About FIPS 140-3

What is FIPS 140

Federal Information Processing Standards (FIPS) are a collection of security standards publicly published by the US National Institute of Standards and Technology (NIST). The FIPS 140 regulation specifies requirements for cryptographic modules and covers both software and hardware components.

There are 11 areas of requirements the FIPS standard specifies:

  • cryptographic module specification,
  • cryptographic module ports and interfaces,
  • roles, services and authentication,
  • finite state model,
  • physical security,
  • operational environment,
  • cryptographic key management,
  • electromagnetic interference/electromagnetic compatibility (EMI/EMC),
  • self-tests,
  • design assurance, and
  • mitigation of other attacks.

The first FIPS 140 regulation, FIPS 140-1, was published on 11 January 1994. On 25 May 2001 FIPS 140-2 was issued and one year later FIPS 140-1 was withdrawn.

FIPS 140-3 and its Implementation

On 12 February 2005 the start of development of FIPS 140-3 was announced. In its early stages the new FIPS 140 series proposal suggested changing the previously used 4 levels of assurance to 5 (by adding Level 5), but the idea was later abbandoned. The finalised version of FIPS 140-3 now presents a significant change in the management of the FIPS standard by adopting two international standards instead of directly stating the cryptographic module requirements. The intention behind is to make it easier to satisfy the requirements for vendors and organisations, and to facilitate future updates.

The first standard FIPS 140-3 relies on is ISO/IEC 19790:2012 - Security Requirements for Cryptographic Modules, which covers security requirements for cryptographic modules in use in security computer and telecommunication systems.

The second is ISO 24759:2017 - Test Requirements for Cryptographic Modules. FIPS 140-3 made additional modification to both standards' annexes with so-called NIST Special Publications (SPs):






SP 800-140

FIPS 140-3 Derived Test Requirements (DTR)



§6.1 through §6.12

SP 800-140A

CMVP Documentation Requirements


Annex A


SP 800-140B

CMVP Security Policy Requirements


Annex B


SP 800-140C

CMVP Approved Security Functions


Annex C


SP 800-140D

CMVP Approved Sensitive Security Parameter Generation and Establishment Methods


Annex D


SP 800-140E

CMVP Approved Authentication Mechanisms


Annex E


SP 800-140F

CMVP Approved Non-Invasive Attack Mitigation Test Metrics


Annex F



These and other SP 800 documents can be located on NIST's official webpage. Currently only drafts of SP 800-140 are available, but according to the implementation schedule, their final versions are to be published on 22nd of March this year.

The official implementation schedule for FIPS 140-3 goes as follows:



March 22, 2019

FIPS 140-3 Approved

September 22, 2019

FIPS 140-3 Effective Date

Drafts of SP 800-140x  (Public comment closed 12-9-2019)

March 22, 2020

Publication of SP 800-140x documents

Implementation Guidance updates

Tester competency exam updated to include FIPS 140-3

Updated CMVP Program Management Manual

September 22, 2020

CMVP accepts FIPS 140-3 submissions

September 22, 2021

CMVP stops accepting FIPS 140-2 submissions for new validation certificates

September 22, 2026

Remaining FIPS 140-2 certificates moved to Historical List



Compiled by Nastja Cepak & CREAplus Cybersecurity team.


Webinar on Post-Quantum Cryptography (PQC)

the risk 03Cryptographic algorithms that proved to be secure for decades may be breached by quantum computers within minutes. 

Read more ...

Cynet Chooses CREAplus as a New Distributor for Cynet 360

Cynet SecurityCynet Security and CREAplus join forces to bring Cynet 360, the industry's first autonomous breach protection platform, to the Southeastern European market.

Read more ...

Technical Trainings for Cryptographic Solutions

Training Ljubljana 20190725 110441sml2CREAplus, authorized Utimaco training partner, has expanded its range of technical trainings for additional Utimaco cryptographic solutions.

Read more ...