---
title: "FIPS 140-3 vs ISO/IEC 19790 and ISO/IEC 24759"
canonical_url: "https://www.sorena.io/artifacts/global/fips-140-3/fips-140-3-vs-iso-19790"
source_url: "https://www.sorena.io/artifacts/global/fips-140-3/fips-140-3-vs-iso-19790"
author: "Sorena AI"
description: "Compare FIPS 140-3 with ISO/IEC 19790 and ISO/IEC 24759 for cryptographic module validation scope, evidence, testing, and procurement claims."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
- "FIPS 140-3"
- "ISO/IEC 19790"
- "ISO/IEC 24759"
- "CMVP validation"
- "cryptographic module validation"
- "CAVP certificates"
- "FIPS 140-3 vs ISO/IEC 19790"
- "CMVP"
- "security levels"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform
[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)
---
# FIPS 140-3 vs ISO/IEC 19790 and ISO/IEC 24759
Compare FIPS 140-3 with ISO/IEC 19790 and ISO/IEC 24759 for cryptographic module validation scope, evidence, testing, and procurement claims.
*Artifact Guide* *GLOBAL* *FIPS 140-3*
## FIPS 140-3 vs ISO/IEC 19790 and ISO/IEC 24759
A source-grounded comparison of the FIPS 140-3 validation layer with the ISO/IEC cryptographic module requirements and test standards it incorporates.
Use it to separate CMVP validation work from underlying ISO requirements and test-method references without inventing clause mappings.
Use this comparison when a procurement response, security policy, module validation plan, or customer questionnaire names FIPS 140-3 alongside ISO/IEC 19790 or ISO/IEC 24759. FIPS 140-3 is the federal cryptographic module validation standard used by CMVP; ISO/IEC 19790 supplies the international security requirements reference; ISO/IEC 24759 supplies the test-requirements reference. Treat them as related layers, not interchangeable labels.
## FIPS 140-3 vs ISO/IEC 19790 and ISO/IEC 24759: practical differences
Use this side-by-side view to distinguish CMVP validation claims from the ISO/IEC requirements and test standards referenced by FIPS 140-3.
- **FIPS 140-3 and CMVP**: The validation and federal-use side: use it for CMVP certificate scope, federal procurement claims, security levels, approved algorithms, module evidence, and program guidance.
- **ISO/IEC 19790 and ISO/IEC 24759**: The international standard-reference side: use it for cryptographic module security requirements and test-requirements framing, not as a standalone CMVP certificate.
| Dimension | FIPS 140-3 and CMVP | ISO/IEC 19790 and ISO/IEC 24759 | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and covered activity | FIPS 140-3 covers cryptographic modules used in security systems and CMVP validation of those modules, including the defined module boundary, security level, interfaces, roles, services, and operational environment. | ISO/IEC 19790 covers security requirements for cryptographic modules; ISO/IEC 24759 covers test requirements for cryptographic modules. The public ISO grounding supports this scope-level distinction, not a detailed clause mapping. | Scope the claim by module and validation purpose first; do not treat an ISO standards reference as proof that a module is CMVP validated. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
[ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
[ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance. |
| Who uses the result | Vendors, CST laboratories, CMVP reviewers, federal buyers, and Canadian federal users rely on the FIPS/CMVP result to evaluate validated cryptographic modules. | Standards, assurance, procurement, and lab teams may cite ISO/IEC 19790 or ISO/IEC 24759 to describe the requirement or test basis behind cryptographic module assessment work. | Send certificate-status questions to the FIPS/CMVP evidence set; send standards-lineage questions to the ISO reference set. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
[ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
[ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance. |
| When the comparison matters | The FIPS side matters when a product claim, federal procurement response, system authorization, customer contract, or module release depends on FIPS 140-3 validation or approved cryptography evidence. | The ISO side matters when a customer, lab, or policy asks which international cryptographic module requirements or test requirements sit behind the FIPS 140-3 work. | Record the trigger in the evidence file so teams know whether they need a CMVP certificate, an ISO standards explanation, or both. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
[ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
[ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance. |
| Work products | FIPS/CMVP work products include module specification, security policy, service and approved-mode descriptions, operational-environment details, algorithm validation evidence, test reports, entropy and self-test support, and change-impact records. | ISO/IEC 19790 and ISO/IEC 24759 references support the requirements and test-method vocabulary, but this page does not assert unsupported one-to-one ISO clause deliverables. | Build the deliverable list from CMVP guidance for a FIPS claim, then use ISO references only where the source material or customer request actually cites them. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
[ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
[ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance. |
| Evidence and records | Keep certificate scope, module version, boundary diagrams, security levels, service tables, approved algorithm certificates, security policy text, lab test evidence, and CMVP change decisions together. | Keep ISO references as standards support: the ISO/IEC 19790 requirements citation, the ISO/IEC 24759 test-requirements citation, and any separately reviewed ISO text or procurement crosswalk. | Separate validation proof from standards background so auditors and customers can see what has actually been tested and validated. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
[ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
[ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance. |
