FIPS 140-3 is the current standard for cryptographic module validation. It replaces FIPS 140-2 and is now required by the U.S. government. The standard was published by NIST and follows the international standards ISO/IEC 19790 and ISO/IEC 24759. FIPS 140-3 updates the physical security requirements, improves testing and adds protection against side-channel attacks. Vendors that sell cryptographic tools to federal agencies must follow FIPS 140-3, and their modules must pass testing through NIST’s CMVP. Some systems still use FIPS 140-2, but those certificates will expire by September 2026; after that, only FIPS 140-3 will count. Organizations should start using tools that meet the new rules, which keeps systems secure and ready for future audits.

Why FIPS 140-3 matters

FIPS 140-3 is the new standard for cryptographic modules, replacing FIPS 140-2. Its goal is to improve how systems use encryption, which matters because many systems handle sensitive information. FIPS 140-3 is also built to match the rules used in other countries, which makes it easier to apply in different jurisdictions. The standard checks how strong a module is and how well it holds up under attack. Organizations that use validated modules are better placed to protect data, meet regulatory rules, and satisfy audits and legal mandates. FIPS 140-2 is being added to NIST’s historical list by September 2026, so now is the time to migrate. FIPS 140-3 matters because it:

  • Becomes the required baseline for new federal and industry projects
  • Modernizes validation by aligning with ISO/IEC 19790 standards
  • Promotes consistent enforcement of cryptographic best practices
  • Strengthens defenses against side-channel and physical attacks
  • Supports interoperability across global regulatory landscapes

Staying current with FIPS 140-3 ensures long-term encryption integrity and reduces compliance risks.

FIPS 140-3 vs. FIPS 140-2

FIPS 140-2 and FIPS 140-3 both set rules for cryptographic module validation. FIPS 140-3 updates those rules to match current practices and global standards. It draws a clearer line between physical and logical security, introduces new testing steps and looks at how modules hold up against real-world threats. The move from 140-2 to 140-3 affects both agencies and vendors, who will need to update their modules to stay certified. After September 2026, all 140-2 certificates will be marked as historical, so companies must plan ahead. In short, FIPS 140-3 brings tighter rules and a more global approach to protecting sensitive data.

Cryptographic Module Validation Program (CMVP)

The Cryptographic Module Validation Program, or CMVP, is managed by NIST and Canada’s CSE. It certifies cryptographic modules under FIPS 140-3. Vendors that want validation must submit their modules to approved labs, which test areas such as key management, physical security and protection against side-channel attacks. Once a module passes, it is listed on NIST’s public validation list, so government and business users can see which tools meet the standard. CMVP certification adds trust and keeps the validation process consistent. It also matters in systems like managed file transfer (MFT), where secure encryption is required.

How FIPS 140-3 applies to MFT

FIPS 140-3 affects managed file transfer systems in healthcare, finance and government. These systems use cryptographic modules to protect data at rest and in transit, and the standard brings updated testing for those encryption tools. MFT platforms that follow it must also include secure key storage, user authentication and logging that meet federal rules. Using MFT software that meets FIPS 140-3 can make audits easier and lowers the chance of security issues, and following the standard builds trust with partners and clients. Since FIPS 140-2 is ending, organizations should start moving to 140-3 now so their systems stay compliant and ready for new rules.

Who needs FIPS 140-3?

FIPS 140-3 applies to any organization, system or service implementing cryptographic functions for securing sensitive information.

U.S. federal agencies

Use FIPS 140-3-validated encryption modules to comply with NIST and FISMA requirements for securing sensitive and classified data.

Healthcare providers

Adopt FIPS 140-3-compliant tools to align with HIPAA encryption standards and protect patient data during file exchanges.

Financial institutions

Utilize FIPS-validated modules to comply with FFIEC, GLBA and other financial data protection frameworks.

SaaS and cloud providers

Integrate FIPS 140-3-compliant encryption in cloud services to meet FedRAMP, DoD IL and other security requirements.

Manufacturing and supply chains

Implement FIPS-certified modules to secure IP and sensitive logistics data exchanged with partners.

Retail enterprises

Use compliant tools to secure PII, payment data and internal communications across global retail operations.

FIPS 140-3 FAQs

Is FIPS 140-3 mandatory?

FIPS 140-3 is a required standard for cryptographic modules used in U.S. federal systems, and contractors that handle government data must follow it as well. Private companies are not always required to use it, but many still do: some industries use it to meet security rules, others to show they follow best practices. As FIPS 140-2 goes away, 140-3 takes its place.

More organizations now want tools that meet the new standard, including file transfer and encryption systems that are ready for what comes next. This applies to data stored in systems, data moved between users, and files that travel between countries or across networks. Using tools that follow FIPS 140-3 helps keep systems secure and ready for future rules.

What is the difference between FIPS 140 Level 2 and Level 3?

FIPS 140 has four security levels. Level 2 adds tamper-evidence and role-based authentication: the module shows signs if someone tries to tamper with it, and it only lets users perform tasks permitted for their role. Level 3 goes further. It adds tamper-resistance and identity-based authentication, which verifies who the individual user is rather than only their role. It also imposes stronger rules for how keys are stored and how the module keeps itself secure.

Most businesses use Level 2, which covers common needs and fits many systems. Level 3 is used by organizations that handle highly sensitive or classified data. Choosing a level depends on the risk involved, on the rules an organization must follow, and on how much protection it needs in its daily operations.

What is the difference between FIPS 140-3 and Common Criteria?

FIPS 140-3 and Common Criteria are both used to test security, but they follow different rules and focus on different things. FIPS 140-3 looks only at cryptographic modules and checks whether they meet NIST’s standards for encryption and integrity. Common Criteria uses ISO/IEC 15408 and evaluates full IT products such as firewalls, operating systems and software.

Some industries use both, which gives a fuller picture of how secure a system is. For file transfer software, FIPS 140-3 covers the encryption component, while Common Criteria helps show that the system as a whole follows its security rules and has the right controls. Using both helps ensure the software is safe and meets strict security needs.