April 16, 2026
Posted by Refael Angel
Summary
Akeyless has achieved FIPS 140-3 validation (Certificate #5227) for its cryptographic module, confirming that its core cryptographic functions have been independently tested and verified against NIST standards. This validation strengthens the platform’s ability to support secure identity and access workflows across machines, AI agents, and human users, while helping organizations meet regulatory requirements and prepare for post-quantum cryptography.
We are excited to share that Akeyless has achieved FIPS 140-3 validation from the National Institute of Standards and Technology (NIST) for the Akeyless FIPS Cryptographic Module. The module is a software-based cryptographic library used across the Akeyless platform to protect sensitive data and support core cryptographic operations. The FIPS 140-3 certificate #5227 is now active and will remain in effect through July 10, 2029.
This milestone reflects the maturity and robust underpinnings of the Akeyless platform. It provides assurance that the cryptographic foundation used throughout Akeyless has been independently tested and verified. It also positions Akeyless to support the next phase of cryptographic evolution, as organizations begin adopting post-quantum–resistant algorithms.
What Is FIPS 140-3
FIPS 140-3 is the current NIST standard that defines how cryptographic modules must be designed and implemented. It applies to the components responsible for encryption, key management, random number generation, and other core cryptographic functions within a system.
Validation is performed through the Cryptographic Module Validation Program (CMVP), where accredited labs test a module against the standard and submit results to NIST for certification. FIPS 140-3 replaces the earlier 140-2 standard and reflects updated requirements for modern systems and threat models. It aligns with ISO/IEC 19790 and 24759, so that U.S. validation requirements map to international frameworks. It also introduces more rigorous testing procedures, clearer definitions of module boundaries, stricter documentation requirements, and an emphasis on securing the full lifecycle.
FIPS 140-3 also reflects a broader change in how cryptography is evolving. Modern cryptographic modules need to support new primitives, new validation paths, and longer-term security assumptions. FIPS 140-3 supports post-quantum readiness, allowing validated modules to incorporate these newer algorithms as they become standard.

Why FIPS 140-3 Validation Matters
Cryptographic libraries are often configured once and rarely revisited unless something breaks. That makes it easy to assume that the underlying implementation behaves correctly.
FIPS 140-3 validation removes that assumption by testing how a cryptographic module actually behaves under defined conditions. It ensures that:
- Algorithms perform as intended
- Keys are protected against leakage through memory handling or side channels
- Security boundaries are enforced and cannot be bypassed
- The implementation aligns with its documented security properties
Small inconsistencies in any of these areas can introduce real risk, especially in distributed systems where cryptographic operations are performed at scale.
There is also a practical dimension. Many regulated environments, including federal systems, financial services, and healthcare, require FIPS-validated cryptography. In fact, for any organization, having a validated module simplifies security reviews and establishes a known baseline. Teams don’t need to verify the correctness of the cryptographic core and can just focus on its use.
What Was Validated
The Akeyless FIPS Cryptographic Module (Certificate #5227) is the core cryptographic library used across the Akeyless platform. It underpins the operations that secure data and access throughout the system. This includes encryption and key management, as well as the protection of secrets, credentials, and certificates across cloud, SaaS, and on-prem environments.
These cryptographic functions are used continuously as the platform issues short-lived credentials, rotates secrets, and enforces identity-based access across machines, applications, and AI agents. The module is validated as a software implementation under FIPS 140-3 Level 1, with lifecycle assurance at Level 3, and is certified through July 10, 2029.
This means Akeyless customers can be assured that the cryptographic layer protecting keys, credentials, and access flows across the platform has been independently tested and verified to behave correctly under real conditions.
FIPS 140-3 Validation and the Akeyless Platform
In Akeyless, the validated cryptographic module underpins how identity, access, and sensitive data are handled across the platform. It is used whenever credentials are issued, services authenticate, or access is enforced through policy.
Within the platform, this foundation supports:
- Secure credential and secret handling: Encryption and key management are applied to secrets, API keys, and certificates across cloud, SaaS, and on-prem systems, with consistent protection regardless of where they reside.
- Dynamic, short-lived access: Credentials are generated on demand and expire automatically, reducing reliance on long-lived secrets and limiting exposure windows.
- Identity-based authentication across environments: Workloads, services, and AI agents authenticate using federated identity rather than embedded credentials, with access enforced through policy.
- Lifecycle control and auditability: Secret rotation, certificate management, and credential issuance are automated and consistently logged, supporting operational visibility and compliance requirements.
Akeyless builds on this with a zero-knowledge model based on Distributed Fragments Cryptography™ (DFC), where key material is split into independent fragments and never reconstructed in a single place. This allows the platform to enforce identity-driven access without relying on persistent secrets, while ensuring that the cryptographic layer supporting credential issuance and access control behaves consistently under defined conditions.
A Validated Foundation for Modern Identity Security
FIPS 140-3 validation establishes a verified cryptographic foundation for the Akeyless platform, supporting secure deployment across regulated and high-assurance environments.
Akeyless already supports a range of enterprise security and compliance requirements, including SOC 2 Type II and ISO 27001. This validation strengthens that foundation, making it easier for organizations to meet regulatory requirements without introducing additional tools or parallel security controls.
To see how this fits into real-world identity and access workflows across AI agents, workloads, and human users, request a demo.
FAQs
What is FIPS 140-3?
FIPS 140-3 is a NIST standard that defines how cryptographic modules must be designed, implemented, and tested. It covers encryption, key management, and random number generation, and is required for many government and regulated environments.
What does FIPS 140-3 validation mean?
FIPS 140-3 validation means a cryptographic module has been independently tested by accredited labs and certified by NIST. It confirms that the implementation behaves correctly and securely under defined conditions.
What did Akeyless achieve with FIPS 140-3?
Akeyless achieved FIPS 140-3 validation (Certificate #5227) for its cryptographic module. This module secures data, credentials, and access workflows across the platform and is certified through July 10, 2029.
Why is FIPS 140-3 important?
FIPS 140-3 ensures that cryptographic operations, such as key handling and randomness, are tested and verified. This reduces security risk and provides a trusted foundation for secure systems and compliance.
How does Akeyless use FIPS 140-3 validated cryptography?
Akeyless uses its validated cryptographic module to secure secrets, generate credentials, and enforce identity-based access across machines, applications, and AI agents. It underpins core platform operations.
Does FIPS 140-3 support post-quantum cryptography?
FIPS 140-3 supports post-quantum readiness by allowing validated modules to incorporate new cryptographic algorithms as they become standardized by NIST.