| Timing and updates | FIPS 140-3 superseded FIPS 140-2, became effective after approval, and is supported by CMVP guidance that changes over time; validation evidence should track the guidance version used for the submission or change review. | ISO/IEC 19790 and ISO/IEC 24759 edition references should be recorded exactly as cited by FIPS, CMVP guidance, the lab, or the customer request. | Do not update public claims just because a comparison was rewritten; update claims when the module, certificate, standard edition, or CMVP guidance basis changes. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
[ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
[ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance. |
| Assurance route | FIPS 140-3 assurance runs through CMVP validation, with testing by accredited CST laboratories and acceptance by U.S. and Canadian federal agencies for protected information uses described in the source material. | ISO/IEC 19790 and ISO/IEC 24759 provide standards references; the cited public sources do not show an independent enforcement or certificate route equivalent to CMVP validation. | When a buyer asks for validated cryptography, confirm whether they mean a CMVP-listed FIPS 140-3 module rather than a general ISO standards citation. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
[ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
[ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance. |
| Overlap and reuse | FIPS 140-3 incorporates ISO/IEC 19790 and ISO/IEC 24759 references and adds FIPS/CMVP-specific validation context, NIST SP 800-140 modifications, and implementation guidance. | ISO references can explain the underlying security and test framework, but they should not absorb FIPS-specific certificate, approved-mode, CAVP, or CMVP evidence requirements. | Reuse explanatory text across the two sides, but keep validation artifacts and public claims tied to the FIPS/CMVP source that supports them. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
[ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
[ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance. |
| Practical decision rule | Use FIPS 140-3 and CMVP as controlling when the question is "Is this cryptographic module validated for the claimed use?" | Use ISO/IEC 19790 or ISO/IEC 24759 as controlling only when the question is about the international requirements or test-requirements standard named in the request. | A defensible answer usually names both layers: the ISO standard family for requirements or tests, and the FIPS/CMVP evidence for validation status. | [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
[CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
[ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
[ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance. |
Sources for Scope and covered activity - FIPS 140-3 and CMVP:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
Sources for Scope and covered activity - ISO/IEC 19790 and ISO/IEC 24759:
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Scope and covered activity - operational implication:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Who uses the result - FIPS 140-3 and CMVP:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
Sources for Who uses the result - ISO/IEC 19790 and ISO/IEC 24759:
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Who uses the result - operational implication:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for When the comparison matters - FIPS 140-3 and CMVP:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
Sources for When the comparison matters - ISO/IEC 19790 and ISO/IEC 24759:
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for When the comparison matters - operational implication:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Work products - FIPS 140-3 and CMVP:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
Sources for Work products - ISO/IEC 19790 and ISO/IEC 24759:
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Work products - operational implication:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Evidence and records - FIPS 140-3 and CMVP:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
Sources for Evidence and records - ISO/IEC 19790 and ISO/IEC 24759:
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Evidence and records - operational implication:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Timing and updates - FIPS 140-3 and CMVP:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
Sources for Timing and updates - ISO/IEC 19790 and ISO/IEC 24759:
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Timing and updates - operational implication:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Assurance route - FIPS 140-3 and CMVP:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
Sources for Assurance route - ISO/IEC 19790 and ISO/IEC 24759:
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Assurance route - operational implication:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Overlap and reuse - FIPS 140-3 and CMVP:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
Sources for Overlap and reuse - ISO/IEC 19790 and ISO/IEC 24759:
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Overlap and reuse - operational implication:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Practical decision rule - FIPS 140-3 and CMVP:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
Sources for Practical decision rule - ISO/IEC 19790 and ISO/IEC 24759:
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
Sources for Practical decision rule - operational implication:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- Quote: "Security Requirements for Cryptographic Modules"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- Quote: "CAVP addresses the testing of Approved Security Functions"
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
- Quote: "Test requirements for cryptographic modules"
### How to choose between FIPS 140-3 and ISO/IEC 19790 and ISO/IEC 24759
- Choose FIPS 140-3 and CMVP when the visitor needs validation status, certificate scope, or a yes-or-no answer about whether the module is accepted as validated for the claimed use.
