VSA FIPS Certification Updates
October 2025 update
VSA 10
- FIPS 140-3 compliant cryptographic communication for agents and client applications (Remote Desktop, mobile application) will be supported for SaaS customers from November 2025 (v10.23). It will be extended to on-premises customers in a later release (this article will be updated when the release details are confirmed).
VSA 9
IMPORTANT Customers who require FIPS compliance are recommended to start planning their migration to VSA 10 today, or as soon as possible, to ensure continued compliance beyond March 2026.
- VSA 9 achieved FIPS 140-2 certification for cryptographic communication in December 2021, with a sunset date of October 15th, 2025.
- The 9.5.24 release contains an update enabling a new FIPS 140-2 certificate to be issued with a sunset date of March 8th, 2026.
- After March 8th, 2026, FIPS certification for VSA 9 will be classified as historic, meaning that:
- It will no longer be considered valid for new deployments or government procurements that require current FIPS validation.
- For existing government customers, continued use of the product may still be permitted at the discretion of the agency's Authorizing Official (AO), considering the environment remains unchanged. However, this status introduces compliance risk during contract renewals, program reauthorizations (e.g., FedRAMP, FISMA, CMMC Level 2), or if system changes trigger a reassessment.
- FIPS 140-3 supersedes FIPS 140-2 with updated security requirements, international alignment, testing procedures, and the underlying standards they reference. FIPS 140-2 is being phased out with full sunset by September 2026.