Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Announcing Approval and Issuance of FIPS 140-3, Security Requirements for Cryptographic Modules

FIPS 140-3, "Security Requirements for Cryptographic Modules," was approved on March 22, 2019 and announced in the Federal Register on May 1, 2019. FIPS 140-3 supersedes FIPS 140-2.

On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules

FIPS 140-3 includes references to two existing international standards:

  • International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E) Information technology — Security techniques — Security requirements for cryptographic modules; and
  • ISO/IEC 24759:2017(E) Information technology — Security techniques — Test requirements for cryptographic modules.

As permitted by those standards, the NIST Special Publication (SP) series 800-140 will specify updates, replacements, or additions to the currently-cited ISO/IEC standard, as necessary. Those new SP 800-140 documents (currently under development) will consolidate implementation guidance and administrative guidance, and will be made available for public review and comment.

Here are some important milestones:

  • FIPS 140-3 becomes effective on September 22, 2019;
  • FIPS 140-3 testing, through the Cryptographic Module Validation Program (CMVP), will begin September 22, 2020; and
  • FIPS 140-2 testing will continue for at least a year after FIPS 140-3 testing begins.

On August 12, 2015, a Federal Register Notice requested public comments on the potential use of ISO/IEC standards for cryptographic algorithm and cryptographic module testing, conformance, and validation activities that were specified in FIPS 140-2.  NIST received comments from 17 entities.  A summary of the comments is available in the May 1, 2019 Federal Register Notice announcing FIPS 140-3; the complete set of comments is also available on CSRC.

See the FIPS 140-3 Development project for additional details about the implementation of FIPS 140-3 and its supporting SP 800-140 publications.

 

Released May 1, 2019, Updated May 22, 2019