- Choose ISO/IEC 19790 or ISO/IEC 24759 when the visitor needs the underlying requirements or test standard that the FIPS 140-3 submission references.
- When the request mixes compliance language and validation language, name both layers: ISO for the requirement/test basis and FIPS/CMVP for the validation evidence.
Sources for the practical decision rule:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Primary source for cryptographic module scope, security levels, module areas, federal applicability, and the transition from FIPS 140-2.
- Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Program guidance for FIPS 140-3 validation evidence, binding/embedding, approved service indicators, CAVP certificates, change impact, and CMVP operating expectations.
- Quote: "CAVP addresses the testing of Approved Security Functions"
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Used only for named comparison pages where FIPS 140-3 is contrasted with the underlying international cryptographic module standard.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Used only for named comparison pages where FIPS 140-3 validation evidence is contrasted with test-requirement framing.
- Quote: "Test requirements for cryptographic modules"
## What is actually being compared?
FIPS 140-3 is the published Federal Information Processing Standard for security requirements for cryptographic modules. It applies to federal agencies using cryptography-based security systems and is the basis for CMVP validation of modules used to protect sensitive information.
ISO/IEC 19790 is the international cryptographic module security requirements standard referenced by FIPS 140-3. ISO/IEC 24759 is the related test requirements standard. The cited public sources support that relationship, but they do not support a detailed public clause-by-clause equivalence table for this page.
- Use FIPS 140-3 when the claim is about CMVP validation, federal-agency acceptance, certificate scope, or a FIPS-labeled procurement requirement.
- Use ISO/IEC 19790 when the claim is about the underlying international security requirements for cryptographic modules.
- Use ISO/IEC 24759 when the claim is about the test-requirements frame referenced by FIPS 140-3 and CMVP guidance.
- Do not describe ISO/IEC 19790 or ISO/IEC 24759 as a substitute for CMVP validation unless the procurement or assurance document explicitly allows that.
Sources for this answer:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
## Where FIPS 140-3 adds operational work
The FIPS side is not just a standards citation. FIPS 140-3 names four qualitative security levels and covers module specification, interfaces, roles, services and authentication, software and firmware security, operational environment, physical security, non-invasive security, sensitive security parameter management, self-tests, life-cycle assurance, and mitigation of other attacks.
CMVP guidance turns those requirements into validation operations: module boundary and service descriptions, algorithm certificate handling, approved security service indicators, operational-environment records, entropy and SSP evidence, self-test expectations, CVE management, and change-impact decisions.
- Start FIPS evidence with the module boundary, version, operating environment, security level claims, roles, services, and approved versus non-approved services.
- Attach algorithm claims to CAVP certificate evidence where CMVP guidance requires it.
- Keep approved-mode indicators, security policy text, test reports, entropy support, self-test behavior, and change records together with the certificate scope.
- Rerun the comparison when the module boundary, implementation, operational environment, validated algorithms, or public claim changes.
