Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Compliance and Regulations
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
What is FIPS 140-2? Cryptographic Module Validation Program
Last updated
November 18, 2024
{x} minute read

What is FIPS 140-2? Cryptographic Module Validation Program

Download the PDF guide
Free trial
Written by
Nicholas Sollitto
Senior Cybersecurity Writer
Nicholas's cybersecurity writing has been featured in G2.
Reviewed by
Kaushik Sen
Chief Marketing Officer
Kaushik has a background in software engineering, enterprise solution architecture, and data analytics. He brings a unique, data-driven perspective to cybersecurity education.
Table of contents

FIPS 140-2 is a federal information processing standard that manages security requirements for cryptographic modules. The National Institute of Standards and Technology (NIST) published the security standard in November 2001 to develop coordinated requirements for hardware computer components.

NIST replaced FIPS 140-2 with FIPS 140-3 in March 2019. This iteration introduced new critical security parameters for software and firmware and updated the four critical security levels that FIPS 140-2 introduced. These four levels of security include regulations that the U.S. government and other highly regulated industries that store, collect, or disclose sensitive information (finance, healthcare, etc.) must comply with.

What is Cryptography?

Cryptography is an encryption method that utilizes technical codes to protect sensitive data and ensure information security. This method commonly uses cryptographic keys, algorithms, and crypto techniques such as microdots or encryption (scrambling plaintext into ciphertext).

What is Sensitive Data?

Sensitive data includes any information, whether original or copied from another source, that contains:

  • Racial or ethnic origin
  • Political opinion
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Sex life or sexual orientation
  • Financial information (bank account numbers and credit card numbers)
  • Classified information

Some regulatory standards, including the EU’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act of 1996 (HIPPA), and the Gramm-Leach-Bliley Act (GLBA), all include provisions that protect other types of information as sensitive data.

Recommended reading: What is the Primary Method for Protecting Sensitive Data? and What is Sensitive Data?

FIPS 140-1 vs. FIPS 140-2 vs. FIPS 140-3

NIST released the FIPS 140 publication series in 1994 to establish the cryptographic module validation program (CMVP) through a joint effort with the Canadian government.

Starting with FIPS 140-1, the publication series now spans three iterations, each improving upon the last and fortifying the validation process with increasingly robust standards.

FIPS 140-1

As previously mentioned, FIPS 140-1 established the CMVP. The publication is one of NIST’s most successful standards and is still relevant today. Unlike other published standards that have changed in scope or applicability, FIPS 140-1 has only been strengthened by FIPS 140-2 and FIPS 140-3.

When the NIST introduced FIPS 140-1, it imposed requirements across eleven areas of cryptographic modules:

  1. Cryptographic module specification (documentation and procedural records)
  2. Ports and interfaces (what information flows in and out of a cryptographic module)
  3. User roles, access levels, and authentication
  4. Finite state model (documentation of what states a module can occupy and when and why transitions are triggered)
  5. Physical security (tamper evidence and resistance)
  6. Operational environment (what operating system does a module use)
  7. Cryptographic key management (encryption generation, storage, lifecycle, and destruction)
  8. Electromagnetic compatibility (what systems is a module compatible with)
  9. Security tests (procedures outlining what tests must be completed and the consequences of failure)
  10. Module design (documentation that proves a module was designed to meet current industry standards)
  11. Attack mitigation (records proving a module has been designed to mitigate particular types of environmental attacks)

FIPS 140-2

FIPS 140-2 ensures that the hardware organizations utilize to store sensitive data and other protected information meets critical security specifications and key management requirements.

This second iteration of the FIPS publication series introduced the FIPS certification process, which is defined by four increasing, qualitative levels of security.

Qualitative Levels of Security

  • Level 1: Requires organizations to utilize “production-grade” hardware, physical security mechanisms, and externally tested and approved algorithms
  • Level 2: Adds additional requirements for physical tamper-evidence and role-based authentication. It also requires all operating systems to be approved by common criteria
  • Level 3: Adds requirements for identity-based authentication and tamper-proof physical security functions (pick-resistant locks). It also requires a logical separation between the interfaces, enabling “critical security parameters” to enter and leave the module. Encryption keys that meet the Advanced Encryption Standard (AES) are also required during entrances and exits
  • Level 4: Adds physical security requirements that will erase the contents of a device if the system detects severe vulnerabilities or cyber-attacks

FIPS 140-3

Overall, FIPS 140-3 expanded the scope of FIPS 140-2 to cover firmware and software in addition to hardware computer components. The FIPS 140-3 standard supersedes all FIPS 140-2 standards from its effective date in 2019. FIPS 140-3 also incorporates two existing standards (ISO 19790 and ISO 24759) to elevate its requirements for cryptographic modules and cryptographic algorithms.

