FIPS 140-3, or the Federal Information Processing Standard 140-3, is the current U.S. government standard that specifies the security requirements for cryptographic modules protecting sensitive but unclassified information. It supersedes FIPS 140-2 and aligns testing with the international ISO/IEC 19790 standard, introducing stricter requirements for module software security, non-invasive physical attacks, and lifecycle assurance.
Glossary
FIPS 140-3

What is FIPS 140-3?
The mandatory U.S. government standard defining four progressive security levels for cryptographic modules that protect sensitive information in federal systems.
The standard defines four ascending Security Levels—from Level 1 (basic algorithm and production-grade component requirements) to Level 4 (complete physical envelope protection with environmental failure testing). Compliance is validated through the Cryptographic Module Validation Program (CMVP), jointly run by NIST and the Canadian Centre for Cyber Security, and is mandatory for all federal agencies procuring cryptographic systems.
Key Features of FIPS 140-3
FIPS 140-3 introduces a harmonized, globally aligned framework for validating the security of cryptographic modules, replacing the legacy FIPS 140-2 standard with more rigorous, tiered assurance levels.
ISO/IEC 19790 Harmonization
FIPS 140-3 directly aligns with the international standard ISO/IEC 19790:2012, creating a unified testing framework. This replaces the divergent FIPS 140-2 standard, allowing vendors to achieve compliance with both U.S. and international requirements through a single, coherent evaluation process.
- Base Standard: Derives all core security requirements from ISO/IEC 19790.
- Global Recognition: Facilitates mutual recognition of certifications across borders.
- Consistency: Eliminates conflicting requirements between domestic and international markets.
Mandatory Software Security Annex
A critical addition to the base ISO standard is the FIPS 140-3 Annex, which imposes mandatory software and firmware security requirements. This annex addresses modern attack vectors that were not covered by the older FIPS 140-2.
- Runtime Integrity: Requires self-tests to verify the integrity of executable code.
- Side-Channel Mitigation: Mandates protections against timing and power analysis attacks.
- Non-Modifiable Logic: Enforces that security functions cannot be altered post-validation.
Five Distinct Security Levels
FIPS 140-3 defines a tiered hierarchy of five security levels (Level 1 through Level 4, plus a new Level 5) for each of 11 functional requirement areas. This allows a module to be certified at different levels for different functions.
- Level 1: Basic encryption algorithm and production-grade component requirements.
- Level 2: Adds tamper-evidence coatings and role-based authentication.
- Level 3: Requires tamper-resistance and zeroization of critical security parameters on breach.
- Level 4: Demands environmental failure protection against voltage and temperature fluctuations.
- Level 5: A new level for non-physical modules, requiring runtime software protection.
Non-Invasive Attack Mitigation
FIPS 140-3 introduces explicit requirements for defending against non-invasive side-channel attacks. Unlike its predecessor, the standard mandates testing and documentation of countermeasures against attacks that observe a module's physical emissions without penetrating its enclosure.
- Timing Analysis: Must demonstrate resistance to key extraction via execution time measurement.
- Power Analysis: Requires mitigation of Simple Power Analysis (SPA) and Differential Power Analysis (DPA).
- Electromagnetic Emanations: Mandates testing for information leakage via radio frequency emissions.
Algorithmic Transition and Deprecation
The standard enforces a strict cryptographic algorithm lifecycle, formally deprecating legacy algorithms and mandating transitions to quantum-resistant primitives. This is enforced through the SP 800-140 series of implementation guidance documents.
- Deprecated Algorithms: Formally prohibits the use of SHA-1 and non-compliant random number generators.
- Transition Symmetry: Requires modules to support both current and next-generation algorithms during transition periods.
- Quantum Readiness: Establishes a framework for the eventual mandatory adoption of post-quantum cryptographic algorithms.
Rigorous Operational Testing
FIPS 140-3 mandates a comprehensive suite of pre-operational self-tests that must be executed automatically before any cryptographic service is made available. This ensures the module has not been corrupted and is functioning correctly.
- Known Answer Tests (KAT): Verifies the integrity of each approved algorithm by comparing output to a known correct value.
- Pairwise Consistency Tests: Validates the mathematical relationship between public and private keys for asymmetric algorithms.
- Firmware Integrity Test: Computes a cryptographic hash over the module's firmware and compares it to a stored, validated digest.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the FIPS 140-3 cryptographic module validation standard and its role in sovereign infrastructure.
FIPS 140-3 is the current U.S. government standard that specifies the security requirements for cryptographic modules protecting sensitive but unclassified information, superseding FIPS 140-2. The critical architectural difference is that FIPS 140-3 harmonizes with the international standard ISO/IEC 19790:2012, making it a globally aligned framework rather than a purely U.S.-centric specification. Key technical changes include mandatory non-invasive physical security testing, stricter side-channel attack mitigation requirements (such as differential power analysis resistance), and a new software/firmware security section that mandates runtime integrity verification. The standard also introduces five distinct module types—from hardware-only to hybrid software-firmware—each with tailored security functional requirements. For sovereign infrastructure operators, FIPS 140-3's alignment with ISO standards simplifies multi-jurisdictional compliance while maintaining the rigorous validation regime enforced by the Cryptographic Module Validation Program (CMVP).
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
FIPS 140-3 does not exist in isolation. These related standards, frameworks, and concepts form the operational ecosystem for validating, deploying, and maintaining compliant cryptographic modules in sovereign infrastructure.
ISO/IEC 19790:2012
The international standard upon which FIPS 140-3 is directly based. It defines the security requirements for cryptographic modules across four increasing qualitative levels. FIPS 140-3 adopts this standard verbatim while adding U.S.-specific SP 800-140 series annexes for implementation guidance. This harmonization allows vendors to pursue joint CMVP and international CC validation, reducing redundant testing for global deployments.
ISO/IEC 24759:2017
Specifies the test methods used by accredited laboratories to validate cryptographic modules against ISO/IEC 19790. FIPS 140-3 mandates the use of this standard's procedures, replacing the legacy Derived Test Requirements (DTR) used under FIPS 140-2. This shift introduces a more rigorous, evidence-based testing methodology where vendors must supply comprehensive test evidence including design documentation, source code, and operational proofs.
FIPS 140-2 Transition
The predecessor standard, FIPS 140-2, was published in 2001 and remained active for over two decades. NIST established a sunset timeline: FIPS 140-2 submissions were no longer accepted after September 22, 2021, and all existing FIPS 140-2 certificates will move to the Historical List by September 21, 2026. Organizations with deployed FIPS 140-2 modules must plan migration to FIPS 140-3 validated replacements before this deadline to maintain compliance posture.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us