FIPS 140‑3: Cryptographic Module Validation

FIPS 140‑3 is the U.S. and Canadian government standard for validating cryptographic modules, and in the United States it is legally required for Federal systems that use cryptography. Any product deployed into a U.S. Federal environment that performs cryptographic functions is generally expected to use a FIPS‑validated module, making FIPS 140‑3 a mandatory compliance target for vendors serving that market.

FIPS 140‑3 replaces FIPS 140‑2 and aligns with the international standard ISO/IEC 19790:2012 and the associated testing standard ISO/IEC 24759. Validation is managed jointly by the Cryptographic Module Validation Program (CMVP), operated by NIST (USA) and CSE (Canada).

What FIPS 140‑3 Covers

• Module boundary and interfaces
• Roles, services, and authentication
• Finite State Model
• Physical security (for hardware modules)
• Operational environment requirements
• Key management lifecycle
• Self‑tests and integrity checks
• Entropy sources and random number generation

How Rycombe Consulting Can Help

I provide specialist support for organisations preparing for FIPS 140‑3 validation, including:

• Module boundary definition
• Security level selection
• Documentation development
• Entropy and DRBG review
• Algorithm compliance checks
• Readiness assessments
• Lab liaison and support during CMVP review

Get in Touch

You can reach me at contact@rycombe.com. A full contact page is available here.