What Is FIPS 140-3 and Why Does It Matter for Security Compliance?
What Is FIPS 140-3?
FIPS 140-3 is the current U.S. government standard for validating cryptographic modules used to protect sensitive information. Developed by the National Institute of Standards and Technology (NIST), it replaces FIPS 140-2 and aligns with international encryption standards, specifically ISO/IEC 19790:2012 and ISO/IEC 24759. A government and industry working group first developed FIPS 140-1 in 1994.
Federal Information Processing Standard (FIPS) 140-3 defines how encryption modules must operate to ensure strong, tamper-resistant protections for sensitive data. It can be applied broadly—from federal agencies and defense contractors to healthcare providers, financial institutions, and cloud platforms.
As of September 22, 2021, FIPS 140-3 became mandatory for all new validations under the Cryptographic Module Validation Program (CMVP). Both the United States and Canadian governments accept the standard.
Why FIPS 140-3 Matters
Encryption is only as strong as the modules that implement it. If cryptographic modules are flawed or improperly configured, attackers can intercept sensitive data, forge communications, or exploit vulnerabilities in software updates.
FIPS 140-3 ensures that encryption modules:
- Use approved algorithms and cryptographic key management techniques
- Operate securely under controlled conditions
- Resist both logical and physical tampering
- Undergo independent testing by accredited laboratories
Many compliance frameworks require or recognize FIPS-validated encryption as a best practice. Federal agencies charged with protecting federal information systems and data, for instance, must use cryptographic modules that are validated to comply with FIPS 140 under FedRAMP.
In 2025, FIPS 140-3 deserves particular attention from organizations, because FIPS 140-2 validations will remain active only until early 2026, at which point they will be moved to a historical list.
The Four Security Levels of FIPS
FIPS 140-3 defines four security levels. Each level builds on the previous one and adds stricter requirements, from basic protections at the lowest level to tamper-evident seals and role-based authentication at the higher ones.
Other recent additions include physical security requirements, such as module hardness at specified temperatures.
Evaluating Third-Party Cryptographic Risk
Many organizations unknowingly rely on third-party libraries and products with weak or unvalidated cryptographic implementations. Common risks include:
- Open-source libraries not operating in FIPS mode
- VPNs and TLS servers using outdated or deprecated cipher suites
- Weak or self-signed certificates
- Misconfigured firmware or insecure boot processes
Cryptographic risk doesn’t stop at your firewall. It can extend into every tool your vendors use. Organizations should require validated cryptographic modules in vendor contracts so that the security practices of their digital supply chain match their own.
To reduce supply chain risk:
- Require validated cryptographic modules in all vendor contracts
- Reassess supplier encryption tools during renewals or major updates
- Replace any hardware or software unable to meet your standards
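As an added illustration of the cipher-suite risk listed above (this is example code written for this page, not code from the original article or from SecurityScorecard), the following Python script audits a TLS cipher list against a simplified set of FIPS-approved primitives. The disallow list, the function names and the sample cipher names are assumptions; a real assessment would consult the module's own security policy and NIST SP 800-52 guidance.

```python
"""Flag TLS cipher suites whose primitives are not FIPS-approved.

Cipher names follow OpenSSL's naming, as returned by
ssl.SSLContext.get_ciphers(). The rules below are a deliberate
simplification (an assumption for this example): AES-based suites pass;
NULL, export-grade, RC4, DES/3DES, MD5-MAC, ChaCha20, non-approved block
ciphers and anonymous key exchange are reported with a reason.
"""
import re
import ssl

# (regex over the OpenSSL cipher name, reason reported to the reviewer)
_DISALLOWED = [
    (r"\bNULL\b|eNULL", "no encryption"),
    (r"EXP-|EXPORT", "export-grade key size"),
    (r"\bRC4\b", "RC4 stream cipher"),
    (r"DES-CBC3|3DES|\bDES\b", "DES/3DES"),
    (r"-MD5\b", "MD5 MAC"),
    (r"CHACHA20", "ChaCha20-Poly1305 (not FIPS-approved)"),
    (r"CAMELLIA|ARIA|SEED|IDEA", "non-approved block cipher"),
    (r"\bADH\b|\bAECDH\b", "anonymous key exchange"),
]


def classify(name: str):
    """Return None if the suite uses only approved primitives, else a reason."""
    for pattern, reason in _DISALLOWED:
        if re.search(pattern, name):
            return reason
    if "AES" not in name:
        return "symmetric cipher is not AES"
    return None


def audit(names):
    """Split cipher names into (approved list, {flagged name: reason})."""
    approved, flagged = [], {}
    for name in names:
        reason = classify(name)
        if reason is None:
            approved.append(name)
        else:
            flagged[name] = reason
    return approved, flagged


def audit_default_context():
    """Audit the cipher list Python's default TLS client context would offer."""
    names = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    return audit(names)


if __name__ == "__main__":
    ok, bad = audit_default_context()
    print(f"{len(ok)} approved suites, {len(bad)} flagged")
    for name, reason in bad.items():
        print(f"  FLAG {name}: {reason}")
```

Run it on the host that terminates TLS (or feed `audit()` the cipher list exported from a VPN or web server configuration) to get a first-pass list of suites to remove before a FIPS assessment.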
FIPS 140-3 Validation Process
To achieve validation, a cryptographic module must pass formal testing by an accredited Cryptographic and Security Testing Laboratory (CSTL). The process includes:
- Vendor submits cryptographic module to an accredited CST Laboratory
- The Lab may request clarification
- The Lab passes the information on to the CMVP
- Two reviewers assess the module
- The results are shared on the CMVP Validation List on the CMVP site
Final Thoughts
FIPS 140-3 raises the bar for cryptographic validation. It ensures your encryption tools are resilient, independently tested, and aligned with international standards in a marked leap from FIPS 140-2, the previous standard. Aligning with FIPS 140-3 in 2025 is crucial for organizations as FIPS 140-2 validations will move to a historical list in early 2026.
Even in non-regulated industries, using validated cryptographic modules demonstrates maturity, improves audit readiness, and helps reduce risk overall.
Protect Your Supply Chain with Real-Time Threat Detection
SecurityScorecard’s SCDR solution offers continuous monitoring of your third-party ecosystem, enabling swift identification and mitigation of cyber threats. Enhance your organization’s resilience by proactively managing supply chain risks.
Frequently Asked Questions
Is FIPS 140-3 required for federal agencies or companies?
Federal agencies protecting federal information systems and data must use cryptographic modules that are validated to comply with FIPS 140 under FedRAMP.
Can I still use FIPS 140-2 certified modules?
FIPS 140-2 validations will be active until early 2026, after which they will be moved to a historical list. NIST recommends transitioning to FIPS 140-3.