Introduction: FIPS 140-3 Cryptographic Module Validation
FIPS 140-3, formally Federal Information Processing Standard Publication 140-3 (Security Requirements for Cryptographic Modules), is the mandatory United States and Canadian Federal standard governing the design, implementation and operational assurance of cryptographic modules that protect sensitive but unclassified (SBU) information. Approved by the U.S. Secretary of Commerce in March 2019 and effective from 22 September 2019, FIPS 140-3 supersedes FIPS 140-2 and represents a fundamental architectural shift: rather than defining its own security requirements text, FIPS 140-3 adopts the international standards ISO/IEC 19790:2012 (security requirements) and ISO/IEC 24759:2017 (test requirements) by reference, layering NIST-specific modifications on top through the SP 800-140x document series.
Validation is administered jointly by the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) under the Cryptographic Module Validation Program (CMVP). Independent testing is performed by accredited third-party Cryptographic and Security Testing (CST) laboratories, and every validated module carries a certificate number published on the CMVP Validated Modules List. FIPS 140-3 is the gateway requirement for selling cryptographic products to the U.S. Federal Government, and it is increasingly demanded across regulated global sectors — finance, healthcare, critical infrastructure and defence supply chains — as objective, laboratory-verified evidence that a module's cryptography is correct, resistant to tampering and operated in an approved manner.
This guide is written for two audiences simultaneously. For the vendor / product team seeking validation, it maps the module design, documentation and testing lifecycle end to end. For the auditor, assessor or procurement officer, it provides a verification framework to confirm that a claimed FIPS 140-3 validation genuinely covers the deployed configuration, the correct security level and the operational assumptions of the environment. Throughout, we enumerate the eleven security requirement areas, the four security levels, the algorithm and self-test regime, and the CMVP submission process (including the FIPS 140-3 Implementation Guidance and the Entropy Source Validation requirement of SP 800-90B).
What is FIPS 140-3
FIPS 140-3 specifies the security requirements that a cryptographic module must satisfy to be trusted to protect sensitive information within a computer or telecommunications system. A 'cryptographic module' is the set of hardware, software, firmware, or some combination thereof that implements approved security functions (encryption, decryption, digital signatures, hashing, message authentication, key establishment, random bit generation) and is contained within a defined cryptographic boundary. The standard is deliberately technology-agnostic: the same requirement areas apply whether the module is a hardware security module (HSM), a smartcard, a software cryptographic library, a self-encrypting drive, a network appliance or a firmware component.
FIPS 140-3 differs from FIPS 140-2 in several material respects. It replaces the four Areas-of-old with eleven security requirement areas aligned to ISO/IEC 19790. It introduces non-invasive attack mitigation (side-channel resistance) as a formal requirement area. It strengthens the treatment of entropy through mandatory alignment with SP 800-90B for Level 2 and above (and requires an Entropy Source Validation, ESV, certificate). It mandates the concept of degraded operation and life-cycle assurance including a formal Cryptographic Module Security Policy. Modules must implement only CAVP-tested (Cryptographic Algorithm Validation Program) approved algorithms in the approved mode of operation, and any non-approved algorithms must be clearly delineated.
A key concept is the distinction between the 'approved mode of operation' and any non-approved mode. When a module is placed into its approved mode, only NIST-approved and allowed security functions may be invoked, self-tests must pass, and the module must enforce its security policy. Validation certifies the module at a specific overall security level (1 through 4), which is the minimum of the levels achieved across the eleven requirement areas — a module may claim higher levels in individual areas, but the overall rating is bounded by its weakest area.
