FIPS 140

Compliance

Federal Information Processing Standard 140-2 (and successor 140-3) is a US/Canadian government standard for cryptographic module security. It defines four increasing levels of security requirements. Smart card secure elements used in government applications typically require FIPS 140-2 Level 3 or higher certification.

Also known as: FIPS 140-2, FIPS 140-3

FIPS 140 -- Cryptographic Module Security Standard

FIPS 140 (Federal Information Processing Standard Publication 140) is a US and Canadian government standard that specifies security requirements for cryptographic modules -- hardware, software, or firmware components that implement cryptographic functions. Published by NIST, the standard is mandatory for all cryptographic products used in US federal government systems and is widely adopted by financial institutions, healthcare organizations, and defense contractors worldwide.

Security Levels

FIPS 140-2 (and its successor 140-3) defines four progressively stringent security levels. Level 1 requires production-grade equipment and at least one approved algorithm. Level 2 adds tamper-evidence requirements (tamper-evident coatings or seals) and role-based authentication. Level 3 requires tamper-resistance (active tamper response mechanisms that zeroize keys upon physical intrusion) and identity-based authentication. Level 4 provides the highest level of physical security with environmental failure protection. Smart card secure elements used in government applications typically require Level 2 or Level 3 certification.

Smart Card Relevance

HSMs used in key ceremony procedures and card personalization systems require FIPS 140-2 Level 3 certification to handle master keys securely. PIV cards mandate that the on-card cryptographic module meets FIPS 140-2 Level 2, ensuring that RSA and ECC key operations are performed within a validated security boundary. CAC cards carry similar requirements under DoD policy. The transition from FIPS 140-2 to 140-3 (aligned with ISO/IEC 19790) introduces updated requirements for firmware integrity, non-invasive attack resistance, and multi-chip standalone module testing.

Validation Process

FIPS 140 validation is performed by accredited Cryptographic and Security Testing (CST) laboratories and certified by the Cryptographic Module Validation Program (CMVP), jointly administered by NIST and the Canadian Centre for Cyber Security. The validation process typically takes 6-18 months and results in a numbered validation certificate listed on the NIST CMVP website. Organizations selecting smart card products should verify that both the chip hardware and the on-card cryptographic library carry current FIPS 140 validation, as validation applies to a specific firmware version and configuration.

Frequently asked questions

The smart card glossary is a comprehensive reference of technical terms, acronyms, and concepts used in smart card technology. It covers protocols (APDU, T=0, T=1), security (Common Criteria, EAL, HSM), hardware (SE, EEPROM, contact pad), and applications (EMV, ePassport, eSIM). It serves developers, product managers, and engineers.

Yes. SmartCardFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai.