Update: Key_Management_Cheat_Sheet

[daidoji]

What is missing or needs to be updated?

FIPS 140-2 is recommended consistently through the Key Management Cheat Sheet however FIPS 140-3 has been available since 2019 and should have many validated modules by this time. FIPS 140-2 is set to be sunset in September of next year. It seems like the recommendation should be FIPS 140-2 or FIPS 140-3 validated modules on this cheat sheet, but I'm not familiar enough with the operational side to know if this choice was intentional (like its hard to get FIPS 140-3 certified modules or something).

How should this be resolved?

"FIPS 140-2 or 140-3" should be used everywhere? Or only 140-3 as it seems the more recent standard and one likely to be applicable the longest.

Like I said above, this may be ignorance on my part though, so feel free to close the issue and clarify why 140-2 is the right choice if this is the case.

[jmanico]

Good catch and this is an excellent observation.

FIPS 140-3 supersedes FIPS 140-2, and the NIST Cryptographic Module Validation Program (CMVP) officially transitioned in September 2021, with 140-2 validations scheduled for sunset in September 2026. After that date, new modules will only be validated under FIPS 140-3, and existing 140-2 validations will move to the “historical” list.

However, operationally, most production-grade crypto libraries in current enterprise and cloud deployments are still FIPS 140-2 validated because:

1. Many widely used modules (OpenSSL FIPS Object Module, BoringCrypto, AWS Crypto SDK, Microsoft CNG, etc.) are still listed under 140-2 and will remain valid until the sunset.

2. FIPS 140-3 validation has a much longer and more resource-intensive review cycle, so adoption across vendors has been slower than expected.

Best practice language:
Until FIPS 140-2 validations are officially sunset and 140-3 adoption is universal, the cheat sheet should recommend:

“Use only FIPS 140-2 or FIPS 140-3 validated cryptographic modules.”

Once NIST completes the 140-2 transition and the ecosystem stabilizes around 140-3, we can tighten the language to reference only FIPS 140-3.

Would you like to PR with this in mind?

[daidoji]

@jmanico sure, will do.