FIPS 140-2/FIPS 140-3 FAQ
What is FIPS 140-2?
FIPS 140-2, Security Requirements for Cryptographic Modules, is a Federal Information Processing Standard that spells out the cryptographic requirements for products used in the Federal Government. FIPS 140-2 was released on May 25, 2001 and supersedes FIPS 140-1. Modules validated as conforming to FIPS 140-2 are accepted by the Federal Agencies of both the United States and Canada for the protection of sensitive information in computer and telecommunication systems (including voice systems). Vendors of cryptographic modules use independent, accredited Cryptographic and Security Testing (CST) laboratories to test their modules. The CST laboratories use the Derived Test Requirements (DTR) for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, and the Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program to test cryptographic modules against FIPS 140-2. NIST’s Computer Security Division (CSD) and the Canadian Centre for Cyber Security (CCCS), a branch of the Communications Security Establishment (CSE), jointly serve as the Validation Authorities for the program, validating the test results and issuing certificates.
How much does a FIPS 140-2 Validation Cost?
The cost associated with a FIPS 140-2 validation can vary depending on the following variables:
- The type of Cryptographic module – Software, Hardware, Firmware, or Hybrid
- The overall Security Level of the Cryptographic Module – 1, 2, 3, or 4
Additionally, the NIST cost recovery fee varies with the Security Level. See NIST cost recovery for updated fees.
Typically, a revalidation costs less than validating a module that has not been FIPS 140-2 validated before.
How long does FIPS 140-2 Testing Take?
Obtaining a FIPS 140-2 certificate can take several months. Laboratory testing typically takes 2 to 4 months (depending on the type of module to be tested and the overall security level) after the lab receives all the required documentation and the module(s) to be tested from the vendor. These are high-end time frames: testing can be shorter when the documentation is complete and the product meets and passes all the requirements, or longer if issues are found during review and testing, depending on how quickly the vendor can remediate them. Once the final report is submitted to the CMVP, validation and placement on the Module Validation List currently take another 2 to 6 months, depending on the length of the CMVP queue. If we feel that your product is not yet ready for validation testing, we will help you determine the appropriate steps to prepare for it.
FIPS 140-2 Validation Phases:
- Module/Implementation Under Testing (IUT)
- Documentation Review
- Cryptographic Algorithm Testing through CAVP
- Functional and Physical Testing (if applicable)
- Source Code Review
- Report Submission and CMVP Review
- Coordination between CMVP and COACT
- Certificate Finalization
What is FIPS 140-3?
On March 22, 2019, the Secretary of Commerce approved the Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019, and becomes effective September 22, 2019.
FIPS 140-3 introduces significant changes in how the standard is managed. Rather than encompassing the module requirements directly, FIPS 140-3 references the existing standard International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E), Information technology—Security techniques—Security requirements for cryptographic modules. Testing against these requirements will be performed in accordance with ISO/IEC 24759:2017(E), Information technology—Security techniques—Test requirements for cryptographic modules.
The draft NIST Special Publications in the SP 800-140x subseries have been released for public comment. They directly support FIPS Publication 140-3 and its associated validation testing program, the Cryptographic Module Validation Program (CMVP). The documents will be used to specify updates, replacements, or additions to requirements as allowed by ISO/IEC 19790:2012(E), and will consolidate the current FIPS 140-2 Implementation Guidance (IG) and administrative guidance. Current IGs will need to be revisited; some may be modified and others deprecated.
The SP 800–140x subseries consists of:
- SP 800–140, FIPS 140–3 Derived Test Requirements (DTR)
- SP 800–140A, CMVP Documentation Requirements
- SP 800–140B, CMVP Security Policy Requirements
- SP 800–140C, CMVP Approved Security Functions
- SP 800–140D, CMVP Approved Sensitive Security Parameter Generation and Establishment Methods
- SP 800–140E, CMVP Approved Authentication Mechanisms
- SP 800–140F, CMVP Non-Invasive Attack Mitigation Test Metrics
The documents above lettered A through F correspond to ISO/IEC 19790 Annexes A through F. These documents are available for download on the NIST website at https://csrc.nist.gov/publications/.
What is the timeline for FIPS 140-3?
- March 22, 2019: FIPS 140-3 approved.
- May 01, 2019: FIPS 140-3 publication date.
- September 22, 2019: FIPS 140-3 is effective.
- March 22, 2020: CMVP program & publication updates completed.
- September 22, 2020: FIPS 140-3 testing will begin.
- September 22, 2021: FIPS 140-2 testing ends. Existing FIPS 140-2 certificates remain valid until their sunset date, at which point they are moved to the archived list.
Where can I find more information about FIPS 140-3?
- Federal Register Notice announcing FIPS 140-3 (May 1, 2019)
- FIPS 140-3 publication details
- FIPS 140-3 Development project
- FIPS 140-3 Transition