The U.S. federal government’s transition to the FIPS 140-3 cryptography standard has begun, with NIST announcing that all FIPS 140-2 certificates will be retired in September 2026. Cerberus FTP Server versions 12.11 and higher have moved to OpenSSL 3, which will extend FIPS validation through the end of 140-2’s lifecycle, and future versions of Cerberus will include FIPS 140-3 validation.   

This post will discuss the reasons behind NIST’s transition and the benefit of FIPS 140-3 validation for data transfer. 


What’s new in FIPS 140-3?   


FIPS 140-3 extends cryptography standards beyond hardware to include both firmware, software, and hybrid modules.  

  • Block ciphers must use AES 128 or higher algorithms for encryption. Older algorithms such as TDEA and SKIP JACK may only be used for legacy decryption  
  • Digital signatures must use security greater than or equal to 112 bits for any new signature generation  
  • Hash functions have received further guidance on appropriate use cases in the FIPS 140-3 Transition Documentation  

Additionally, FIPS 140-3 now includes a “Self-Initiated Cryptographic Output Capability,” which is an automated functioning module that can execute cryptographic operations or other approved security functions autonomously.  


Roles & Authentication  

Adherence to ISO 19790‘s authentication levels remains in place, but level 4 authentication must now be performed via multi-factor identify-based authentication. This requirement has changed due to the upgrade from 140-2’s trusted path to 140-3’s trusted channel and its effort to secure communications between the cryptographic module and the endpoint device.   

140-3 also adds a fifth control output interface that will indicate the state of an operation, which can help troubleshoot.   

The only required role in FIPS 140-3 is the crypto officer role, although the user and maintenance roles remain options.   


Validation and Testing  

Because hybrid modules (hybrid firmware, hybrid software, etc.) are included in FIPS 140-3, a wider variety of vendors and resources will be able to apply for validation beyond level 1. This should open up a more extensive toolset for secure transfer, which is always a positive.   

Testing has changed as well:  

  • FIPS 140-3 now requires a Pre-Operational Self-Test (POST) and the Conditional Algorithm Self-Test.   
  • Known Answer Tests now only run prior to using an algorithm.   
  • The POST now focuses on memory integrity.   

Cryptography is complex, and we hope this blog has helped you understand what is changing in the transition to FIPS 140-3. Click here to learn more about FIPS 140 compliance with Cerberus FTP Server. To learn more about Cerberus FTP Server, visit