
FIPS 140-3 vs ISO/IEC 19790 and ISO/IEC 24759

A source-grounded comparison of the FIPS 140-3 validation layer with the ISO/IEC cryptographic module requirements and test standards it incorporates.

Use it to separate CMVP validation work from underlying ISO requirements and test-method references without inventing clause mappings.

Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026

Overview

Use this comparison when a procurement response, security policy, module validation plan, or customer questionnaire names FIPS 140-3 alongside ISO/IEC 19790 or ISO/IEC 24759. FIPS 140-3 is the federal cryptographic module validation standard used by CMVP; ISO/IEC 19790 supplies the international security requirements reference; ISO/IEC 24759 supplies the test-requirements reference. Treat them as related layers, not interchangeable labels.

Side-by-side comparison

FIPS 140-3 vs ISO/IEC 19790 and ISO/IEC 24759: practical differences

Use this side-by-side view to distinguish CMVP validation claims from the ISO/IEC requirements and test standards referenced by FIPS 140-3.

First framework
FIPS 140-3 and CMVP

The validation and federal-use side: use it for CMVP certificate scope, federal procurement claims, security levels, approved algorithms, module evidence, and program guidance.

Second framework
ISO/IEC 19790 and ISO/IEC 24759

The international standard-reference side: use it for cryptographic module security requirements and test-requirements framing, not as a standalone CMVP certificate.

Comparison row 1

Scope and covered activity

FIPS 140-3 and CMVP

FIPS 140-3 covers cryptographic modules used in security systems and CMVP validation of those modules, including the defined module boundary, security level, interfaces, roles, services, and operational environment.

ISO/IEC 19790 and ISO/IEC 24759

ISO/IEC 19790 covers security requirements for cryptographic modules; ISO/IEC 24759 covers test requirements for cryptographic modules. The public ISO grounding supports this scope-level distinction, not a detailed clause mapping.

Comparison row 2

Who uses the result

FIPS 140-3 and CMVP

Vendors, CST laboratories, CMVP reviewers, federal buyers, and Canadian federal users rely on the FIPS/CMVP result to evaluate validated cryptographic modules.

ISO/IEC 19790 and ISO/IEC 24759

Standards, assurance, procurement, and lab teams may cite ISO/IEC 19790 or ISO/IEC 24759 to describe the requirement or test basis behind cryptographic module assessment work.

Comparison row 3

When the comparison matters

FIPS 140-3 and CMVP

The FIPS side matters when a product claim, federal procurement response, system authorization, customer contract, or module release depends on FIPS 140-3 validation or approved cryptography evidence.

ISO/IEC 19790 and ISO/IEC 24759

The ISO side matters when a customer, lab, or policy asks which international cryptographic module requirements or test requirements sit behind the FIPS 140-3 work.

Comparison row 4

Work products

FIPS 140-3 and CMVP

FIPS/CMVP work products include module specification, security policy, service and approved-mode descriptions, operational-environment details, algorithm validation evidence, test reports, entropy and self-test support, and change-impact records.

ISO/IEC 19790 and ISO/IEC 24759

ISO/IEC 19790 and ISO/IEC 24759 references support the requirements and test-method vocabulary, but this page does not assert unsupported one-to-one ISO clause deliverables.

Operational implication

Build the deliverable list from CMVP guidance for a FIPS claim, then use ISO references only where the source material or customer request actually cites them.

Comparison row 5

Evidence and records

FIPS 140-3 and CMVP

Keep certificate scope, module version, boundary diagrams, security levels, service tables, approved algorithm certificates, security policy text, lab test evidence, and CMVP change decisions together.

ISO/IEC 19790 and ISO/IEC 24759

Keep ISO references as standards support: the ISO/IEC 19790 requirements citation, the ISO/IEC 24759 test-requirements citation, and any separately reviewed ISO text or procurement crosswalk.

Comparison row 6

Timing and updates

FIPS 140-3 and CMVP

FIPS 140-3 superseded FIPS 140-2, became effective after approval, and is supported by CMVP guidance that changes over time; validation evidence should track the guidance version used for the submission or change review.

ISO/IEC 19790 and ISO/IEC 24759

ISO/IEC 19790 and ISO/IEC 24759 edition references should be recorded exactly as cited by FIPS, CMVP guidance, the lab, or the customer request.

Operational implication

Do not update public claims just because a comparison was rewritten; update claims when the module, certificate, standard edition, or CMVP guidance basis changes.

Comparison row 7

Assurance route

FIPS 140-3 and CMVP

FIPS 140-3 assurance runs through CMVP validation, with testing by accredited CST laboratories and acceptance by U.S. and Canadian federal agencies for protected information uses described in the source material.

ISO/IEC 19790 and ISO/IEC 24759

ISO/IEC 19790 and ISO/IEC 24759 provide standards references; the cited public sources do not show an independent enforcement or certificate route equivalent to CMVP validation.

Operational implication

When a buyer asks for validated cryptography, confirm whether they mean a CMVP-listed FIPS 140-3 module rather than a general ISO standards citation.

Comparison row 8

Overlap and reuse

FIPS 140-3 and CMVP

FIPS 140-3 incorporates ISO/IEC 19790 and ISO/IEC 24759 references and adds FIPS/CMVP-specific validation context, NIST SP 800-140 modifications, and implementation guidance.

ISO/IEC 19790 and ISO/IEC 24759

ISO references can explain the underlying security and test framework, but they should not absorb FIPS-specific certificate, approved-mode, CAVP, or CMVP evidence requirements.

