FIPS 140-3 is the current NIST standard for cryptographic module validation, approved March 22, 2019. It replaced FIPS 140-2 by adopting ISO/IEC 19790:2012 as its technical foundation, adding non-invasive attack testing and enhanced lifecycle assurance requirements. FIPS 140-3 maintains the same four security levels (1-4). NIST's CMVP stopped accepting new FIPS 140-2 submissions in September 2021. As of September 21, 2026, all remaining FIPS 140-2 active validations transition to Historical status.
FIPS 140-3 represents a significant update to the Cryptographic Module Validation Program. Here is what changed and what stayed the same.
What changed: FIPS 140-3 adopts ISO/IEC 19790:2012 and ISO/IEC 24759:2017 as its technical basis, replacing the standalone FIPS 140-2 specification and aligning the US standard with international practice. FIPS 140-3 adds new requirements for non-invasive attack testing (such as side-channel analysis), enhanced documentation, and additional software and firmware security testing.
What stayed the same: The four security levels (1 through 4) remain, with roughly equivalent requirements at each level. The basic validation process through an accredited NIST CMVP laboratory continues.
Timeline of the transition: The CMVP began accepting FIPS 140-3 testing in September 2020. After September 22, 2021, the CMVP stopped accepting new FIPS 140-2 submissions. Existing FIPS 140-2 validations were given a five-year transition period. On September 21, 2026, all remaining FIPS 140-2 active module validations transition to Historical status in the CMVP database - meaning the CMVP no longer considers them as actively validated for new procurement purposes.
All new cryptographic module procurements should specify FIPS 140-3 validated products.
Keep Exploring
References