Understand FIPS 140-2 and 140-3

Federal Information Processing Standards (FIPS) 140 are U.S. government criteria that provide a benchmark for the security of cryptographic modules. Both government and commercial sectors leverage these standards to ensure the secure handling of sensitive data.

TrustCore SDK compliance with FIPS 140-2/3

TrustCore SDK NanoCrypto maintains active NIST FIPS 140-2 certification (certificates #4298 and #4299) and FIPS 140-3 certification (interim certificates #4761, #4818)*1.

*1 Final FIPS 140-3 certificates pending.

FIPS compliance requirements

US federal agencies (both civilian and military) are required by law to use FIPS 140-certified cryptographic modules. Additionally, government procurement policies mandate that commercial products obtain FIPS 140-3 certification specific to their operating environment. This certification requirement is standard in most federal RFPs and necessary for government contract eligibility.

FIPS validation as a service

DigiCert's FIPS Validation as a Service offering provides end-to-end support for achieving FIPS 140 certification. Our service streamlines the complex validation process, from initial assessment through final certification. Contact DigiCert® Sales for detailed information on certification requirements and timelines.

Migration and future-proofing support

  • FIPS 140-2 to 140-3 migration: TrustCore SDK includes migration tools and documentation to facilitate the transition from FIPS 140-2 to 140-3 standards. Our validation service provides guidance throughout the upgrade process.

  • Post-Quantum Cryptography (PQC) readiness: TrustCore SDK supports quantum-resistant algorithms, including ML-KEM (FIPS-203) and ML-DSA (FIPS-204). DigiCert® is currently pursuing FIPS 140-3 certification for these post-quantum algorithms to ensure continued compliance as cryptographic standards evolve.

FIPS 140-2: Established framework

FIPS 140-2, introduced in 2001, has served as a cornerstone of cryptographic module security. It lays out stringent requirements across four security levels, each providing a degree of data protection suited to different scenarios:

  • Security Level 1: Ensures basic security for general applications.

  • Security Level 2: Adds role-based authentication to prevent unauthorized access.

  • Security Level 3: Enhances protections for module identity and authentication data.

  • Security Level 4: Provides the highest degree of security against environmental and physical attacks.

FIPS 140-3: Next-Gen security

In 2019, FIPS 140-3 was introduced to keep up with evolving security demands, setting the stage for more robust protection mechanisms and reinforcing the relevance of FIPS standards in the face of advanced threats:

  • Security Level 1: Maintains basic security principles.

  • Security Level 2: Introduces tamper-evidence for enhanced physical security.

  • Security Level 3: Strengthens defenses against complex algorithmic attacks.

  • Security Level 4: Ensures comprehensive protection against high-level assault attempts.

Importance of FIPS validation

While FIPS standards are a government mandate, their influence extends far beyond, with many private and commercial organizations adopting them for improved trust, security, and regulatory advantages.

  • Defense Contractors: Protecting national security information through encrypted communications and data storage.

  • Healthcare Providers: Safeguarding patient information and ensuring the confidentiality and integrity of medical records.

  • Financial Institutions: Securing financial transactions and sensitive customer data against fraud and breaches.

  • Cloud Service Providers: Offering FIPS-validated cryptographic modules to clients who require compliance for their services.

Additional resources

Explore the following resources for a deeper understanding of FIPS 140-2 and 140-3: