FIPS 140-3: What MSPs and IT teams need to know
The U.S. federal, state and local governments have faced an unprecedented surge in cyberattacks in recent years, primarily driven by ransomware groups and nation-state actors. These threats have prompted regulators to strengthen security frameworks with stricter compliance requirements, many already in effect or being implemented in phases. For MSPs and IT teams that support government agencies and their providers/contractors, meeting these demands is critical — and that’s where FIPS 140-3 comes in.
FIPS 140-3 is a security standard used by the U.S. and Canadian governments to validate that encryption within IT systems is properly tested and approved. While internal IT teams in regulated sectors are required to follow this standard, FIPS 140-3 validated encryption also creates opportunities for MSPs across the public sector and other compliance-driven industries.
FIPS 140-3 supports alignment with key frameworks, including Criminal Justice Information Services (CJIS), Cybersecurity Maturity Model Certification (CMMC), the Federal Information Security Modernization Act (FISMA) and NIST 800-171. These frameworks serve as the compliance backbone for working with government agencies and highly regulated sectors, including healthcare, finance and education.
In this article, we’ll take a closer look at the FIPS security standard, with a focus on the latest FIPS 140-3 version. You’ll gain a clear understanding of what it means, who it applies to and how MSPs and IT teams can align with it — especially those serving federal, state and local governments or regulated verticals. We’ll also explore how Datto helps you meet these requirements with its all-new FIPS Mode for SIRIS 6.
What is FIPS 140-3?
FIPS 140-3 is the third iteration of the Federal Information Processing Standard that defines the security requirements for cryptographic modules used to protect sensitive data. It was published by the National Institute of Standards and Technology (NIST) on March 22, 2019, and supersedes the previous FIPS 140-2 standard.
This update was introduced to keep pace with evolving cybersecurity threats and align more closely with international standards, particularly ISO/IEC 19790. FIPS 140-3 ensures that cryptographic modules — whether in hardware, software or firmware — are designed to meet strict security guidelines. These include encryption algorithms, secure key management and tamper protection, all of which are critical for defending against today’s advanced cyberattacks.
At a high level, FIPS 140-3 provides a consistent framework for evaluating and validating encryption technologies used in federal systems. For organizations operating in or serving regulated sectors, it helps ensure that the tools they use meet globally recognized security benchmarks.
FIPS 140-3 vs. FIPS 140-2: What’s the difference?
While both standards set security requirements for cryptographic modules, FIPS 140-3 introduces several key updates that reflect the evolving cybersecurity landscape. Here’s how the two standards compare:
- International alignment: FIPS 140-3 is based on the globally recognized ISO/IEC 19790:2012 standard. This alignment supports broader international acceptance and consistency in cryptographic validation.
- Enhanced security requirements: The updated standard includes stricter criteria for software security, lifecycle management of cryptographic modules and better defenses against side-channel attacks, such as power analysis or timing-based exploits.
- Improved resilience: FIPS 140-3 addresses vulnerabilities discovered since the release of FIPS 140-2, offering stronger protection against modern threats and attack vectors.
- Modernized testing and validation: The new standard introduces changes to testing procedures and lab validation processes, helping ensure that certified modules stay secure as technology evolves.
Notably, FIPS 140-3 reflects a broader shift toward modern encryption practices and international compliance, making it essential for any organization that handles sensitive data or works with government systems.
What are the FIPS 140-3 levels?
FIPS 140-3 defines four distinct security levels, just like its predecessor. These levels are designed to match different operational environments and risk profiles. Each level builds on the last, with increasing requirements for physical and logical security. Understanding these levels helps MSPs and IT teams select the appropriate cryptographic module for their specific use case — whether it’s for general enterprise use or high-security government systems.
Level 1:
Level 1 is the baseline for cryptographic module validation. It requires the use of at least one approved encryption algorithm but has no specific physical security requirements beyond the use of production-grade equipment.
Key features:
- Use of approved cryptographic algorithms
- Standard production-grade hardware or software
- No physical tamper-evidence required
Typical use:
General-purpose software or devices in low-risk environments.
Level 2:
Level 2 introduces basic physical security protections and role-based access controls (RBAC). This level helps detect unauthorized attempts to access the module and separates user responsibilities.
Key features:
- Tamper-evident seals or coatings
- Role-based authentication to control user access
- Moderate physical protection against unauthorized access
Typical use:
Corporate IT systems and devices in controlled environments.
Level 3:
Level 3 offers a higher level of protection, including tamper-resistance and identity-based authentication. It also requires the module to automatically erase sensitive information in the event of a breach.
Key features:
- Tamper-resistant enclosures (e.g., hardened casings)
- Identity-based authentication for users
- Automatic zeroization of keys if tampering occurs
Typical use:
High-security networks, government systems and critical infrastructure.
