NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage
Search CSRC:

FIPS 140-3 Development

Current FIPS 140-3 Development

On August 12, 2015, NIST published a Request for Information (RFI) in a Federal Register Notice (80 FR 48295), requesting public comments on using the ISO/IEC 19790:2012 standard, Security Requirements for Cryptographic Modules, as the U.S. Federal Standard for cryptographic modules.

The RFI provides additional background information, including seven questions (excerpted below) that NIST is especially interested in having addressed. The RFI also disucsses NIST's intentions.

Comments are due September 28, 2015, and may be sent to

After the comment period closes, comments received will be posted from this page.

* * *

[Excerpt from the RFI, with references to "ISO/IEC 19790:2014" changed to the correct "ISO/IEC 19790:2012":]

NIST requests comments on the following questions regarding the use of ISO/IEC 19790:2012, but comments on other cryptographic test and conformance issues will also be considered.

  1. Have your customers or users asked for either ISO/IEC 19790:2012 or FIPS 140-2 validations in cryptographic products?

  2. Have the markets you serve asked for either validation and have you noticed any changes in what the markets you serve are asking for?

  3. Do you think the ISO/IEC 19790:2012 standard specifies tests and provides evidence of conformance for cryptographic algorithms and modules better, equally or less as compared to FIPS 140-2 and in what areas?

  4. Is there a difference in risk that you perceive would be mitigated or accepted in use of one standard versus the other?

  5. Are the requirements in ISO/IEC 19790:2012 specific enough for your organization to develop a cryptographic module that can demonstrate conformance to this standard?

  6. Would the U.S. Government citation of an ISO standard that has a fee for access to the standard inhibit your use or implementation of this standard?

  7. Do either FIPS 140-2 or ISO/IEC 19790:2012 have a gap area that is not required for implementation, test or validation that presents an unacceptable risk to users of cryptographic modules?

The responses to this request for information will be used to plan possible changes to the FIPS or in a decision to use all or part of ISO/IEC 19790:2012 for testing, conformance and validation of cryptographic algorithms and modules.

Back to Top


Past FIPS 140-3 Development (2005-2012)

During the years 2005-2012, NIST used three Federal Register Notices and two workshops to gather input for proposed changes to FIPS 140-2. Although it was very informative, that effort was inconclusive and did not result in the publication of FIPS 140-3.

Past FIPS 140-3 Development (2005-2012)
1 Oct 2012

Public comment period ended.

30 Aug 2012

Federal Register Notice (77 FR 52692), Request for Comments:

NIST Federal Information Processing Standard (FIPS) 140-3 (Second Draft), Security Requirements for Cryptographic Modules; Request for Additional Comments

-In order to clarify and resolve inconsistent comments on the Revised (aka "Second") Draft FIPS 140-3 (Dec 2009), NIST requested additional comments on specific sections and subsections of the draft.

11 Mar 2010

Public comment period ended for Revised Draft FIPS 140-3 (Dec 2009).

Spreadsheet of all comments received on the Revised Draft (Dec 2009)

11 Dec 2009

Federal Register Notice (74 FR 65753), Request for Comments:

Announcing Revised Draft Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules

-In response to public comments received on the July 2007 Draft FIPS 140-3 and results of the FIPS 140-3 Software Security Workshop, NIST released aRevised Draft of FIPS 140-3 (Dec 2009).

18 Mar 2008

FIPS 140-3 Software Security Workshop.

11 Oct 2007

Public comment period ended for Draft FIPS 140-3 (July 2007).

Spreadsheet of all comments received and NIST's comment resolutions on the Draft (July 2007)

13 Jul 2007

Federal Register Notice (72 FR 38566), Request for Comments:

Announcing Draft Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules

Draft FIPS 140-3 (July 2007)

31 Mar 2007

NIST completed preparing the first public draft of FIPS 140-3; began the NIST and Department of Commerce administrative review/release process.

26-29 Sep 2005

Physical Security Testing Workshop.

28 Feb 2005

Public comment period ended for new and revised requirements for FIPS 140-3.

12 Jan 2005

Federal Register Notice (70 FR 2122), Request for Comments:

Announcing Development of Federal Information Processing Standard (FIPS) 140-3, a Revision of FIPS 140-2, Security Requirements for Cryptographic Modules

Back to Top



Questions about the FIPS 140-3 development effort, FIPS 140-2, or cryptographic modules testing and validation should be directed to the Cryptographic Module Validation Program's (CMVP) points of contact.

Back to Top