---
title: "FIPS 140-3: FIPS 140-2 vs FIPS 140-3"
canonical_url: "https://www.sorena.io/artifacts/global/fips-140-3/fips-140-2-vs-fips-140-3"
source_url: "https://www.sorena.io/artifacts/global/fips-140-3/fips-140-2-vs-fips-140-3"
author: "Sorena AI"
description: "Compare FIPS 140-2 legacy references with FIPS 140-3 requirements, ISO/IEC 19790 alignment, CMVP testing evidence, and guidance mappings."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "FIPS 140-3"
  - "FIPS 140-2"
  - "CMVP"
  - "cryptographic module validation"
  - "ISO/IEC 19790"
  - "FIPS 140-2 vs FIPS 140-3"
  - "security levels"
---

# FIPS 140-3: FIPS 140-2 vs FIPS 140-3

Compare FIPS 140-2 legacy references with FIPS 140-3 requirements, ISO/IEC 19790 alignment, CMVP testing evidence, and guidance mappings.


## FIPS 140-2 vs FIPS 140-3

A NIST-grounded comparison of what changed when FIPS 140-3 superseded FIPS 140-2 for cryptographic module validation.

Use it to separate legacy certificate language from current FIPS 140-3 scope, testing, approved functions, and CMVP guidance.

Use this page when a product brief, procurement response, security policy, or customer questionnaire mixes FIPS 140-2 and FIPS 140-3 language. The comparison focuses on facts supported by NIST and CMVP sources: FIPS 140-3 supersedes FIPS 140-2, is based on ISO/IEC 19790 and ISO/IEC 24759 with NIST modifications, and is validated through CMVP testing by accredited laboratories.

## FIPS 140-3 vs FIPS 140-2 legacy validation: what changes operationally?

Use this comparison to separate legacy FIPS 140-2 references from FIPS 140-3 module requirements, CMVP testing evidence, approved-function evidence, and guidance mappings.

- **FIPS 140-3**: the current-standard column. Use it for cryptographic module scope, security levels, the ISO/IEC 19790 and 24759 basis, approved functions, and CMVP validation evidence.
- **FIPS 140-2 legacy validation**: the legacy-reference column. Use it only to understand superseded standard language, older certificate wording, and CMVP guidance topics that need mapping before reuse.

| Dimension | FIPS 140-3 | FIPS 140-2 legacy validation | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Standard basis | FIPS 140-3 supersedes FIPS 140-2 and is based on ISO/IEC 19790:2012/Cor.1:2015 for requirements and ISO/IEC 24759:2017 for testing, with NIST modifications. | FIPS 140-2 is the superseded standard in this comparison; use its wording only to interpret legacy certificates, old customer language, or mapped implementation guidance. | Start with the standard basis before reusing text. A FIPS 140-2 clause may describe useful history, but FIPS 140-3 controls current requirement and testing structure. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.<br>[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings. |
| Validation route | FIPS 140-3 modules are validated through CMVP; vendors use independent, accredited Cryptographic and Security Testing laboratories, and NVLAP-accredited laboratories perform compliance or conformance testing. | A FIPS 140-2 reference does not by itself prove a current CMVP result. Treat it as a legacy validation reference until the certificate, module boundary, and status evidence are checked separately. | Compare validation evidence, not only standard names. The useful record names the module, laboratory-tested evidence, certificate context, and whether the claim is legacy or FIPS 140-3. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.<br>[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings. |
| Requirement areas | FIPS 140-3 names requirement areas for module specification, interfaces, roles, services, authentication, software and firmware security, operating environment, physical security, non-invasive security, sensitive security parameters, self-tests, life-cycle assurance, and mitigation of other attacks. | FIPS 140-2 comparisons should not be reduced to a same-name checklist. FIPS 140-3 states that major changes are limited to non-invasive physical requirements and uses ISO-based requirement and test structures. | Build the crosswalk by requirement area, then mark where FIPS 140-3 adds, renames, or relocates evidence expectations instead of copying a legacy checklist. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.<br>[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings. |
| Approved functions | FIPS 140-3 requires conforming cryptographic modules to employ Approved security functions, including approved algorithms, key management techniques, and authentication techniques. | A FIPS 140-2-era algorithm or certificate reference must be checked against the applicable approved-function and CAVP evidence before it is used for a FIPS 140-3 claim. | Keep algorithm evidence linked to the module validation record. CAVP evidence can support the module file, but it is not a standalone statement that the module is FIPS 140-3 validated. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.<br>[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings. |
| Implementation guidance | FIPS 140-3 evidence should cite the applicable FIPS 140-3 IG or management manual section, such as certificate binding, approved-service indicators, entropy caveats, SSP establishment, self-tests, or mitigation of other attacks. | FIPS 140-2 IG citations need mapping. CMVP provides tables that map FIPS 140-2 IG topics to FIPS 140-3 IG entries or FIPS 140-3 Management Manual sections. | Do not translate legacy IG names by hand. Use the CMVP mapping table, then verify the mapped FIPS 140-3 guidance text before reusing old evidence. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.<br>[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings. |
| Transition language | FIPS 140-3 states relative implementation milestones: effectiveness after Secretary of Commerce approval, a lab preparation transition period, FIPS 140-3 testing beginning later, and FIPS 140-2 testing ending. | FIPS 140-2 legacy references should not be turned into calendar-date claims unless the date comes from a separate verified source for the certificate, transition page, or procurement file. | Use the relative schedule only as context on this page. Verify exact dates and module status elsewhere before publishing a deadline or validation-status statement. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.<br>[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings. |
| Procurement use | FIPS 140-3 says agencies should develop plans to acquire products compliant with FIPS 140-3 and may purchase products on the CMVP validated modules list. | FIPS 140-2 legacy evidence should not rely on the CMVP Historical list for procurement decisions; the FIPS 140-3 standard says the Historical list is provided for reference only. | For procurement language, separate a current CMVP validated-module-list check from legacy certificate background. Do not present historical-list presence as procurement-ready evidence. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.<br>[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings. |
| Evidence reuse | FIPS 140-3 evidence must still match the tested module: boundary, security level, operational environment, services, approved functions, and relevant security policy content. | FIPS 140-2 evidence may be useful background only when it describes the same module facts or maps cleanly through the CMVP FIPS 140-2 to FIPS 140-3 guidance tables. | Reuse facts before conclusions. Reuse diagrams or service tables only after confirming they still describe the tested module and the mapped FIPS 140-3 evidence question. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.<br>[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings. |
| Practical decision rule | Use FIPS 140-3 for current module requirement structure, CMVP validation evidence, approved-function claims, security policy content, and mapped implementation guidance. | Use FIPS 140-2 only as legacy context unless a certificate, customer question, procurement clause, or historical evidence file specifically requires that label. | Do not collapse the two sides into one claim. Say which standard the evidence supports, then link legacy FIPS 140-2 references to mapped FIPS 140-3 guidance when reuse is justified. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.<br>[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings. |

Sources for Standard basis - FIPS 140-3:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the claim that FIPS 140-3 supersedes FIPS 140-2 and uses ISO/IEC 19790 and ISO/IEC 24759 as its document basis.
  - Quote: "FIPS 140-3 is based on ISO/IEC 19790"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports using CMVP implementation guidance for FIPS 140-3 evidence details once the current standard basis is selected.
  - Quote: "Implementation Guidance for FIPS PUB 140-3"

Sources for Standard basis - FIPS 140-2 legacy validation:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the claim that FIPS 140-2 is superseded and should not be treated as the current technical basis without a separate legacy trigger.
  - Quote: "This standard supersedes FIPS 140-2"

Sources for Standard basis - operational implication:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Validation route - FIPS 140-3:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Validation route - FIPS 140-2 legacy validation:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"

Sources for Validation route - operational implication:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Requirement areas - FIPS 140-3:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Requirement areas - FIPS 140-2 legacy validation:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Requirement areas - operational implication:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Approved functions - FIPS 140-3:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Approved functions - FIPS 140-2 legacy validation:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Approved functions - operational implication:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Implementation guidance - FIPS 140-3:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Implementation guidance - FIPS 140-2 legacy validation:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Implementation guidance - operational implication:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Transition language - FIPS 140-3:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Transition language - FIPS 140-2 legacy validation:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Transition language - operational implication:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Procurement use - FIPS 140-3:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Procurement use - FIPS 140-2 legacy validation:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

Sources for Procurement use - operational implication:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

### How to choose between FIPS 140-3 and FIPS 140-2 legacy validation

- Use FIPS 140-3 when the claim concerns current cryptographic module requirements, ISO-based testing, approved functions, or CMVP validation evidence.
- Use FIPS 140-2 only when a legacy certificate, customer question, or historical evidence file specifically uses that label.
- For reused evidence, cite the CMVP mapping from the FIPS 140-2 IG topic to the FIPS 140-3 IG or Management Manual section.

Sources for the practical decision rule:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"

## What changed from FIPS 140-2 to FIPS 140-3?

FIPS 140-3 supersedes FIPS 140-2 in its entirety. It keeps the same broad subject, security requirements for cryptographic modules, but bases the technical requirements on ISO/IEC 19790:2012/Cor.1:2015 and the testing basis on ISO/IEC 24759:2017, with NIST documents modifying the annexes and test evidence where CMVP acts as validation authority.

NIST describes the major changes in FIPS 140-3 as limited to the introduction of non-invasive physical requirements. For comparison work, that means the first question is not whether both labels sound similar; it is whether the module claim, test evidence, and guidance reference point to the superseded FIPS 140-2 regime or to FIPS 140-3 and its ISO-based structure.

- Treat FIPS 140-2 as legacy language unless a source, certificate, contract, or customer question specifically asks about an older validation.
- Use FIPS 140-3 when the work concerns a current cryptographic module requirement, CMVP submission, security policy, or approved-function claim.
- Do not infer current certificate status from the standard text alone; verify module status in the applicable CMVP listing or customer evidence pack.

Sources for this answer:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the supersession claim, ISO/IEC 19790 and ISO/IEC 24759 basis, cryptographic module scope, and NIST's statement about major FIPS 140-3 changes.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the mapping from FIPS 140-2 implementation guidance topics to FIPS 140-3 guidance and management manual sections.

## How should teams read legacy FIPS 140-2 references?

A FIPS 140-2 reference is not enough to prove what a module currently satisfies. First identify what the reference is doing: naming an older standard, pointing to an older certificate, citing a FIPS 140-2 implementation guidance topic, or asking for assurance that the module has been tested under CMVP.

Then translate only the supported parts into the FIPS 140-3 frame. The CMVP implementation guidance includes mappings from FIPS 140-2 guidance topics to FIPS 140-3 guidance or management manual sections, including certificate binding, approved and non-approved functions, entropy caveats, key establishment, self-tests, mitigation of other attacks, and revalidation-related topics.

- Separate legacy label checks from current validation work; a FIPS 140-2 phrase may be procurement shorthand rather than the controlling test requirement.
- Map FIPS 140-2 guidance citations to the FIPS 140-3 IG or management manual mapping before reusing old evidence.
- When evidence mentions algorithms, bind the claim to the relevant approved security function or CAVP certificate rather than to a generic compliance statement.

Sources for this answer:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the distinction between FIPS 140-2 as the superseded standard and FIPS 140-3 as the current standard basis.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports using CMVP's FIPS 140-2 to FIPS 140-3 guidance mappings rather than manually translating legacy guidance names.
- [NIST Cryptographic Algorithm Validation Program](https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program?ref=sorena.io) - Official NIST CAVP source for validation testing of approved algorithms and for linking algorithm certificate evidence to FIPS module reviews.

## What evidence belongs on the FIPS 140-3 side?

FIPS 140-3 evidence should follow the cryptographic module and the security areas named in the standard. The standard covers module specification, interfaces, roles, services and authentication, software and firmware security, operating environment, physical security, non-invasive security, sensitive security parameter management, self-tests, life-cycle assurance, and mitigation of other attacks.

For validation evidence, the CMVP context matters. NIST states that vendors use independent, accredited Cryptographic and Security Testing laboratories, and that NVLAP-accredited laboratories perform cryptographic module compliance or conformance testing. A public claim should therefore name the module boundary, security level, approved functions, testing basis, and certificate or submission context that supports it.

- Boundary evidence: module type, hardware, software, firmware, hybrid components, interfaces, and operational environment.
- Service evidence: roles, services, authentication, approved and non-approved functions, and approved-service indicators where applicable.
- Test evidence: security policy, laboratory report context, CAVP algorithm certificates, self-test evidence, entropy records, and change-impact rationale.

Sources for this answer:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the list of FIPS 140-3 security requirement areas and the CMVP laboratory testing context.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports FIPS 140-3 evidence topics such as certificate binding, approved service indicators, entropy caveats, self-tests, and implementation guidance updates.
- [NIST Cryptographic Algorithm Validation Program](https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program?ref=sorena.io) - Official NIST CAVP source for validation testing of approved algorithms and for linking algorithm certificate evidence to FIPS module reviews.

## Where can FIPS 140-2 evidence be reused?

Reuse is safest for factual artifacts that still describe the same module boundary, algorithm implementation, operational environment, role or service table, or security policy text. Reuse is weaker when an artifact exists only because a FIPS 140-2 guidance item had a different name, structure, or test expectation.

The CMVP IG mapping is the first reuse check. It shows where FIPS 140-2 implementation guidance moved into FIPS 140-3 guidance or management manual sections. If a legacy topic is not mapped to the same technical question, preserve it as background evidence instead of treating it as FIPS 140-3 proof.

- Reusable with caution: diagrams, service tables, algorithm implementation descriptions, operational environment records, and security policy sections that still match the tested module.
- Requires remapping: FIPS 140-2 IG citations such as certificate binding, entropy caveats, key establishment, and known-answer/self-test topics.
- Not enough by itself: a prior FIPS 140-2 label, marketing claim, or customer spreadsheet cell with no certificate scope or module boundary.

Sources for this answer:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports why evidence reuse must stay tied to the cryptographic module, security level, and security requirement areas.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports using CMVP's mapping tables before translating FIPS 140-2 implementation guidance evidence into FIPS 140-3 work.
- [NIST Cryptographic Algorithm Validation Program](https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program?ref=sorena.io) - Official NIST CAVP source for validation testing of approved algorithms and for linking algorithm certificate evidence to FIPS module reviews.

## Checklist for cleaning up mixed FIPS 140-2 and FIPS 140-3 claims

Use this checklist before publishing a FIPS claim, answering a procurement question, or preparing a validation evidence pack that references both standards.

- State whether the claim is about FIPS 140-3, an older FIPS 140-2 certificate, or a contract clause that still uses FIPS 140-2 wording.
- Attach the claim to a cryptographic module boundary, security level, operational environment, and approved security functions.
- Check whether any cited FIPS 140-2 IG topic has a CMVP mapping to a FIPS 140-3 IG or management manual section.
- Keep CAVP algorithm certificates separate from the module validation claim unless the evidence shows how they are bound to the module.
- Avoid unsupported status language; verify module listing and procurement status outside this page before relying on it.

Sources for this answer:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports checklist items for module boundary, security level selection, approved security functions, and laboratory-tested validation context.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports checklist items for FIPS 140-2 IG mapping, CAVP certificate binding, approved functions, entropy, and self-test guidance.
- [NIST Cryptographic Algorithm Validation Program](https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program?ref=sorena.io) - Official NIST CAVP source for validation testing of approved algorithms and for linking algorithm certificate evidence to FIPS module reviews.

## Common mistakes in FIPS 140-2 vs FIPS 140-3 comparisons

Most comparison errors come from treating the two labels as interchangeable. FIPS 140-3 has its own document basis, applicable standards, CMVP guidance, and testing evidence; FIPS 140-2 references need to be checked before they are copied into a current claim.

- Do not say a module is FIPS 140-3 validated because its algorithms have CAVP certificates; algorithm validation and module validation are related evidence, not the same claim.
- Do not cite FIPS 140-2 implementation guidance without checking the CMVP mapping to FIPS 140-3 guidance or management manual sections.
- Do not convert FIPS 140-3's relative transition language into unsourced calendar dates on this page.
- Do not rely on the CMVP Historical list for procurement decisions; FIPS 140-3 itself warns that the Historical list is for reference.

Sources for this answer:

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the warning against unsourced transition-date conversion and the Historical list procurement caveat.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the distinction between algorithm certificate evidence and module validation evidence.
- [NIST Cryptographic Algorithm Validation Program](https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program?ref=sorena.io) - Official NIST CAVP source for validation testing of approved algorithms and for linking algorithm certificate evidence to FIPS module reviews.
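
The checklist and the common mistakes above can be run as a pre-publication lint over claim records. This is an added example, not Sorena, NIST, or CMVP tooling; the `Claim` record, its field names, the rule ids, and every sample value are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

SCOPE_FIELDS = ("module_boundary", "security_level",
                "operational_environment", "approved_functions")
STATUS_WORDS = re.compile(r"\b(validated|certified|compliant)\b", re.I)
LABELS = re.compile(r"FIPS\s*140-([23])")


@dataclass
class Claim:
    """Hypothetical record for one FIPS statement in a brief or questionnaire."""
    text: str                     # the wording under review
    standard: str = ""            # declared regime: "FIPS 140-3" or "FIPS 140-2"
    legacy_reason: str = ""       # why a 140-2 label is used (certificate, contract clause)
    scope: dict = field(default_factory=dict)
    ig_citations: list = field(default_factory=list)  # {"regime", "topic", "mapped_to"}
    cavp_certs: list = field(default_factory=list)    # {"id", "bound_to_module"}
    module_cert: str = ""         # CMVP module certificate reference, if any
    listing_verified: bool = False


def lint(claim):
    """Return the sorted rule ids that the claim violates (empty list = clean)."""
    hits = set()
    labels = set(LABELS.findall(claim.text))
    if claim.standard not in ("FIPS 140-3", "FIPS 140-2"):
        hits.add("LABEL-MISSING")
    elif labels - {claim.standard[-1]}:
        hits.add("LABEL-MIXED")       # wording names a regime other than the declared one
    if claim.standard == "FIPS 140-2" and not claim.legacy_reason:
        hits.add("LEGACY-UNJUSTIFIED")

    # The claim must be attached to boundary, level, environment and functions.
    if any(not claim.scope.get(name) for name in SCOPE_FIELDS):
        hits.add("SCOPE-INCOMPLETE")
    elif claim.scope["security_level"] not in (1, 2, 3, 4):
        hits.add("LEVEL-INVALID")     # the standard defines four levels

    # FIPS 140-2 IG topics need a CMVP mapping before evidence is reused.
    if any(c["regime"] == "140-2" and not c.get("mapped_to")
           for c in claim.ig_citations):
        hits.add("IG-UNMAPPED")

    # Algorithm certificates support a module claim only when bound to the module.
    if any(not c.get("bound_to_module") for c in claim.cavp_certs):
        hits.add("CAVP-UNBOUND")
    if STATUS_WORDS.search(claim.text):
        if not claim.module_cert:
            hits.add("NO-MODULE-CERT")    # CAVP certificates alone are not module validation
        if not claim.listing_verified:
            hits.add("STATUS-UNVERIFIED")
    return sorted(hits)


# Constructed sample claims; all names and references are placeholders.
WEAK = Claim(
    text="ExampleCrypto is FIPS 140-2 / FIPS 140-3 validated (AES and SHA-2 certified).",
    standard="FIPS 140-3",
    scope={"module_boundary": "libexample-crypto (software)"},
    ig_citations=[{"regime": "140-2", "topic": "entropy caveats", "mapped_to": ""}],
    cavp_certs=[{"id": "CAVP-PLACEHOLDER-1", "bound_to_module": False}],
)
CLEAN = Claim(
    text="ExampleCrypto module v1.0 is FIPS 140-3 validated at Security Level 1.",
    standard="FIPS 140-3",
    scope={"module_boundary": "libexample-crypto (software)", "security_level": 1,
           "operational_environment": "placeholder OS on placeholder CPU",
           "approved_functions": ["AES", "SHA-2"]},
    ig_citations=[{"regime": "140-2", "topic": "entropy caveats",
                   "mapped_to": "140-3 IG section (placeholder)"}],
    cavp_certs=[{"id": "CAVP-PLACEHOLDER-1", "bound_to_module": True}],
    module_cert="CMVP-PLACEHOLDER", listing_verified=True,
)

if __name__ == "__main__":
    for name, claim in (("WEAK", WEAK), ("CLEAN", CLEAN)):
        print(name, lint(claim))
```

`listing_verified` and `mapped_to` record that a reviewer performed the lookup in the CMVP listing or the IG mapping; the lint only checks that the result was recorded.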

## Primary sources

- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the cited FIPS 140-3 claim about supersession, module scope, security levels, ISO-based requirements, approved functions, CMVP validation, or procurement caveats.
  - Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the cited CMVP claim about FIPS 140-3 implementation guidance, CAVP certificate binding, approved-service indicators, entropy, self-tests, or FIPS 140-2 guidance mappings.
  - Quote: "CAVP addresses the testing of Approved Security Functions"
- [NIST Cryptographic Algorithm Validation Program](https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program?ref=sorena.io) - Official NIST CAVP source for validation testing of approved algorithms and for linking algorithm certificate evidence to FIPS module reviews.
  - Quote: "provides validation testing of Approved"

