Understanding FIPS 140-3: How It Strengthens Security and Compliance in Container Images

By
Minimus
November 21, 2025

You’ve probably come across FIPS 140-3 in documentation, compliance checklists, or conversations about cryptography. But what does it actually cover, and why does it matter for containerized environments?

In this post, we’ll break down what FIPS 140-3 is, how validation works, and why it’s increasingly essential for organizations building or deploying secure container images.

What is FIPS?

FIPS stands for Federal Information Processing Standard. Developed by NIST, these standards define how cryptography must be implemented to protect sensitive data in government systems, and, by extension, in industries that follow federal guidelines like FedRAMP, FISMA, or HIPAA.

Originally introduced in the 1970s, FIPS standards were designed to ensure that all federal agencies used consistent, proven approaches to information security and data protection. Over time, they’ve become the de facto benchmark for secure encryption practices across both public and private sectors.

Within cybersecurity, FIPS standards specify which cryptographic algorithms can be used and how those algorithms must be implemented and validated. This ensures not just theoretical security, but practical assurance that encryption modules perform correctly, resist tampering, and protect sensitive information as intended.

What is FIPS 140-3?

FIPS 140-3 is the third iteration of the Federal Information Processing Standard that governs how cryptographic modules are designed, tested, and validated. It builds on the earlier versions, FIPS 140-1 (1994) and FIPS 140-2 (2001), which first established and refined the framework for ensuring that encryption technologies used by federal agencies are implemented correctly and securely.

In other words, while other FIPS standards such as FIPS 197 (AES) or FIPS 202 (SHA-3) define what encryption does, the FIPS 140 series, and 140-3 specifically, defines how those algorithms must be implemented, tested, and maintained so that they can be trusted.

How FIPS 140-3 Aligns with International ISO Standards

One of the most significant changes from FIPS 140-2 to 140-3 is that 140-3 formally aligns with international ISO standards. This brought the U.S. and Canadian validation programs in line with the rest of the world, creating a single, harmonized framework for testing cryptographic modules.

FIPS 140-3 maps directly to two ISO standards:

  • ISO/IEC 19790 specifies the security requirements a cryptographic module must meet, such as physical protection, key lifecycle management, and self-tests to detect faults or tampering.
  • ISO/IEC 24759 defines the testing methodology that independent laboratories must follow to evaluate those modules. It details everything from required test vectors and environmental conditions to the evidence vendors must provide.

Together, these ISO standards ensure that every FIPS-validated module has been:

  • Independently tested by an accredited lab following a standardized, transparent process
  • Certified to the same technical baseline used by international partners
  • Documented and traceable, with all test results reviewed by NIST and CSE before a certificate is issued

This global alignment means FIPS validation isn’t just a U.S. government checkbox anymore; it’s an internationally recognized proof of cryptographic integrity. For global enterprises, that alignment allows one validation effort to satisfy multiple jurisdictions’ security and compliance requirements.

What is the CMVP validation process?

All FIPS 140-3 validations are managed under the Cryptographic Module Validation Program (CMVP), a joint initiative between NIST in the United States and the Canadian Centre for Cyber Security (CSE). The CMVP defines the entire testing and certification process, setting both the technical requirements for cryptographic modules and the rules that accredited testing labs must follow.

How the CMVP Validation Process Works

The CMVP validation process is a comprehensive, methodical validation system that leaves very little to interpretation. Vendors submit their cryptographic modules (whether software libraries, firmware, or hardware components) to independent labs that have been accredited under ISO/IEC 24759. These labs are responsible for proving that each implementation meets every aspect of the FIPS 140-3 standard.

The process is deliberate and detailed:

  1. Design and Documentation Review: Vendors first provide extensive documentation describing the module’s architecture, supported algorithms, key management design, and entropy sources used for randomness.

  2. Independent Lab Testing: Accredited labs conduct formal tests to ensure the implementation behaves exactly as required. This includes verifying the strength and unpredictability of entropy, testing error handling and self-tests, and assessing how keys are generated, stored, and destroyed.

  3. CMVP Review and Certification: Once testing is complete, the results are submitted to NIST and CSE for review. If approved, the module receives an official FIPS 140-3 certificate and is added to the public CMVP validation list.

Each validated module is also assigned a security level from 1 to 4, indicating its depth of protection, from software-only assurance at Level 1 to tamper-evident and tamper-resistant hardware at Level 4.

The purpose of FIPS validation extends far beyond algorithm correctness, since the math itself is rarely the weak point. Instead, validation focuses on how cryptography is implemented in practice, ensuring that the surrounding systems, dependencies, and key-handling processes are just as secure as the algorithms they rely on.

What is next for FIPS 140 and the CMVP?

Like everything in cybersecurity, FIPS isn’t standing still. NIST continues to evolve the CMVP program to keep pace with new threats, technologies, and performance expectations. In the coming years, organizations can expect:

  • Updated ISO standards that refine testing methods and expand international consistency.
  • Post-Quantum Cryptography (PQC) integration, enabling hybrid algorithms that combine classical and quantum-resistant protections.
  • Automated validation processes that make certification faster, more scalable, and better aligned with modern software release cycles.

These updates aim to make cryptography more flexible and future-ready. With a validated module, organizations can adapt to new algorithms and standards without starting over, an advantage that will be critical as quantum-safe encryption and automated validation become the norm.

Why do container images need FIPS 140-3 validated modules?

Cryptography isn’t something that lives on the edge of your infrastructure; it runs through every layer of it.

Every container image includes cryptographic libraries such as OpenSSL or BoringCrypto. Applications inside those containers call these libraries through APIs to handle encryption, signatures, and secure communication.

If those underlying crypto modules aren’t FIPS-validated, your containerized workloads can fall out of compliance and, worse, introduce security gaps that are invisible until audit time.
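Installing a validated library is not the same as running through it, so a build or admission step should verify that the FIPS module is actually active inside the image. The following POSIX shell checks are an added example, not code from the original post or from Minimus. They assume OpenSSL 3.x, where the FIPS module is loaded as a provider named fips, and a Linux kernel that exposes /proc/sys/crypto/fips_enabled; the provider listings embedded in the script are constructed samples in the shape that openssl list -providers prints, so the checks can be exercised on a host without FIPS enabled.

```shell
#!/bin/sh
# Added example (not code from the original post or from Minimus): checks a
# build or admission step can run inside a container to confirm that FIPS
# cryptography is actually in use, not merely installed.
#
# Assumptions: OpenSSL 3.x, where the FIPS module loads as a provider named
# "fips", and a Linux kernel that exposes /proc/sys/crypto/fips_enabled.

# Exit 0 if the provider listing read from stdin (the format of
# `openssl list -providers`) contains a provider block named "fips" whose
# status line reads "active"; exit 1 otherwise.
providers_fips_active() {
  awk '
    /^[ \t]*[A-Za-z0-9_.-]+$/ { name = $1; next }   # block header, e.g. "  fips"
    /status:/ && name == "fips" && $2 == "active" { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Print the version reported by the "fips" provider block on stdin, for an
# evidence record tying the image to a specific validated module version;
# print nothing if the provider is absent.
fips_provider_version() {
  awk '
    /^[ \t]*[A-Za-z0-9_.-]+$/ { name = $1; next }
    name == "fips" && /version:/ { print $2 }
  '
}

# Exit 0 if the kernel-wide FIPS flag file at $1 (normally
# /proc/sys/crypto/fips_enabled) contains "1"; exit 1 otherwise.
kernel_fips_enabled() {
  [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Constructed sample listings, in the shape OpenSSL 3 prints, so the checks
# can be exercised without a FIPS-enabled host.
SAMPLE_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active'

SAMPLE_NO_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active'

# Live mode: run the same checks against the container this script runs in.
# Usage: sh fips_check.sh --live
if [ "${1:-}" = "--live" ]; then
  if openssl list -providers | providers_fips_active; then
    echo "OpenSSL FIPS provider active, version $(openssl list -providers | fips_provider_version)"
  else
    echo "no active OpenSSL FIPS provider"
  fi
  if kernel_fips_enabled /proc/sys/crypto/fips_enabled; then
    echo "kernel fips_enabled=1"
  else
    echo "kernel fips_enabled flag not set"
  fi
fi
```

Both checks matter: the provider listing proves the application-level library is routing calls through the FIPS module, while the kernel flag shows whether the host was booted in FIPS mode, which many distributions use to switch system libraries into approved-only behaviour. Recording the provider version alongside the image digest gives auditors a direct link from the running workload to the module version named on its CMVP certificate.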

What FIPS Validation Guarantees

Using a FIPS 140-3 validated module isn’t just about checking a compliance box; it’s about measurable, verifiable assurance.

FIPS validation confirms that:

  • Algorithms are correct. Standards like AES, SHA-3, and emerging post-quantum cryptography (PQC) algorithms are implemented exactly as defined, without side-channel or coding errors.
  • Entropy is strong. Random number generation, the foundation of cryptographic strength, is tested and validated to prevent predictable outputs.
  • Keys are secure. Key generation, use, storage, and destruction (zeroization) follow strict requirements to prevent leaks or residue in memory.
  • Code is independently verified. Accredited labs review both the design and source to confirm the module behaves as documented and resists tampering.

Together, these controls give organizations provable assurance that their cryptography not only works, but has been verified by an independent authority against internationally recognized criteria.

Strengthening the Software Supply Chain

Validated crypto modules also improve supply chain security by removing ambiguity about what’s inside your images. Each FIPS 140-3 certificate lists:

  • The exact module name and version
  • The vendor responsible for validation
  • The validated platforms and operating environments

That transparency helps security teams track cryptographic provenance across the entire pipeline. When every container image is built on a validated module, you know precisely which version, library, and configuration is in use, and you can quickly prove it to auditors or customers.

This also reduces dependency risk. If your image provider maintains its own validation, you’re not relying on an upstream open-source maintainer to revalidate after a patch or kernel update. 

Meeting Regulatory and Compliance Requirements

FIPS 140-3 validation is explicitly required or strongly recommended in a wide range of regulatory frameworks and security programs, including:

  • FedRAMP and DoD SRG for cloud and government workloads
  • FISMA and NIST SP 800-53 for federal information systems
  • HIPAA for healthcare data protection
  • PCI-DSS for payment and financial systems
  • CJIS, GovRAMP, and other state and sector-specific mandates

In these environments, using non-validated cryptography can lead to non-compliance findings, failed audits, or contract ineligibility. By contrast, validated crypto gives teams defensible compliance evidence, a certificate that proves their encryption meets federal and international security standards.

FIPS Validation Challenges

Despite its clear benefits, FIPS validation remains a complex and resource-intensive process.

  • It’s slow. Achieving validation often takes months and requires extensive documentation, testing, and review.
  • It’s continuous. Any change (a kernel patch, library update, or CVE fix) can trigger the need for revalidation.
  • It’s specialized. True cryptographic expertise is rare, and maintaining it internally is costly.

Achieving and maintaining FIPS validation always requires investment. Either you build the expertise in-house and manage it yourself, or you rely on a partner who already has the capabilities in place.

How Image Providers Approach FIPS Validation

When it comes to FIPS, most organizations aren’t equipped to build and maintain their own FIPS-validated images, and they don’t need to be. Image providers (organizations that build, maintain, and distribute container images for others to use) can handle that work. 

Instead of teams assembling everything from scratch, image providers supply prebuilt, hardened, and continuously maintained images that become the foundation for applications and workloads.

Image providers typically follow one of three paths to get FIPS-validated cryptography:

  1. Use open-source modules as-is, relying on existing public validations.
  2. Revalidate open-source modules under their own name through an accredited lab.
  3. License a commercial validated module that includes vendor-backed maintenance and support.

Each model offers different trade-offs in effort, assurance, and long-term risk. Understanding which approach your image provider uses can directly influence your compliance posture, audit readiness, and how quickly you can patch or update critical systems.

In part two of this series, we’ll dig deeper into each model: how they work, who maintains compliance, and what they mean for your update cycles and day-to-day operations.

Simplify FIPS Compliance With Minimus

Minimus hardened container images are built with validated cryptography, continuous maintenance, and transparent compliance evidence, so you can deploy faster, pass audits confidently, and focus on what matters. Explore FIPS-validated Minimus images.