| Attribute | FIPS 140-3 detail |
|---|---|
| Full title | Security Requirements for Cryptographic Modules |
| Issuer / scheme owner | NIST and CCCS, administered under the CMVP |
| Effective date | 22 September 2019 (testing began), FIPS 140-2 sunset for new submissions April 2022 |
| Normative basis | ISO/IEC 19790:2012 + ISO/IEC 24759:2017, modified by NIST SP 800-140x |
| Testing bodies | NVLAP-accredited CST laboratories |
| Algorithm testing | CAVP (Cryptographic Algorithm Validation Program) via ACVTS |
| Entropy testing | ESV per SP 800-90B (required Level 2+) |
| Security levels | Four (Level 1 lowest to Level 4 highest) |
| Requirement areas | Eleven security requirement areas per ISO/IEC 19790 |
| Certificate validity | Up to 5 years from validation, subject to the transition sunset schedule |
Who must comply
FIPS 140-3 validation is legally mandatory for cryptographic modules used by U.S. Federal agencies to protect sensitive but unclassified information, and by extension for any vendor that wishes to sell such products into the Federal market. Its reach extends well beyond U.S. Government, however, because numerous downstream regulations, procurement frameworks and international schemes cite FIPS 140 validation as a prerequisite or a strong assurance signal.
- U.S. Federal Government departments and agencies — required by FISMA and NIST SP 800-53 control SC-13 to use FIPS-validated cryptography for SBU data.
- Vendors selling to Federal agencies — hardware and software cryptographic products must carry a valid CMVP certificate covering the procured configuration.
- U.S. Department of Defense supply chain — DFARS / CMMC and DoD policies require FIPS-validated modules for covered defense information.
- Government of Canada departments — CCCS mandates validated modules through the joint CMVP.
- Payment industry participants — PCI DSS and PCI PIN / PCI HSM commonly recognise FIPS 140 validation for HSMs and key-management devices.
- Healthcare and life sciences — HIPAA Security Rule encryption safe harbour is satisfied using FIPS-validated cryptography.
- Critical infrastructure and OT vendors — energy (NERC CIP), telecommunications and industrial control providers frequently specify FIPS 140.
- Global regulated enterprises and cloud providers — FedRAMP requires FIPS-validated modules for data at rest and in transit within authorised boundaries.
| Stakeholder | Obligation under / relationship to FIPS 140-3 |
|---|---|
| U.S. Federal agency (buyer) | Must procure and deploy only FIPS 140-3 (or still-valid 140-2) validated modules for SBU data (SP 800-53 SC-13). |
| Cryptographic module vendor | Must obtain a CMVP certificate; is responsible for the Security Policy, test evidence and maintaining the validated configuration. |
| CST laboratory | Accredited third party that performs conformance testing and prepares the test report submitted to the CMVP. |
| CMVP (NIST + CCCS) | Reviews the laboratory submission, issues the certificate and publishes the module on the validated list. |
| System integrator / product OEM | Must ensure embedded modules remain in validated configuration and invoke only the approved mode. |
| FedRAMP / DoD authorising official | Verifies that cloud or system offerings use validated modules within the authorisation boundary. |
Structure of FIPS 140-3
FIPS 140-3 organises its requirements into eleven security requirement areas derived from ISO/IEC 19790:2012, plus a set of cross-cutting concepts (approved mode, security policy, degraded operation, life-cycle assurance). For each area the standard defines graduated requirements across four security levels. The overall validation level equals the lowest level achieved in any single area. The table below summarises the eleven areas that structure both the module design and the assessment; these areas are elaborated control-by-control in the master assessment checklist that follows.
