3 min read

Understanding The New FIPS 140-3

Understanding The New FIPS 140-3

FIPS 140 (“Federal Information Processing Standard”) is a series of security standards published by the U.S. government that specify security requirements for the evaluation of cryptographic modules. This article explores various aspects of the latest release of FIPS 140-3.

This standard covers the implementation of cryptographic modules including hardware and/or software modules or a combination of both. It is mandatory in the USA, Canada, and some other countries to only incorporate the FIPS 140 certified/validated cryptographic modules in the business solutions. Many corporate organizations dealing in the financial and payment industry follow the same standard practice across the globe. This article enlightens various aspects of the latest release of FIPS 140-3 (see Federal Information Processing Standards FIPS).

History of FIPS 140 and Implementation Timeline of FIPS 140-3

The security requirements defined in the FIPS series of standards are based on the guidance provided by the Federal Government of the US and the corporate private sector. The core aim of these requirements is to provide assistance in defense against malicious attacks. The 1st release/edition FIPS 140-1 was released on 11th January 1994. FIPS 140-2 was released on the 25th May 2001 and last updated on 3rd December 2002. FIPS 140-3 titled “Security Requirements for Cryptographic Modules” was approved on March 22, 2019. The release and implementation timeline (along with additional proposed milestones) of FIPS 140-3 is as follows:



March 22, 2019

FIPS 140-3 Released

September 22, 2019

FIPS 140-3 Effective Date

October 9, 2019

Drafts of the SP 800-140 documents were released for public comment. The comment period will be 60 days, from October 9th to December 9th

March 22, 2020

CMVP program updates completed:

  • Final Publication of SP 800-140x documents
  • Update Pearson competency test
  • Implementation Guidance updates
  • Resolve applications Changes

September 22, 2020

FIPS 140-3 Testing Begins

September 22, 2021

NIST will stop accepting the FIPS 140-2 validation/testing submissions.

FIPS 140-3 is not going to immediately replace FIPS 140-2. It will work alongside FIPS 140-2. The validation process for FIPS 140-2 will carry on for a year after the FIPS 140-3 validation starts.

The Finalization of FIPS 140-3

The finalization and launching of FIPS 140-3 represent the formal adoption of two existing international standards along with some modifications to its annexes:

  • ISO/IEC 19790:2012 - Security Requirements for Cryptographic Modules
    • It specifies the detailed requirements for the security evaluation of the cryptographic module for the protection of sensitive information. ISO/IEC 19790:2012 Standard defines four security levels for each of eleven requirement areas with each security level increasing security over the preceding level.
  • ISO 24759:2017 - Test Requirements for Cryptographic Modules
    • This specifies the mechanism and procedures to be employed by the testing labs to ensure that the cryptographic module follows the specified requirements of ISO/IEC 19790:2012. The core aim of the development of this standard is to deliver authenticity and conformation to the testing process to be the same across all the testing labs. It also highlights the information format (subsidiary evidence for demonstration of compliance to ISO/IEC 19790:2012) that is provided by the vendors/developers to the testing labs.

Since the FIPS 140-3 is now more thoroughly aligned with the international ISO/IEC standards, vendors and organizations will be less impacted with the changes/updates and they can easily cope with them. Just like FIPS 140-2, FIPS 140-3 also provisions four security levels with the aim to cover a large spectrum of potential application architectures and deployment platforms. FIPS 140-2 dealt with the security requirements once it has been finalized, but FIPS 140-3 spans the security requirements starting from the design phase, implementation and final operational deployment of a cryptographic module. The security requirements identified in FIPS 140-3 are purely envisioned for the security provisioned by a particular cryptographic module, not for the overall security of architecture in which the crypto module is being deployed.

FIPS 140-3 Special Publications (SP)


SP Title

SP 800-140

FIPS 140-3 Derived Test Requirements (DTR)

SP 800-140 Annex A

CMVP Documentation Requirements

SP 800-140 Annex B

CMVP Security Policy Requirements

SP 800-140 Annex C

CMVP Approved Security Functions

SP 800-140 Annex D

CMVP Approved Sensitive Security Parameter Generation and Establishment Methods

SP 800-140 Annex E

CMVP Approved Authentication Mechanisms

SP 800-140 Annex F

CMVP Approved Non-Invasive Attack Mitigation Test Metrics


FIPS 140-3 has been finally approved and launched as the latest standard for the security evaluation of cryptographic modules. It covers a large spectrum of threats and vulnerabilities as it defines the security requirements starting from the initial design phase leading towards the final operational deployment of a cryptographic module. FIPS 140-3 requirements are primarily based on the two previously existing international standards ISO/IEC 19790:2012 “Security Requirements for Cryptographic Modules” and ISO 24759:2017 “Test Requirements for Cryptographic Modules”.


Read White Paper

References and Further Reading