
WinMagic achieves FIPS 140-3 validation, continuing 24 years of unbroken cryptographic certification as identity moves to the endpoint

Validation continuity that began with AES Certificate #1 in 2002 now spans every generation of the FIPS standard — at a moment when the endpoint, not the cloud, is becoming the foundation of online identity
WinMagic today announced FIPS 140-3 validation for its SecureDoc and MagicEndpoint cryptographic modules (CMVP Certificates #5204 and #5214). The validation extends an unbroken 24-year record across all three generations of the FIPS standard — an engineering continuity that is, on its own, the longest in the full-disk encryption industry. It also arrives at a moment when that record matters in a new way: as passkeys, hardware-bound keys, and Zero Trust extend identity verification to the endpoint itself, the cryptographic integrity of the endpoint is becoming the foundation of online access, not just a requirement for data at rest.
 

Twenty-four years of continuous cryptographic validation

WinMagic's FIPS 140-3 certification extends an unbroken record that began in 2000:
 
  • 2000 — Common Criteria certification. The world's first full-disk-encryption solution to achieve Common Criteria certification, presented at the inaugural global ceremony.
     
  • 2000 — NSA certification for SECRET level Full-Disk-Encryption with FORTEZZA PC-card. The first disk encryption certified by the NSA for US Government agencies to SECRET level.
 
  • March 2002 — AES Certificate #1. The first AES algorithm validation issued by NIST to any commercial vendor. The implementation was the SecureDoc Cryptographic Engine.
 
  • May 2002 — FIPS 140-1 Certificate (#209). Cryptographic module validation under the original FIPS 140 standard.
 
  • 2006 — FIPS 140-2 Levels 1 and 2. The first full-disk encryption technology to achieve FIPS 140-2 validation, and the first to certify at both Level 1 (#699) and the more demanding Level 2 (#698), which requires tamper-evidence mechanisms and role-based authentication.
 
  • 2006 — 2026 — Continuous FIPS 140-2 revalidation. WinMagic has maintained active FIPS 140-2 certifications continuously for 20 years.
 
  • 2026 — FIPS 140-3. Certificates #5204 and #5214. Continuous validation across all three generations of the FIPS standard. Achieving these validations ensures that WinMagic's products remain at the absolute forefront of modern cryptography and cryptographic compliance.
 

Why this validation matters differently in 2026

For most of the FIPS standard's history, the question it answered was narrow: is the cryptography that protects data at rest mathematically sound and correctly implemented? That is still the question. But passkeys, hardware-bound credentials, and continuous endpoint attestation have widened what depends on the answer.
 
When the endpoint generates identity-bearing keys in a TPM, asserts user presence on behalf of a remote service, and continuously attests to its own posture, the cryptographic integrity of the endpoint is no longer adjacent to identity — it is identity. An endpoint that cannot prove boot integrity, cannot protect its key material, or cannot maintain verified state is not qualified to authenticate anything. FIPS 140-3, with TPM 2.0 and continuous attestation, is what "endpoint as trust anchor" looks like under the hood.
 
“We've held FIPS validation continuously since 2002 because cryptographic rigor is an engineering discipline, not a marketing claim. The discipline mattered for data at rest. It matters more now. Passkeys, Live Key, and every hardware-bound identity scheme rest on the same assumption: that the device generating the key, protecting the key, and asserting identity is cryptographically sound. As identity moves to the endpoint, that assumption stops being adjacent to compliance and starts being the whole game.”
 
— Thi Nguyen-Huu, Founder & CEO, WinMagic

 

Where the validation applies

  • CMMC Level 2. SecureDoc meets NIST SP 800-171 IA.L2-3.13.11 & 3.13.16 with FIPS 140-3 validation, ahead of the September 2026 transition that moves FIPS 140-2 modules to the CMVP Historical List.
 
  • Critical infrastructure and OT. CISA's April 2026 guidance on Zero Trust for operational technology calls for hardware-anchored, continuously-attested identity.
 
  • Federal and defense procurement. DOD, DOE, and federal agency requirements where FIPS 140-3 is the current standard.
 
  • International deployments. Common Criteria and FIPS together address the cryptographic certification requirements of European government and sovereignty-aligned procurements.
 
  • Endpoint-centric identity architectures. Passkeys, Live Key, and TPM-bound credentials all depend on cryptographically sound endpoints. FIPS validates that foundation.
 

Beyond certification: Active standards work

WinMagic's engineering posture extends beyond product certification. The company is currently engaged with the standards bodies whose work will shape the next decade of identity architecture:
 
  • W3C — Submissions to the WebAuthn and WebAppSec working groups, March 2026.
  • IETF — Internet-Draft draft-winmagic-lit-00, published March 5, 2026.
  • DIF — Submission to the Decentralized Identity Foundation, March 25, 2026.
  • Open-source reference implementation. github.com/WinMagic/LIT
 
“What mTLS, TPM, and passkeys started, the standards work completes — embedding identity in the secure channel itself, so there is no token to steal and no session to hijack.”
— Thi Nguyen-Huu
 
 