| # | Security requirement area | Focus of the area |
|---|---|---|
| 1 | Cryptographic module specification | Boundary definition, approved/non-approved modes, security policy, versioning. |
| 2 | Cryptographic module interfaces | Logical and physical ports; data, control, status and power interfaces; trusted channel. |
| 3 | Roles, services and authentication | User/Crypto-Officer/Maintenance roles; role-based vs identity-based authentication. |
| 4 | Software / firmware security | Integrity of executable code, approved integrity techniques, load test. |
| 5 | Operational environment | Modifiable vs non-modifiable OE, OS assurance, separation and control. |
| 6 | Physical security | Tamper evidence, tamper response, opacity, EFP/EFT (Level 3/4). |
| 7 | Non-invasive security | Mitigation of side-channel / non-invasive attacks (timing, power, EM). |
| 8 | Sensitive security parameter (SSP) management | Generation, entry/output, storage, zeroisation of keys and CSPs/PSPs. |
| 9 | Self-tests | Pre-operational and conditional self-tests; error states. |
| 10 | Life-cycle assurance | Configuration management, design, FSM, delivery, guidance, secure operation. |
| 11 | Mitigation of other attacks | Documented countermeasures for attacks not covered by other areas. |
Master assessment checklist
This is the core section of the guide. It enumerates every FIPS 140-3 security requirement area and its constituent requirements, expressed as verifiable assertions. For each area a table lists what the assessor must verify and the typical evidence a vendor should produce. These map to the Derived Test Requirements (DTRs) of ISO/IEC 24759 as tailored by SP 800-140. Requirements marked Level 3/4 apply only at those security levels. No control area is omitted.
Area 1 — Cryptographic module specification
| What to verify | Typical evidence |
|---|---|
| The cryptographic boundary is precisely and unambiguously defined (physical perimeter and/or logical block diagram). | Block diagram, boundary drawing, hardware/firmware/software component list in the Security Policy. |
| The module type is declared (hardware, software, firmware, hybrid) and its embodiment identified. | Security Policy Section 1; datasheet; photographs of the physical module. |
| All approved security functions and the approved mode of operation are specified. | Table of approved algorithms with CAVP certificate numbers; approved mode indicator. |
| Non-approved and allowed (but not approved) algorithms are listed and separated from the approved mode. | Security Policy algorithm tables (approved, allowed, non-approved). |
| Module versioning (hardware p/n and version, firmware/software version) is exact and matches the tested artefact. | Version identifiers, part numbers, build hashes. |
| A degraded mode of operation (if implemented) is described with its restrictions. | Security Policy degraded operation description. |
Area 2 — Cryptographic module interfaces
| What to verify | Typical evidence |
|---|---|
| All physical and logical interfaces are identified and mapped to the four required interface types (data input, data output, control input, status output) plus power. | Interface specification, port/pin mapping table. |
| Data output is inhibited during self-tests, error states and key/CSP generation/zeroisation. | Design documentation; FSM transitions; test results demonstrating output inhibition. |
| A trusted channel is provided for plaintext SSP entry/output where required (Level 3/4). | Trusted channel design; authentication of endpoints. |
| Control and status interfaces are logically distinct from data interfaces. | Interface segregation description; API specification. |
| The module distinguishes data flows so that no information leaks across interface types. | Data flow diagrams; verification of separation. |
Area 3 — Roles, services and authentication
| What to verify | Typical evidence |
|---|---|
| The Crypto Officer, User and (optional) Maintenance roles are defined with their authorised services. | Roles and services table in the Security Policy. |
| Each service is listed with its inputs, outputs, the SSPs accessed and the type of access (read/write/execute/zeroise). | Services table mapping service to SSP access rights. |
| Authentication is role-based (Level 2) or identity-based (Level 3/4) as required by the claimed level. | Authentication mechanism description; strength-of-mechanism analysis. |
| Authentication strength meets the false-acceptance limits (e.g. <1 in 1,000,000 per attempt; <1 in 100,000 per minute). | Probability calculations for the authentication data space. |
| Self-initiated and unauthenticated services (e.g. show status, self-test, zeroise) are limited and justified. | List of services available without authentication. |
| Feedback of authentication data does not weaken the mechanism (no plaintext echo). | UI/API behaviour evidence; obscured entry. |