Comparison row 9

Practical decision rule

FIPS 140-3 and CMVP

Use FIPS 140-3 and CMVP as controlling when the question is "Is this cryptographic module validated for the claimed use?"

ISO/IEC 19790 and ISO/IEC 24759

Use ISO/IEC 19790 or ISO/IEC 24759 as controlling only when the question is about the international requirements or test-requirements standard named in the request.

Operational implication

A defensible answer usually names both layers: the ISO standard family for requirements or tests, and the FIPS/CMVP evidence for validation status.

Practical decision rule

How to choose between FIPS 140-3 and ISO/IEC 19790 and ISO/IEC 24759

  • Choose FIPS 140-3 and CMVP when the reader needs validation status, certificate scope, or a yes-or-no answer about whether the module is accepted as validated for the claimed use.
  • Choose ISO/IEC 19790 or ISO/IEC 24759 when the reader needs the underlying requirements or test standard that the FIPS 140-3 submission references.
  • When the request mixes compliance language and validation language, name both layers: ISO for the requirement/test basis and FIPS/CMVP for the validation evidence.
Section 1

What is actually being compared?

FIPS 140-3 is the published Federal Information Processing Standard for security requirements for cryptographic modules. It applies to federal agencies using cryptography-based security systems and is the basis for CMVP validation of modules used to protect sensitive information.

ISO/IEC 19790 is the international cryptographic module security requirements standard referenced by FIPS 140-3. ISO/IEC 24759 is the related test requirements standard. The cited public sources support that relationship, but they do not support a detailed public clause-by-clause equivalence table for this page.

  • Use FIPS 140-3 when the claim is about CMVP validation, federal-agency acceptance, certificate scope, or a FIPS-labeled procurement requirement.
  • Use ISO/IEC 19790 when the claim is about the underlying international security requirements for cryptographic modules.
  • Use ISO/IEC 24759 when the claim is about the test-requirements frame referenced by FIPS 140-3 and CMVP guidance.
  • Do not describe ISO/IEC 19790 or ISO/IEC 24759 as a substitute for CMVP validation unless the procurement or assurance document explicitly allows that.
Section 2

Where FIPS 140-3 adds operational work

The FIPS side is not just a standards citation. FIPS 140-3 names four qualitative security levels and covers module specification, interfaces, roles, services and authentication, software and firmware security, operational environment, physical security, non-invasive security, sensitive security parameter management, self-tests, life-cycle assurance, and mitigation of other attacks.

CMVP guidance turns those requirements into validation operations: module boundary and service descriptions, algorithm certificate handling, approved security service indicators, operational-environment records, entropy and SSP evidence, self-test expectations, CVE management, and change-impact decisions.

  • Start FIPS evidence with the module boundary, version, operating environment, security level claims, roles, services, and approved versus non-approved services.
  • Attach algorithm claims to CAVP certificate evidence where CMVP guidance requires it.
  • Keep approved-mode indicators, security policy text, test reports, entropy support, self-test behavior, and change records together with the certificate scope.
  • Rerun the comparison when the module boundary, implementation, operational environment, validated algorithms, or public claim changes.
Section 3

Where ISO/IEC 19790 and ISO/IEC 24759 fit

For this page, the supported ISO claim is deliberately narrow: ISO/IEC 19790 is the cryptographic module security requirements standard, and ISO/IEC 24759 is the cryptographic module test requirements standard. FIPS 140-3 and the CMVP guidance reference those standards, with the FIPS and CMVP material adding U.S./Canadian validation program context and NIST-specific modifications or guidance.

That means ISO references are useful for understanding the source standard family, but the evidence package for a FIPS 140-3 claim still needs CMVP-specific artifacts and current CMVP guidance.

  • Use ISO citations to explain the standards lineage and requirement/test framing.
  • Use FIPS and CMVP citations to support validation status, certificate scope, submission evidence, and U.S./Canadian federal acceptance claims.
  • Keep any deeper ISO clause mapping outside this page unless the source text is available and reviewed directly.
  • Flag customer requests that ask for "ISO 19790 compliant" evidence when they actually require a FIPS 140-3 validated module.
Section 4

Procurement and audit evidence to keep separate

A clean comparison keeps three evidence sets separate: the FIPS 140-3 validation claim, the ISO/IEC 19790 requirements reference, and the ISO/IEC 24759 test-requirements reference. The overlap is real, but the labels answer different procurement and assurance questions.

For customer-facing claims, avoid broad wording such as "ISO/FIPS compliant" unless the statement identifies the module, version, boundary, certificate status, operational environment, and the source that supports the claim.

  • FIPS claim record: module name, version, boundary, security level, certificate identifier or status, operational environment, validated algorithms, and security policy link or artifact.
  • ISO requirements record: the cited ISO/IEC 19790 edition or procurement language, plus the exact requirement family being discussed.
  • Test-method record: the ISO/IEC 24759 or CMVP/DTR test reference named by the lab, assessor, or customer.
  • Gap record: unsupported equivalence assumptions, missing certificate scope, expired or changed operational environments, and evidence reused from a different module.
Primary sources

References and citations

csrc.nist.gov
Referenced sections
  • Program guidance for FIPS 140-3 validation evidence, binding/embedding, approved service indicators, CAVP certificates, change impact, and CMVP operating expectations.
"CAVP addresses the testing of Approved Security Functions"