FIPS 140-3Free Resource

FIPS 140-3 Cryptographic Module Validation

Use this FIPS 140-3 resource to understand how cryptographic modules are scoped, tested, documented, and maintained under the Cryptographic Module Validation Program.

The guides focus on module boundaries, interfaces, roles, services, approved modes, algorithm certificates, operational environments, and security-policy evidence.

FIPS 140-3 validation checklist
Publication details
Editorial metadata for this artifact
Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Start with these FIPS 140-3 decisions
FIPS 140-3 validation checklist
Review the requirement areas a module package must address before CMVP testing: specification, interfaces, roles, software or firmware, physical security, self-tests, lifecycle assurance, and attack mitigation.
FIPS 140-3 module boundary selector
Separate the cryptographic boundary from excluded components, operational environment assumptions, ports, interfaces, and services that must appear in the security policy.
FIPS 140-3 algorithm certificate mapping
Map each approved security function and service to the algorithm validation evidence needed to support an approved mode claim.
Grounded in official NIST and CCCS sourcesCMVP validation and laboratory contextNo signup required
Quick start
FIPS 140-3
FIPS 140-3 validation checklist
Crawlable guide page at /artifacts/global/fips-140-3/fips-140-3-validation-checklist.
FIPS 140-3 module boundary selector
Crawlable guide page at /artifacts/global/fips-140-3/module-boundary-selector.
FIPS 140-3 algorithm certificate mapping
Crawlable guide page at /artifacts/global/fips-140-3/algorithm-certificate-mapping.
Use this FIPS 140-3 set to prepare boundary, service, operating-environment, security-policy, and change-impact questions before validation planning.
19
Topics
8
FAQs
2
Comparisons
4
Security levels
Define boundary
Map services
Prove approved mode

Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1
FIPS 140-3 algorithm certificate mapping: ACVTS certificates to module boundary
Map CAVP algorithm certificates to FIPS 140-3 module services, approved security functions, security policy tables, and validation evidence.
Read Guide
2
FIPS 140-3 Applicability Test
Check whether FIPS 140-3 applies to a cryptographic module claim by testing agency use, module boundary, security level, approved functions, CMVP status, and procurement evidence.
Read Guide
3
FIPS 140-3 Approved and Non-Approved Mode Workflow
Classify FIPS 140-3 module services by approved security service, allowed no-security-claimed use, and non-approved service evidence.
Read Guide
4
FIPS 140-3 approved-mode evidence workflow
A grounded workflow for collecting FIPS 140-3 approved-mode evidence: module boundary, approved services, service indicators, CAVP certificates, Security Policy entries, and change review.
Read Guide
5
FIPS 140-3 Change Impact Review
Review FIPS 140-3 module changes against boundary, version, operational environment, embedded module, software loading, CVE, and certificate evidence.
Read Guide
6
FIPS 140-3 compliance guide
A grounded FIPS 140-3 compliance guide for cryptographic module scope, security-level claims, CMVP validation evidence, and procurement review.
Read Guide
7
FIPS 140-3 Entropy and DRBG Evidence
FIPS 140-3 entropy and DRBG guidance for module boundary decisions, entropy caveats, Security Policy evidence, ESV references, and DRBG CSP handling.
Read Guide
8
FIPS 140-3 FAQ for Cryptographic Modules
Answers to common FIPS 140-3 questions about scope, CMVP validation, algorithm certificates, module boundaries, approved mode, and validation evidence.
Read Guide
9
FIPS 140-3 Module Boundary Selector Workflow
A FIPS 140-3 workflow for selecting a cryptographic module boundary, separating embedded and bound modules, and collecting CMVP validation evidence.
Read Guide
10
FIPS 140-3 Security Policy Template
Build a FIPS 140-3 module Security Policy with sections for boundary, roles, services, approved algorithms, SSP handling, self-tests, and CMVP evidence.
Read Guide
11
FIPS 140-3 Validation Checklist
Checklist for preparing a cryptographic module for FIPS 140-3 validation: boundary, levels, services, approved algorithms, entropy, tests, security policy, and change evidence.
Read Guide
12
FIPS 140-3 Validation Maintenance
Maintain FIPS 140-3 validation claims by checking module identity, certificate status, boundary changes, operational environments, and CAVP evidence.
Read Guide
13
FIPS 140-3 Validation Maintenance Change Workflow
A FIPS 140-3 workflow for triaging module changes against CMVP validation scope, Security Policy evidence, CAVP certificates, software loading, and CVE records.
Read Guide
14
FIPS 140-3 vs ISO/IEC 19790 and ISO/IEC 24759
Compare FIPS 140-3 with ISO/IEC 19790 and ISO/IEC 24759 for cryptographic module validation scope, evidence, testing, and procurement claims.
Read Guide
15
FIPS 140-3: CMVP Lifecycle Timeline
Practical FIPS 140-3 guidance for CMVP Lifecycle Timeline: scope, controls, evidence, source-linked decisions, and implementation checkpoints.
Read Guide
16
FIPS 140-3: FIPS 140-2 vs FIPS 140-3
Compare FIPS 140-2 legacy references with FIPS 140-3 requirements, ISO/IEC 19790 alignment, CMVP testing evidence, and guidance mappings.
Read Guide
17
FIPS 140-3: Module Boundary and Service Mapping
Map a FIPS 140-3 cryptographic module boundary to services, approved algorithms, operational environments, and CMVP validation evidence.
Read Guide
18
FIPS 140-3: Module Boundary Selector
Select and document a FIPS 140-3 cryptographic module boundary across hardware, software, firmware, operational environment, services, and validation evidence.
Read Guide
19
FIPS 140-3: Operational Environment
FIPS 140-3 operational environment guidance for software, firmware, hybrid, CAVP certificate, EVM, and PAA/PAI validation claims.
Read Guide
20
FIPS 140-3: Security Levels Explained
Explain FIPS 140-3 Security Levels 1 through 4, what they cover, and how to document level claims for cryptographic module validation.
Read Guide
21
FIPS 140-3: step-by-step workflow for mapping algorithm certificates to CMVP modules
Map CAVP algorithm certificates to a FIPS 140-3 module by matching implementation identity, operational environment, module services, and security policy evidence.
Read Guide
Next step

Prepare a FIPS 140-3 validation package

Use the FIPS 140-3 guides to align product, engineering, security, and compliance teams before engaging a Cryptographic and Security Testing laboratory or updating an existing validation.

What this unlocks
  • Document the cryptographic module boundary, ports, interfaces, roles, services, and approved mode behavior.
  • Tie each approved security function to algorithm validation evidence and security-policy language.
  • Identify operating-environment assumptions, physical-security claims, self-test behavior, lifecycle controls, and change-impact questions.
  • Keep validation evidence separated from unsupported claims about certificate status, transition timing, or acceptance.
Recommended route
Open Assessment Autopilot
Organize FIPS 140-3 scope, evidence requests, owners, and review checkpoints for a validation-readiness assessment.
Supporting route
Open Research Copilot
Research CMVP guidance, approved-mode questions, and change-impact issues with cited outputs.
Talk to Sorena
Talk through implementation
Review your module scope, laboratory-readiness questions, and validation evidence model.
Discuss your setup