Area 4 — Software / firmware security
| What to verify | Typical evidence |
|---|---|
| Integrity of all software/firmware components within the boundary is verified using an approved integrity technique (approved digital signature or approved MAC / HMAC / hash-based). | Integrity mechanism specification; the pre-operational software/firmware integrity test. |
| A load test verifies externally loaded code before execution (where the OE permits loading). | Design of secure load; verification of signature on load. |
| The integrity test covers all executable code within the boundary, not a subset. | Mapping of components to integrity coverage. |
| The module operates only after the integrity test passes; failure forces an error state. | FSM; error-state behaviour evidence. |
| Executable form and source correspondence is maintained under configuration control. | Build reproducibility; hash of the tested binary. |
Area 5 — Operational environment
| What to verify | Typical evidence |
|---|---|
| The operational environment is classified as non-modifiable, limited or modifiable and the correct requirements applied. | OE classification statement; platform description. |
| For a modifiable OE, the underlying OS provides process separation and the module runs in its own protected space. | OS assurance description; tested platform (OE) list. |
| The specific tested operational environments (OS + processor) are enumerated and match the deployment. | Tested OE table with OS versions and CPU. |
| Where operational equivalence / porting is claimed, it is within CMVP rules. | Vendor affirmation / rebranding or porting documentation. |
| Sensitive data in memory is protected and not exposed to other processes. | Memory protection / zeroisation on release evidence. |
Area 6 — Physical security
| What to verify | Typical evidence |
|---|---|
| Physical security mechanisms match the claimed level: production-grade (L1), tamper-evidence (L2), tamper-detection/response and identity-based (L3), envelope protection with EFP/EFT (L4). | Physical security description; photographs; tamper-evidence samples. |
| Tamper-evident coatings, seals or enclosures cover all removable covers and doors (L2+). | Seal placement diagram; tamper-evidence test results. |
| Tamper response actively zeroises plaintext SSPs on intrusion detection (L3/L4). | Tamper-response circuit design; zeroisation-on-tamper test. |
| Environmental Failure Protection (EFP) or Environmental Failure Testing (EFT) addresses temperature/voltage extremes (L3 EFT / L4 EFP). | EFP/EFT test reports across the specified range. |
| Opacity prevents visual probing of internal circuitry as required by level. | Opacity assessment; enclosure inspection. |
Area 7 — Non-invasive security
| What to verify | Typical evidence |
|---|---|
| Non-invasive attack mitigations (timing analysis, simple/differential power analysis, electromagnetic emanation) are documented for claimed protections. | Non-invasive attack mitigation description; SP 800-140F referenced methods. |
| The effectiveness of each mitigation is testable and, where CMVP test metrics exist, has been evaluated. | Test methodology and results per applicable metric. |
| Constant-time or masked implementations are used where the module claims side-channel resistance. | Source-level design notes; leakage assessment results. |
Area 8 — Sensitive security parameter (SSP) management
| What to verify | Typical evidence |
|---|---|
| All SSPs — critical security parameters (CSPs: keys, seeds, authentication data) and public security parameters (PSPs) — are enumerated with their type, strength and lifecycle. | SSP table listing every key/CSP/PSP. |
| Random bit generation uses an approved DRBG (SP 800-90A) seeded by a validated entropy source (SP 800-90B, ESV certificate) at required levels. | DRBG selection; ESV / entropy report and certificate. |
| Key generation, establishment, agreement and derivation use approved methods (SP 800-56A/B/C, SP 800-108, SP 800-133). | Key-generation design; CAVP certificates for KAS/KDF. |
| Plaintext CSP entry/output is prohibited or protected by a trusted channel / split knowledge as required. | CSP entry/output procedures; split-knowledge design (L3/4). |
| SSP storage protects confidentiality and integrity; keys are associated with entities and modes. | Key storage design; access control on stored keys. |
| Zeroisation of all unprotected SSPs is provided, procedurally and/or on tamper, and is verified. | Zeroisation procedure; zeroisation test evidence. |
Area 9 — Self-tests
| What to verify | Typical evidence |
|---|---|
| Pre-operational self-tests (software/firmware integrity, and bypass/critical function tests as applicable) run before the module enters the operational state. | Self-test inventory; execution log; FSM pre-operational state. |
