FIPS 140-2 / 140-3
FIPS 140 is the U.S. federal standard for cryptographic module security. FIPS 140-2 is widely deployed; FIPS 140-3 is the current standard, with all new validations conducted against it since 2020.
What FIPS 140 validates
FIPS 140 (Federal Information Processing Standard) specifies security requirements for cryptographic modules — the hardware, firmware, or software components that perform cryptographic operations. Validation is performed under the Cryptographic Module Validation Program (CMVP), jointly run by NIST and the Canadian Centre for Cyber Security. Four security levels (1-4) reflect increasing physical and operational protection. FIPS 140-2 was the dominant standard from 2001 onward; FIPS 140-3 (based on ISO/IEC 19790:2012) is the current standard, and all new validations have been conducted against 140-3 since September 2020.
When FIPS validation is required
FIPS 140-validated modules are required for U.S. federal information systems under FISMA, and by extension for any vendor pursuing FedRAMP authorization. They are commonly required by Department of Defense procurement (DoD Impact Level 4-6 cloud environments must use FIPS-validated cryptography) and by some state and local government buyers. Many regulated industries (healthcare, finance) reference FIPS validation as evidence of cryptographic rigor even where it is not strictly required.
Procurement nuance
A vendor claiming "FIPS 140-2 compliant" is making a weaker statement than "FIPS 140-2 validated." Only a validation listed on the CMVP registry (with a certificate number) is provable. Many vendors use FIPS-validated libraries (the OpenSSL FIPS module, AWS KMS, Azure Key Vault HSM-backed keys) without the vendor's product itself being separately validated; that is acceptable for most procurement purposes but should be stated honestly. FIPS 140-2 modules entered "historical" status on the CMVP registry in 2026, though existing validations remain valid for use; new procurements should prefer 140-3.