About FIPS 140-3

What is FIPS 140

Federal Information Processing Standards (FIPS) are a collection of security standards publicly published by the US National Institute of Standards and Technology (NIST). The FIPS 140 regulation specifies requirements for cryptographic modules and covers both software and hardware components.

The FIPS standard specifies requirements in 11 areas:

  • cryptographic module specification,
  • cryptographic module ports and interfaces,
  • roles, services and authentication,
  • finite state model,
  • physical security,
  • operational environment,
  • cryptographic key management,
  • electromagnetic interference/electromagnetic compatibility (EMI/EMC),
  • self-tests,
  • design assurance, and
  • mitigation of other attacks.

The first FIPS 140 regulation, FIPS 140-1, was published on 11 January 1994. On 25 May 2001 FIPS 140-2 was issued and one year later FIPS 140-1 was withdrawn.

FIPS 140-3 and its Implementation

On 12 February 2005 the start of development of FIPS 140-3 was announced. In its early stages the new FIPS 140 series proposal suggested changing the previously used 4 levels of assurance to 5 (by adding Level 5), but the idea was later abandoned. The finalised version of FIPS 140-3 presents a significant change in the management of the FIPS standard: it adopts two international standards instead of directly stating the cryptographic module requirements. The intention behind this is to make it easier for vendors and organisations to satisfy the requirements, and to facilitate future updates.

The first standard FIPS 140-3 relies on is ISO/IEC 19790:2012 - Security Requirements for Cryptographic Modules, which covers security requirements for cryptographic modules used in securing computer and telecommunication systems.

The second is ISO 24759:2017 - Test Requirements for Cryptographic Modules. FIPS 140-3 makes additional modifications to both standards' annexes through so-called NIST Special Publications (SPs). Each SP is listed below with its title and the section or annex it applies to:

  • SP 800-140, FIPS 140-3 Derived Test Requirements (DTR): §6.1 through §6.12
  • SP 800-140A, CMVP Documentation Requirements: Annex A
  • SP 800-140B, CMVP Security Policy Requirements: Annex B
  • SP 800-140C, CMVP Approved Security Functions: Annex C
  • SP 800-140D, CMVP Approved Sensitive Security Parameter Generation and Establishment Methods: Annex D
  • SP 800-140E, CMVP Approved Authentication Mechanisms: Annex E
  • SP 800-140F, CMVP Approved Non-Invasive Attack Mitigation Test Metrics: Annex F

These and other SP 800 documents can be found on NIST's official webpage. Currently only drafts of SP 800-140 are available, but according to the implementation schedule, their final versions are to be published on 22 March this year.

The official implementation schedule for FIPS 140-3 goes as follows:

  • March 22, 2019: FIPS 140-3 Approved
  • September 22, 2019: FIPS 140-3 Effective Date; Drafts of SP 800-140x (Public comment closed 12-9-2019)
  • March 22, 2020: Publication of SP 800-140x documents; Implementation Guidance updates; Tester competency exam updated to include FIPS 140-3; Updated CMVP Program Management Manual
  • September 22, 2020: CMVP accepts FIPS 140-3 submissions
  • September 22, 2021: CMVP stops accepting FIPS 140-2 submissions for new validation certificates
  • September 22, 2026: Remaining FIPS 140-2 certificates moved to Historical List

Compiled by Nastja Cepak & CREAplus Cybersecurity team.