| Conditional self-tests run when triggered: cryptographic algorithm self-tests (CAST) for each approved algorithm, pairwise consistency test on key-pair generation, entropy health tests, and load tests. | List of CASTs; DRBG health tests; pairwise consistency test evidence. |
| A known-answer test (KAT) or comparable CAST exists for every approved algorithm used before first operational use. | KAT vectors and results per algorithm. |
| On any self-test failure the module enters an error state, inhibits data output and cryptographic operations, and indicates the error via status. | Error-state design; status output evidence. |
| The module can be recovered from the error state only by defined means (reset/reboot). | Recovery procedure documentation. |
Area 10 — Life-cycle assurance
| What to verify | Typical evidence |
|---|---|
| A configuration management system uniquely identifies and controls all module components and documentation. | CM plan; versioned repository; item identifiers. |
| Design documentation completely and accurately describes the module and satisfies the finite state model (FSM). | Design specification; FSM diagram with states and transitions. |
| Secure delivery procedures protect the module and SSPs from origin to operator (tamper-evident shipping, delivery verification). | Delivery and operation guidance; shipping controls. |
| Administrator (Crypto-Officer) and user guidance documents secure installation, initialisation and approved-mode operation. | Crypto Officer Guidance and User Guidance. |
| Vendor testing (functional and where applicable low-level) demonstrates correct implementation. | Vendor test plan and results. |
| End-of-life / sanitisation guidance ensures SSPs are destroyed at decommissioning. | End-of-life procedures in the Security Policy. |
Area 11 — Mitigation of other attacks
| What to verify | Typical evidence |
|---|---|
| Attacks not addressed by Areas 1–10 (e.g. fault injection, differential fault analysis, specific side channels beyond the non-invasive metrics) are identified. | Threat analysis of applicable other attacks. |
| Where the module claims mitigation, the countermeasure is documented and, if a CMVP test metric exists, tested; otherwise mitigation is described in the Security Policy. | Countermeasure description; test results where available. |
| If no such attacks are claimed to be mitigated, this is explicitly stated (N/A justified). | Security Policy statement of applicability. |
Scoping
Scoping a FIPS 140-3 validation is the single most consequential early decision, because the cryptographic boundary determines what is tested, what evidence is required, the achievable security level and ultimately the cost and duration of validation. A boundary drawn too wide pulls non-cryptographic code and hardware into the assessment, inflating effort; a boundary drawn too narrow may exclude functions the operator relies on and produce a certificate that does not cover the real deployment.
- Define the cryptographic boundary — the explicit set of hardware, firmware and software that will be validated. Everything inside must meet the requirements; everything outside is untrusted.
- Choose the module embodiment — single-chip, multi-chip embedded, or multi-chip standalone — as this drives the physical security requirements.
- Select the target overall security level (1–4) and, where beneficial, higher per-area levels, balancing market demand against cost.
- Enumerate the approved security functions in scope and confirm each has (or will obtain) a CAVP certificate.
- Identify the operational environments (OS + processor) to be listed on the certificate; each tested OE must be exercised.
- Determine the entropy source strategy — internal validated entropy (ESV) versus external entropy — and its impact on the achievable level.
- Delineate approved vs non-approved modes so the certificate scope and Security Policy are unambiguous.
- Confirm whether porting, rebranding (OEM) or sub-chip scenarios apply, and follow the relevant CMVP Implementation Guidance.
Implementation approach
A FIPS 140-3 validation is best run as a phased engineering and documentation programme executed in partnership with an accredited CST laboratory. The phases below sequence the work from readiness through certificate issuance and maintenance, with concrete activities and deliverables for each.
Phase 1 — Readiness and gap analysis
Activities: appoint a validation lead; select the CST laboratory; hold a scoping workshop to fix the cryptographic boundary, module embodiment and target level; perform a gap analysis of the current design against the eleven requirement areas; inventory algorithms against CAVP coverage; assess the entropy source against SP 800-90B. Deliverables: scoping document, boundary diagram, gap-analysis report, remediation backlog, project plan and budget.
