FIPS 140-3: Understanding the new security standard

FIPS 140-3 is a security standard used by the U.S. and Canadian governments to ensure encryption in IT products is properly tested and approved. When a product passes validation, it receives a certificate listing the product name, version and security assurance level ranging from level 1 to 4.

FIPS 140-3 certification is often required for U.S. federal agencies and contractors handling government data. It’s also widely adopted in other sectors where data protection is critical, such as healthcare, finance and defense, to meet regulatory or customer security expectations.

Staying compliant with FIPS 140-3 certified products

For organizations buying technology that must meet FIPS 140-3 requirements, the FIPS certificate is your proof that a product’s encryption has been tested and approved. Always ask the vendor for this certificate so you can confirm that the product is officially validated.

For IT operators, compliance depends on running the exact versions and settings that were tested. Even a small change, like updating to an unvalidated software version, can lead to noncompliance.

Key points to keep in mind

  • Who often needs to comply: Government agencies, contractors, healthcare providers, financial institutions and defense vendors.
  • How to confirm: Request the FIPS certificate number and verify it in the NIST CMVP validation list.
  • Main update from FIPS 140-2: The new version aligns with the international ISO/IEC 19790 standard and uses enhanced testing methods.
  • What to do now: Track validated software versions, use approved configurations and plan updates carefully to stay compliant.

Why FIPS 140-3 matters

FIPS 140-3 builds trust between vendors and customers by confirming that a product’s encryption meets government security standards, helping sellers prove reliability and buyers reduce compliance risks.

It defines who qualifies to sell and buy in regulatory markets

Public sector bids, defense supply chain work and many healthcare or financial procurements often require FIPS validation for any product that handles sensitive data. If you are a buyer, FIPS filters your vendor pool and protects you during audits. If you are a seller, FIPS is a qualification to compete for those contracts.

It reduces audit and renewal friction

Many security and compliance teams do not evaluate encryption from scratch. They look for a FIPS certificate number, module name, version and assurance level. When those details match your deployed version and settings, reviews move faster and issues drop.

It clarifies what “good” looks like

FIPS 140-3 is a clear, test-based result. It does not say “This product is generally secure.” It says, “This cryptographic module, at this version, passed these tests.” That precision helps buyers verify claims and helps operators keep systems in scope.

It enforces version discipline

Validation is version specific. If your environment drifts from the validated version or you toggle settings that break the validated boundary, you weaken your evidence. Staying aligned prevents findings and emergency rollbacks.

It facilitates faster decision-making

When procurement sees — FIPS 140-3 validated, Cert #XXXX, Module Y, Version Z — reviews are faster. When they see “supports FIPS” with no certificate, procurement teams often need to chase proof.

What FIPS 140-3 actually means

FIPS 140-3 certifies that a product’s cryptographic functions — such as encryption and key management — have been independently tested in an accredited lab. The goal is to ensure sensitive data, such as government or customer information, remains secure during transmission and storage.

A FIPS certificate is specific to a product and version. Each certificate lists the module name, version number, and the level of assurance, which ranges from 1 (basic) to 4 (highest). The validation applies only to the tested configuration. Changing settings or updating components may put the product outside its validated scope.

“Validated” means the product passed an official government-approved process. “Compliant” or “supports FIPS” means the vendor claims to follow the standard, but it has not gone through validation. For regulated environments, validation is what matters.

FIPS 140-3 vs. 140-2

The shift to 140-3 matters because it standardizes global testing practices. It makes certification results easier to verify and compare, helping buyers and compliance teams assess vendor security more quickly.

Topic: Recognition
  • FIPS 140-2: Older U.S. and Canadian standard
  • FIPS 140-3: Current version, aligned with ISO/IEC 19790
  • What you should do: Prefer 140-3 certificates when required

Topic: Evidence
  • FIPS 140-2: Varies by lab and product
  • FIPS 140-3: Clearer details on the certificate (name, version, level)
  • What you should do: Capture the certificate number, product name and version

Topic: Operations
  • FIPS 140-2: Less prescriptive about configuration
  • FIPS 140-3: More specific about documentation and operational behavior
  • What you should do: Align configurations and updates to the certified settings

How to verify a FIPS 140-3 claim

Verifying a FIPS 140-3 claim is straightforward when you know what to look for and where to find it.

  1. Ask for proof: Request the FIPS certificate number, product/module name, version, assurance level and supported platform.
  2. Check the database: Check the NIST CMVP validation list and confirm that the details match exactly.
  3. Confirm environment: Ensure your deployment runs the same version and configuration that appears on the certificate.
  4. Use clear language: For questionnaires, use phrasing like “FIPS 140-3 validated (Cert #XXXX), operating on version [X.X] as listed on CMVP.”

Doing this protects both buyers and vendors from audit findings caused by mismatched versions or unverifiable claims.

Operating in a FIPS-aligned way

To stay compliant after validation:

  • Maintain an inventory of all software and hardware in scope, noting their certified versions.
  • Standardize configurations to match the validated setup and avoid unapproved changes.
  • Apply updates carefully and confirm whether they affect the validated module, then recheck certification if needed.
  • Keep FIPS certificate PDFs with your posture reports so you can respond quickly to audits and RFPs.

Consistency between what’s certified and what’s deployed is key to maintaining compliance.
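The verification steps above and the inventory discipline in this section both come down to one check: does each deployed module match a certificate record exactly (name, version, approved configuration)? This added example is not from the original article or from Kaseya; it uses constructed certificate and inventory data with placeholder certificate numbers, and classifies each host into the pitfalls the article describes (vendor claim without a certificate, version drift, configuration drift).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CertRecord:
    """One entry as copied from the NIST CMVP validation list."""
    cert_number: str
    module_name: str
    version: str
    level: int

@dataclass(frozen=True)
class DeployedModule:
    """One module as reported by the asset inventory (e.g. an RMM agent)."""
    host: str
    module_name: str
    version: str
    fips_mode: bool  # the validated configuration requires approved mode to be on

# Constructed sample data: certificate numbers are placeholders, not real CMVP entries.
CERTS = [
    CertRecord("0000-PLACEHOLDER", "Example Crypto Module", "3.1.2", 1),
    CertRecord("0001-PLACEHOLDER", "Example Crypto Module", "3.0.0", 1),
]
INVENTORY = [
    DeployedModule("srv-01", "Example Crypto Module", "3.1.2", True),
    DeployedModule("srv-02", "Example Crypto Module", "3.1.3", True),   # patched past the cert
    DeployedModule("srv-03", "Example Crypto Module", "3.1.2", False),  # FIPS mode toggled off
    DeployedModule("ws-01", "Vendor FIPS-Compliant Lib", "2.0", True),  # claim, no certificate
]

def questionnaire_line(cert: CertRecord) -> str:
    """The wording the article recommends for security questionnaires."""
    return f"FIPS 140-3 validated (Cert #{cert.cert_number}), operating on version {cert.version} as listed on CMVP"

def check_module(dep: DeployedModule, certs: list[CertRecord]) -> tuple[str, str]:
    """Return (status, detail). Version comparison is exact: validation is version specific."""
    matches = [c for c in certs if c.module_name.casefold() == dep.module_name.casefold()]
    if not matches:
        return "not-validated", "no CMVP certificate on file; vendor claim only"
    exact = [c for c in matches if c.version == dep.version]
    if not exact:
        valid = ", ".join(sorted(c.version for c in matches))
        return "version-drift", f"deployed {dep.version}; validated versions: {valid}"
    if not dep.fips_mode:
        return "config-drift", f"Cert #{exact[0].cert_number} applies only with FIPS mode on"
    return "validated", questionnaire_line(exact[0])

def audit(inventory: list[DeployedModule], certs: list[CertRecord]) -> dict[str, tuple[str, str]]:
    """Map each host to (status, detail) so the result can go straight into an evidence report."""
    return {d.host: check_module(d, certs) for d in inventory}
```

Feed `audit()` the module list exported from your RMM and the certificate details copied from the CMVP entry; anything other than "validated" is a finding to fix or document as an exception before the next audit.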

Where RMM fits

Remote monitoring and management (RMM) platforms are essential for maintaining FIPS-aligned environments because they give IT teams visibility, control and documented proof of compliance across distributed systems. Kaseya VSA 10 and Datto RMM automate much of the manual work involved in tracking validated software, enforcing secure settings and recording evidence for audits.

Asset and version inventory

Identify the software and firmware versions running in your environment and record which ones map to validated modules.

Policy baselines

Enforce approved security settings across devices and prevent unauthorized changes that could affect validation.

Patch and change control

Stage and document updates to avoid breaking alignment with certified configurations.

Evidence and reporting

Generate client-ready reports that show in-scope devices, versions and compliance posture, along with any logged exceptions.

Note: Beginning November 2025, the SaaS version of VSA 10 will incorporate FIPS 140-3 validated cryptography, the highest government standard for encryption assurance in the U.S. and Canada. The on-premises version of VSA 10 will follow in January 2026, with Datto RMM planned to adopt the same FIPS 140-3 certified framework later in 2026. 

Playbooks you can run today

Kaseya VSA 10 and Datto RMM can be used to create repeatable workflows that help teams maintain FIPS-aligned operations every day. These playbooks turn complex compliance requirements into manageable, automated tasks that improve visibility, consistency and audit readiness.

  • Readiness check: Run discovery scans to find all endpoints and apps handling regulated data. Tag them in your RMM to track which systems fall under FIPS requirements.
  • Gap close: Use policy management to standardize configurations and enforce validated encryption settings. Set automated alerts for unapproved versions or configurations.
  • Operate: Monitor continuously through dashboards and patch tools. Test updates before deployment to ensure validated modules remain unaffected. Logged changes maintain your compliance record.
  • Renew: When audits or RFPs come up, export compliance reports from your RMM with version lists, patch histories and FIPS certificates for quick verification.

Common pitfalls and easy fixes

Even experienced IT teams can lose compliance alignment through small oversights. These are the most common mistakes to watch for, and how to correct them quickly.

  • Assuming marketing claims equal certification: Always verify certificate numbers.
  • Ignoring version specifics: FIPS validation ties to exact versions and environments.
  • Allowing configuration drift: Changing settings without documentation breaks evidence chains.
  • Mixing approved and unapproved components: Keep non-FIPS modules separate or document exceptions clearly.

FAQs

These are the questions most IT leaders and service providers ask when evaluating FIPS requirements and aligning their operations to the standard.

  • Do we need FIPS 140-3 if we’re not a government agency?

If your clients or partners handle government or regulated data, you might. Many contracts now extend FIPS requirements across the supply chain.

  • Is “FIPS-compliant” the same as “FIPS-validated”?

No. “Validated” means officially tested and listed. “Compliant” is self-declared and unverified.

  • How do I confirm a supplier’s claim quickly?

Check the CMVP validation list and match the product name, version and certificate number.

  • What changed from 140-2 that affects buying and operations?

FIPS 140-3 aligns with international standards, adds clearer documentation rules and simplifies verification.

  • Where does my RMM help?

RMM tools help maintain visibility, enforce settings and document evidence, but they don’t replace certification. You still need validated cryptographic modules.

Bringing FIPS 140-3 compliance into everyday operations

FIPS 140-3 isn’t just a technical specification — it’s a business requirement that defines who can sell to, serve or partner with regulated clients. Knowing how to verify and maintain compliance helps reduce audit friction, strengthen vendor trust and keep your organization eligible for high-value contracts.

With Kaseya’s November 2025 update, which brings FIPS 140-3 certified cryptography to the SaaS version of VSA 10, customers gain tools that align with the latest government standards and make operating securely in regulated environments more efficient. FIPS certification for the on-premises version of VSA 10 will follow in January 2026, with Datto RMM planned to adopt the same FIPS 140-3 certified framework later in 2026. 
