Skip to main content

 

Cisco Meraki Documentation

FIPS 140-2 Sunsetting Notice

  1. Last updated
  2. Save as PDF

Overview

FIPS 140-2 is a U.S. Government standard, published by the U.S. National Institute of Standards and Technology (NIST), that specifies security requirements for cryptographic modules used to protect sensitive information. It is a requirement for purchase of equipment for U.S. Government agencies and the Department of Defense, as well as many other public sector entities and contractors. This document is provided for public sector customers who require FIPS 140 certification of their networks.  

On January 6, 2026, CiscoSSL FOM 7.2a module’s Federal Information Processing Standard (FIPS) 140-2 certification expired.  Versions of firmware that use it are no longer recommended for use in networks requiring FIPS 140 Compliance, a requirement for many of the United States of America’s federal agencies and contractors.  

Frequently Asked Questions

What is changing for FIPS 140-2 certification?

On January 6, 2026, CiscoSSL FOM 7.2a module’s Federal Information Processing Standard (FIPS) 140-2 certification has expired, and versions of firmware that use it will no longer be recommended for use in networks requiring FIPS 140 compliance. 

Why is FIPS 140-2 certification expiring?

Cisco uses FIPS 140-2 and FIPS 140-3 validated firmware object modules (FOMs) in our software for FIPS 140 compliance. These validation certifications are good for a period of five years, then they expire. CiscoSSL FOM 7.2a, which holds the FIPS 140-2 validation, is nearing the 5-year mark on January 5, 2026. After that date, FOM 7.2a will be designated as “Historical” status with NIST and can be used only on a case-by-case basis. Cisco recommends customer networks update to FIPS 140-3 compliant versions of firmware to stay in compliance with FIPS 140 standards. 

What is the impact? 

The following FIPS 140-2 firmware versions will have their FIPS 140-2 compliance expire and move to the Historical list. The recommended FIPS 140-3 compliant versions to move to are shown to the right.   

Product 

FIPS 140-2 expired Historical versions 

FIPS 140-3 Compliant versions 

SD-WAN 

MX17, MX18.1 & MX18.2 

MX19.1 & MX19.2 

Cellular Gateways 

MG3.1 & MG3.2 

MG4.1 

Wireless 

MR29 

MR30, MR31 & MR32 

Switching 

MS16 & CS16 

IOS-XE 17.15 

CS17, MS17 & MS18  

IOS-XE 17.18 

 

See here for a complete list of devices compatible with the Meraki dashboard which also hold FIPS 140 compliance.  

What action do I need to take? 

If your organization requires FIPS 140 compliance for its networks, and you do not want to or are not allowed to use a Historical version, please update your device firmware to FIPS 140-3 versions no later than January 6, 2026. 

Check our documentation on Firmware Upgrade Management for more information. 

Who do I contact if I have additional questions? 

If you have questions not addressed in this FAQ, please contact our Public Sector Product Management team at meraki-for-government@cisco.com. 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    This page has no tags.