AlmaLinux FIPS 140-3 Validation Coming Soon for 9.6
  • AlmaLinux 9.6 is on track for full FIPS 140-3 validation, with all five cryptographic modules already on NIST’s “Implementation Under Test” list and availability expected within 60 days. 
  • TuxCare enables secure, compliant upgrades between FIPS-validated AlmaLinux versions, ensuring continuous FIPS 140-3 compliance with no gaps in certification or security coverage. 
  • Organizations in regulated industries can maintain FIPS compliance long term with continuous patching, predictable support, and a clear upgrade path – backed by TuxCare’s deep commitment to security and certification.

TuxCare has officially announced its intent to pursue AlmaLinux FIPS 140-3 validation for version 9.6, reinforcing its role as a critical enabler of secure, compliant Linux environments. This next step builds on the successful validation of AlmaLinux 9.2 and extends the promise of certified cryptographic assurance to the latest stable release.

But this isn’t just about checking a compliance box – for organizations in defense, government, healthcare, and finance, FIPS 140-3 validation is the gatekeeper to deploying open-source systems in mission-critical settings. Ensuring those systems remain compliant over time – without losing validation status or security coverage – is where TuxCare’s long-term support strategy truly stands out.

What Is FIPS 140-3 and Why Does It Matter?

FIPS 140-3 (Federal Information Processing Standards Publication 140-3) is the U.S. government’s standard for cryptographic module security. It’s required for federal agencies and increasingly demanded by any organization handling sensitive or regulated data.

Validation confirms that a system’s cryptographic components – like the kernel’s Crypto API – have undergone rigorous third-party testing and meet strict security standards defined by NIST and the CMVP (Cryptographic Module Validation Program).

Without FIPS validation, systems cannot be considered compliant with frameworks like:

  • FedRAMP (for cloud providers to the U.S. government) 
  • FISMA (for federal information systems) 
  • HIPAA (for healthcare data privacy) 
  • PCI DSS (for payment card industry security)

Road to AlmaLinux FIPS Validation

As described in our FIPS Validation for AlmaLinux OS blog post, the journey to validation includes:

  1. Updating the cryptographic source code to comply with the latest standards. 
  2. Building and testing the crypto modules. 
  3. Submitting them to a NIST-accredited lab for review. 
  4. Waiting in the validation queue (which can take several months). 
  5. Final approval and listing on NIST’s official validation site. 

Each validation effort also comes with significant financial cost, often reaching hundreds of thousands of dollars per version. This includes lab fees, test infrastructure, and the cost of maintaining strict module consistency throughout the process.

The AlmaLinux FIPS validation process – successfully completed for version 9.2 with active certificates (#4750 for Kernel Crypto API and #4823 for OpenSSL) and with NSS, GnuTLS, and Libgcrypt currently in review – has already proven it works. Now AlmaLinux 9.6 is on the same path, with TuxCare once again leading the validation effort.

Upgrading AlmaLinux while Maintaining FIPS Compliance

One of the most important aspects of TuxCare’s FIPS strategy is that it enables compliant, low-risk upgrades from one validated AlmaLinux release to the next (e.g., from 9.2 to 9.6), ensuring that systems stay secure, auditable, and supported – without disrupting long-term compliance strategies.

Key benefits include:

  • Seamless FIPS-validated upgrades: Each new version is submitted for FIPS 140-3 validation through NIST’s official process, so organizations can upgrade to a newer release and remain in validated FIPS mode once the new version is certified. 
  • Predictable, overlapping support: TuxCare offers Extended Security Updates (ESU) for validated AlmaLinux versions – currently available for 9.2, and planned for 9.6 and 9.10. Each ESU release includes at least a one-year overlap with the previous one, giving organizations a stable window to plan and execute upgrades without time pressure. 
  • Sustained compliance through the full certificate lifecycle: Once validation is achieved, a FIPS 140-3 certificate remains active for up to five years. TuxCare’s Extended Security Updates (ESU) are synchronized with that window, delivering FIPS-compliant patches for the lifetime of the certificate. This ensures systems remain secure and audit-ready, even as upstream support ends, without forcing early upgrades or costly revalidation efforts. 
  • Audit simplicity: Staying on an “Active” validated version avoids the need for waivers, POA&Ms, or temporary exceptions – making audits smoother and documentation cleaner. 
  • Performance and compatibility gains: Newer AlmaLinux releases typically include better hardware support, performance improvements, and updated cryptographic modules – all without giving up validation. 
  • Minimized operational risk: While a maintenance window is required to perform the upgrade and reboot into the new kernel, TuxCare ensures a clean, validated path forward. There’s no scrambling for revalidation or dealing with cryptographic modules in a non-compliant state.

Looking Ahead

With all five cryptographic modules for AlmaLinux 9.6 already on NIST’s “Implementation Under Test” list – and expected to move to the official “Modules In Process” list soon – full FIPS 140-3 validation is just around the corner. TuxCare expects reviewed builds to be available for purchase in less than 60 days.

This upcoming milestone will further solidify AlmaLinux’s position as a secure, stable, and FIPS-compliant RHEL-compatible OS – ideal for organizations that can’t afford trade-offs between long-term security, compliance, and operational stability.

Now is the time to prepare your environment, validate your compliance roadmap, and align with a vendor that delivers on both security and support.

Explore TuxCare’s FIPS-validated AlmaLinux solutions and get ready for Day 1 compliance:
https://tuxcare.com/fips-for-almalinux/
