FIPS 140 / FIPS 140-3
What is FIPS 140 / FIPS 140-3?
FIPS 140 / FIPS 140-3: US federal standard, maintained by NIST, that defines security requirements for cryptographic modules and their certification through accredited labs.
FIPS 140 is the family of US federal information-processing standards (FIPS 140-2 and the current FIPS 140-3, aligned with ISO/IEC 19790) that specify security requirements for cryptographic modules: approved algorithms, role-based authentication, key management, self-tests, physical security, side-channel resistance, and operating environment. Modules are validated by accredited CMVP labs at one of four security levels, from Level 1 (software with approved algorithms) to Level 4 (full envelope tamper detection). FIPS 140 is mandatory for cryptography handling US federal data and is widely required by FedRAMP, DoD, financial regulators, healthcare, and many enterprise buyers globally.
● Examples
- 01: An HSM validated under FIPS 140-3 Level 3 used to protect a root CA private key.
- 02: A FIPS 140-2 Level 1 validated TLS library required for selling to US federal agencies.
● Frequently asked questions
What is FIPS 140 / FIPS 140-3?
US federal standard, maintained by NIST, that defines security requirements for cryptographic modules and their certification through accredited labs. It belongs to the Cryptography category of cybersecurity.
What does FIPS 140 / FIPS 140-3 mean?
US federal standard, maintained by NIST, that defines security requirements for cryptographic modules and their certification through accredited labs.
How does FIPS 140 / FIPS 140-3 work?
FIPS 140 is the family of US federal information-processing standards (FIPS 140-2 and the current FIPS 140-3, aligned with ISO/IEC 19790) that specify security requirements for cryptographic modules: approved algorithms, role-based authentication, key management, self-tests, physical security, side-channel resistance, and operating environment. Modules are validated by accredited CMVP labs at one of four security levels, from Level 1 (software with approved algorithms) to Level 4 (full envelope tamper detection). FIPS 140 is mandatory for cryptography handling US federal data and is widely required by FedRAMP, DoD, financial regulators, healthcare, and many enterprise buyers globally.
How do you comply with FIPS 140 / FIPS 140-3?
Compliance with FIPS 140 / FIPS 140-3 typically combines technical controls (using validated modules operated in their approved mode) and operational practices, as detailed in the full definition above.
What are other names for FIPS 140 / FIPS 140-3?
Common alternative names include: FIPS 140-2, FIPS 140-3.
● Related terms
- Cryptography: Hardware Security Module (HSM)
Tamper-resistant hardware appliance that generates, stores, and uses cryptographic keys without ever exposing the raw key material to the operating system.
- Cryptography: Trusted Platform Module (TPM)
Standards-based security chip soldered to a mainboard or implemented in firmware that provides hardware-rooted key storage, attestation, and measured boot.
- Cryptography: Cryptographic Key
A high-entropy secret or public value that parameterizes a cryptographic algorithm to encrypt, decrypt, sign or authenticate data.
- Compliance: FedRAMP
A U.S. government program that standardizes security assessment, authorization, and continuous monitoring for cloud services used by federal agencies.
- Compliance: FISMA
A U.S. federal law that requires federal agencies and their contractors to implement risk-based information security programs for systems handling government data.
- Cryptography: Cipher Suite
A named combination of cryptographic algorithms (key exchange, authentication, bulk encryption, and integrity) negotiated by protocols such as TLS for a given session.