Phase 2 — Design and remediation
Activities: implement design changes to close gaps (self-tests/KATs, zeroisation, integrity mechanism, role/authentication logic, output inhibition, tamper mechanisms for L3/4); implement or integrate an approved DRBG and validated entropy source; build the finite state model; enforce the approved mode. Deliverables: updated module firmware/software/hardware, FSM, updated design documentation, configuration-management baseline.
Phase 3 — Algorithm and entropy validation
Activities: run CAVP algorithm testing through the Automated Cryptographic Validation Test System (ACVTS) for every approved algorithm; obtain CAVP certificates; run entropy analysis and submit for an ESV certificate under SP 800-90B. Deliverables: CAVP algorithm certificates, ESV/entropy assessment report and certificate, algorithm-to-service mapping.
Phase 4 — Documentation and Security Policy
Activities: author the Non-Proprietary Cryptographic Module Security Policy (mandatory, published with the certificate), Crypto-Officer and User guidance, delivery and secure-operation procedures; assemble vendor test evidence; map every requirement to the ISO/IEC 24759 DTRs. Deliverables: Security Policy, guidance documents, complete evidence package.
Phase 5 — Laboratory testing
Activities: the CST laboratory performs conformance testing, source-code and design review, physical security testing (L3/4), operational testing across each tested OE, and produces the test report and functional test evidence; iterate on findings. Deliverables: laboratory test report (per ISO/IEC 24759), physical security test results, resolved finding log.
Phase 6 — CMVP submission and certificate
Activities: the laboratory submits the package to the CMVP; the module enters the Modules In Process (MIP) list; NIST/CCCS review, raise comments, and on resolution issue the certificate and publish the module on the Validated Modules List. Deliverables: CMVP certificate number, published Security Policy, entry on the validated list.
Phase 7 — Maintenance and change management
Activities: manage post-validation changes through the appropriate SP 800-140B scenario; monitor algorithm transitions and sunset dates; plan re-validation before certificate expiry. Deliverables: change scenario submissions, updated certificates, re-validation plan.
Capability and level model
FIPS 140-3 defines four security levels of increasing rigour. The overall validation level is the minimum level attained across all eleven areas. Levels are cumulative — each higher level adds requirements to the one below. The table summarises the defining characteristics of each level.
| Level | Physical security | Authentication | Operational environment | Typical use |
|---|---|---|---|---|
| Level 1 | Production-grade components; no specific physical protection required. | No operator authentication required (role assumed). | Modifiable OE permitted (e.g. general-purpose OS / software module). | Software crypto libraries; low-risk data. |
| Level 2 | Tamper-evidence (seals/coatings) on removable covers; opacity. | Role-based authentication. | Modifiable OE with an evaluated / CC-assured or equivalent OS. | Appliances, disk encryption, general enterprise HSM/software. |
| Level 3 | Tamper detection and response (zeroisation on intrusion); strong enclosure; EFT. | Identity-based authentication; trusted channel for plaintext SSPs. | Separation of critical parameters enforced. | HSMs, payment devices, high-value key management. |
| Level 4 | Complete envelope of protection; immediate zeroisation on any penetration; EFP across environmental range. | Identity-based authentication; multi-factor where applicable. | Robust protection against all physical/environmental compromise. | Highest-assurance HSMs; hostile/unattended deployment. |
Assessment and audit approach
Whether performed by the CST laboratory for validation or by an internal/procurement auditor confirming a claimed validation, the assessment follows a disciplined sequence anchored in the ISO/IEC 24759 test requirements and the CMVP process.
- Confirm the scope: identify the exact module name, hardware/firmware/software versions and the cryptographic boundary being assessed.
- Verify the certificate: locate the CMVP certificate on the Validated Modules List (or MIP status) and confirm it covers the versions and operational environments in use.
- Confirm the security level: check the overall level and per-area levels against the deployment's assurance needs.
