🛡️ STATUS BADGE: 🟢 ELIGIBLE (Self-Hosted)
Executive Summary: What is it?
Federal Information Processing Standard (FIPS) 140-3 is the NIST standard specifying security requirements for cryptographic modules — the hardware and software components that perform encryption, decryption, key management, and authentication. Validated modules are listed in the CMVP (Cryptographic Module Validation Program) registry maintained jointly by NIST and Canada's CSEC. FIPS 140-3 supersedes FIPS 140-2; both remain in active use, but new validations are being submitted exclusively under 140-3.
CFO / Business Impact: What does it cost/risk?
- Federal & DoD Market Access: US federal agencies and contractors are required by OMB mandate to use FIPS 140-validated cryptography for all sensitive unclassified data. Self-certification ("we use AES-256") is not sufficient — the library itself must be CMVP-listed.
- CMMC & Impact Level Prerequisite: FIPS 140 validation is a foundational requirement for CMMC (Cybersecurity Maturity Model Certification) and DoD IL2–IL5 authorizations. Without it, a solution cannot enter the Defense Industrial Base supply chain.
Technical Reality: How does it work?
- CMVP-Listed Libraries: The cryptographic library in use (e.g., OpenSSL with its FIPS Provider, BoringCrypto, or Microsoft's CNG) must be independently tested by an NVLAP-accredited laboratory and appear on the NIST CMVP active modules list.
- FIPS Mode Enforcement: Self-hosted deployments must be configured to run in a validated "FIPS mode," which disables non-approved algorithms (MD5 for security purposes, DES, RC4) and enforces approved cipher suites (AES-256-GCM, SHA-2/SHA-3, ECDH P-384).
- Key Management: Key generation, storage, zeroization, and destruction procedures must satisfy FIPS 140-3 Level 1 (software) through Level 4 (hardware) requirements depending on the target deployment classification.
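As an added illustration of the "FIPS mode" enforcement bullet above (example code, not from this page or any vendor), the following probes whether the Python/OpenSSL backend actually refuses MD5 for security use, audits a deployment's configured algorithm names against the approved and disallowed lists named above, and builds a TLS context restricted to suites made only of approved primitives. The allowed/disallowed tables are constructed from the page's examples; a real deployment takes them from the validated module's Security Policy, and the probe assumes hashlib is backed by OpenSSL rather than Python's built-in fallback digests.

```python
import hashlib
import ssl

# Constructed from the page's lists (assumption: a real deployment takes these
# from the CMVP-listed module's Security Policy, not from this table).
DISALLOWED = {"MD5", "DES", "RC4"}
APPROVED = {"AES-256-GCM", "SHA-256", "SHA-384", "SHA3-256", "ECDH-P384"}
# TLS 1.2 suites built only from approved primitives (constructed sample).
FIPS_TLS12_SUITES = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def probe_fips_mode() -> bool:
    """True when the backend refuses MD5 for security use, as FIPS mode does.

    Assumes hashlib is OpenSSL-backed; in FIPS mode, hashlib.md5() raises
    ValueError unless the caller passes usedforsecurity=False (Python >= 3.9).
    """
    try:
        hashlib.md5(b"probe")  # usedforsecurity defaults to True
        return False
    except ValueError:
        return True


def audit_algorithms(configured):
    """Split configured algorithm names into (approved, rejected).

    Names are upper-cased; anything not on the approved list is rejected, so
    an unknown or misspelled algorithm fails closed rather than slipping through.
    """
    approved, rejected = [], []
    for name in configured:
        norm = name.strip().upper()
        (rejected if norm in DISALLOWED or norm not in APPROVED else approved).append(name)
    return approved, rejected


def fips_tls_context() -> ssl.SSLContext:
    """Client context limited to TLS >= 1.2 and the approved TLS 1.2 suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FIPS_TLS12_SUITES)  # raises SSLError if none are available
    return ctx


def offered_cipher_names(ctx: ssl.SSLContext):
    """Suite names the context will offer, for an audit log. Note that
    set_ciphers() does not govern TLS 1.3 suites; OpenSSL adds those itself."""
    return [c["name"] for c in ctx.get_ciphers()]
```

Run `probe_fips_mode()` on the production host, not a developer laptop: a False there means the library is present but the deployment is not actually in FIPS mode, which is the gap auditors look for.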