Sources for this answer:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
## Where ISO/IEC 19790 and ISO/IEC 24759 fit
For this page, the supported ISO claim is deliberately narrow: ISO/IEC 19790 is the cryptographic module security requirements standard, and ISO/IEC 24759 is the cryptographic module test requirements standard. FIPS 140-3 and the CMVP guidance reference those standards, with the FIPS and CMVP material adding U.S./Canadian validation program context and NIST-specific modifications or guidance.
That means ISO references are useful for understanding the source standard family, but the evidence package for a FIPS 140-3 claim still needs CMVP-specific artifacts and current CMVP guidance.
- Use ISO citations to explain the standards lineage and requirement/test framing.
- Use FIPS and CMVP citations to support validation status, certificate scope, submission evidence, and U.S./Canadian federal acceptance claims.
- Keep any deeper ISO clause mapping outside this page unless the source text is available and reviewed directly.
- Flag customer requests that ask for "ISO 19790 compliant" evidence when they actually require a FIPS 140-3 validated module.
Sources for this answer:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
## Procurement and audit evidence to keep separate
A clean comparison keeps three evidence sets separate: the FIPS 140-3 validation claim, the ISO/IEC 19790 requirements reference, and the ISO/IEC 24759 test-requirements reference. The overlap is real, but the labels answer different procurement and assurance questions.
For customer-facing claims, avoid broad wording such as "ISO/FIPS compliant" unless the statement identifies the module, version, boundary, certificate status, operational environment, and the source that supports the claim.
- FIPS claim record: module name, version, boundary, security level, certificate identifier or status, operational environment, validated algorithms, and security policy link or artifact.
- ISO requirements record: the cited ISO/IEC 19790 edition or procurement language, plus the exact requirement family being discussed.
- Test-method record: the ISO/IEC 24759 or CMVP/DTR test reference named by the lab, assessor, or customer.
- Gap record: unsupported equivalence assumptions, missing certificate scope, expired or changed operational environments, and evidence reused from a different module.
Sources for this answer:
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Supports the FIPS 140-3 side: federal-agency applicability, four security levels, CMVP validation context, incorporated ISO/IEC 19790 and ISO/IEC 24759 references, and the module security requirement areas.
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Supports the program-evidence side: CMVP implementation guidance for submissions, algorithm validation certificates, service indicators, operational environments, entropy, self-tests, CVE management, and change handling.
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Supports the ISO/IEC 19790 comparator at scope level only: it is the international cryptographic module security requirements standard referenced by FIPS 140-3.
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Supports the ISO/IEC 24759 comparator at scope level only: it is the international test requirements standard referenced by FIPS 140-3 and CMVP guidance.
*Recommended next step*
*Placement: after practical guidance*
## Operationalize FIPS and ISO module claims
Use this comparison to separate CMVP validation evidence from ISO requirement and test references before making procurement, audit, or public security claims.
- [Open Assessment Autopilot for FIPS 140-3](/solutions/assessment.md): Track module scope, certificate evidence, algorithm validation, and change-impact review for FIPS 140-3 work.
- [Research FIPS and ISO source questions](/solutions/research-copilot.md): Resolve whether a request needs CMVP validation evidence, ISO requirements context, test-method references, or all three.
- [Talk through implementation](/contact.md): Review module boundaries, source claims, validation evidence, and procurement wording with Sorena.
## Primary sources
- [NIST FIPS 140-3 security requirements for cryptographic modules](https://doi.org/10.6028/NIST.FIPS.140-3?ref=sorena.io) - Primary source for cryptographic module scope, security levels, module areas, federal applicability, and the transition from FIPS 140-2.
- Quote: "four increasing, qualitative levels of security"
- [CMVP Implementation Guidance for FIPS 140-3](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/FIPS%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Program guidance for FIPS 140-3 validation evidence, binding/embedding, approved service indicators, CAVP certificates, change impact, and CMVP operating expectations.
- Quote: "CAVP addresses the testing of Approved Security Functions"
- [ISO/IEC 19790 cryptographic module security requirements](https://www.iso.org/standard/52906.html?ref=sorena.io) - Used only for named comparison pages where FIPS 140-3 is contrasted with the underlying international cryptographic module standard.
