U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

Announcing Approval and Issuance of FIPS 140-3, Security Requirements for Cryptographic Modules
May 01, 2019

On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules

FIPS 140-3 includes references to two existing international standards:

  • International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E) Information technology — Security techniques — Security requirements for cryptographic modules; and
  • ISO/IEC 24759:2017(E) Information technology — Security techniques — Test requirements for cryptographic modules.

As permitted by those standards, the NIST Special Publication (SP) series 800-140 will specify updates, replacements, or additions to the currently-cited ISO/IEC standard, as necessary. Those new SP 800-140 documents (currently under development) will consolidate implementation guidance and administrative guidance, and will be made available for public review and comment.

Here are some important milestones:

  • FIPS 140-3 becomes effective on September 22, 2019;
  • FIPS 140-3 testing, through the Cryptographic Module Validation Program (CMVP), will begin September 22, 2020; and
  • FIPS 140-2 testing will continue for at least a year after FIPS 140-3 testing begins.

On August 12, 2015, a Federal Register Notice requested public comments on the potential use of ISO/IEC standards for cryptographic algorithm and cryptographic module testing, conformance, and validation activities that were specified in FIPS 140-2.  NIST received comments from 17 entities.  A summary of the comments is available in the May 1, 2019 Federal Register Notice announcing FIPS 140-3; the complete set of comments is also available on CSRC.

See the FIPS 140-3 Development project for additional details about the implementation of FIPS 140-3 and its supporting SP 800-140 publications.


Also see the NIST News Article: NIST Links Federal Encryption Testing to International Standard for First Time
Created April 05, 2019, Updated June 22, 2020