The State of PQC Support from HSM OEMs: FIPS Validation, Firmware Updates, and Production Readiness

A general-purpose Hardware Security Module’s (HSM) adoption in the market relies heavily on whether it has been certified by the U.S. National Institute of Standards and Technology’s (NIST) Federal Information Processing Standard (FIPS)—previously 140-2, now superseded by 140-3—for the Cryptographic Module Validation Program (Level 3 and 4 for HSMs specifically). The new Post Quantum Cryptographic (PQC) algorithms—ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205)—also need to go through the NIST Automated Cryptographic Validation Protocol (ACVP). The algorithms’ ACVP certification is a prerequisite anyway for compliance with FIPS 140-3, which essentially means HSM vendors will have to do ACVP if they want to obtain FIPS 140-3. However, due to the novelty of PQC algorithms, FIPS 140-3 certification can be provided while PQC ACVP validation is still ongoing.

To date, only two HSM vendors have obtained both: Thales for its Luna HSM and Marvell’s LiquidSecurity 2. Aside from these two, only Entrust has FIPS 140-3 for its nShield 5, but it is still in the process of obtaining ACVP for ML-DSA, ML-KEM, and SLH-DSA. A few other HSM vendors already have ACVP certification for those PQC algorithms: Crypto4A, Kryptus, Securosys, and Utimaco, and all are in the process for obtaining FIPS 140-3. Those that have yet to obtain either, but are also in process include Futurex and IBM.

While the PQC algorithm standards FIPS 203, FIPS 204, and FIPS 205 were published last August (2024) by NIST, it will take some time for HSM vendors to get up to speed. Not only does FIPS 140-3 require separate ACVP for all the algorithms, but doing this for the novel PQC standards requires more time and greater preparation. While the NIST fee test is nil, there are costs associated for internal preparation, consulting/support, and then for the accredited test lab, which, all together, can easily reach US$100,000+. The time frame for obtaining ACVP validation is about 12 to 18 months. And this is not counting the separate, costlier, and lengthier FIPS 140-3 certification process, which can easily reach US$200,000+ (NIST recovery fees, lab, and consultancy costs) in an 18 to 30-month time frame. Currently, the backlog is significant; the Cryptographic Module Validation Program (CMVP) queue status is close to 2 years before review can begin.

Well aware of the national pressures for PQC migration, NIST set up the interim validation process for modules submitted to the CMVP queue prior to January 2024, but still, certification is being drip-fed into the market. The transition from FIPS 140-2 (which sunsets in September 2026) and the publication of new PQC standards, which are more complex, and therefore required more preparation and documentation, and longer review (and consequently, updates and corrections to test tools and schemas) add delays and lengthen an already extended validation process. As demand builds for validated HSMs in the regulated and federal environments, those already certified will have an advantage in those first procurement processes.

There’s not much that HSM OEMs can do about speeding up the certification process. But they can be ready to launch, as soon as that process is completed. The first step is to be able to provide support (in non-FIPS boundary operating mode) for not just the published standards, but also for the candidate algorithms that have been selected and are currently being standardized (notably FN-DSA and HQC). For the published standards, at a minimum, the vendors should already be providing early access and pilot project support. Crypto4A obtained ACVP for ML-KEM, ML-DSA, and SLH-DSA in January 2025, and released its firmware updated (v.5.0) the same month—they are already in production for its QxHSM and QxEdge. The firm also provides support for FN-DSA, Classic McEliece, as well as LMS (with ACVP support as of July 2024), XMSS/XMSSMT, and HSS.

All the vendors have various firmware updates or software packages already available with PQC algorithms, some in early access, and others in production, pending the conclusion of the various NIST processes in which they are engaged. These are crucial to staying competitive. There is still a 1-year window before FIPS 140-2 becomes irrelevant, which in view of NIST’s current backlog, is not long at all. In the interim, vendors can remain top of mind for those clients and prospects who value FIPS 140-3 certification by being transparent on the progress of their FIPS validation process. They need to be able to run proofs-of-concept and other pilot programs in their test environments for early adopters. Importantly, they can stay relevant by trying to target other parallel concerns that are core to PQC, such as migration strategies and delivering on HSM, which have PQC roots of trust, for example (and not just PQC algorithm support). All vendors will eventually obtain certification, but during this small window pending certification, HSM OEMs that can show value in PQC through innovation and support, beyond simply obtaining certification, will go a longer way in offsetting the wait for NIST.