Inferensys

Glossary

FIPS 140-3

FIPS 140-3 is the latest U.S. federal standard specifying security requirements for cryptographic modules that protect sensitive but unclassified information within a security system.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
CRYPTOGRAPHIC MODULE VALIDATION

What is FIPS 140-3?

The mandatory U.S. government standard defining four progressive security levels for cryptographic modules that protect sensitive information in federal systems.

FIPS 140-3, or the Federal Information Processing Standard 140-3, is the current U.S. government standard that specifies the security requirements for cryptographic modules protecting sensitive but unclassified information. It supersedes FIPS 140-2 and aligns testing with the international ISO/IEC 19790 standard, introducing stricter requirements for module software security, non-invasive physical attacks, and lifecycle assurance.

The standard defines four ascending Security Levels—from Level 1 (basic algorithm and production-grade component requirements) to Level 4 (complete physical envelope protection with environmental failure testing). Compliance is validated through the Cryptographic Module Validation Program (CMVP), jointly run by NIST and the Canadian Centre for Cyber Security, and is mandatory for all federal agencies procuring cryptographic systems.

CRYPTOGRAPHIC MODULE VALIDATION

Key Features of FIPS 140-3

FIPS 140-3 introduces a harmonized, globally aligned framework for validating the security of cryptographic modules, replacing the legacy FIPS 140-2 standard with more rigorous, tiered assurance levels.

01

ISO/IEC 19790 Harmonization

FIPS 140-3 directly aligns with the international standard ISO/IEC 19790:2012, creating a unified testing framework. This replaces the divergent FIPS 140-2 standard, allowing vendors to achieve compliance with both U.S. and international requirements through a single, coherent evaluation process.

  • Base Standard: Derives all core security requirements from ISO/IEC 19790.
  • Global Recognition: Facilitates mutual recognition of certifications across borders.
  • Consistency: Eliminates conflicting requirements between domestic and international markets.
02

Mandatory Software Security Annex

A critical addition to the base ISO standard is the FIPS 140-3 Annex, which imposes mandatory software and firmware security requirements. This annex addresses modern attack vectors that were not covered by the older FIPS 140-2.

  • Runtime Integrity: Requires self-tests to verify the integrity of executable code.
  • Side-Channel Mitigation: Mandates protections against timing and power analysis attacks.
  • Non-Modifiable Logic: Enforces that security functions cannot be altered post-validation.
03

Five Distinct Security Levels

FIPS 140-3 defines a tiered hierarchy of five security levels (Level 1 through Level 4, plus a new Level 5) for each of 11 functional requirement areas. This allows a module to be certified at different levels for different functions.

  • Level 1: Basic encryption algorithm and production-grade component requirements.
  • Level 2: Adds tamper-evidence coatings and role-based authentication.
  • Level 3: Requires tamper-resistance and zeroization of critical security parameters on breach.
  • Level 4: Demands environmental failure protection against voltage and temperature fluctuations.
  • Level 5: A new level for non-physical modules, requiring runtime software protection.
04

Non-Invasive Attack Mitigation

FIPS 140-3 introduces explicit requirements for defending against non-invasive side-channel attacks. Unlike its predecessor, the standard mandates testing and documentation of countermeasures against attacks that observe a module's physical emissions without penetrating its enclosure.

  • Timing Analysis: Must demonstrate resistance to key extraction via execution time measurement.
  • Power Analysis: Requires mitigation of Simple Power Analysis (SPA) and Differential Power Analysis (DPA).
  • Electromagnetic Emanations: Mandates testing for information leakage via radio frequency emissions.
05

Algorithmic Transition and Deprecation

The standard enforces a strict cryptographic algorithm lifecycle, formally deprecating legacy algorithms and mandating transitions to quantum-resistant primitives. This is enforced through the SP 800-140 series of implementation guidance documents.

  • Deprecated Algorithms: Formally prohibits the use of SHA-1 and non-compliant random number generators.
  • Transition Symmetry: Requires modules to support both current and next-generation algorithms during transition periods.
  • Quantum Readiness: Establishes a framework for the eventual mandatory adoption of post-quantum cryptographic algorithms.
06

Rigorous Operational Testing

FIPS 140-3 mandates a comprehensive suite of pre-operational self-tests that must be executed automatically before any cryptographic service is made available. This ensures the module has not been corrupted and is functioning correctly.

  • Known Answer Tests (KAT): Verifies the integrity of each approved algorithm by comparing output to a known correct value.
  • Pairwise Consistency Tests: Validates the mathematical relationship between public and private keys for asymmetric algorithms.
  • Firmware Integrity Test: Computes a cryptographic hash over the module's firmware and compares it to a stored, validated digest.
FIPS 140-3 COMPLIANCE

Frequently Asked Questions

Clear, technically precise answers to the most common questions about the FIPS 140-3 cryptographic module validation standard and its role in sovereign infrastructure.

FIPS 140-3 is the current U.S. government standard that specifies the security requirements for cryptographic modules protecting sensitive but unclassified information, superseding FIPS 140-2. The critical architectural difference is that FIPS 140-3 harmonizes with the international standard ISO/IEC 19790:2012, making it a globally aligned framework rather than a purely U.S.-centric specification. Key technical changes include mandatory non-invasive physical security testing, stricter side-channel attack mitigation requirements (such as differential power analysis resistance), and a new software/firmware security section that mandates runtime integrity verification. The standard also introduces five distinct module types—from hardware-only to hybrid software-firmware—each with tailored security functional requirements. For sovereign infrastructure operators, FIPS 140-3's alignment with ISO standards simplifies multi-jurisdictional compliance while maintaining the rigorous validation regime enforced by the Cryptographic Module Validation Program (CMVP).

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.