With FIPS 140-3, NIST also updated several requirements within its qualitative security levels. Most notably, these updates included:

  • Level 2 security clearance can now be achieved by software modules without common criteria dependency
  • Level 2 security clearance now includes OS requirements that are similar to the criteria outlined in Common Criteria OSPP
  • Level 3 security clearance now requires Environmental Failure Testing (EFT) or Environmental Failure Protection (EFP)
  • Level 4 security clearance now requires Environmental Failure Protection (EFP) to meet voltage and temperature demands
  • Level 4 security clearance now requires fault induction protection
  • Level 4 security clearance now requires multi-factor authentication

Where Can I Learn More About FIPS 140-3?

The UpGuard blog, “What is FIPS 140-3? The Critical Updates You Must Be Aware Of,” includes additional information about FIPS 140-3. The blog also lists additional technical differences between FIPS 140-2 and FIPS 140-3.

Who Must Comply With FIPS 140?

The Federal Information Security Management Act (FISMA) requires various U.S. entities to maintain FIPS-compliant cryptographic modules. Canada has also adopted FIPS standards to validate cryptographic modules throughout several highly regulated industries.

Overall, the following groups are required to comply with FIPS 140 standards:

  • U.S. government agencies and U.S. government contractors
  • Canadian federal agencies and Canadian government contractors
  • Third parties working alongside federal government agencies
  • Cybersecurity organizations that market or sell to regulated industries

Additional industries, such as finance, healthcare, and other highly regulated practices, have also adopted FIPS standards because of the publication’s advanced focus on securing and protecting sensitive data.

When Will FIPS 140-2 Certificates Be Retired?

The U.S. Federal Government is currently establishing practices to validate all FIPS 140-2 certificates with the new standards outlined by FIPS 140-3. In addition, NIST announced that all FIPS 140-2 validations will be retired by September 2026.

How Can UpGuard Help with FIPS 140-3?

UpGuard Vendor Risk empowers organizations to achieve compliance across their digital supply chains. Users of UpGuard Vendor Risk can access UpGuard’s flexible vendor questionnaire library or configure custom questionnaires of their own using the platform’s intuitive and easy-to-use interface.

After sending and receiving vendor questionnaires, organizations can also utilize UpGuard’s remediation workflows to work alongside vendors to solve compliance issues and eliminate compliance risks.

Overall, UpGuard Vendor Risk enables organizations to elevate their third-party risk management programs through the use of powerful cybersecurity tools such as:

Start your UpGuard free trial right now. Or, discover how UpGuard helps organizations protect their internal and external attack surfaces by learning more about UpGuard’s robust cybersecurity solutions.

Related posts

Learn more about the latest issues in cybersecurity.
Compliance and Regulations

NIST compliance in 2025: A complete implementation guide

NIST compliance ensures alignment with leading cybersecurity frameworks. Explore how the NIST standards can safeguard sensitive data and manage third-party
Edward Kost
Edward Kost
December 2, 2025
Compliance and Regulations

Introducing UpGuard’s DPDP Act Security Questionnaire

Discover the latest addition to UpGuard's industry-leading Questionnaire Library and learn how to achieve comprehensive DPDP compliance.
Nicholas Sollitto
Nicholas Sollitto
November 18, 2024
Compliance and Regulations

From NIS to NIS2: What Your Organization Needs to Know

Understanding the transition from NIS to NIS2 is crucial for protecting your organization. Explore the key changes and compliance steps in this blog.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

How to Prepare for a Cyber Essentials Plus Audit

Learn more about the Cyber Essentials Plus independent assessment process, and steps your organization can take to prepare.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

PSPF 001-2024: Safeguarding GovTech from Foreign Influence

Explore Australia’s new PSPF Direction, including key components and strategies to help government entities prevent foreign influence over tech assets.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

GDPR's Influence on Indian Data Protection Practices

Explore the impact of the GDPR on India's cyber regulations, comparing pre-GDPR and post-GDPR data protection laws.
Leah Sadoian
Leah Sadoian
July 10, 2025
All posts