--- title: "What Is Included in FIPS Standards Hub (FIPS 140-3, CMVP, FIPS Crypto)" canonical_url: "https://www.sorena.io/artifacts/global/fips-standards-hub/what-is-included" source_url: "https://www.sorena.io/artifacts/global/fips-standards-hub/what-is-included" author: "Sorena AI" description: "Coverage map for the FIPS Standards Hub: FIPS 140-3 cryptographic module requirements, CMVP context and guidance." published_at: "2026-03-04" updated_at: "2026-03-04" keywords: - "what is included FIPS standards hub" - "FIPS 140-3 coverage" - "CMVP guidance" - "FIPS crypto algorithms coverage" - "AES FIPS 197" - "SHA-2 FIPS 180-4" - "SHA-3 FIPS 202" - "FIPS 186-5" - "FIPS 203" - "FIPS 204" - "FIPS 205" - "GLOBAL compliance" - "FIPS standards" - "FIPS 140-3" - "CMVP" - "FIPS crypto algorithms" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # What Is Included in FIPS Standards Hub (FIPS 140-3, CMVP, FIPS Crypto) Coverage map for the FIPS Standards Hub: FIPS 140-3 cryptographic module requirements, CMVP context and guidance. *Coverage map* *GLOBAL* ## FIPS Standards Hub What is included A coverage map for FIPS standards and validation reality: algorithms, modules, and evidence. Use this page to see which document to use for which question, and what evidence it tends to drive. FIPS-compliant is a phrase that hides multiple different things: using approved algorithms, building a cryptographic module that meets FIPS 140-3 requirements, and achieving validation through the CMVP. This hub is organized to remove that confusion. Below is what is included, what it is for, and how the pieces fit together into a defensible evidence and procurement story. ## The two layers: algorithms versus module validation Layer one is the algorithm layer. It includes AES, secure hash, digital signatures, and post-quantum primitives. These documents tell you what the primitive is and what algorithm-level requirements apply. Layer two is the module layer. FIPS 140-3 defines security requirements for cryptographic modules, and the CMVP validates modules against those requirements through labs, test evidence, and Security Policies. - Algorithm layer: what the primitive is and how it is specified - Module layer: how crypto is packaged, exposed as services, tested, and evidenced - Procurement reality: buyers often ask for the module-validation story, not just an algorithm name ## Included: FIPS 140-3 and CMVP program reality This hub includes FIPS 140-3, the CMVP program context, and the implementation-guidance layer that affects how real submissions are scoped and tested. That means you can use the hub to understand boundary, approved mode, services, self-tests, and the supporting SP 800-140 family used in the CMVP ecosystem. - FIPS 140-3 for module requirements and levels - CMVP for validation flow and certificate meaning - Implementation Guidance and SP 800-140 references for application detail *Recommended next step* *Placement: after the scope or definition section* ## Use FIPS Standards Hub What is included as a cited research workflow Research Copilot can take FIPS Standards Hub What is included from clarifying scope and applicability with cited answers to a reusable workflow inside Sorena. Teams working on FIPS Standards Hub can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Research Copilot for FIPS Standards Hub What is included](/solutions/research-copilot.md): Start from FIPS Standards Hub What is included and answer scope, timing, and interpretation questions with cited outputs. - [Talk through FIPS Standards Hub](/contact.md): Review your current process, evidence gaps, and next steps for FIPS Standards Hub What is included. ## Included: the core FIPS crypto standards The hub includes the FIPS crypto standards most commonly referenced in product security, validation, and procurement work. Treat this as an implementation set: it helps you choose algorithms, set safe defaults, and create evidence-backed decisions. - FIPS 197 for AES - FIPS 180-4 and FIPS 202 for secure hash and XOF coverage - FIPS 186-5 for RSA, ECDSA, deterministic ECDSA, and EdDSA - FIPS 203, 204, and 205 for PQC key establishment and signatures ## Included: the related cryptographic NIST SP layer The hub also points to the cryptographic NIST SP ecosystem that makes the FIPS documents usable in practice. Those publications include the SP 800-140 family for CMVP use, SP 800-175B for applying cryptographic standards, SP 800-89 for signature-assurance methods, SP 800-208 for stateful hash-based signatures, and SP 800-227 for KEM guidance. These are not replacements for the FIPS standards. They are the companion guidance that helps teams implement, validate, and defend decisions. - SP 800-140 family for CMVP annex and documentation details - SP 800-175B for federal cryptographic standards usage guidance - SP 800-89 for digital-signature assurance - SP 800-208 and SP 800-227 for hash-based-signature and KEM guidance ## How to use this hub as a workflow This hub is designed as a workflow. If you follow it, you should end up with a crypto inventory, a list of allowed algorithms and parameters, an approved-mode story where relevant, and an evidence pack that makes audits and procurement responses predictable. Use the comparison pages to reduce program confusion: FIPS versus NIST SP and FIPS versus Common Criteria. - Inventory where crypto is used and who owns it - Select allowed algorithms, parameters, and migration patterns - Build evidence tied to scope and versions - Decide whether you need algorithm conformance evidence, module validation, product evaluation, or both ## Primary sources - [FIPS 140-3 (Security Requirements for Cryptographic Modules)](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf?ref=sorena.io) - Primary standard defining security levels and requirement areas for cryptographic modules. - [NIST and CCCS CMVP program overview](https://csrc.nist.gov/projects/cryptographic-module-validation-program?ref=sorena.io) - Program context for how modules are tested and validated. - [Implementation Guidance for FIPS 140-3 and the CMVP](https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf?ref=sorena.io) - Guidance used in practice by labs and vendors. - [FIPS 197 upd1 (AES)](https://doi.org/10.6028/NIST.FIPS.197-upd1?ref=sorena.io) - Primary AES algorithm standard reference. - [FIPS 180-4 (Secure Hash Standard)](https://doi.org/10.6028/NIST.FIPS.180-4?ref=sorena.io) - Primary SHA-2 family standard reference. - [FIPS 202 (SHA-3 Standard)](https://doi.org/10.6028/NIST.FIPS.202?ref=sorena.io) - Primary SHA-3 and SHAKE XOF standard reference. - [FIPS 186-5 (Digital Signature Standard)](https://doi.org/10.6028/NIST.FIPS.186-5?ref=sorena.io) - Primary signature standard reference. - [FIPS 203, 204, and 205](https://doi.org/10.6028/NIST.FIPS.203?ref=sorena.io) - PQC FIPS entry point; see also FIPS 204 and FIPS 205. ## Related Topic Guides - [FIPS Standards FAQ (Procurement, CMVP, Evidence)](/artifacts/global/fips-standards-hub/faq.md): FIPS Standards FAQ for procurement, compliance, and crypto-engineering teams: what FIPS-compliant means, FIPS algorithms versus FIPS 140-3 validated modules. - [FIPS vs Common Criteria (CC) - What to Validate vs Evaluate](/artifacts/global/fips-standards-hub/fips-vs-common-criteria.md): Deep comparison of FIPS, especially FIPS 140-3 and CMVP, versus Common Criteria: scope differences, evidence overlap, and when procurement requires both. - [FIPS vs NIST SP Series (Standards vs Cryptographic Guidance)](/artifacts/global/fips-standards-hub/fips-vs-nist-sp-series.md): Deep comparison of FIPS standards versus NIST Special Publications in the cryptographic ecosystem: how they differ, how they are used together. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/fips-standards-hub/what-is-included