FIPS 140-3 Is Here!

Jason Lawlor

The countdown is on. As of September 22, 2021, FIPS 140-2 will be sunset, and only FIPS 140-3 validations can be submitted to the Cryptographic Module Validation Program (CMVP). In this latest post, we cover the key differences between the versions and where to find additional information. Special thanks to James Ramage from our FIPS team for compiling the information.

FIPS 140-3 – Good to Know

If you are familiar with the technical requirements of 140-2, here are some key changes that come into effect with the new version of the standard, 140-3:

  • Normal operating mode, with optional support for a degraded operating mode
  • New Logical Interfaces:
    • Software or Firmware Module Interface (SFMI)
    • Hardware Module Interface (HMI)
    • Hybrid Software or Hybrid Firmware Module Interface (HSMI or HFMI)
    • Control Output Interface
    • Trusted Channel (SL3 – SL4)
  • Mandatory services are: show module name, show version, and zeroization
  • New section on Software/Firmware Security
  • Physical security now includes testing over the full operating range and Environmental Failure Protection/Environmental Failure Testing (EFP/EFT)
  • New section on Non-Invasive Security: mitigation of non-invasive attacks
  • Sensitive Security Parameter (SSP) management where an SSP is either a Critical Security Parameter (CSP) or a Public Security Parameter (PSP)
  • Pre-operational and conditional self-tests – most self-tests are now conditional
  • Life-Cycle Assurance covers design, the configuration management system (CMS) and the Finite State Model (FSM)

Key FIPS 140-3 Documents:

FIPS 140-3 Summary

(Source: INCITS/ISO/IEC 19790:2012(2014))


Lightship Security are FIPS 140 testing experts and one of the fastest growing FIPS test labs in the program. If you need support on your upcoming FIPS 140 validation or would like to be on our FIPS updates distribution list, contact us.