---
title: "FIPS 140-3 Certificate Maintenance FAQ"
canonical_url: "https://www.sorena.io/artifacts/global/fips-140-3/faq/certificate-maintenance"
source_url: "https://www.sorena.io/artifacts/global/fips-140-3/faq/certificate-maintenance"
author: "Sorena AI"
description: "How to maintain FIPS 140-3 certificate evidence after validation by checking module status, version, caveats, Security Policy, and revalidation records."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "FIPS 140-3"
  - "CMVP"
  - "certificate maintenance"
  - "revalidation"
  - "cryptographic module validation"
---
# FIPS 140-3 Certificate Maintenance FAQ


Maintain FIPS 140-3 certificate evidence by checking the current CMVP record, module version, Security Policy, caveats, and change history before repeating a validation claim.

Use this page to separate valid module evidence from stale screenshots, algorithm-only certificates, and unsupported post-change claims.

Short answer: maintain a FIPS 140-3 certificate claim against the current CMVP record, not a copied certificate image. After validation, module changes must be handled through a new validation or revalidation process submitted by a CSTL; a change outside those processes can invalidate the module.

## How should teams maintain a FIPS 140-3 certificate claim?

Treat the CMVP certificate entry as living evidence. Before using it in procurement, customer trust, audit, or product-security material, verify the current validation status, certificate number, module name, vendor, version, tested configuration, caveats, Security Policy, and validation history on the official NIST CMVP site.

Do not rely on a downloaded certificate image or a vendor slide as the only proof. The CMVP Management Manual says the database entry includes the version number and benchmark configuration from the original validation, and that users should refer to the NIST website for the latest validation information.

- Record the official CMVP URL, certificate number, validation status, module name, vendor, module version, tested configuration, and date checked.
- Compare the product or embedded module being offered with the certificate entry and the non-proprietary Security Policy.
- Re-check the CMVP entry before renewing public claims, responding to procurement questionnaires, or accepting a vendor's updated module package.

Sources for this answer:

- [FIPS 140-3 CMVP Management Manual](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS-140-3-CMVP%20Management%20Manual.pdf?ref=sorena.io) - Supports using the current NIST database entry, not only certificate copies, because validation entries can be updated during the validation life cycle.
- [CMVP validated modules search](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/search?ref=sorena.io) - Official search page for checking certificate number, vendor, module name, validation status, and certificate details.
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Explains that CMVP validates cryptographic modules and that federal agencies use validated modules as a procurement metric.

## What changes trigger a maintenance review?

Review the certificate whenever the module, product packaging, embedded validated module, operational environment, algorithm set, Security Policy wording, vendor evidence, or vulnerability status changes. The review question is whether the current certificate still describes the module and configuration being claimed.

For validated modules, the maintenance path is not an internal memo. The CMVP Management Manual states that after validation the vendor manages changes to the module through a new validation or revalidation process submitted by a CSTL, and that changes outside validation or revalidation invalidate the module.

- Check whether the offered product is the validated module itself or a product that incorporates a validated module.
- Check whether module version, hardware version, software or firmware version, tested configuration, and caveats still match the deployed or supplied item.
- If a validated module is embedded or bound to another module, watch for changes in the referenced module's status because CMVP guidance can make the dependent claim inherit Historical status.

Sources for this answer:

- [FIPS 140-3 CMVP Management Manual](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS-140-3-CMVP%20Management%20Manual.pdf?ref=sorena.io) - Grounds the post-validation maintenance rule: vendors use new validation or revalidation through a CSTL, and unhandled changes can invalidate the module.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports checking embedded or bound validated module status, including cases where an implementation under test inherits Historical status from an embedded validated module.
- [CMVP validated modules overview](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules?ref=sorena.io) - Explains that certificate detail pages include module information, algorithm references, Security Policies, certificate images, and vendor links when provided.

## What evidence should be kept for certificate maintenance?

Keep a compact evidence record that lets a reviewer repeat the check. It should show the official CMVP entry, the Security Policy used, the exact product or module version in scope, the claim being made, and any change or revalidation question that remains open.

Separate active validation evidence from work-in-progress evidence. The CMVP Management Manual says IUT and MIP lists are informational, voluntary, and do not imply or guarantee FIPS 140 validation. They can support tracking, but they should not be used as proof that a module is already validated.

- Save the CMVP certificate URL, certificate number, current status, validation date shown on the entry, Security Policy URL or file reference, caveats, and validation-history notes.
- For vendor responses, keep the vendor's signed or written statement that identifies the validated module or incorporated validated module and its certificate number, then compare it with the CMVP entry.
- Track open maintenance actions separately: CSTL revalidation question, algorithm transition check, vulnerability or flaw assessment, Security Policy update, or product-version mismatch.
- Do not cite an IUT or MIP listing as completed FIPS 140-3 validation; wait for the module certificate to be issued and posted.

Sources for this answer:

- [FIPS 140-3 CMVP Management Manual](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS-140-3-CMVP%20Management%20Manual.pdf?ref=sorena.io) - Supports evidence fields for certificate checks and cautions that IUT and MIP list postings do not guarantee validation.
- [CMVP validated modules overview](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules?ref=sorena.io) - Supports comparing vendor claims with CMVP certificate details and the posted Security Policy before accepting a validation claim.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports checking CAVP, approved service, embedded module, and operational-environment evidence when a certificate claim depends on those details.
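
The evidence record and comparison described in the answers above, as an added example (not Sorena's or NIST's code): it checks a vendor claim against fields a reviewer transcribed from the CMVP entry. The record layout, the `evidence_source` field, the `max_age_days` interval, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class CmvpEntry:
    """Fields a reviewer transcribed from the official CMVP certificate page."""
    cert_number: str
    status: str                 # as shown on the entry: "Active", "Historical", "Revoked"
    module_name: str
    vendor: str
    version: str
    date_checked: date          # when the reviewer last read the live entry
    embedded_certs: tuple = ()  # certificates of embedded or bound validated modules

def review_claim(claim, entries, today, max_age_days=90):
    """Return findings that block reuse of a claim; an empty list means it matches.

    max_age_days is a hypothetical re-check interval, not a CMVP requirement.
    """
    findings = []
    if claim.get("evidence_source") in ("IUT", "MIP"):
        findings.append("IUT/MIP listing is not proof of validation")
    entry = entries.get(claim["cert_number"])
    if entry is None:
        return findings + ["no recorded CMVP entry for this certificate number"]
    for name in ("module_name", "vendor", "version"):
        if claim[name] != getattr(entry, name):
            findings.append(f"{name} mismatch: claim={claim[name]!r} entry={getattr(entry, name)!r}")
    if entry.status != "Active":
        findings.append(f"certificate status is {entry.status}")
    for dep in entry.embedded_certs:
        dep_entry = entries.get(dep)
        if dep_entry is None or dep_entry.status != "Active":
            state = dep_entry.status if dep_entry else "unrecorded"
            findings.append(f"embedded module {dep} is {state}; dependent claim needs review")
    if (today - entry.date_checked).days > max_age_days:
        findings.append("CMVP entry check is stale; re-read the live record")
    return findings

# Constructed sample data: certificate numbers, names and versions are placeholders.
ENTRIES = {
    "CERT-0001": CmvpEntry("CERT-0001", "Active", "Example Crypto Module", "Example Corp",
                           "2.1", date(2026, 4, 1), embedded_certs=("CERT-0002",)),
    "CERT-0002": CmvpEntry("CERT-0002", "Historical", "Example Base Library", "Example Corp",
                           "1.0", date(2026, 4, 1)),
}
CLAIM = {"cert_number": "CERT-0001", "module_name": "Example Crypto Module",
         "vendor": "Example Corp", "version": "2.2", "evidence_source": "certificate"}

if __name__ == "__main__":
    for finding in review_claim(CLAIM, ENTRIES, today=date(2026, 5, 9)):
        print("FINDING:", finding)
```

The sample claim produces two findings: the supplied version does not match the recorded entry, and the embedded module's certificate is Historical.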

## Primary sources

- [FIPS 140-3 CMVP Management Manual](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS-140-3-CMVP%20Management%20Manual.pdf?ref=sorena.io) - Primary CMVP source for post-validation maintenance, validation-search evidence, IUT/MIP limitations, historical/revoked status, and certificate-entry updates.
  - Quote: "After the cryptographic module has been validated"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Primary implementation guidance for module validation evidence, embedded or bound validated modules, operational-environment checks, approved services, and algorithm certificate dependencies.
  - Quote: "the validation certificate serves as a benchmark"
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Primary standard explaining FIPS 140-3 module validation, CMVP, security levels, federal applicability, and the role of validated modules.
  - Quote: "A test report for modules demonstrating compliance will be submitted to the CMVP"
- [CMVP validated modules search](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/search?ref=sorena.io) - Official search page for checking current public certificate records before reusing a FIPS 140-3 validation claim.