Level 4:
Level 4 delivers the highest level of security defined by FIPS 140-3. Modules must protect against all forms of physical and environmental attacks, including voltage, temperature or humidity variations. The system must respond to any breach by immediately erasing sensitive data.
Key features:
- Full environmental protection against advanced attacks
- Active tamper detection and response
- Immediate zeroization of cryptographic keys and data
Typical use:
Defense systems, military environments and high-risk physical locations.
What mandates and frameworks require FIPS-validated modules?
FIPS-validated cryptographic modules are often mandatory under several federal mandates and industry frameworks. Understanding which standards require FIPS validation is essential for winning clients, maintaining compliance and protecting sensitive data.
Below are key mandates and frameworks that require or strongly recommend FIPS 140-3 (or previously 140-2) validated encryption:
NIST SP 800-171
NIST Special Publication 800-171 outlines requirements for securing Controlled Unclassified Information (CUI) in systems outside the federal government. It explicitly mandates the use of FIPS-validated cryptography for data protection.
Who it applies to:
Any organization handling CUI on behalf of U.S. federal agencies, including the Department of Defense (DoD) and civilian and intelligence agencies.
Tied regulations:
- DFARS 252.204-7012: Requires defense contractors and subcontractors to implement NIST SP 800-171 for handling Covered Defense Information (CDI) or CUI.
- CMMC v2 (Cybersecurity Maturity Model Certification): Requires NIST SP 800-171 controls to be implemented by DoD contractors to achieve Level 2 compliance.
FISMA
The Federal Information Security Modernization Act (FISMA) establishes the baseline for securing federal systems and data. It mandates the use of FIPS-validated cryptographic modules for any system that processes, stores or transmits federal information.
Who it applies to:
All federal agencies, state agencies working with federal programs (like Medicare or student loans), and private sector organizations that manage federal data or operate systems on the government’s behalf.
Related guidance:
FISMA is supported by NIST SP 800-53, which provides specific security control requirements, including cryptographic protections.
CJIS
Published by the Federal Bureau of Investigation (FBI), the Criminal Justice Information Services (CJIS) Security Policy mandates FIPS 140-2 or 140-3 validated encryption to protect Criminal Justice Information (CJI) both at rest and in transit. The transition to FIPS 140-3 is well under way: on September 21, 2026, FIPS 140-2 validations will be moved to the historical list. Once moved to historical, FIPS 140-2 may still be used for existing systems, but new procurements should use FIPS 140-3 certificates.
Who it applies to:
Law enforcement agencies and any third-party vendors or service providers that access or manage CJI under the FBI CJIS program.
Inherited standards and agency-specific frameworks
Several other compliance programs and federal agencies rely on FIPS validation through mappings to NIST frameworks:
- NIST SP 800-53: Forms the foundation for many security standards across federal agencies, mandating the use of FIPS-validated encryption for cryptographic operations.
- IRS Publication 1075: Requires FIPS 140 validation to protect Federal Tax Information (FTI) based on NIST SP 800-53.
- Agency-specific policies: Departments such as the Department of Justice (DoJ), the Department of Homeland Security (DHS) and the Department of Veterans Affairs (VA) have adopted NIST-based controls, making FIPS compliance critical for vendors and contractors.
What industries need FIPS 140-3?
While FIPS 140-3 is a federal standard, its influence reaches far beyond government systems. Many industries either require or benefit from using FIPS-validated cryptographic modules due to the sensitivity of the data they handle. For MSPs and IT vendors, delivering FIPS-compliant solutions helps unlock opportunities across these sectors while ensuring alignment with strict security expectations.
Federal government (Required)
FIPS 140-3 is mandatory for all U.S. federal agencies. This includes any system that stores, processes or transmits sensitive federal data.
It’s also required for organizations handling Controlled Unclassified Information, including contractors and vendors supporting federal programs, departments or agencies. Criminal justice systems used for case management, e-discovery and evidence storage often fall under this requirement due to the sensitivity of the data.
State and local government (Required)
State and local government agencies, including justice departments, law enforcement and municipal systems, frequently inherit or apply federal cybersecurity standards. FIPS 140-3 validation is often required or strongly recommended for vendors working with state or local entities, especially when public safety or citizen data is involved.
Healthcare (Leveraged)
In healthcare, FIPS validation is a key enabler of compliance under the Health Insurance Portability and Accountability Act (HIPAA). It strengthens the encryption of Protected Health Information (PHI) during storage and transmission, helping to meet HIPAA’s technical safeguards for data confidentiality.
Finance (Leveraged)
Financial institutions operate under stringent regulations from bodies such as the Federal Financial Institutions Examination Council (FFIEC), the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA). FIPS-validated encryption enhances data protection for transactions, records and client data, supporting compliance across the board.
Energy and utilities (Leveraged)
Organizations in the energy and utility sector often align with the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards. FIPS 140-3 validated encryption helps these entities meet their compliance obligations and secure vital infrastructure from cyberthreats.
