
FIPS 140-3 Security Requirements for Cryptographic Modules

Federal standard for cryptographic module validation, derived from ISO/IEC 19790:2012. It defines four increasing security levels, with requirements grouped into areas covering cryptographic module specification, interfaces, roles and authentication, software/firmware security, operational environment, physical security, non-invasive attack resistance, sensitive security parameter management, self-tests, life-cycle assurance, and mitigation of other attacks. Modules are validated through the NIST Cryptographic Module Validation Program (CMVP) using NVLAP-accredited testing laboratories.

Controls: 44
Total Mappings: 56
Publisher: NIST / CMVP
Version: 2019

AC Access Control

Control | Name | FIPS 140-3 References
AC-02 | Account Management | §7.4
AC-04 | Information Flow Enforcement | §7.3
AC-05 | Separation Of Duties | §7.4
AC-06 | Least Privilege | §7.4
AC-07 | Unsuccessful Login Attempts | §7.4

CA Security Assessment and Authorization

Control | Name | FIPS 140-3 References
CA-08 | Penetration Testing | §7.10

CM Configuration Management

Control | Name | FIPS 140-3 References
CM-02 | Baseline Configuration | §7.6
CM-03 | Configuration Change Control | §7.11
CM-05 | Access Restrictions For Change | §7.11
CM-06 | Configuration Settings | §7.2, §7.6
CM-07 | Least Functionality | §7.6
CM-14 | Signed Components | §7.5

IA Identification and Authentication

Control | Name | FIPS 140-3 References
IA-02 | User Identification And Authentication | §7.4
IA-05 | Authenticator Management | §7.4, §7.9
IA-07 | Cryptographic Module Authentication | §7.4

MP Media Protection

Control | Name | FIPS 140-3 References
MP-06 | Media Sanitization And Disposal | §7.9

PE Physical and Environmental Protection

Control | Name | FIPS 140-3 References
PE-03 | Physical Access Control | §7.7
PE-04 | Access Control For Transmission Medium | §7.7
PE-05 | Access Control For Display Medium | §7.7
PE-06 | Monitoring Physical Access | §7.7
PE-19 | Information Leakage | §7.7, §7.8
PE-20 | Asset Monitoring and Tracking | §7.7

RA Risk Assessment

Control | Name | FIPS 140-3 References
RA-03 | Risk Assessment | §7.8, §7.12
RA-05 | Vulnerability Scanning | §7.12
RA-07 | Risk Response | §7.12

SA System and Services Acquisition

Control | Name | FIPS 140-3 References
SA-03 | Life Cycle Support | §7.11
SA-04 | Acquisitions | §7.2, §7.11
SA-08 | Security Engineering Principles | §7.2
SA-10 | Developer Configuration Management | §7.5, §7.11
SA-11 | Developer Security Testing | §7.5, §7.11, §7.12
SA-15 | Development Process, Standards, and Tools | §7.11
SA-17 | Developer Security and Privacy Architecture and Design | §7.2

SC System and Communications Protection

Control | Name | FIPS 140-3 References
SC-03 | Security Function Isolation | §7.3
SC-07 | Boundary Protection | §7.3
SC-12 | Cryptographic Key Establishment And Management | §7.9
SC-13 | Use Of Cryptography | §7.2, §7.3, §7.9
SC-17 | Public Key Infrastructure Certificates | §7.9
SC-28 | Protection of Information at Rest | §7.8, §7.9
SC-34 | Non-modifiable Executable Programs | §7.5
SC-39 | Process Isolation | §7.6

SI System and Information Integrity

Control | Name | FIPS 140-3 References
SI-02 | Flaw Remediation | §7.12
SI-03 | Malicious Code Protection | §7.6
SI-06 | Security Functionality Verification | §7.10
SI-07 | Software And Information Integrity | §7.5, §7.10