
Federal Information Processing Standards (FIPS) 140-3


What is the Federal Information Processing Standards (FIPS) 140-3?

The Federal Information Processing Standards (FIPS) 140-3 is the updated version of the U.S. government’s cryptographic module validation standard, replacing FIPS 140-2. Published by NIST, FIPS 140-3 aligns more closely with international cryptographic standards, particularly ISO/IEC 19790:2012, enhancing global compatibility for cryptographic security requirements.

FIPS 140-3 retains the same four security levels as FIPS 140-2 but introduces improvements, including:

  • Updated testing and evaluation criteria to address evolving cybersecurity threats.
  • Stronger requirements for entropy sources, ensuring more secure cryptographic key generation.
  • Enhanced software security testing, including protections against emerging attack vectors.
  • More precise definitions for physical security requirements, improving hardware-based encryption security.

As of September 2021, FIPS 140-3 officially replaced FIPS 140-2, though a transition period allows agencies and vendors to continue using FIPS 140-2 validated products until they expire. FIPS 140-2 modules can remain active for 5 years after validation or until September 21, 2026.

Organizations working with federal data, especially cloud service providers seeking FedRAMP authorization, must now adopt FIPS 140-3-compliant cryptographic modules to maintain compliance.