06 Aug 2019

Security Requirements for Cryptographic Modules

On May 1st, NIST announced the signing of FIPS 140-3 via a Federal Register notice. This has been in the works for a long time. Those who have been in the industry for a while will remember that first discussion on FIPS 140-3 began in 2005! FIPS 140-3 will supersede FIPS 140-2 but will not be mandatory for a year. Manufacturers can continue testing to FIPS-2 during that period.

A schedule in place for the transition to FIPS 140-3:

  • September 22, 2019: FIPS 140-3 becomes effective
  • September 22, 2020: CMVP starts accepting FIPS 140-3 testing reports
  • September 22, 2021: FIPS 140-3 becomes mandatory

What's Changed from FIPS 140-2?

FIPS 140-3 is an adoption of ISO 19790 and includes references to two existing international standards: ISO 19790 on information technology, security techniques and requirements and ISO 24759 on testing requirements for cryptographic modules. These updates, replacements and additions are necessary and will guide ISO/IEC standards for cryptographic algorithms, module testing, conformance, and validation activities that were originally cited in FIPS 140-2.

Although there are still 14 months or so before FIPS 140-3 goes into effect, there are activities to take now to prepare for the change. During this time the Cryptographic Module Validation Program (CMVP) will be putting various processes and annexes etc. in place. More information can be found on NIST FIPS 140-3 development page.

What does this mean to the product developer?

Once the processes and annexes are developed, it will be a good idea to perform a gap analysis of current validated modules against the FIPS 140-3 requirements to help plan development priorities. Manufacturers should aim to have products be FIPS 140-3 validated prior to September 22, 2021. For safety it would also be prudent to do one last validation against FIPS 140-2 requirements, to ensure you are not stuck with long development timelines to make products FIPS 140-3 compliant.

The good news is that there is now a path forward, with a schedule in place to help work on a transition plan to FIPS 140-3. 


Ashit Vora,
Vice President,
Intertek Acumen Security

As the co-founder of Acumen in 2014, Ashit grew the company to be one of the largest FIPS and Common Criteria labs in the world before it was acquired by Intertek.  He now oversees business development, strategy and policy for Intertek Acumen Security. Ashit's areas of expertise include FIPS 140-2, Common Criteria, international crypto certification requirements, cryptography, and networking. He holds a Master of Science degree from the University of