limited number of Wi-Fi access points with active FIPS 140-3 (not merely 140-2) validation ahead of the September 2026 deadline.
AOS-CX Switching: The Dell AOS-CX Cryptographic Module, which underpins the CX 6xxx, CX 8xxx, and 10000 series switches, holds FIPS 140-2 validation. Given the September 2026 sunset, buyers planning multi-year refresh cycles for campus or data center switching should confirm with Dell whether a FIPS 140-3 submission is in progress for AOS-CX and what the expected certification timeline is.
Common Criteria: Dell Networking's Zero Trust Policy Manager has achieved Common Criteria certification under the NDcPP and the Authentication Server Extended Package — a meaningful credential for zero-trust and network access control deployments. The Dell Networking SD-WAN and Orchestrator have been evaluated under the PP-Configuration for Network Devices, Stateful Traffic Filter Firewalls, and VPN Gateways, with a 2025 evaluation completed under the Australian AISEP program.
DISA STIGs: Dell Networking AOS has a published STIG checklist listed in NIST's National Checklist Program (NCP), making it navigable for DoD configuration compliance. This is a direct indicator of post-APL readiness.
For a current view of specific certifications and validation statuses, buyers should verify directly at csrc.nist.gov (CMVP database), the Common Criteria portal (commoncriteriaportal.org), and DISA's STIG library — and work with an authorized partner who can navigate those databases on your behalf. Our product catalog includes Dell Networking hardware with government-relevant configurations.
A Practical Compliance Checklist for Federal Buyers
When evaluating networking or security infrastructure for a federal environment — DoD, civilian agency, or SLED aligning to federal standards — use this checklist:
- FIPS 140-3 status: Does the product have an active FIPS 140-3 certificate in the CMVP, or is it a 140-2 certificate that will reach Historical status in September 2026? Ask for the certificate number and verify at csrc.nist.gov.
- STIG availability: Is there a published, DISA-reviewed STIG for this product? Check DISA's STIG library and NIST's NCP. No STIG is a red flag for DoD environments.
- Common Criteria / NDcPP: For network devices in high-security environments, is there a relevant CC evaluation? Look for NDcPP, firewall PP, or VPN PP evaluations.
- Software version specificity: FIPS validation is version-specific. Confirm the current shipping software version is covered by the active certificate.
- Operational mode: Many products have a separate "FIPS mode" that must be explicitly enabled. Confirm the operational implications (which features are available, which protocols are restricted).
- Vendor FIPS 140-3 roadmap: For products currently only validated to FIPS 140-2, ask for the vendor's written commitment to FIPS 140-3 certification and an expected timeline. Factor this into contract terms.
- Historical APL status: For products previously listed on the DoDIN APL, confirm whether that listing remains in the DISA repository and understand that it no longer serves as a current compliance signal for new procurements.
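The checklist above can be applied to an installed-base inventory as a repeatable triage. The following is an added example, not part of the original guide or any vendor tooling; the `Asset` fields, finding codes, and sample inventory are assumptions, and the certificate data is expected to be entered by hand after a CMVP lookup.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

FIPS_140_2_HISTORICAL = date(2026, 9, 21)  # Historical List date stated in the article

@dataclass
class Asset:  # hypothetical inventory record; field names are assumptions
    name: str
    cert_number: Optional[str]   # CMVP certificate number; None if vendor only claims "compliant"
    standard: Optional[str]      # "140-2" or "140-3"
    validated_versions: tuple    # software versions named on the certificate
    running_version: str
    fips_mode_enabled: bool
    stig_published: bool
    dod_environment: bool = True

def audit(asset: Asset, as_of: date) -> list:
    """Return checklist finding codes for one asset; an empty list means no gaps."""
    findings = []
    if not asset.cert_number:
        # Approved algorithms without a CMVP certificate are "compliant", not validated.
        findings.append("NOT_VALIDATED")
    else:
        if asset.standard == "140-2":
            # Before the cutoff the certificate is still active but expiring.
            findings.append("HISTORICAL" if as_of >= FIPS_140_2_HISTORICAL else "SUNSET_PENDING")
        if asset.running_version not in asset.validated_versions:
            findings.append("VERSION_NOT_COVERED")  # validation is version-specific
        if not asset.fips_mode_enabled:
            findings.append("FIPS_MODE_OFF")        # validated mode must be explicitly enabled
    if asset.dod_environment and not asset.stig_published:
        findings.append("NO_STIG")
    return findings

def days_to_sunset(as_of: date) -> int:
    """Days left before 140-2 certificates move to the Historical List (0 once passed)."""
    return max((FIPS_140_2_HISTORICAL - as_of).days, 0)

# Constructed sample inventory: product names, versions and certificate ids are placeholders.
INVENTORY = [
    Asset("ap-example", "CERT-PLACEHOLDER-A", "140-3", ("10.4",), "10.4", True, True),
    Asset("switch-example", "CERT-PLACEHOLDER-B", "140-2", ("9.1",), "9.3", False, True),
    Asset("gateway-example", None, None, (), "2.0", False, False),
]

if __name__ == "__main__":
    today = date(2026, 6, 1)  # fixed date so the output is reproducible
    print(f"{days_to_sunset(today)} days until the FIPS 140-2 Historical date")
    for a in INVENTORY:
        print(a.name, audit(a, today) or ["OK"])
```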
You can request a pre-sales compliance briefing through our contact page if you need help navigating validation status for a specific program.
Common Misconceptions That Create Procurement Risk
"Our product is FIPS compliant" is not the same as FIPS validated. Vendors frequently claim FIPS compliance by using FIPS-approved algorithms without submitting the module for CMVP testing. Only a certificate number in the CMVP database constitutes validation. Federal acquisition regulations (specifically NIST SP 800-53 and FISMA) require validated modules, not just compliant ones.
A product that was on the DoDIN APL is not automatically compliant today. APL listing was point-in-time. Products that appeared on the APL under specific software versions may have changed significantly, and the APL listing itself no longer carries active compliance weight for new procurements.
FIPS mode is not always the default. Enabling FIPS mode on enterprise networking gear often disables certain features (legacy cipher suites, older management protocols, some diagnostic capabilities). Buyers should test FIPS-mode operation in a lab environment before deployment at scale. Reference our networking guides for configuration best practices.
Not all four security levels are equally applicable. Most federal agencies require Level 2 for networking hardware, not Level 3 or 4. Specifying Level 3 or 4 where Level 2 suffices unnecessarily restricts the market and drives up cost without proportional security benefit.
Planning Your Next Refresh With Compliance in Mind
The convergence of the FIPS 140-2 sunset (September 2026) and the DoDIN APL sunset (September 2025) means that federal buyers making 3-to-5-year infrastructure decisions right now face the highest compliance transition risk they have seen in a decade. Here is a practical planning approach:
Immediate (now through Q3 2026): Audit all deployed networking and security infrastructure for FIPS 140-2 certificates that will move to Historical status. Identify any products that lack a viable FIPS 140-3 upgrade path. Prioritize refresh planning for those assets.
Near-term (FY2026 procurement cycles): Require FIPS 140-3 validation as a mandatory evaluation criterion in solicitations, not just "FIPS compliant." Require vendors to demonstrate published STIGs for all network devices. Where applicable, require Common Criteria evaluations under current protection profiles.
Mid-term (FY2027 and beyond): Factor post-quantum cryptography into procurement. Products that will undergo major software refresh between 2027 and 2030 should have a vendor-documented PQC migration roadmap. NIST's finalized PQC standards (FIPS 203/204/205) provide the algorithm baseline.
Federal buyers working with Dell Networking have the advantage of a vendor that has consistently engaged the CMVP and Common Criteria processes — particularly for access point hardware, Zero Trust, and SD-WAN — but the compliance landscape now demands that buyers go deeper than brand trust. Request specific certificate numbers, confirm software version coverage, and verify STIG availability for every product in scope. Our federal procurement guides include step-by-step validation lookup instructions.
How Uniqcli Helps
Uniqcli is an authorized Dell and Dell Networking partner with deep experience supporting federal, SLED, healthcare, and enterprise buyers through certification-sensitive procurements. We track CMVP validation status, DISA STIG availability, and Common Criteria evaluations across the Dell and Dell Networking product lines so that you do not have to start from scratch on every RFP.
Whether you need a compliance pre-check for an existing installed base, help structuring a solicitation with accurate FIPS 140-3 language, or a configuration-aware quote for government-grade hardware, our team is ready to assist. Request a quote or contact our federal team to start the conversation — and visit our government solutions page for a broader view of how we support public-sector buyers.
