Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Announcing Approval and Issuance of FIPS 140-3, Security Requirements for Cryptographic Modules

FIPS 140-3, "Security Requirements for Cryptographic Modules," was approved on March 22, 2019 and announced in the Federal Register on May 1, 2019. FIPS 140-3 supersedes FIPS 140-2.

On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules

FIPS 140-3 includes references to two existing international standards:

  • International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E) Information technology — Security techniques — Security requirements for cryptographic modules; and
  • ISO/IEC 24759:2017(E) Information technology — Security techniques — Test requirements for cryptographic modules.

As permitted by those standards, the NIST Special Publication (SP) series 800-140 will specify updates, replacements, or additions to the currently-cited ISO/IEC standard, as necessary. Those new SP 800-140 documents (currently under development) will consolidate implementation guidance and administrative guidance, and will be made available for public review and comment.

Here are some important milestones:

  • FIPS 140-3 becomes effective on September 22, 2019;
  • FIPS 140-3 testing, through the Cryptographic Module Validation Program (CMVP), will begin September 22, 2020; and
  • FIPS 140-2 testing will continue for at least a year after FIPS 140-3 testing begins.

On August 12, 2015, a Federal Register Notice requested public comments on the potential use of ISO/IEC standards for cryptographic algorithm and cryptographic module testing, conformance, and validation activities that were specified in FIPS 140-2.  NIST received comments from 17 entities.  A summary of the comments is available in the May 1, 2019 Federal Register Notice announcing FIPS 140-3; the complete set of comments is also available on CSRC.

See the FIPS 140-3 Development project for additional details about the implementation of FIPS 140-3 and its supporting SP 800-140 publications.

 

Released May 1, 2019, Updated May 22, 2019