FIPS 140-3: Testing of crypto modules and crypto algorithms

Contact us now

Your crypto product tested according to FIPS 140-3

If you want to sell products with encryption components in the USA, you generally need a FIPS 140-3 certification. The certificate attests that a cryptographic module meets specific security requirements and has been tested for compliance by an independent third party.

Our experts test your cryptographic algorithms and cryptographic modules in ac­cordance with the international standard FIPS 140-3. Our test laboratory is the only one in Germany that is approved by the National Institute of Standards and Tech­nology (NIST, USA) for testing and validation in accordance with FIPS PUB 140-3.

  Fulfillment of the requirements for cryptographic modules

An independent validation according to FIPS 140-3 shows that your product fulfills the special requirements for cryptographic modules.

  Increased trust & competitive advantages

With a validation, you prove that you meet the mandatory requirements for processing sensitive but unclassified (SBU) information.

  Demonstration of your commitment to cyber security 

You demonstrate your commitment to cyber security and your ability to support customers in ensuring a high level of system security.

What is FIPS 140-3?

FIPS (Federal Information Processing Standard) 140-3 is a standard developed by the US National Institute of Standards and Technology (NIST) that defines the basic requirements for cryptographic products.

It is mandatory for all US federal organizations and authorities that use cryptography-based security systems to protect sensitive data. Therefore, the standard should already be used as a basis for the development and implementation of cryptographic modules.

FIPS 140-3 has become a worldwide de facto standard and is used in various industries, such as the financial sector or healthcare. The standard contains 4 qualitatively increasing security levels that cover a wide range of possible applications and environments.

The 4 security levels according to FIPS 140-3:

Level 1

Use & correct implementation of at least one approved encryption algorithm

Basic security requirements on firmware or software level to prevent unauthorized access

Level 2

Requirements from Level 1

+ Use of role-based authentication

+ Implementation of physical security mechanisms

+ Use of a mechanism for detecting manipulation

Level 3

Requirements from Level 2

+ Use of identity-based authentication

+ Implementation of physical manipulation security & resistant housing/coating

+ Mechanism for detecting and reacting to voltage and temperature deviations

Level 4

Requirements from Level 3

+ Use of multi-factor authentication

+ Implementation of physical security mechanisms against the most sophisticated attacks

Your benefits at a glance

Independent proof of IT security
FIPS 140-3 certification proves that you take the cryptographic security standards seriously & fulfill them.

Compliance with legal requirements
With FIPS 140-3 certification, you fulfill the minimum requirements for cryptographic modules of the Information Technology Management Reform Act.

Access to the US & Canadian market
A FIPS 140-3 certificate is mandatory for many government applications in the US & Canada and beyond. 

Identification of vulnerabilities
As part of an audit, you will uncover existing security gaps and optimization potential.

Protection of sensitive, unclassified information
You prove that you protect sensitive, unclassified information in a special and successful way.

Increased trust among users
A product tested for IT security leads to greater trust among users & competitive advantages. 

Our services for FIPS 140-3

Workshop on pre-validation

 Overview of the requirements & the process 

 Assessment of the readiness for certification

 Identification of required module updates

 Review of ESV requirements, if necessary


Validation testing of crypto algorithm implementations (CAVP)

 Purely functional testing of your crypto implementation (only for "Approved Functions")

 Coordination with CAVP (CAVP certificates are a precondition for full module validation)


Validation testing of cryptographic modules (CMVP)

 Complete testing of functional requirements

 Review of the documentation

 Extensive testing of the source code

 Physical testing (depending on module type & desired security level)

■ Coordination with CMVP

Entropy validation tests (ESV)

 Testing of all types of entropy sources 
- NIST SP800-90B: Non-deterministic random bit generators (NRBGs)

 Coordination with CMVP


Supplementary services

 Gap analyses

Workshop on documentation

 Support after validation

 Maintenance of the certification


"FIPS Inside"

 Verification of the use of a validated cryptographic module

 Short-term validation of cryptographic modules (applicable if no additional security services are implemented & need to be validated)

 Analysis of the fulfillment of requirements

Further information on the official NIST website


The path to a FIPS certificate



You commission TÜVIT as an accredited test laboratory for Cryptographic & Security Testing with the testing according to FIPS 140-3.


Testing of the implementation

After you have provided us with the module to be tested, our experts carry out a conformity test & create a test report. 


Review by CMVP

In the next step, we submit the test report and other required documents to the CMVP, which are then assessed by assigned CMVP examiners. 


Coordination between TÜVIT & CMVP

Our experts communicate with the CMVP & receive feedback on the test report.


Successful validation

Finally, the CMVP confirms the successful validation of your crypto module according to FIPS 140-3.

CMVP, CAVP & ESV at a glance

Cryptographic Module Validation Program (CMVP)


The CMVP provides certification through validation testing of functional requirements and manufacturer documentation, source code examination & testing, and – depending on the module type and desired security level – physical testing.

Five different module types can be certified as part of the program:

 Hardware modules
■ Software modules
■ Firmware modules
 Hybrid software modules​​​​​​​
■ Hybrid firmware modules

Cryptographic Algorithm Validation Program (CAVP)


CAVP includes validation tests for approved (i.e. FIPS-approved and NIST-recommended) cryptographic algorithms and their individual components. CAVP can only be used for testing algorithms, but is mandatory and the first step of a cryptographic module validation according to CMVP.

Entropy Source Validation (ESV)

Entropy source validation is a new area within the Cryptographic Module Validation Program provided by NIST. The test is required if a module has its own entropy source. 

Corresponding validation tests may only be carried out by NIST/NVLAP-accredited test laboratories such as TÜVIT.

Frequently asked questions (FAQ):

How long does a FIPS 140-3 certification take?

Depending on the security level (and the associated tests), module validation within the framework of CMVP usually takes 4-8 months before the report can be submitted to CMVP.

What is a module type?

The FIPS 140-3 standard defines 5 different module types that can be certified as part of the CMVP program: Hardware, software, firmware, hybrid software or hybrid firmware modules.

What is an Implementation Guidance (IG)?

An Implementation Guidance contains binding interpretations of the standard, the derived test requirements and the referenced cryptographic standards and must be taken into account by the provider.

What is an operating environment (OE)?

The OE is the set of software and hardware, including an operating system, which is required for the secure operation of the module.

What is a physical security component?

Physical security components are physical representations of cryptographic modules. They can be used as a single chip (a single integrated circuit) as a stand-alone device or embedded in a package or product that may not be physically protected. Examples include single IC chips or smart cards with a single IC chip.

Embedded multi-chip cryptographic modules are physical components where two or more IC chips are interconnected and embedded in a housing or product that may not be physically protected. Examples include adapters and expansion cards.

Stand-alone multi-chip cryptographic modules are physical components where two or more IC chips are interconnected and the entire package is physically protected. Examples include encrypted routers, secure radios or USB tokens.

Interested in validation & certification according to FIPS 140-3?


Why we are a strong partner for you


Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.


The TÜVIT test laboratory is the only one in Germany that is approved by the National Institute of Standards and Technology (NIST, USA) for testing and validation in accordance with FIPS PUB 140-3.

International network of experts

Around the globe: We support you both nationally and internationally. Our global network of experts is ready to help you in word and deed in all IT security issues.

Industry experience

Due to many years of experience in different branches of industry we can serve companies from a wide range of industries.

Tailor-made for you

We focus on individual services - and solutions - that optimally fit your current company situation and your set goals.


You have questions? We are pleased to help!



Further services