Skip to main content
purple hex pattern

FIPS 140-3 Comprehensive Guide

FIPS (Federal Information Processing Standard) 140-3 is the latest benchmark for validating the effectiveness of cryptographic hardware. If a product has a FIPS 140-3 certificate you know that it has been tested and formally validated by the U.S. and Canadian Governments. Although FIPS 140-3 is a relatively new U.S./Canadian Federal standard, its predecessor, FIPS 140-2 compliance has been widely adopted around the world in both governmental and non-governmental sectors as a practical security benchmark and realistic best practice.

What does FIPS 140-3 have that FIPS 140-2 doesn’t?

FIPS 140-3 is the latest version of the U.S. government computer security standard used to validate cryptographic modules. FIPS 140-3 aligns with the ISO/IEC 19790 standard and introduced several new enhancements to the security requirements relative to the FIPS 140-2 standard including:

  • The approved mode of operation indicator is applicable to all levels and must be reported by each service offered by the module.
  • Stricter zeroization requirements on Critical Security Parameters (CSPs).
  • Authentication data complexity is no longer allowed to the enforced by procedural means and must be enforced by the module.
  • Physical security at Level 3 now requires the module to detect and react to out-of-range voltage or temperature (environmental failure protection, or EFP), or alternatively undergo environmental failure testing (EFT). For Level 4, EFP and protection against fault injection is now required.
  • New multi-factor authentication (MFA) requirements for Level 4.
  • New assurance requirements for the development lifecycle of the module that introduce key security practices such as developer testing of the module and the use of automated security diagnostic tools (e.g., static analysis)
  • Non-invasive security is introduced as an optional requirement and will cover guidance for testing against side channel attacks.

As of April 1, 2022, FIPS PUB 140-3 Security Requirements for Cryptographic Modules supersedes FIPS 140-2 for new submissions.

Products certified to FIPS 140-2 can remain valid for 5 years after validation. See NIST transition page for more details.

FIPS 140-3 levels

Organizations use the FIPS 140-3 standard to ensure that the hardware they select meets specific security requirements. The FIPS certification standard defines four increasing, qualitative levels of security:

  • Level 1: Requires production-grade equipment and externally tested algorithms.
  • Level 2: Adds requirements for physical tamper-evidence and role-based authentication.
  • Level 3: Adds requirements for physical tamper-resistance and identity-based authentication. There must also be physical or logical separation between the interfaces by which “critical security parameters” enter and leave the module. Private keys can only enter or leave in encrypted form. Level 3 also requires the module to detect and react to out-of-range voltage or temperature (environmental failure protection, or EFP), or alternatively undergo environmental failure testing (EFT).
  • Level 4: This level makes the physical security requirements more stringent, requiring the ability to be tamper-active, erasing the contents of the device if it detects various forms of environmental attack. EFP and protection against fault injection is required as well as multi-factor authentication.

For many organizations, requiring FIPS certification at FIPS 140-2 and FIPS 140-3 level 3 is a good compromise between effective security, operational convenience, and choice in the marketplace.

When FIPS 140-3 was published in 2019, a five-year sunset period was announced for FIPS 140-2 certificates.