--- title: "FIPS 140-3 (CMVP Cryptographic Module Validation, Approved Mode, Transition)" canonical_url: "https://www.sorena.io/artifacts/global/fips-140-3" source_url: "https://www.sorena.io/artifacts/global/fips-140-3" author: "Sorena AI" description: "Practical FIPS 140-3 guidance for CMVP cryptographic module validation: security levels, module boundary, approved mode, transition timing, documentation." published_at: "2026-03-04" updated_at: "2026-03-04" keywords: - "FIPS 140-3" - "FIPS 140-3 compliance" - "CMVP" - "cryptographic module validation" - "FIPS 140-3 validation checklist" - "FIPS 140-3 security levels" - "cryptographic module boundary" - "approved mode of operation" - "FIPS 140-3 security policy" - "NIST CMVP" - "NVLAP CSTL" - "FIPS 140-2 transition 2026" - "Cryptographic boundary" - "Security levels" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # FIPS 140-3 (CMVP Cryptographic Module Validation, Approved Mode, Transition) Practical FIPS 140-3 guidance for CMVP cryptographic module validation: security levels, module boundary, approved mode, transition timing, documentation. ![FIPS 140-3 artifact preview](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-global-fips-140-3-small.jpg?v=cheatsheets%2Fprod) *FIPS 140-3* *Free Resource* ## FIPS 140-3 Cryptographic Module Validation Use these guides to plan a defensible FIPS 140-3 validation: define the module boundary, choose the right security level, map services to approved security functions, and build the documentation and evidence a CST laboratory and the CMVP will actually use. Grounded in FIPS 140-3, the CMVP program pages, the current FIPS 140-3 Management Manual, and current Implementation Guidance. FIPS 140-2 active modules remain usable for new systems only through 21 September 2026. [Jump to guides](#topics) ## What this artifact helps you do - **Define the cryptographic boundary**: Draw the module boundary correctly so test scope, interfaces, and evidence remain consistent. - **Build an approved-mode story**: Map services, algorithms, self-tests, and indicators so approved mode is provable. - **Prepare the validation evidence pack**: Deliver a security policy and test evidence that a CSTL can execute without rework loops. Grounded in official NIST and CCCS sources | Current CMVP transition dates | No signup required ### Quick start *FIPS 140-3* - **Current program state**: FIPS 140-3 validations are the live path. FIPS 140-2 active modules remain usable for new systems only through 21 September 2026. - **Where teams fail**: Most validation delays come from boundary drift, weak service maps, and approved-mode claims that do not match the Security Policy. - **What current work depends on**: You need the base standard, the SP 800-140 series, the current Management Manual, and the current Implementation Guidance revision. FIPS 140-3 success depends on boundary discipline, current-program awareness, and evidence traceability. These guides focus on those practical failure points. | Value | Metric | | --- | --- | | 5 | Guides | | 4 | Levels | | 11 | Areas | | 2026-09-21 | 140-2 active | **Key highlights:** Define boundary | Map services | Prove approved mode ## Topic Guides - [FIPS 140-3 Compliance (CMVP Validation Playbook, Approved Mode, Transition)](/artifacts/global/fips-140-3/compliance.md): A practical FIPS 140-3 compliance and validation playbook for CMVP cryptographic module validation: boundary, security level selection, approved mode. - [FIPS 140-3 FAQ (CMVP Validation, Approved Mode, Embedded Modules, Transition)](/artifacts/global/fips-140-3/faq.md): FIPS 140-3 FAQ for cryptographic module teams: what FIPS 140-3 covers, how CMVP validation works, what approved mode means. - [FIPS 140-3 Module Boundary and Services Mapping (Approved Mode, Embedded Modules)](/artifacts/global/fips-140-3/module-boundary-and-service-mapping.md): Advanced guide to FIPS 140-3 cryptographic module boundary definition and services mapping: boundary diagrams, approved-mode indicators, SSP access. - [FIPS 140-3 Security Levels (Level 1 to Level 4) Explained](/artifacts/global/fips-140-3/security-levels-explained.md): FIPS 140-3 security levels explained: what Level 1, Level 2, Level 3, and Level 4 mean, how they affect boundary and deployment assumptions. - [FIPS 140-3 Validation Checklist (CMVP Lab Readiness, Approved Mode, Transition)](/artifacts/global/fips-140-3/fips-140-3-validation-checklist.md): A practical FIPS 140-3 validation checklist for CMVP lab readiness: boundary, services, approved mode, documentation, self-tests, SSP management. ## Explore FIPS 140-3 guides *Guides* Use these subpages for implementation deep dives: compliance, checklist, boundary mapping, security levels, and FAQ. ## How to execute FIPS 140-3 *Navigation* Use the guides to translate FIPS 140-3 requirement areas into owned controls, current-program decisions, and lab-ready evidence. *Next step* ## Turn FIPS 140-3 Cryptographic Module Validation into an operational assessment workflow FIPS 140-3 Cryptographic Module Validation should be the shared entry point for your team. Route execution into Assessment Autopilot for live work and into Research Copilot when the artifact needs deeper research, evidence governance, or supporting analysis. - Start from FIPS 140-3 Cryptographic Module Validation and route the work by entity, product, team, or control owner. - Use Assessment Autopilot to turn the guidance into owned tasks, evidence requests, and review checkpoints. - Use Research Copilot to answer scope, timing, and interpretation questions with cited outputs. - Move from artifact reading to accountable execution without rebuilding the guidance in separate files. - [Open Assessment Autopilot](/solutions/assessment.md): Turn the guidance into owned tasks, evidence requests, and review checkpoints for FIPS 140-3 Cryptographic Module Validation. - [Open Research Copilot](/solutions/research-copilot.md): Answer scope, timing, and interpretation questions with cited outputs from the same artifact. - [Talk through FIPS 140-3 Cryptographic Module Validation](/contact.md): Review your current process, evidence model, and next steps for FIPS 140-3 Cryptographic Module Validation. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/fips-140-3