FIPS 140-3 Certification

Thales can help you meet your needs for data security compliance with FIPS 140-3 certified solutions.

What is FIPS 140?

In cryptographic security, adherence to standards is paramount to ensure the protection of sensitive data and to meet compliance and regulatory needs. FIPS 140 (Federal Information Processing Standard) is a set of security requirements for cryptographic modules defined by the National Institute of Standards and Technology (NIST) and managed by both the United States and Canada as part of the Cryptographic Module Validation Program (CMVP). FIPS 140-validated modules are mandatory for protecting cryptographic keys and performing cryptographic operations for many government applications.

FIPS 140-2, the predecessor to FIPS 140-3, has been widely adopted as a security benchmark and best practice for organizations to follow over the past two decades. It has also become the de facto standard in many other countries outside of North America for setting in-country regulations, across both government and private sectors.

What is FIPS 140-3?

FIPS 140-3 is a standard any organization that manages, collects, or stores sensitive data will likely need to comply with, particularly those operating in highly regulated industries.

FIPS 140-3 will allow the certification of Post-Quantum Cryptography (PQC) algorithms, as it will ensure cryptographic modules are prepared to address the challenges and threats posed by quantum attacks. Implementing FIPS 140-3 validated security solutions is an essential part of building a quantum-safe, crypto-agile security posture, ensuring organizations' data stays protected today and into the future.

What’s the difference between FIPS 140-2 and FIPS 140-3?

FIPS 140-3 is the latest iteration of the standard for validating the effectiveness of cryptographic hardware. It aligns with the international ISO/IEC 19790 standard and introduces new enhancements to the security requirements of the FIPS 140-2 standard, including:

  1. Stricter integrity test requirements.
  2. New required service: to output the module name/identifier and version that can be mapped to validation records/certificates.
  3. Key zeroization is required for ALL unprotected “Sensitive Security Parameters” (SSP) at all levels, including public keys.
  4. Roles, services, and authentication: must be met by a cryptographic module’s implementation (not through policy, rules, etc.), for example password size restrictions.
  5. Lifecycle assurance: vendors need to demonstrate adequate internal testing on a module, in addition to the validation lab testing.

Organizations should use the FIPS 140-3 standard to ensure that the hardware they select meets specific security requirements. The FIPS 140-2 certification standard defines four increasing, qualitative levels of security, which remain the same in FIPS 140-3.

Transitioning to FIPS 140-3

Organizations currently adhering to FIPS 140-2 need to plan their transition to FIPS 140-3 to ensure continued compliance. The goal of FIPS 140-3 is to be more closely aligned to international ISO / IEC standards and better suited to today's technologies:

ISO/IEC 19790:2012: lists the security requirements for a cryptographic module utilized within a security system protecting sensitive information in computer and telecommunication systems. This International Standard defines four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g. low value administrative data, million-dollar funds transfers, life protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location).

ISO/IEC 24759:2017: outlines the test requirements for cryptographic modules. The methods are developed to provide a high degree of objectivity during the testing process and to ensure consistency across the testing laboratories.

This alignment to international standards allows for a seamless transition to FIPS 140-3 and greater interoperability, and ensures consistent security practices across the globe. Existing FIPS 140-2 certificates will not be revoked but will be moved to the Historical List as of September 21, 2026.

Thales Support for FIPS 140-3 Security Standard

Thales develops cryptographic products and subsystems that conform to the FIPS 140-3 security standard. Thales solutions that meet the standard include Luna Hardware Security Modules (HSM), High Speed Encryptors (HSE) and Authentication Solutions.

HSM

FIPS 140-3 Validated Hardware Security Modules

Luna HSMs are the first in the industry to receive the FIPS 140-3 Level 3 validation and provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more.

HSE

FIPS 140-3 Validated High Speed Encryption Solutions

Thales Network Encryption solutions provide a single platform to encrypt everywhere — from network traffic between data centers and the headquarters to backup and disaster recovery sites, whether on premises or in the cloud. Rigorously tested and certified, Thales’ Network Encryption solutions have been vetted by such organizations as the Department of Defense Information Systems Agency (DoDIN APL) and NATO.

Smartcards

FIPS 140-3 Validated* SafeNet IDCore 230/3230 Java-Based Smart Cards

SafeNet IDCore smart cards using a Java Operating System incorporate advanced microcontrollers with strong security certification. The SafeNet IDCore Java Card OS was developed by an industry-leading security team that designed it to implement countermeasures against various threats, including side-channel, invasive, advanced fault, and other types of attacks. The SafeNet IDCore Java Card OS meets the industry’s most stringent security certifications, such as FIPS 140 and CC EAL5+ / PP Javacard.
