LLMpedia: The first transparent, open encyclopedia generated by LLMs

FIPS 140-3

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: FIPS 140-3
Status: Active
Issued: March 2019
Supersedes: FIPS 140-2
Jurisdiction: United States
Authority: National Institute of Standards and Technology
Related: Cryptographic Module Validation Program

FIPS 140-3 is the Federal Information Processing Standard that specifies security requirements for cryptographic modules used in systems affiliated with the United States National Institute of Standards and Technology, in Department of Defense-connected programs, and in other federal agencies such as the National Security Agency, the Department of Homeland Security, and the General Services Administration. The standard codifies technical criteria for cryptographic module design, implementation, and operation, drawing on international standards such as ISO/IEC 19790, on practices from standards bodies including the International Organization for Standardization and the International Electrotechnical Commission, and on advisory input from industry stakeholders such as Microsoft Corporation, IBM, and Amazon Web Services. It is implemented in coordination with validation programs run by laboratories recognized by the National Voluntary Laboratory Accreditation Program and by organizations related to Common Criteria.

Overview

FIPS 140-3 defines security requirements for cryptographic modules in areas such as cryptographic module specification, ports and interfaces, roles and services, authentication, the finite state model, physical security, the operational environment, cryptographic key management, EMI/EMC considerations, and self-tests. The standard aligns conceptually with its predecessor FIPS 140-2 and with international technical frameworks such as ISO/IEC 19790, while incorporating implementation controls familiar to implementers at vendors such as Cisco Systems, Intel Corporation, Oracle Corporation, and Red Hat. Authorities including the National Institute of Standards and Technology and its Computer Security Division provide guidance to federal agencies, contractors, and accredited testing facilities, including Underwriters Laboratories and other Common Criteria testing laboratories.
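The self-tests and the finite state model listed above are the two requirement areas most visible to an implementer, so the following is an added illustration written for this article; it is not code from NIST, from the standard, or from any validated module. It models a toy module that runs known-answer tests (KATs) for SHA-256 and HMAC-SHA-256 at power-on, enters an error state and refuses every service if any KAT fails, and exposes its cryptographic services only while operational. The class and state names are assumptions for the example; the test vectors are public known-answer values (the SHA-256 digest of "abc" and RFC 4231 test case 1 for HMAC-SHA-256). Passing such a toy self-test does not make anything FIPS-validated: validation is the laboratory and CMVP process described later on this page.

```python
import hashlib
import hmac
from enum import Enum, auto


class State(Enum):
    """States of the toy module's finite state model (names assumed for this example)."""
    POWER_OFF = auto()
    SELF_TEST = auto()
    OPERATIONAL = auto()
    ERROR = auto()


# Public known-answer vectors: SHA-256("abc") and RFC 4231 HMAC-SHA-256 test case 1.
SHA256_KAT = {
    "msg": b"abc",
    "digest": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}
HMAC_KAT = {
    "key": b"\x0b" * 20,
    "msg": b"Hi There",
    "mac": "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
}


class ModuleNotOperational(Exception):
    """Raised when a service is requested outside the OPERATIONAL state."""


class CryptoModule:
    """Toy cryptographic module: power-on KATs gate access to every service."""

    def __init__(self, sha256_kat=SHA256_KAT, hmac_kat=HMAC_KAT):
        self.state = State.POWER_OFF
        self.failed_test = None
        self._sha256_kat = sha256_kat
        self._hmac_kat = hmac_kat

    def power_on(self):
        """Run every power-on self-test; the first failure sends the module to ERROR."""
        self.state = State.SELF_TEST
        tests = (("SHA-256 KAT", self._kat_sha256), ("HMAC-SHA-256 KAT", self._kat_hmac))
        for name, test in tests:
            if not test():
                self.state = State.ERROR
                self.failed_test = name
                return self.state
        self.state = State.OPERATIONAL
        return self.state

    def _kat_sha256(self):
        # Compare the computed digest against the stored known answer in constant time.
        got = hashlib.sha256(self._sha256_kat["msg"]).hexdigest()
        return hmac.compare_digest(got, self._sha256_kat["digest"])

    def _kat_hmac(self):
        got = hmac.new(self._hmac_kat["key"], self._hmac_kat["msg"], hashlib.sha256).hexdigest()
        return hmac.compare_digest(got, self._hmac_kat["mac"])

    def _require_operational(self):
        # Every service checks the state first: no output from POWER_OFF, SELF_TEST or ERROR.
        if self.state is not State.OPERATIONAL:
            raise ModuleNotOperational(f"module is in state {self.state.name}")

    def sha256(self, data: bytes) -> str:
        self._require_operational()
        return hashlib.sha256(data).hexdigest()

    def hmac_sha256(self, key: bytes, data: bytes) -> str:
        self._require_operational()
        return hmac.new(key, data, hashlib.sha256).hexdigest()


def demo():
    """Healthy module becomes OPERATIONAL; a module with a corrupted KAT answer lands in ERROR."""
    healthy = CryptoModule()
    corrupted = CryptoModule(sha256_kat={"msg": b"abc", "digest": "00" * 32})  # constructed bad vector
    return healthy.power_on(), corrupted.power_on(), corrupted.failed_test


if __name__ == "__main__":
    print(demo())
```

The point of the state check in every service is that a failed self-test must not degrade into a silent fallback: the module stops serving until it is power-cycled and the tests pass again, which is the behaviour a validation laboratory exercises when it checks the finite state model against the module's Security Policy.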

Scope and Requirements

FIPS 140-3 applies to cryptographic modules used to protect sensitive but unclassified and classified information processed, stored, or transmitted by agencies such as the Department of Defense, the Department of State, the Department of Justice, and the Central Intelligence Agency. The requirements cover module boundaries, interfaces, roles, authentication methods (such as the multi-factor approaches used by vendors like Symantec and Duo Security), key management procedures implemented by hardware security module providers including Thales Group, Gemalto (now Thales DIS), and Entrust Corporation, and physical security protections that mirror techniques used in secure hardware from Hewlett-Packard Enterprise, Dell Technologies, and Nokia. The standard defines four security levels, each imposing progressively stronger controls, similar to the assurance levels used in Common Criteria and to the deployment scenarios considered by organizations like Bank of America, JPMorgan Chase, and Goldman Sachs.

Validation and Certification Process

Certification under the Cryptographic Module Validation Program requires testing by accredited laboratories recognized by the National Voluntary Laboratory Accreditation Program, and submission of documentation to the National Institute of Standards and Technology and, where applicable, the Canadian Centre for Cyber Security. Vendors such as RSA Security, Cisco Systems, Microsoft Corporation, Amazon Web Services, and Google LLC have navigated the process to achieve module approvals for cloud and enterprise products. The process involves conformance testing against published test requirements, submission of a Security Policy document, and third-party evaluation of the cryptographic algorithms, often aligned with standards such as NIST Special Publication 800-131A and Federal Information Processing Standards Publication 186-4. Accredited laboratories, which may include testing houses affiliated with Underwriters Laboratories, execute functional, boundary, and penetration assessments before modules are entered into the validation lists maintained by NIST.

Transition from FIPS 140-2

The move from FIPS 140-2 to FIPS 140-3 reflects a transition similar to previous standard updates, such as the adoption of the Advanced Encryption Standard in FIPS 197; it preserves compatibility while updating requirements for contemporary deployment models such as the cloud services offered by Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Agencies including the Department of Defense and the General Services Administration issued migration guidance to vendors, and several major vendors coordinated re-certification efforts to maintain continuity for customers including Lockheed Martin, Raytheon Technologies, and Northrop Grumman. The transition timeline involved periods of parallel acceptance and sunset plans analogous to other federal standard transitions overseen by NIST and informed by stakeholder input from consortia such as the Trusted Computing Group.

Implementation and Use Cases

FIPS 140-3-certified modules appear across a range of deployments: hardware security modules from Thales Group and Entrust Corporation used by financial institutions such as Wells Fargo and Citigroup; VPN and TLS accelerators in network equipment from Cisco Systems and Juniper Networks; secure elements in mobile devices from Apple Inc., Samsung Electronics, and Google LLC; cloud key management services offered by Amazon Web Services, Microsoft Azure, and Google Cloud Platform; and embedded systems in aerospace and defense platforms from Lockheed Martin and Northrop Grumman. Use cases include protection of payment card data in systems adhering to guidance from the Payment Card Industry Security Standards Council, secure remote access for agencies such as the Department of Homeland Security, and critical infrastructure controls used by utilities overseen by entities such as the North American Electric Reliability Corporation.

Criticisms and Compliance Challenges

Critiques of the standard and its validation process echo those raised during earlier transitions involving standards such as FIPS 140-2 and international harmonization efforts with ISO/IEC 19790: long lead times for certification conflict with the rapid-release development models practiced by companies such as GitHub, Docker, and Red Hat; the cost and resource burden on small vendors and startups resembles concerns voiced by members of the Open Source Initiative and by smaller cryptographic maintainers; and the focus on module-level assurance is sometimes seen as insufficient by proponents of the systemic approaches advocated by entities such as CISA and the National Cybersecurity Center of Excellence. Compliance complexity also arises when integrating certified modules into larger systems used by organizations such as NASA, NOAA, and the Federal Aviation Administration, requiring policy and architectural work analogous to that seen in large-scale federal IT modernization programs.

Category:Cryptography standards