Federal Information Processing Standards (FIPS) 140-3 marks the third revision of the U.S. cryptographic module standard and replaces FIPS 140-2 as of September 2021. Overseen by the U.S. National Institute of Standards and Technology (NIST), FIPS 140-3 establishes cryptographic requirements for makers of secure hardware and software, as well as processes for third-party validation that a cryptography solution meets these standards.
Within the United States and Canada, any federal agency, its contractors, its service providers and any other organization that handles sensitive data or protected information in the administration of a federal program must be FIPS compliant. This requirement includes:
- Contractors and vendors who store or work with any sensitive data provided by federal programs
- Organizations that receive federal funding
- State organizations, agencies and their subcontractors that administer federal programs
Managed file transfer (MFT) and file transfer protocol (FTP) servers use FIPS-validated cryptographic modules to meet these standards.
Testing requirements for FIPS 140-3
Modules must be tested by accredited laboratories under NIST’s Cryptographic Module Validation Program (CMVP) to confirm that they follow FIPS rules. FIPS 140-3 applies stricter testing standards than FIPS 140-2, and testing covers multiple operational areas.
FIPS 140-3 testing requirements include:
- Known answer tests now run only before an algorithm is first used
- A pre-operational self-test (POST) and conditional algorithm self-tests
- A POST that now focuses on memory integrity
In addition to these changes, FIPS requires that:
- Cryptographic algorithms must be NIST-approved and implemented correctly
- Key management methods must meet strict generation, distribution and destruction rules
- Modules must undergo self-tests during startup and operation to detect failures
- Physical security features must be evaluated for tamper evidence or resistance
- Role-based access control must be enforced to limit cryptographic function access
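As an added illustration of the self-test structure listed above (not code from the original page or from any real validated module): a toy Python module that runs its integrity test at power-up, runs each algorithm’s known-answer test lazily before that algorithm’s first use, and refuses all services once it enters the error state. The integrity key and code image are constructed placeholders; the test vectors are the published SHA-256 and RFC 4231 HMAC-SHA-256 examples.

```python
import hashlib
import hmac

# Constructed stand-in for a module's code image and its build-time integrity tag;
# the key is a hypothetical placeholder (a real module keeps it inside its boundary).
INTEGRITY_KEY = bytes.fromhex("00" * 32)
MODULE_IMAGE = b"constructed module image v1.0"
MODULE_TAG = hmac.new(INTEGRITY_KEY, MODULE_IMAGE, hashlib.sha256).digest()

# Known-answer tests: SHA-256 of "abc" (FIPS 180-4 example vector) and
# HMAC-SHA-256 test case 1 from RFC 4231. Each returns True when the output matches.
KATS = {
    "SHA-256": lambda: hashlib.sha256(b"abc").hexdigest()
    == "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "HMAC-SHA-256": lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest()
    == "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
}


class Module:
    def __init__(self, image: bytes, tag: bytes):
        self.image, self.tag = image, tag
        self.casts_passed = set()   # algorithms whose KAT has already passed
        self.error = False          # error state: every service is refused
        self.pre_operational_self_test()

    def _cast(self, algorithm: str) -> bool:
        # Conditional algorithm self-test: runs once, before the algorithm's first use.
        if algorithm not in self.casts_passed:
            if not KATS[algorithm]():
                self.error = True
                return False
            self.casts_passed.add(algorithm)
        return True

    def pre_operational_self_test(self) -> bool:
        # The algorithm used for the integrity test is tested first; then the code
        # image is checked against its stored tag before any service is offered.
        if not self._cast("HMAC-SHA-256"):
            return False
        expected = hmac.new(INTEGRITY_KEY, self.image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            self.error = True
        return not self.error

    def sha256(self, data: bytes) -> str:
        # Approved service: refused in the error state; its KAT runs lazily on first call.
        if self.error or not self._cast("SHA-256"):
            raise RuntimeError("module is in the error state")
        return hashlib.sha256(data).hexdigest()
```

A tampered image (any change to `MODULE_IMAGE` without a matching tag) fails the pre-operational test and leaves the module in the error state with no services available.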
FIPS 140-3 security levels
FIPS 140-3 outlines four separate security levels. Each level reflects the strength and type of protection offered by a cryptographic module. These levels help organizations assess their needs. They also support selecting modules that match specific risks or operational settings. Each level builds on the one before it, increasing in technical and physical requirements.
The functions of each level are:
- Level one: Basic security with at least one approved algorithm and production-grade components
- Level two: Adds role-based authentication and tamper-evident physical mechanisms
- Level three: Requires identity-based authentication and physical tamper-resistance
- Level four: Designed for high-risk environments and requires significant protections against physical and environmental attacks
These levels provide a structured approach to assessing which cryptographic modules are suitable for specific MFT or FTP use cases.
FIPS 140-3 compliance standards
FIPS 140-3 sets strict requirements for cryptographic modules in secure data systems. A module must pass lab checks before it can claim compliance. The process confirms integrity and reliability. It also verifies correct implementation in both software and hardware.
These FIPS 140-3 standards help protect sensitive file transfers:
- Authentication must meet requirements for either role-based or identity-based access
- Documentation must follow strict formatting defined by NIST for test reports and security policies
- Key management processes must comply with NIST standards for lifecycle control
- Modules must pass lab validation through the CMVP
- Modules must use approved algorithms such as AES, SHA-2 and RSA
These compliance standards support the consistent and trusted implementation of encryption technologies in MFT and FTP environments.
Benefits of being FIPS 140-3 compliant
FIPS 140-3 gives organizations clear standards for evaluating cryptographic security, together with independent validation that the tools they rely on meet those standards.
While not required for all file transfers, using FIPS 140-3 validated encryption for your transfers ensures that you meet a high level of third-party validated data protection.
Other benefits of using a solution that’s FIPS 140-3 compliant are that it:
- Confirms consistent implementation of encryption and authentication controls
- Enables eligibility for government procurement and regulated industry use
- Meets federal and industry security mandates for cryptographic validation
- Provides assurance that modules were independently tested by accredited labs
- Supports internal risk management and security audit readiness
These benefits help organizations maintain compliance and strengthen the security posture of MFT and FTP operations.
FIPS 140-3 FAQs
FIPS 140-3 is the successor to FIPS 140-2. The revision adds tougher documentation, testing and validation of cryptographic modules.
NIST moved all implementation guidance to the SP 800-140 series. The standard adds stronger physical safeguards and additional rules for software-only modules. It also allows more hybrid module testing, which brings U.S. requirements in line with global practices under ISO/IEC 19790:2012.
SSL alone is not enough to meet FIPS 140-3 requirements, as encryption is only one part of FIPS compliance. Compliance requirements extend to system access, physical security and other features outside of SSL.
NIST granted final approval of FIPS 140-3 on March 22, 2019, and it became effective on September 22 of the same year. The new standard replaced FIPS 140-2 for vetting cryptographic modules that protect sensitive government data.
Vendors received a buffer period to finish work under the older standard. NIST ceased accepting FIPS 140-2 submissions as of April 1, 2022. Every new validation now runs through FIPS 140-3.