FIPS 140-3

FIPS 140-3 creates the conditions for uniform security standards for cryptographic modules and thus enables international comparability. The standard addresses current threats as well as modern cryptography and security technologies and thus provides a contemporary basis.

What is FIPS 140-3?

FIPS (Federal Information Processing Standard) 140-3 is a standard developed by the US National Institute of Standards and Technology (NIST) that defines the basic requirements for cryptographic products.

It is binding for all US federal organisations and authorities that use cryptography-based security systems to protect sensitive data. The standard should therefore be used as the basis for the development and implementation of cryptographic modules.

FIPS 140-3 has become a worldwide de facto standard and is used in various industries, such as the financial sector or healthcare. The standard contains 4 qualitatively increasing security levels that cover a wide range of possible applications and environments.

The 4 Security Levels According to FIPS 140-3

Level 1

  • Use and correct implementation of at least one authorised encryption algorithm
  • Basic security requirements at firmware or software level to prevent unauthorised access

Level 2

Requirements from Level 1, plus:

  • Use of role-based authentication
  • Implementation of physical security mechanisms
  • Use of a tamper detection mechanism

Level 3

Requirements from Level 2, plus:

  • Use of identity-based authentication
  • Implementation of physical tamper protection & resistant housing/coating
  • Mechanism for detecting and reacting to voltage and temperature deviations

Level 4

Requirements from Level 3, plus:

  • Use of multi-factor authentication
  • Implementation of physical security mechanisms against the most sophisticated attacks

On the safe side

That is why FIPS 140-3 is the right choice

Special features of FIPS 140-3

  • International standard with a set of security requirements for cryptographic modules & products
  • Supports the development and implementation of secure cryptographic modules
  • Contains mandatory requirements for the processing of sensitive but unclassified (SBU) information
  • Is in line with the minimum requirements for cryptographic modules of the Information Technology Management Reform Act

Your benefits at a glance

  • Independent proof of IT security
    FIPS 140-3 certification proves that you take cryptographic security standards seriously & fulfil them.
  • Access to the US & Canadian market
    A FIPS 140-3 certificate is mandatory for many government applications in the US & Canada and beyond.
  • Protection of sensitive, unclassified information
    You prove that you protect sensitive, unclassified information particularly well.
  • Compliance with legal requirements
    With FIPS 140-3 certification, you fulfil the minimum requirements for cryptographic modules of the Information Technology Management Reform Act.
  • Identification of vulnerabilities
    As part of an audit, you will uncover existing security gaps and potential for optimisation.
  • Increased trust among users
    A product tested for IT security leads to increased trust among users & competitive advantages.

Good to know

CMVP, CAVP & ESV at a glance

Cryptographic Module Validation Program (CMVP)

The CMVP offers certification through validation tests of the functional requirements and manufacturer documentation, source code examinations & tests and - depending on the module type and the desired security level - physical tests.

Five different module types can be certified under the programme:

  1. Hardware modules
  2. Software modules
  3. Firmware modules
  4. Hybrid software modules
  5. Hybrid firmware modules

Cryptographic Algorithm Validation Program (CAVP)

CAVP includes validation tests for approved (i.e. FIPS-approved and NIST-recommended) cryptographic algorithms and their individual components. CAVP can only be used for testing algorithms, but is mandatory and the first step of a cryptographic module validation according to CMVP.

Entropy Source Validation (ESV)

Entropy source validation is a new area within the Cryptographic Module Validation Programme provided by NIST. The test is required if a module has its own entropy source.

Corresponding validation tests may only be carried out by NIST/NVLAP-accredited test laboratories - such as TÜVIT.

Frequently Asked Questions (FAQ)

What you need to know about FIPS 140-3

Depending on the security level (and the associated tests), module validation within the framework of CMVP usually takes 4-8 months before the report can be submitted to CMVP.

With the Cryptographic Module Validation Program (CMVP), the Cryptographic Algorithm Validation Program (CAVP) and the Entropy Source Validation (ESV), NIST offers three different certification programmes in connection with FIPS 140-3.

The FIPS 140-3 standard defines 5 different module types that can be certified as part of the CMVP programme: Hardware, software, firmware, hybrid software or hybrid firmware modules.

An Implementation Guidance contains binding interpretations of the standard, the derived test requirements and the referenced cryptographic standards and must be taken into account by the provider.

The operational environment (OE) is the entirety of software and hardware, including an operating system, which is required for the secure operation of the module.

Physical security components are physical representations of cryptographic modules. They can take the form of a single chip (a single integrated circuit), used as a standalone device or embedded in a housing or product that may not be physically protected. Examples include single IC chips or smart cards with a single IC chip.

Embedded multi-chip cryptographic modules are physical components where two or more IC chips are interconnected and embedded in a housing or product that may not be physically protected. Examples include adapters and expansion cards.

Standalone multi-chip cryptographic modules are physical components where two or more IC chips are interconnected and the entire package is physically protected. Examples include encrypted routers, secure wireless devices or USB tokens.
