Secure Controls Framework
Download The SCF
Quantum Security

What is FIPS 140-3 and how does it replace FIPS 140-2?

Direct Answer

FIPS 140-3 is the current NIST standard for cryptographic module validation, approved March 22, 2019. It replaced FIPS 140-2 by adopting ISO/IEC 19790:2012 as its technical foundation, adding non-invasive attack testing and enhanced lifecycle assurance requirements. FIPS 140-3 maintains the same four security levels (1-4). NIST's CMVP stopped accepting new FIPS 140-2 submissions in September 2021. As of September 21, 2026, all remaining FIPS 140-2 active validations transition to Historical status.

FIPS 140-3 represents a significant update to the Cryptographic Module Validation Program. Here is what changed and what stayed the same.

 

What changed: FIPS 140-3 adopts ISO/IEC 19790:2012 and ISO/IEC 24759:2017 as its technical basis, replacing the standalone FIPS 140-2 specification and aligning the US standard with international practice. FIPS 140-3 adds new requirements for non-invasive attack testing (such as side-channel analysis), enhanced documentation, and additional software and firmware security testing.

 

What stayed the same: The four security levels (1 through 4) remain, with roughly equivalent requirements at each level. The basic validation process through an accredited NIST CMVP laboratory continues.

 

Timeline of the transition: The CMVP began accepting FIPS 140-3 testing in September 2020. After September 22, 2021, the CMVP stopped accepting new FIPS 140-2 submissions. Existing FIPS 140-2 validations were given a five-year transition period. On September 21, 2026, all remaining FIPS 140-2 active module validations transition to Historical status in the CMVP database - meaning the CMVP no longer considers them as actively validated for new procurement purposes.

 

All new cryptographic module procurements should specify FIPS 140-3 validated products.

Keep Exploring

Relevant Resources

References

Authoritative Sources