FIPS 140-3 Certification

Thales can help you meet your needs for data security compliance with FIPS 140-3 certified solutions.

What is FIPS 140?

In cryptographic security, adherence to standards is paramount to ensure the protection of sensitive data and to meet compliance and regulatory needs. FIPS 140 (Federal Information Processing Standard), is a set of security requirements for cryptographic modules defined by the National Institute of Standards and Technology (NIST) and managed by both the United States and Canada, as part of the Cryptographic Module Validation Program (CMVP). FIPS 140-validated modules are mandatory for protecting cryptographic keys and performing cryptographic operations for many government applications.

FIPS 140-2, the predecessor to FIPS 140-3, has been widely adopted as a security benchmark and best practice for organizations to follow over the past two decades. It has also become the de facto standard in many other countries outside of North America for setting in-country regulations, across both government and private sectors.

What is FIPS 140-3?

FIPS 140-3 is a standard any organization that manages, collects, or stores sensitive data will likely need to comply with, particularly those operating in highly regulated industries.

FIPS 140-3 Badge

FIPS 140-3 will allow the certification of Post-Quantum Cryptography (PQC) algorithms, as it will ensure cryptographic modules are prepared to address the challenges and threats posed by quantum attacks. Implementing FIPS 140-3 validated security solutions is an essential part of building a quantum-safe crypto agile security posture, ensuring organizations stay data protected today, and into the future.

What’s the difference between FIPS 140-2 and FIPS 140-3?

FIPS 140-3 is the latest iteration for validating the effectiveness of cryptographic hardware, aligns with international ISO/IEC 19790 standards and introduces new enhancements to the security requirements of the FIPS 140-2 standard, including:

  1. Stricter integrity test requirements.
  2. New required service: to output the module name/identifier and version that can be mapped to validation records/certificates.
  3. Key zeroization is required for ALL unprotected “Sensitive Security Parameters” (SSP) at all levels, including public keys.
  4. Roles, services, and authentication: must be met by a cryptographic module’s implementation (not through policy, rules, etc.), for example password size restrictions.
  5. Lifecycle assurance: vendors need to demonstrate adequate internal testing on a module, in addition to the validation lab testing.

Organizations should use the FIPS 140-3 standard to ensure that the hardware they select meets specific security requirements. The FIPS 140-2 certification standard defines four increasing, qualitative levels of security, which remain the same in FIPS 140-3.

Transitioning to FIPS 140-3

Organizations currently adhering to FIPS 140-2 need to plan their transition to FIPS 140-3 to ensure continued compliance. The goal of FIPS 140-3 is to be more closely aligned to international ISO / IEC standards and better suited to today's technologies:

ISO/IEC 19790:2012: lists the security requirements for a cryptographic module utilized within a security system protecting sensitive information in computer and telecommunication systems. This International Standard defines four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g. low value administrative data, million-dollar funds transfers, life protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location).

ISO/IEC 24759:2017: outlines the test requirements for cryptographic modules. The methods are developed to provide a high degree of objectivity during the testing process and to ensure consistency across the testing laboratories.

This alignment to international standards allows for a seamless transition to FIPS 140-3, greater interoperability and ensures consistent security practices across the globe. Existing FIPS 140-2 certificates will not be revoked but will be moved to the Historical List as of September 21, 2026.

Thales Support for FIPS 140-3 Security Standard

Thales develops cryptographic products and subsystems that conform to the FIPS 140-3 security standard. Thales solutions that meet the standard include Luna Hardware Security Modules (HSM), High Speed Encryptors (HSE) and Authentication Solutions.


FIPS 140-3 Validated Hardware Security Modules

Luna HSMs are the first in the industry to receive the FIPS 140-3 Level 3 validation and provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more.

Thales Luna 7 HSMs (Network and PCIe*) are now FIPS 140-3 Level 3 validated, providing customers with the following benefits:

  • Flexibility for HSM Users: FIPS 140-3 allows for the concurrent support of approved and non-approved services on the same platform. This flexibility enables users to meet legacy application constraints while adopting new standards for new applications.
  • Enhanced Module Self-Testing: At Level 3, FIPS 140-3 adds periodic self-tests for modules, like HSMs, which often have long uptime periods stretching into years. This ensures continuous secure operation.
  • Rigorous Testing by Laboratories: The standard imposes more rigorous requirements on test labs to review and ensure adequate vendor testing of modules. This results in a more consistent security level across different labs and different countries.
  • CVE Tracking and Code Quality: FIPS 140-3 requires demonstrating the ability to review and track Common Vulnerabilities and Exposures (CVE) that may impact the libraries used by the module. This strengthens the rules for maintaining the quality of internal codes, even if they are not directly exposed to the external environment and therefore cannot be scanned and detected by HSM users.

Rely on FIPS 140-3 Level 3 validated Luna HSMs as the market-leading crypto agile foundation of digital trust to reduce risk, ensure flexibility, easily manage keys, and simplify integrations.

*FIPS 140-3 Level 3 currently in review for Luna USB and Luna Backup HSMs.

Thales Luna K7 Cryptographic Module (used in the Luna Network and Luna PCIe HSMs) is now FIPS 140-3 Level 3 validated (NIST certificate #4684)


FIPS 140-3 Validated High Speed Encryption Solutions

Thales Network Encryption solutions provide a single platform to encrypt everywhere — from network traffic between data centers and the headquarters to backup and disaster recovery sites, whether on premises or in the cloud. Rigorously tested and certified, Thales’ Network Encryption solutions have been vetted by such organizations as the Department of Defense Information Systems Agency (DoDIN APL) and NATO.

Thales High Speed Encryptors have been FIPS certified for over a decade and continue to meet NIST advancements such as FIPS 140-3 and Post Quantum Cryptography (PQC). The network encryption solutions are FIPS 140-2 Level 3 validated and currently pending review for FIPS 140-3.


FIPS 140-3 Validated* SafeNet IDCore 230/3230 Java- Based Smart Cards

SafeNet IDCore smart cards using a Java Operating System incorporate advanced microcontrollers with strong security certification. The SafeNet IDCore Java Card OS was developed by an industry-leading security team that designed it to implement counter measures against various threats, including side channel, invasive, advanced fault, and other types of attacks. The SafeNet IDCore Java Card OS meets the industry’s most stringent security certifications, such as FIPS 140 and CC EAL5+ / PP Javacard.

SafeNet IDCore 230/3230 are public key Java Cards (supporting both RSA and elliptic curves) that meet the most advanced security requirements of long-term, multi- application programs, including the ones deployed by large global organizations, including:

  • Java Card 3.1.0
  • Global Platform 2.2.1
  • ISO 7816
  • ISO 14443 for SafeNet IDCore 3230 only

* NIST certification is in process: IDCore 3230 / 230 Platform by Thales

Talk to a specialist about FIPS 140-3 solutions

Global Edition

2024 Thales Data Threat Report

Read more about Navigating New Threats and Overcoming Old Challenges

2024 Data Threat Report