FIPS 140-3 PQC Compliance Guide

FIPS 140-3 Compliance Guide for Post-Quantum Cryptography

Understanding FIPS 140-3 requirements and preparing for post-quantum cryptographic module validation.

Note: This guide provides an overview of FIPS 140-3 compliance in the context of post-quantum cryptography. As NIST continues to finalize PQC standards, this information will evolve.

FIPS 140-3 Overview

The Federal Information Processing Standard (FIPS) 140-3 is the U.S. government standard for cryptographic module validation. It specifies the security requirements for cryptographic modules used to protect sensitive but unclassified information in federal systems.

Key Points About FIPS 140-3

Adopted in 2019, replacing FIPS 140-2
Based on ISO/IEC 19790:2012 and ISO/IEC 24759:2017
Managed by the NIST Cryptographic Module Validation Program (CMVP)
Defines four security levels with increasing security requirements
Mandatory for federal agencies and often required for contractors

Security Levels

Level	Description
Level 1	Basic security requirements; allows software-only cryptographic modules
Level 2	Adds requirements for role-based authentication and tamper evidence
Level 3	Adds requirements for identity-based authentication and physical tamper resistance
Level 4	Highest level; adds protection against environmental attacks and robust physical security

Important: FIPS 140-3 validation is a rigorous process that can take 12-18 months to complete. Organizations should plan accordingly when implementing new cryptographic modules.

FIPS 140-3 and Post-Quantum Cryptography

As NIST finalizes post-quantum cryptographic standards, the CMVP is preparing to incorporate these algorithms into the FIPS 140-3 validation program. This section outlines the current status and future expectations for PQC in FIPS 140-3.

Current Status

Status Update: As of 2023, NIST has selected initial PQC algorithms for standardization, but these have not yet been incorporated into FIPS 140-3 as approved algorithms. The formal standards are expected to be published in 2024-2025.

Transition Timeline

2022-2023: NIST selection of standardization candidates
Completed
2023-2024: Draft FIPS publication for selected algorithms
In progress
2024-2025: Final FIPS publication and inclusion in approved algorithms list
Planned
2025-2026: First FIPS 140-3 validations for PQC modules
Planned
2026-2030: Gradual transition and deprecation of quantum-vulnerable algorithms
Planned

Implementation Approaches

Current Options for Organizations

Hybrid Implementations: Combine current FIPS-approved algorithms with PQC algorithms
Parallel Testing: Implement PQC in non-production environments while maintaining FIPS compliance in production
Algorithm Agility: Design systems to easily swap cryptographic algorithms when FIPS-approved PQC becomes available
Vendor Engagement: Work with vendors who are actively participating in NIST's PQC standardization process

Until PQC algorithms are approved for use in FIPS 140-3, they cannot be used as the sole cryptographic protection in federal systems requiring FIPS compliance.

Preparing for FIPS 140-3 PQC Validation

Organizations developing cryptographic modules that will eventually require FIPS 140-3 validation with post-quantum algorithms should begin preparation now. This section outlines key considerations and steps.

Documentation Requirements

FIPS 140-3 validation requires extensive documentation. For PQC modules, prepare:

Security Policy: Detailed documentation of the cryptographic module's security features, interfaces, and approved algorithms
Cryptographic Algorithm Validation: Evidence that implementations of cryptographic algorithms conform to their specifications
Module Design Documentation: Architecture, design, and implementation details
Testing Documentation: Test plans, procedures, and results
Vendor Evidence: Documentation demonstrating compliance with each applicable FIPS 140-3 requirement
Administrative Documentation: User and administrator guidance

Testing Considerations

Testing for FIPS 140-3 validation with PQC will include:

Algorithm Testing: Verification that algorithm implementations produce expected outputs for given inputs
Module Interface Testing: Validation of all module interfaces and services
Self-Test Verification: Confirmation that power-up and conditional self-tests function correctly
Side-Channel Analysis: Assessment of resistance to timing, power, and electromagnetic side-channel attacks
Physical Security Testing: For higher security levels, testing of tamper evidence, resistance, and response mechanisms
Entropy Assessment: Evaluation of random number generation quality

Hybrid Cryptography Considerations

During the transition period, hybrid approaches combining classical and post-quantum algorithms will be common. For FIPS 140-3 validation:

Aspect	Consideration	Recommendation
Algorithm Composition	How classical and PQC algorithms are combined	Document the composition method and security analysis. Consider standards like IETF Hybrid Key Exchange.
Key Management	Managing both classical and PQC keys	Ensure the module handles both key types securely and documents key lifecycle management for both.
Performance Impact	Additional computational and memory requirements	Document performance characteristics and ensure they meet operational requirements.
Validation Scope	Which algorithms are included in validation	Initially, only the classical algorithms will be validated. Document PQC algorithms as "non-approved but allowed."

FIPS 140-3 PQC Compliance Checklist

Use this checklist to track your organization's progress toward FIPS 140-3 compliance with post-quantum cryptography:

#	Task	Status	Timeline
1	Cryptographic Inventory Assessment Identify all cryptographic modules and algorithms in use	Not Started	Immediate
2	Risk Assessment Evaluate quantum threat timeline for your specific applications	Not Started	Immediate
3	Algorithm Selection Select appropriate PQC algorithms based on NIST recommendations	Not Started	When standards finalized
4	Transition Strategy Development Create a plan for transitioning to PQC while maintaining FIPS compliance	Not Started	1-3 months
5	Vendor Engagement Engage with vendors about their PQC roadmaps and FIPS 140-3 plans	Not Started	Ongoing
6	Implementation Testing Test PQC implementations in non-production environments	Not Started	3-6 months
7	Documentation Preparation Prepare documentation required for FIPS 140-3 validation	Not Started	6-12 months
8	Laboratory Selection Select an accredited testing laboratory for FIPS 140-3 validation	Not Started	When ready for validation
9	Validation Testing Submit module for testing and address any issues	Not Started	When PQC is FIPS-approved
10	Ongoing Compliance Maintain compliance through algorithm and module updates	Not Started	Continuous

Pro Tip: Start with a hybrid approach that maintains current FIPS compliance while preparing for the transition to PQC. This allows you to gain experience with PQC while meeting current regulatory requirements.

Resources and References

Official Documentation

FIPS 140-3 Standard

Official FIPS 140-3 publication

NIST CMVP

Cryptographic Module Validation Program

NIST PQC Project

Post-Quantum Cryptography Standardization

Implementation Guidance

FIPS 140-3 Implementation Guidance

Official guidance for implementing FIPS 140-3 compliant modules

Getting Ready for Post-Quantum Cryptography

NIST white paper on preparing for the transition to PQC

NIST SP 800-56C Rev. 2

Recommendation for Key-Derivation Methods in Key-Establishment Schemes

Testing Laboratories

FIPS 140-3 validation requires testing by an accredited laboratory. The following laboratories have experience with cryptographic validation:

North America

Europe

Asia-Pacific

Note: For the most current list of accredited laboratories, visit the NIST CMVP Laboratories page.

Need Expert Guidance on FIPS 140-3 PQC Compliance?

Our team of quantum security experts is available to provide personalized guidance for your organization's FIPS 140-3 compliance strategy.

Book a Consultation