About FIPS 140-3

What is FIPS 140

Federal Information Processing Standards (FIPS) are a collection of security standards publicly published by the US National Institute of Standards and Technology (NIST). The FIPS 140 regulation specifies requirements for cryptographic modules and covers both software and hardware components.

There are 11 areas of requirements the FIPS standard specifies:

  • cryptographic module specification,
  • cryptographic module ports and interfaces,
  • roles, services and authentication,
  • finite state model,
  • physical security,
  • operational environment,
  • cryptographic key management,
  • electromagnetic interference/electromagnetic compatibility (EMI/EMC),
  • self-tests,
  • design assurance, and
  • mitigation of other attacks.

The first FIPS 140 regulation, FIPS 140-1, was published on 11 January 1994. On 25 May 2001 FIPS 140-2 was issued and one year later FIPS 140-1 was withdrawn.

FIPS 140-3 and its Implementation

On 12 February 2005 the start of development of FIPS 140-3 was announced. In its early stages the new FIPS 140 series proposal suggested changing the previously used 4 levels of assurance to 5 (by adding Level 5), but the idea was later abandoned. The finalised version of FIPS 140-3 presents a significant change in the management of the FIPS standard: it adopts two international standards instead of directly stating the cryptographic module requirements. The intention behind this is to make it easier for vendors and organisations to satisfy the requirements, and to facilitate future updates.

The first standard FIPS 140-3 relies on is ISO/IEC 19790:2012 - Security Requirements for Cryptographic Modules, which covers security requirements for cryptographic modules used in computer and telecommunication security systems.

The second is ISO 24759:2017 - Test Requirements for Cryptographic Modules. FIPS 140-3 made additional modifications to both standards' annexes through so-called NIST Special Publications (SPs):






  • SP 800-140, FIPS 140-3 Derived Test Requirements (DTR): §6.1 through §6.12
  • SP 800-140A, CMVP Documentation Requirements: Annex A
  • SP 800-140B, CMVP Security Policy Requirements: Annex B
  • SP 800-140C, CMVP Approved Security Functions: Annex C
  • SP 800-140D, CMVP Approved Sensitive Security Parameter Generation and Establishment Methods: Annex D
  • SP 800-140E, CMVP Approved Authentication Mechanisms: Annex E
  • SP 800-140F, CMVP Approved Non-Invasive Attack Mitigation Test Metrics: Annex F



These and other SP 800 documents can be found on NIST's official webpage. Currently only drafts of SP 800-140 are available, but according to the implementation schedule, their final versions are to be published on 22 March this year.

The official implementation schedule for FIPS 140-3 goes as follows:



March 22, 2019
  • FIPS 140-3 Approved

September 22, 2019
  • FIPS 140-3 Effective Date
  • Drafts of SP 800-140x (Public comment closed 12-9-2019)

March 22, 2020
  • Publication of SP 800-140x documents
  • Implementation Guidance updates
  • Tester competency exam updated to include FIPS 140-3
  • Updated CMVP Program Management Manual

September 22, 2020
  • CMVP accepts FIPS 140-3 submissions

September 22, 2021
  • CMVP stops accepting FIPS 140-2 submissions for new validation certificates

September 22, 2026
  • Remaining FIPS 140-2 certificates moved to Historical List



Compiled by Nastja Cepak & CREAplus Cybersecurity team.