Education (Leveraged)
Colleges and universities may be required to use FIPS-validated systems when handling federal research grants, student financial aid data or other sensitive information tied to federal programs. Even when not mandated, FIPS compliance can strengthen data protection and support funding eligibility.
Why FIPS 140-3 is important for MSPs and IT teams
For MSPs and IT teams, FIPS 140-3 isn’t just another compliance box to check — it’s a foundational standard that defines trust, credibility and long-term viability in regulated environments.
Here’s why it matters:
1. Highest level of cryptographic assurance
FIPS 140-3 validated cryptography means that encryption modules have undergone formal testing and been approved by NIST-accredited laboratories. Unlike vendor claims of “strong encryption,” FIPS validation eliminates guesswork by ensuring:
- Only rigorously tested, government-approved encryption is used.
- No unverified, custom-built or home-grown cryptographic tools are involved.
- Encryption aligns with the highest standards recognized in U.S. federal cybersecurity policy.
This independent validation gives MSPs and IT teams confidence in the tools they deploy, especially when handling sensitive or regulated data.
2. Legal and contractual requirement
Requirements for FIPS-validated modules are often written directly into law, agency policies or government contracts. If you serve any of the following sectors, FIPS 140-3 is a mandatory requirement:
- Federal contractors handling Controlled Unclassified Information under NIST SP 800-171, DFARS or CMMC.
- Law enforcement and public safety agencies under the FBI’s CJIS policy.
- State and local agencies managing citizen or taxpayer data, as outlined in IRS Publication 1075.
- Federal workloads and programs governed by FISMA, FedRAMP or DoD SRG.
- Organizations following NIST SP 800-53 controls (directly or via inherited policies).
Failing to meet these requirements can result in disqualification from contracts, failure to pass audits or regulatory penalties.
3. Reduced risk and liability
Using FIPS-validated encryption is one of the fastest ways to strengthen an organization’s security posture. It significantly lowers the risk of:
- Fines or legal action following a data breach.
- Contract termination due to non-compliance.
- Mandatory breach notifications under data protection laws.
- Denied claims or loss of coverage from cyber insurance providers.
By embedding proven cryptographic protections, MSPs and IT teams can improve defensibility and reduce exposure across the board.
4. Supports long-term compliance and future-readiness
Regulatory landscapes are tightening. Governments and industries around the world are moving toward stricter encryption rules, zero trust security frameworks and mandatory use of validated cryptography. FIPS 140-3 positions MSPs and IT teams to stay ahead of these changes and scale securely as new requirements emerge.
5. Creates a competitive advantage
For MSPs in particular, offering FIPS 140-3 validated solutions is a strong market differentiator. It signals:
- Mature and audit-ready security practices.
- Capability to serve high-compliance verticals like healthcare, finance, defense and government.
- A commitment to enterprise-grade protection.
Whether you’re looking to enter new markets or deepen relationships with regulated clients, FIPS validation sets your services apart.
Get FIPS 140-3 validated encryption inside Datto SIRIS 6
As compliance requirements continue to tighten across various sectors, including government, finance, healthcare and education, adopting solutions built to meet the highest federal encryption standards is crucial.
Datto is setting a new benchmark in secure backup and disaster recovery with the introduction of FIPS 140-3 Inside in its SIRIS 6 appliances. This means end-to-end cryptographic protection, validated to FIPS 140-3 standards, is now available across local backup, recovery and virtualization workflows.
FIPS Mode combines Datto’s recovery-first architecture with FIPS-validated cryptography across the full stack, delivering compliant continuity without compromise. It’s the same platform trusted by thousands of MSPs worldwide, now hardened for clients that demand government-grade assurance.
SIRIS 6 allows you to easily activate FIPS Mode at no additional cost across all supported hardware form factors, including rack mount, mini PC and desktop. It delivers FIPS 140-3 Inside* for the collection and transmission of encrypted data, supporting both Windows and Linux workloads, which helps you stay compliant without compromising performance.
As of December 2025, Datto Cloud supports FIPS 140-2 Inside**, with FIPS 140-3 Inside scheduled for release in 2026 — helping ensure FIPS validation across your entire backup and recovery stack.
For MSPs and IT teams seeking to meet stringent compliance mandates, mitigate risk and deliver enterprise-grade protection, Datto SIRIS 6 with FIPS 140-3 Inside is the solution designed for the job. Explore SIRIS 6 to see how Datto helps you meet the highest encryption standards.
*Datto SIRIS 6 appliances, Datto Windows Agent, Datto Linux Agent: FIPS 140-3 Inside Certificate #5040, FIPS 140-3 Inside Certificate #4794, FIPS 140-3 Inside Certificate #4894
**Datto Cloud: FIPS 140-3 Inside Certificate #5040, FIPS 140-2 Inside Certificate #3966, FIPS 140-2 Inside Certificate #4366