A Federal Register Notice has been issued for the “Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules”.

Having now been signed by the U.S. Commerce Secretary, it is official, FIPS 140-3 has been approved!

“This notice announces the Secretary of Commerce’s issuance of Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules. FIPS 140-3 includes references to two existing international standards: International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E) Information technology — Security techniques — Security requirements for cryptographic modules, and ISO/IEC 24759:2017(E) Information technology — Security techniques — Test requirements for cryptographic modules. As permitted by those standards, NIST Special Publication (SP) series 800-140 will specify updates, replacements, or additions to the currently-cited ISO/IEC standard, as necessary. Those new SP 800-140 documents (currently under development) will consolidate implementation guidance and administrative guidance, and will be made available for public review and comment.”

Key Dates:

Companies actively working on or planning a FIPS validation will inevitably face decisions around which standard to work towards. The following dates will be critical for those projects:

  • Draft For Comments: Complete
  • Effective Date: Complete
  • Publication of the Standard: Complete
  • Supporting Documents for FIPS 140-2 & the CMVP Released: Complete
  • New Testing Begins: 9/22/20
  • 140-3 Mandated & The Last Day for 140-2 Submissions: 9/22/21 (This means Labs must submit their Lab reports to CMVP by this date)


CMVP wants to minimize the content in the series of NIST SP 800-140 documents because they hope to be as close to the international standard as possible. These are the documents that we believe will replace the existing FIPS 140-2 DTR, Appendices, and Annexes:

A notable omission from the new SP 800-140 series is any reference document for Approved Protection Profiles from Common Criteria (a CC-certified operating system was required for software validations at level 2 and above).

Early Review and Analysis:

This release has been a long time coming. We still expect additional updates and changes to come, but Corsec has reviewed the public documents and found the following areas to be of interest:

  • Rather than encompassing the module requirements directly, FIPS 140-3 references ISO/IEC 19790:2012. The testing for these requirements will be in accordance with ISO/IEC 24759:2017
  • This version of FIPS 140-3 retains the 4 levels of validation
  • The sections in FIPS 140-3 are now as follows:
    1. Cryptographic Module Specification
    2. Cryptographic Module Interfaces
    3. Roles, Services, And Authentication
    4. Software/Firmware Security
    5. Operating Environment
    6. Physical Security
    7. Non-Invasive Security
    8. Sensitive Security Parameter Management*
    9. Self-Tests
    10. Life-Cycle Assurance
    11. Mitigation of Other Attacks

*Sensitive Security Parameters is a new category – SSPs include both CSPs and PSPs (Public Security Parameters)

**Finite State Model was removed but may have been absorbed into section 11

***EMI/EMC was removed. There was no mention of EMI/EMC in the draft ISO 24759 either

Moving Forward:

  1. Get Ahead: Be the first to complete the new standard (FIPS 140-3)
  2. Revalidate Early: Avoid the new requirements prior to the mandated transition date and add 5 years to your current FIPS 140-2 validation
  3. Plan Accordingly – Products being evaluated against FIPS 140-2 during testing transition may face problems completing their certification under old requirements.

Corsec participates in numerous committees, technical working groups, certification leadership positions, and industry events. As more information develops, we will deliver updates. Stay informed on all the program details, requirements, and timelines associated with FIPS 140-3 – Subscribe

For more information on the current FIPS 140-2 program, requirements, and process – visit here.

For any questions on how this will affect current or future FIPS projects, contact Corsec!


Press Contact:

Jake Nelson
Corsec Director of Marketing