- Quote: "Security requirements for cryptographic modules"
- [ISO/IEC 24759 cryptographic module test requirements](https://www.iso.org/standard/72515.html?ref=sorena.io) - Used only for named comparison pages where FIPS 140-3 validation evidence is contrasted with test-requirement framing.
- Quote: "Test requirements for cryptographic modules"
## Related Topic Guides
- [FIPS 140-3 algorithm certificate mapping: ACVTS certificates to module boundary](/artifacts/global/fips-140-3/algorithm-certificate-mapping.md): Map CAVP algorithm certificates to FIPS 140-3 module services, approved security functions, security policy tables, and validation evidence.
- [FIPS 140-3 Algorithm Certificates FAQ](/artifacts/global/fips-140-3/faq/algorithm-certificates.md): How CAVP algorithm certificates support, but do not replace, FIPS 140-3 cryptographic module validation evidence.
- [FIPS 140-3 Applicability Test](/artifacts/global/fips-140-3/applicability-test.md): Check whether FIPS 140-3 applies to a cryptographic module claim by testing agency use, module boundary, security level, approved functions, CMVP status, and procurement evidence.
- [FIPS 140-3 Approved and Non-Approved Mode Workflow](/artifacts/global/fips-140-3/approved-and-non-approved-mode-workflow.md): Classify FIPS 140-3 module services by approved security service, allowed no-security-claimed use, and non-approved service evidence.
- [FIPS 140-3 approved-mode evidence workflow](/artifacts/global/fips-140-3/approved-mode-evidence-workflow.md): A grounded workflow for collecting FIPS 140-3 approved-mode evidence: module boundary, approved services, service indicators, CAVP certificates, Security Policy entries, and change review.
- [FIPS 140-3 Certificate Maintenance FAQ](/artifacts/global/fips-140-3/faq/certificate-maintenance.md): How to maintain FIPS 140-3 certificate evidence after validation by checking module status, version, caveats, Security Policy, and revalidation records.
- [FIPS 140-3 Change Impact Review](/artifacts/global/fips-140-3/change-impact.md): Review FIPS 140-3 module changes against boundary, version, operational environment, embedded module, software loading, CVE, and certificate evidence.
- [FIPS 140-3 compliance guide](/artifacts/global/fips-140-3/compliance.md): A grounded FIPS 140-3 compliance guide for cryptographic module scope, security-level claims, CMVP validation evidence, and procurement review.
- [FIPS 140-3 Entropy and DRBG Evidence](/artifacts/global/fips-140-3/entropy-and-drbg.md): FIPS 140-3 entropy and DRBG guidance for module boundary decisions, entropy caveats, Security Policy evidence, ESV references, and DRBG CSP handling.
- [FIPS 140-3 Entropy Evidence FAQ](/artifacts/global/fips-140-3/faq/entropy-evidence.md): How FIPS 140-3 entropy evidence should document entropy source location, GetEntropy access, SP 800-90B testing, Security Policy text, and certificate caveats.
- [FIPS 140-3 FAQ for Cryptographic Modules](/artifacts/global/fips-140-3/faq.md): Answers to common FIPS 140-3 questions about scope, CMVP validation, algorithm certificates, module boundaries, approved mode, and validation evidence.
- [FIPS 140-3 Module Boundaries FAQ](/artifacts/global/fips-140-3/faq/module-boundaries.md): Understand how FIPS 140-3 module boundaries affect cryptographic module scope, interfaces, software and firmware components, and bound or embedded validated modules.
- [FIPS 140-3 Module Boundary Selector Workflow](/artifacts/global/fips-140-3/module-boundary-selector-workflow.md): A FIPS 140-3 workflow for selecting a cryptographic module boundary, separating embedded and bound modules, and collecting CMVP validation evidence.
- [FIPS 140-3 operational environments FAQ](/artifacts/global/fips-140-3/faq/operational-environments.md): Learn what a FIPS 140-3 operational environment means for software, firmware, and hybrid cryptographic modules, and what evidence to check before relying on a validation claim.
