FIPS 140-3 is the de facto standard for certifying cryptography implemented in ICT products

What is FIPS 140-3?

FIPS 140-3 is the latest U.S. government standard that defines the security requirements for cryptographic modules, including the hardware, software, and firmware used to encrypt and protect sensitive data. Published by the National Institute of Standards and Technology (NIST), FIPS 140-3 replaces FIPS 140-2 and aligns with international standards such as ISO/IEC 19790, making it more globally applicable.

The standard establishes a comprehensive framework for evaluating the design and implementation of cryptographic technologies. It addresses critical areas such as encryption algorithms, key management, authentication, and both physical and logical security controls. FIPS 140-3 also introduces four increasing levels of security—from basic protections to advanced safeguards against sophisticated physical attacks—allowing organizations to select the appropriate level based on their risk profile.

FIPS 140-3 validation is essential for organizations operating in regulated environments. It is mandatory for U.S. federal agencies and widely recognized across industries such as finance, healthcare, and defense. Achieving validation demonstrates that cryptographic modules have been independently tested and meet stringent security requirements, helping organizations build trust, ensure compliance, and protect sensitive information in an evolving threat landscape.

Key facts about FIPS 140-3

  • Full name: Federal Information Processing Standard Publication 140-3
  • Issued by: National Institute of Standards and Technology (NIST)
  • Effective date: September 22, 2019
  • Supersedes: FIPS 140-2 (2001)
  • Basis: ISO/IEC 19790:2012 and ISO/IEC 24759:2017

Background and Scope of FIPS 140-3

FIPS 140-3 sets criteria for the design and testing of cryptographic modules—components providing encryption, decryption, digital signatures, and key management. It applies to modules used in federal information systems that handle sensitive but unclassified data. Non-federal organizations often adopt it voluntarily for compatibility or to meet industry regulations.

FIPS 140-3 Validation Process and Ongoing Relevance

FIPS 140 Validation Process

To achieve FIPS 140-3 compliance, vendors submit their modules to accredited Cryptographic and Security Testing (CST) Laboratories. These labs perform standardized tests covering areas such as roles, services, physical security, key management, and self-tests. Successful modules receive a validation certificate published on the NIST CMVP website.

FIPS 140-3 underpins trust in U.S. government encryption systems and influences commercial security certifications worldwide. Its alignment with ISO standards facilitates mutual recognition, supporting global interoperability in cryptographic assurance.

  • In the U.S., the DoD and NIAP NSTISSP No. 11 require FIPS 140 validation for cryptographic modules used by federal government agencies to store, transmit or protect sensitive but unclassified information (see section 3.2 of the FIPS 140-3 FAQ for details).
  • In Canada, the CSEC recommends federal agencies use FIPS 140 validated cryptographic modules to secure data designated as Protected A or Protected B.
  • In the U.K., the Communications-Electronics Security Group (CESG) recommends the use of FIPS 140 validated cryptographic modules.

Major changes from FIPS 140-2

The update aligns the U.S. standard with international cryptographic standards (ISO/IEC 19790 and 24759). It refines the four security levels, enhances physical and logical protection requirements, and introduces concepts such as non-invasive attack mitigation. Testing and validation now follow international procedures coordinated by the Cryptographic Module Validation Program, jointly managed by NIST and the Communications Security Establishment.

Feature       FIPS 140-2           FIPS 140-3
Basis         U.S. specific        International (ISO/IEC aligned)
Testing       Older methodology    Updated, more rigorous
Flexibility   More prescriptive    More modular and adaptable
Status        Phasing out          Current standard

Intertek FIPS 140 Solutions

We seek to engage early and to adopt risk-mitigating processes: non-compliance is identified early, fixes are discussed and planned, the testing methodology is defined in advance so that your teams can plan accordingly, and the schedule is tracked closely to keep our progress in step with your development and test plans.

We have leveraged our considerable experience in FIPS 140 validation to develop custom tools and processes to offer a best-of-breed certification experience to our clients.

Algorithm Testing

Algorithm testing is an important step for the FIPS module validation process. While it is the most objective part of the validation process, it does not require specialized tools or skills to execute.

Design Consulting

Discuss the requirements that must be met and whether the module under consideration is likely to pass analysis and conformance testing against those requirements.

Gap Analysis & Strategy Workshop

Educate the vendor on the Cryptographic Module Validation Program (CMVP) and FIPS, and identify the requirements that must be met in order to support testing of the cryptographic module.

Documentation Development

Work with the vendor to collect existing information from the developer and compile it into the documents our lab needs to carry out analysis and testing.

Evaluation Services

Execute algorithm tests and develop functional and physical tests of product conformance to FIPS requirements.

Post-Certification Support

Monitor changes to the validation program requirements and provide updates to vendors on changes to the program or standard through implementation guidance issued by the CMVP.

FIPS 140-3 - Frequently Asked Questions (FAQs)

FIPS 140-3 is the third and current version of the Federal Information Processing Standard governing the security requirements for cryptographic modules. It specifies how cryptographic hardware and software protecting sensitive data must be designed, implemented, and validated for federal use.

The standard matters because it establishes a widely recognized benchmark for cryptographic assurance, influencing both government procurement and global cybersecurity compliance frameworks.

FIPS 140-3 ensures that cryptographic technologies meet strict security requirements, helping organizations protect sensitive data, meet regulatory obligations, and build trust with customers and stakeholders.

FIPS 140-2 certificates remain valid for existing modules for a limited time, but the standard is being phased out. New validations are required to meet FIPS 140-3 requirements.

FIPS 140 defines four increasing levels of security assurance:

Security Level   Description
Level 1          Basic security requirements using approved cryptographic algorithms and production-grade components.
Level 2          Adds tamper-evidence and role-based authentication to help detect unauthorized access.
Level 3          Requires tamper-resistant hardware, stronger identity-based authentication, and separation of critical security parameters.
Level 4          The highest level, providing robust physical security and environmental protection, designed to detect and respond to physical attacks.

A cryptographic module is any hardware, software, or firmware component that performs cryptographic functions such as encryption, decryption, key generation, or secure authentication.
