FIPS PUB 140-3, Cryptographic Module Validation Program (CMVP)


The selective application of technological and related procedural safeguards is an important responsibility of every Federal organization in providing adequate security in its computer and telecommunication systems.  The FIPS PUB 140-3 standard is applicable to all federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in 

  • Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106, and 
  • the Federal Information Security Management Act of 2002, Public Law 107-347. 

The standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information (hereafter referred to as sensitive information). The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. (For details, refer to the latest ISO/IEC 19790.)

Levels: Brief description
Level 1: The lowest level; imposes very limited requirements. Loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
Level 2: Adds requirements for physical tamper-evidence and role-based authentication.
Level 3: Adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to the sensitive information contained in the module), for identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module and its other interfaces.
Level 4: Makes the physical security requirements more stringent and requires robustness against environmental attacks.

The standard does not specify in detail what level of security is required by any particular application. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. 

The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include 

  • cryptographic module specification; 
  • cryptographic module interfaces; 
  • roles, services, and authentication; 
  • software/firmware security; 
  • operating environment; 
  • physical security; 
  • non-invasive security; 
  • sensitive security parameter management; 
  • self-tests; 
  • life-cycle assurance; and 
  • mitigation of other attacks.


FIPS PUB 140-3 is a well-known standard for testing crypto modules, specifically for the United States and Canadian public authorities. IT product developers who want to market products with encryption components in the USA therefore generally require certification according to FIPS PUB 140-3.

ICT products with crypto functions used by public authorities in the USA shall be certified according to FIPS PUB 140-3. Beyond the public authorities in the USA, the banking and financial sectors also require that critical data be cryptographically protected.

Cryptographic mechanisms are used in almost every ICT product to protect critical information. In addition to the classic hardware security modules (HSM), storage media with hardware encryption, software modules, VPN solutions, and smart cards are often also certified according to FIPS PUB 140-3. This involves not only the security requirements for cryptographic algorithms but also physical security.


  • Validation tests on implementations of cryptographic algorithms with the aim of certification with CAVP (Cryptographic Algorithm Validation Program)
  • Validation tests on crypto modules (hardware, firmware, software, or hybrid) according to FIPS PUB 140-3 with the aim of certification with CMVP (Cryptographic Module Validation Program)
  • Pre-validation workshops to clarify the extent to which an existing or planned crypto module fulfills the requirements or what amendments need to be made
  • Project support and document creation
  • Optionally, we offer side-channel analyses, since FIPS PUB 140-3 does not provide for vulnerability analysis. 

Initiate and contact

The following information is required to initiate the service discussion: 

  1. Development or production plan/status
  2. Technical specification of the cryptographic algorithm and/or module


   Philip KU [PGP Public Key]

   (PGP Fingerprint: BE11 C1CC BFE2 A3A9 4929  3D1C 10FF C3BE A51C 92F7)

Last modified: Tuesday, 13 July 2021, 4:16 PM