- [FIPS 140-3 security levels: how to choose and evidence them](/artifacts/global/fips-140-3/faq/security-levels.md): A practical FAQ on FIPS 140-3 security levels, module scope, CMVP evidence, bound or embedded modules, and common claim mistakes.
- [FIPS 140-3 Security Policy Template](/artifacts/global/fips-140-3/security-policy-template.md): Build a FIPS 140-3 module Security Policy with sections for boundary, roles, services, approved algorithms, SSP handling, self-tests, and CMVP evidence.
- [FIPS 140-3 Validation Checklist](/artifacts/global/fips-140-3/fips-140-3-validation-checklist.md): Checklist for preparing a cryptographic module for FIPS 140-3 validation: boundary, levels, services, approved algorithms, entropy, tests, security policy, and change evidence.
- [FIPS 140-3 Validation Maintenance](/artifacts/global/fips-140-3/validation-maintenance.md): Maintain FIPS 140-3 validation claims by checking module identity, certificate status, boundary changes, operational environments, and CAVP evidence.
- [FIPS 140-3 Validation Maintenance Change Workflow](/artifacts/global/fips-140-3/validation-maintenance-change-impact-workflow.md): A FIPS 140-3 workflow for triaging module changes against CMVP validation scope, Security Policy evidence, CAVP certificates, software loading, and CVE records.
- [FIPS 140-3 Vendor Affirmation FAQ](/artifacts/global/fips-140-3/faq/vendor-affirmation.md): When vendor affirmation can support a FIPS 140-3 module claim, what it does not supersede, and which Security Policy, CAVP, CSTL, and test-report evidence to keep.
- [FIPS 140-3: CMVP Lifecycle Timeline](/artifacts/global/fips-140-3/cmvp-lifecycle-timeline.md): Practical FIPS 140-3 guidance for CMVP Lifecycle Timeline: scope, controls, evidence, source-linked decisions, and implementation checkpoints.
- [FIPS 140-3: FIPS 140-2 vs FIPS 140-3](/artifacts/global/fips-140-3/fips-140-2-vs-fips-140-3.md): Compare FIPS 140-2 legacy references with FIPS 140-3 requirements, ISO/IEC 19790 alignment, CMVP testing evidence, and guidance mappings.
- [FIPS 140-3: Module Boundary and Service Mapping](/artifacts/global/fips-140-3/module-boundary-and-service-mapping.md): Map a FIPS 140-3 cryptographic module boundary to services, approved algorithms, operational environments, and CMVP validation evidence.
- [FIPS 140-3: Module Boundary Selector](/artifacts/global/fips-140-3/module-boundary-selector.md): Select and document a FIPS 140-3 cryptographic module boundary across hardware, software, firmware, operational environment, services, and validation evidence.
- [FIPS 140-3: Operational Environment](/artifacts/global/fips-140-3/operational-environment.md): FIPS 140-3 operational environment guidance for software, firmware, hybrid, CAVP certificate, EVM, and PAA/PAI validation claims.
- [FIPS 140-3: Security Levels Explained](/artifacts/global/fips-140-3/security-levels-explained.md): Explain FIPS 140-3 Security Levels 1 through 4, what they cover, and how to document level claims for cryptographic module validation.
- [FIPS 140-3: step-by-step workflow for mapping algorithm certificates to CMVP modules](/artifacts/global/fips-140-3/algorithm-certificate-mapping-workflow.md): Map CAVP algorithm certificates to a FIPS 140-3 module by matching implementation identity, operational environment, module services, and security policy evidence.
- [How should teams handle approved mode under FIPS 140-3?](/artifacts/global/fips-140-3/faq/approved-mode.md): Answer the FIPS 140-3 approved-mode question with service-level indicators, Security Policy evidence, and limits on non-approved functions.
---
[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)
(c) 2026 Sorena AB (559573-7338). All rights reserved.
Source: https://www.sorena.io/artifacts/global/fips-140-3/fips-140-3-vs-iso-19790