- Review the Security Policy: read the published Non-Proprietary Security Policy for approved mode, roles/services, SSPs, self-tests and operator obligations.
- Validate algorithm coverage: cross-check each approved algorithm to its CAVP certificate and confirm the entropy source has an ESV certificate where required.
- Examine design and source evidence: for validation, perform source-code and design review against each of the eleven areas' DTRs.
- Perform functional and self-test verification: exercise the module in approved mode, trigger self-tests and confirm error-state and output-inhibition behaviour.
- Conduct physical security testing (L2+): inspect tamper evidence, and for L3/4 exercise tamper-response zeroisation and EFP/EFT.
- Verify SSP lifecycle: confirm key generation, protected entry/output, storage and zeroisation operate as specified.
- Assess operational configuration: confirm the module is deployed in approved mode on a tested OE and that operator guidance is followed.
- Document findings and remediate: record non-conformities, obtain corrective evidence and re-test.
- Confirm ongoing validity: verify the certificate has not lapsed and that no unvalidated change has been introduced (change management).
Evidence request list
The following categorised evidence set supports either a validation submission or an audit of a claimed validation.
- Scope and specification: cryptographic boundary diagram, module version identifiers (HW p/n, FW/SW versions), module embodiment declaration, tested operational environment list.
- Certificates: CMVP certificate number and validated-list entry, CAVP algorithm certificates, ESV/entropy certificate.
- Security Policy: the published Non-Proprietary Cryptographic Module Security Policy including approved-mode indicators.
- Roles and services: roles/services table, authentication mechanism description and strength analysis, service-to-SSP access matrix.
- Interfaces: interface specification and port mapping, output-inhibition and trusted-channel design.
- Software/firmware: integrity mechanism specification, build hashes, secure-load design, source-to-binary correspondence.
- Physical security: tamper-evidence placement, tamper-response circuit design, EFP/EFT test reports, photographs.
- SSP management: SSP inventory, DRBG and entropy design, key generation/establishment methods, zeroisation procedures and test results.
- Self-tests: pre-operational and conditional self-test inventory, KAT/CAST vectors and results, error-state behaviour evidence.
- Life-cycle assurance: configuration-management plan, finite state model, design documentation, delivery and operator guidance, vendor test results.
- Non-invasive / other attacks: mitigation descriptions and any applicable test results.
- Change management: any SP 800-140B change scenario submissions and updated certificates.
Roles and responsibilities
| Role | Responsibilities in the FIPS 140-3 lifecycle |
|---|---|
| Validation lead / product owner (vendor) | Owns scope, boundary and level decisions; coordinates engineering, documentation and the laboratory; owns the project plan and budget. |
| Cryptographic engineer | Implements approved algorithms, DRBG/entropy, self-tests, zeroisation and approved-mode enforcement. |
| Documentation / compliance author | Produces the Security Policy, FSM, guidance documents and DTR evidence mapping. |
| Configuration manager | Maintains version control and the validated baseline; manages change scenarios. |
| CST laboratory | Performs conformance testing and prepares the CMVP submission report. |
| CMVP (NIST + CCCS) | Reviews the submission, issues and publishes the certificate. |
| Crypto Officer (operator) | Installs, initialises and operates the module in approved mode per guidance; manages keys and zeroisation. |
| Auditor / assessor | Independently verifies certificate coverage, approved-mode operation and evidence for a deployment. |
KPIs to track
- Percentage of approved algorithms with current, in-scope CAVP certificates.
- Entropy source status — ESV certificate obtained and current (Level 2+).
- Number of open gap-analysis findings versus closed, by requirement area.
- Self-test coverage — proportion of approved algorithms with a KAT/CAST.
- Time in the Modules In Process (MIP) queue and time to certificate issuance.
- Number of laboratory findings raised and mean time to remediation.
- Days remaining to certificate expiry / next re-validation trigger.
- Number of deployed configurations confirmed to match the validated versions and tested OEs.
