Cybersecurity FIPS | DEKRA
FIPS 140-3/ ISO 19790

The most widely recognized security validation for Cryptographic Modules

FIPS 140-3/ ISO 19790

What is FIPS 140-3?

FIPS (Federal Information Processing Standard) 140-3 is the standard for validating the effectiveness of cryptographic modules.
Although FIPS 140-3 is a U.S./Canadian Federal standard, FIPS 140-3 compliance has been widely adopted around the world in both governmental and non-governmental sectors as a practical security benchmark and realistic best practice.
FIPS 140-3 is based on ISO/IEC 19790, an international standard. Several countries also issue certificates according to ISO/IEC 19790.
Organizations use the FIPS 140-3 standard to ensure that the hardware, software or firmware they select meets specific security functional requirements and approved algorithms.

How does it work?

The FIPS 140-3 certification standard defines four increasing, qualitative levels of security:
  • Level 1: Validation of at least one approved algorithm or security function. Requires explicit or implicit authentication, production-grade components and functional testing.
  • Level 2: Requires role-based authentication and physical security requirements for tamper evidence.
  • Level 3: Requires identity-based authentication.
  • Adds requirements for physical tamper-resistance and environ-mental conditions for temperature and voltage. Trusted channel for the transmission of unprotected key material.
  • Level 4: Requires multifactor-based authentication. Adds requirements for tamper detection and response envelope, EFP and fault injection mitigation.
Additional validation programs:
Cryptographic Algorithm Validation Program (CAVP)
provides validation testing of Approved (i.e., FIPS-approved and NIST-recommended) cryptographic algorithms and their individual components. Cryptographic algorithm validation is a prerequisite for cryptographic module validation.
Entropy Source Validation (ESV)

What is tested in FIPS 140-3?

Each one of the FIPS 140-3 levels focuses on eleven functional areas of product security related to secure design and implementation.
At each level, greater amount of evidence and engineering is required from the product manufacturer in order to show compliance with the standard.
The functional areas that must be addressed are:
  • Cryptographic module specification
  • Cryptographic module interfaces
  • Roles, services, and authentication
  • Software/Firmware security
  • Operational environment
  • Physical security
  • Non-invasive security
  • Sensitive security parameter management
  • Self-tests
  • Life-cycle assurance
  • Mitigation of other attacks

Certifying your Cryptographic Module with DEKRA

We understand that achieving FIPS 140-3 Certification represents a significant investment by our customers.
We help our clients to gain a FIPS 140-3 certificate as quickly as possible (on time and on budget). Our validation procedures are fully optimized to minimize the impact on our customers’ resources. We conduct a fast and smooth testing process.

Our Services

  • Pre-assessment
  • CAVP certification
  • ESV certification
  • CMVP certification (FIPS 140-3 and FIPS 140-2 cert maintenance)
  • FIPS 140-3/CAVP/ESV training
  • Compliance letters


At DEKRA we are committed to supporting our customers with their FIPS 140-3 and ISO 19790 certification needs. We understand the pressures of validating a product or implementation against demanding technical requirements with stringent time constraints, so we stand by our customers by providing timely and professional support. Our goal is to complete the lab work efficiently and within the committed time at a reasonable price.
DEKRA Security lab performs FIPS 140-3 evaluations and supporting services, under two NVLAP accredited labs. Lab Codes: 200856-0 and 600319-0.
DEKRA has experience in all certification types under FIPS 140-3 scope (CMVP, CAVP and ESV), covering HW, SW and Hybrid platforms.
Our coordinated crypto labs in Spain and USA (with cross-qualified staff) allows us to provide regional support in Europe and Americas with globally distributed evaluation work.
DEKRA is also ISO 19790 accredited by CCN (Spain) scheme, allowing a FIPS 140-3 based evaluation to be easily upgraded to cover ISO 19790 (and viceversa) with minimum extra effort and cost.