The U.S. federal government’s transition to the FIPS 140-3 cryptography standard has begun, with NIST announcing that all FIPS 140-2 certificates will be retired in September 2026. Cerberus FTP Server versions 12.11 and higher have moved to OpenSSL 3, which will extend FIPS validation through the end of 140-2’s lifecycle, and future versions of Cerberus will include FIPS 140-3 validation.
This post will discuss the reasons behind NIST’s transition and the benefit of FIPS 140-3 validation for data transfer.
What’s new in FIPS 140-3?
Cryptography
FIPS 140-3 extends cryptography standards beyond hardware to include both firmware, software, and hybrid modules.
- Block ciphers must use AES 128 or higher algorithms for encryption. Older algorithms such as TDEA and SKIP JACK may only be used for legacy decryption
- Digital signatures must use security greater than or equal to 112 bits for any new signature generation
- Hash functions have received further guidance on appropriate use cases in the FIPS 140-3 Transition Documentation
Additionally, FIPS 140-3 now includes a “Self-Initiated Cryptographic Output Capability,” which is an automated functioning module that can execute cryptographic operations or other approved security functions autonomously.
Roles & Authentication
Adherence to ISO 19790‘s authentication levels remains in place, but level 4 authentication must now be performed via multi-factor identify-based authentication. This requirement has changed due to the upgrade from 140-2’s trusted path to 140-3’s trusted channel and its effort to secure communications between the cryptographic module and the endpoint device.
140-3 also adds a fifth control output interface that will indicate the state of an operation, which can help troubleshoot.
The only required role in FIPS 140-3 is the crypto officer role, although the user and maintenance roles remain options.
Validation and Testing
Because hybrid modules (hybrid firmware, hybrid software, etc.) are included in FIPS 140-3, a wider variety of vendors and resources will be able to apply for validation beyond level 1. This should open up a more extensive toolset for secure transfer, which is always a positive.
Testing has changed as well:
- FIPS 140-3 now requires a Pre-Operational Self-Test (POST) and the Conditional Algorithm Self-Test.
- Known Answer Tests now only run prior to using an algorithm.
- The POST now focuses on memory integrity.
Cryptography is complex, and we hope this blog has helped you understand what is changing in the transition to FIPS 140-3. Click here to learn more about FIPS 140 compliance with Cerberus FTP Server. To learn more about Cerberus FTP Server, visit cerberusftp.com.