- Count of change scenarios initiated and their CMVP acceptance rate.
- Algorithm-transition exposure — approved functions with an announced sunset date affecting the module.
Readiness checklist
- Cryptographic boundary and module embodiment are formally defined and documented.
- Target overall security level and per-area levels are agreed and justified.
- Every approved algorithm has a CAVP certificate covering the implementation.
- The DRBG is SP 800-90A approved and seeded by an SP 800-90B validated entropy source with an ESV certificate (Level 2+).
- Pre-operational and conditional self-tests (including a KAT/CAST per algorithm) are implemented and pass.
- Software/firmware integrity is enforced by an approved technique before operation.
- Roles, services and authentication meet the claimed level (role-based L2, identity-based L3/4).
- SSP generation, protected entry/output, storage and zeroisation are implemented and testable.
- Physical security mechanisms match the level (tamper-evidence L2; tamper-response and EFP/EFT L3/4).
- Data output is inhibited during self-tests, error states and key operations.
- The finite state model and design documentation are complete and consistent.
- The Non-Proprietary Security Policy, Crypto-Officer and User guidance are drafted.
- A configuration-management baseline fixes all tested versions.
- An accredited CST laboratory is engaged and the DTR evidence mapping is under way.
Common gaps
- Deploying a firmware/software version or operating environment that is not the one listed on the certificate, silently voiding the FIPS claim.
- Using an algorithm in the approved mode that lacks a matching CAVP certificate, or using a non-approved algorithm without delineating it from the approved mode.
- Inadequate entropy justification — no SP 800-90B assessment / ESV certificate, or an entropy source that under-delivers the claimed min-entropy.
- Missing or incomplete self-tests, particularly absent known-answer tests for one or more approved algorithms and missing pairwise consistency tests on key generation.
- Failure to inhibit data output during self-tests, error states or key generation/zeroisation.
- Weak or absent zeroisation of plaintext CSPs, especially on tamper events at Level 3/4.
- Authentication strength below the required false-acceptance limits, or plaintext feedback of authentication data.
- An imprecise cryptographic boundary that mixes validated and non-validated components.
- Physical security shortfalls — tamper-evidence not covering all removable covers, or EFP/EFT not exercised across the specified range.
- Operating the module outside its approved mode in production, or operator guidance that does not describe how to invoke approved mode.
- Neglecting change management, so post-validation updates are shipped without an SP 800-140B scenario.
- Confusing algorithm (CAVP) validation with module (CMVP) validation and claiming full FIPS 140-3 on the basis of algorithm testing alone.
FIPS 140-3 mapped to other frameworks
| Framework / control | Relationship to FIPS 140-3 |
|---|---|
| ISO/IEC 19790:2012 & 24759:2017 | Normative basis of FIPS 140-3 — the security and test requirements are adopted by reference. |
| NIST SP 800-53 (SC-12/SC-13) | Requires use of FIPS-validated cryptography for key establishment and cryptographic protection. |
| NIST SP 800-90A/B/C | Approved DRBGs and validated entropy sources required for FIPS 140-3 SSP management. |
| Common Criteria (ISO/IEC 15408) | Complementary; a CC evaluation may rely on a FIPS-validated module for cryptographic assurance. |
| FedRAMP | Mandates FIPS-validated modules for data at rest and in transit within the authorisation boundary. |
| PCI DSS / PCI HSM / PCI PIN | Recognise FIPS 140 validation for HSMs and secure cryptographic devices in payment environments. |
| HIPAA Security Rule | Encryption safe harbour is met using FIPS-validated cryptography. |
| DFARS / CMMC (DoD) | Require FIPS-validated cryptography to protect covered defense information. |
| NERC CIP | Critical-infrastructure programmes reference FIPS-validated modules for cryptographic controls. |
| ISO/IEC 27001 (A.8.24) | Use of validated cryptographic modules provides objective evidence for cryptography controls. |
How CyberSigma helps
Frequently asked questions
Need help with FIPS 140-3?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
