There’s a new sheriff in town, and it's enforcing tougher laws for cryptographic security. FIPS 140-3 arrives with a fresh badge of trust for Hardware Security Modules (HSMs), introducing stricter requirements that raise the bar for anyone in the business of protecting sensitive data.
HSMs play a critical role in securing sensitive information, especially in government systems where security and reliability are non-negotiable. To guide this, the National Institute of Standards and Technology (NIST) issues the Federal Information Processing Standards (FIPS), which set the benchmark for security requirements of cryptographic modules – including HSMs. One of the most important standards, FIPS 140-2, has long defined how HSMs must be designed, implemented, and operated.
However, change is on the horizon – FIPS 140-3 is scheduled to completely replace its predecessor on September 21, 2026. In fact, as of April 1, 2022, all new submissions must meet the requirements of FIPS 140-3. This updated standard, validated through the Cryptographic Module Validation Program (CMVP), ensures a more robust and modern approach to cryptographic security for federal departments and agencies.
In this article, we'll explore the details of FIPS 140-3 in terms of timeline, security levels and Utimaco's FIPS 140-3 compliant HSM portfolio.
FIPS 140-3 Rollout Timeline
March 2019: FIPS 140-3 is approved
September 2020: The CMVP begins accepting module validations under FIPS 140-3
September 2021: Testing laboratories are required to be NVLAP-accredited for FIPS 140-3
April 2022: New submissions are only possible for FIPS 140-3
September 2026: FIPS 140-2 will be fully replaced by FIPS 140-3

FIPS 140-3 vs. FIPS 140-2 – Key Differences
As cyber threats become more advanced, the standards that protect our data need to keep up. That’s why FIPS 140-3 was introduced—to strengthen security and align more closely with global expectations. Here’s how it differs from the earlier FIPS 140-2 standard:
- FIPS 140-3 aligns with international standards like ISO/IEC 19790:2012.
- FIPS 140-3 covers stricter security requirements from design to development.
- FIPS 140-3 examines a fifth interface: “control output” (FIPS 140-2 covered “data input”, “data output”, “control input”, “status output”).
- FIPS 140-3 includes stricter requirements for physical security, including temperature testing and environmental failure testing (EFT) mechanisms.
- Algorithm requirements changed in FIPS 140-3, specifying more advanced cryptography such as SHA-3 and AES-256.
- FIPS 140-3 includes stricter zeroization requirements for CSPs as well as unprotected SSPs and key components within the module.
FIPS 140-3 Areas
The FIPS 140-3 standard evaluates the following areas of cryptographic modules:
- Cryptographic module specification,
- Cryptographic module interfaces,
- Roles, services, and authentication,
- Software/firmware security,
- Operating environment,
- Physical security,
- Non-invasive security,
- Sensitive security parameter management,
- Self-tests,
- Life-cycle assurance,
- Mitigation of other attacks.
FIPS 140-3 Security Levels
The FIPS 140-3 standard provides four increasing, qualitative levels of security:
Level 1: The lowest level of security, which contains basic security requirements at the firmware or software level and the use of one approved encryption algorithm.
Level 2: Includes all requirements from level 1 and additionally demands role-based authentication, physical security mechanisms and tamper evidence mechanisms.
Level 3: Includes all requirements from level 2 and additionally demands the use of identity-based authentication, physical manipulation security & resistant housing/coating, and Environmental Failure Protection (EFP) or Environmental Failure Testing (EFT) mechanisms.
Level 4: Includes all requirements from level 3 and additionally demands multi-factor authentication and more advanced physical security mechanisms.
Utimaco’s FIPS 140-3 Hardware Security Module portfolio
Atalla AT1000 Payment HSM - The first FIPS 140-3 Level 3 Certified Payment HSM
The Atalla AT1000 Payment HSM is the leading Payment Hardware Security Module in the industry, designed for secure and compliant non-cash retail payment transactions, card issuance and cardholder authentication.
It is the first Payment Hardware Security Module to receive the FIPS 140-3 Level 3 validation.
u.trust General Purpose HSM Se-Series – FIPS 140-3 Level 3 Certification in Progress
The u.trust General Purpose HSM Se-Series combines scalable multi-tenancy functionality with superior performance. Its container-based architecture supports up to 31 containers and enables flexible deployment of classical and post-quantum cryptography algorithms across many use cases, including extensions for 5G, blockchain, and custom applications. Customers can choose between on-premises and as-a-service deployment.
The FIPS 140-3 certification for the u.trust General Purpose HSM Se-Series is in progress.
Summary: FIPS 140-3 will succeed FIPS 140-2 in September 2026
As of September 2026, FIPS 140-3 will be the benchmark for the security of cryptographic modules in the market. The new standard introduces stricter and broader security requirements, enhancing cryptographic security for modern requirements.