---
title: "FIPS 140-3 Algorithm Certificates FAQ"
canonical_url: "https://www.sorena.io/artifacts/global/fips-140-3/faq/algorithm-certificates"
source_url: "https://www.sorena.io/artifacts/global/fips-140-3/faq/algorithm-certificates"
author: "Sorena AI"
description: "How CAVP algorithm certificates support, but do not replace, FIPS 140-3 cryptographic module validation evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "FIPS 140-3"
  - "CAVP"
  - "CMVP"
  - "algorithm certificates"
  - "cryptographic module validation"
---
# FIPS 140-3 Algorithm Certificates FAQ

How CAVP algorithm certificates support, but do not replace, FIPS 140-3 cryptographic module validation evidence.

## FIPS 140-3 Algorithm certificates FAQ

Use CAVP algorithm certificates as scoped evidence for tested cryptographic algorithm implementations inside a FIPS 140-3 module claim.

This page explains what to check before reusing an algorithm certificate in module evidence, customer responses, or procurement reviews.

Short answer: an algorithm certificate is evidence that a particular cryptographic algorithm implementation was tested by CAVP for a stated implementation version and operational environment. It does not by itself prove that a product or module is validated to FIPS 140-3 under CMVP.

## What does an algorithm certificate prove under FIPS 140-3?

A CAVP algorithm certificate supports the algorithm part of a FIPS 140-3 evidence package. The CMVP implementation guidance says cryptographic algorithm implementations are tested and validated under CAVP, while cryptographic modules are tested and validated under CMVP.

That distinction matters in public claims. A product team should not describe a product as FIPS 140-3 validated merely because one embedded algorithm has a CAVP certificate. The module still needs its own CMVP validation record and Security Policy for the claimed module boundary.

- Use the CAVP certificate to identify the tested algorithm implementation, implementation version, and operational environment.
- Use the CMVP module certificate and Security Policy to support a FIPS 140-3 module-validation claim.
- Keep customer and procurement wording separate: "CAVP-tested algorithm implementation" is not the same claim as "CMVP-validated cryptographic module".

Sources for this answer:

- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the distinction between CAVP testing for algorithm implementations and CMVP validation for cryptographic modules.
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Explains that CMVP validates cryptographic modules and that validated modules are the procurement metric for agencies.
- [NIST CAVP validation search](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search?ref=sorena.io) - Public NIST search page for checking algorithm validation records used as supporting evidence.

## What should I check before reusing a certificate in module evidence?

Check the certificate number, algorithm name, implementation version, and tested operational environment, then compare those details with the module configuration that will rely on the algorithm. The CMVP guidance says the certificate serves as a benchmark for the configuration and operational environment used during validation.

For software, firmware, and hybrid modules, the tested operational environment matters. If the algorithm was tested on a different operating system, processor, platform, or hypervisor arrangement, do not assume the certificate automatically covers the module under test.

- Compare the certificate's implementation name and version with the implementation shipped in the module.
- Compare the certificate's operating system, platform, processor, and hypervisor details with the module's tested operational environment.
- Treat changed code, changed processor bit size, changed operating system, or changed hardware implementation as a reason to re-check CAVP testing coverage.

Sources for this answer:

- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Grounds the reuse rule for binding cryptographic algorithm validation certificates to modules under test.
- [NIST CAVP validation search](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search?ref=sorena.io) - Public lookup for confirming the certificate entry, algorithm name, implementation details, and listed operating environment.

## What evidence should be kept with algorithm certificates?

Keep enough evidence to show why the certificate supports the current module claim. The record should connect the CAVP entry to the module boundary, the Security Policy table or service row where the algorithm is used, and the operational environment tested for the module.

Do not use stale certificate screenshots as the only evidence. Keep the public CAVP URL, certificate number, algorithm and implementation identifiers, module certificate or submission reference, Security Policy excerpt, and the date the evidence was checked.

- Record the CAVP certificate number, algorithm name, implementation name, implementation version, and tested operational environment.
- Map each certificate to the module service or Security Policy row that relies on that algorithm implementation.
- Re-check the evidence when the algorithm implementation, module version, operating environment, processor acceleration path, supplier component, or CMVP module status changes.
- For PAA or PAI use, verify whether the guidance requires testing in both software/firmware-only execution and accelerated execution.
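
The comparison and record-keeping steps described in the two answers above can be automated as a review check. This is an added example, not code from Sorena or NIST. The field names, the 180-day re-check interval, and all sample values are assumptions constructed for illustration.

```python
from datetime import date

IDENTITY = ("implementation_name", "implementation_version")
OE = ("operating_system", "platform", "processor", "hypervisor")
# Evidence fields the page says to keep with each certificate (key names are hypothetical).
REQUIRED = ("cavp_url", "certificate_number", "algorithm", "module_reference",
            "security_policy_row", "checked_on")

def _norm(value):
    """Comparison key that ignores case and spacing; None or '' means 'not present'."""
    return " ".join(str(value).split()).casefold() if value else ""

def review_certificate(cert, module, today, max_age_days=180):
    """Return a list of findings; empty means these checks found no discrepancy."""
    findings = [f"missing evidence field: {k}" for k in REQUIRED if not cert.get(k)]
    for k in IDENTITY:
        if _norm(cert.get(k)) != _norm(module.get(k)):
            findings.append(f"{k} mismatch: cert={cert.get(k)!r} module={module.get(k)!r}")
    # The module's tested environment must equal one environment listed on the certificate.
    wanted = tuple(_norm(module["environment"].get(k)) for k in OE)
    tested = {tuple(_norm(oe.get(k)) for k in OE) for oe in cert.get("environments", [])}
    if wanted not in tested:
        findings.append("operational environment not among the certificate's tested environments")
    checked = cert.get("checked_on")
    if checked and (today - checked).days > max_age_days:  # interval is an assumed policy value
        findings.append(f"evidence last checked {checked.isoformat()}: re-check the CAVP entry")
    return findings

# Constructed sample records (placeholder identifiers, not real certificates).
ENV = {"operating_system": "ExampleOS 9", "platform": "Example Server X1",
       "processor": "Example x86-64 CPU", "hypervisor": None}
CERT = {"cavp_url": "https://example.invalid/cavp/A-EXAMPLE-0001",
        "certificate_number": "A-EXAMPLE-0001", "algorithm": "AES-GCM",
        "implementation_name": "ExampleCrypto Core", "implementation_version": "2.1.0",
        "environments": [ENV], "module_reference": "CMVP-SUBMISSION-PLACEHOLDER",
        "security_policy_row": "Approved algorithms table, AES-GCM row",
        "checked_on": date(2026, 5, 1)}
MODULE_OK = {"implementation_name": "examplecrypto  core",
             "implementation_version": "2.1.0", "environment": dict(ENV)}
MODULE_CHANGED = {**MODULE_OK, "implementation_version": "2.2.0",
                  "environment": {**ENV, "processor": "Example ARM64 CPU"}}

if __name__ == "__main__":
    for name, mod in (("unchanged", MODULE_OK), ("changed", MODULE_CHANGED)):
        print(name, review_certificate(CERT, mod, date(2026, 5, 9)))
```

A non-empty result is a prompt to re-check CAVP testing coverage, not a determination that the certificate is invalid.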

Sources for this answer:

- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports evidence fields for certificate binding, operating environment checks, and PAA/PAI testing considerations.
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports retaining module-level CMVP validation evidence separately from algorithm-certificate evidence.
- [NIST CAVP validation search](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search?ref=sorena.io) - Use this source to re-check the public certificate entry instead of relying only on copied text or screenshots.

## Primary sources

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Primary standard grounding for keeping algorithm-certificate claims tied to cryptographic modules and their required security areas.
  - Quote: "security requirements for cryptographic modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Primary guidance for algorithm certificate reuse, operational environments, and module evidence.
  - Quote: "the validation certificate serves as a benchmark"
- [NIST CAVP validation search](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation-search?ref=sorena.io) - Public search page for checking CAVP algorithm validation records referenced in module evidence.

