Common Criteria vs FIPS 140-3: What's the Difference?

If you work in IT security procurement or compliance, you have almost certainly encountered two standards: Common Criteria (ISO/IEC 15408) and FIPS 140-3. Both are used to evaluate the security of IT products, both are required in government procurement, and both involve accredited labs - but they solve different problems.

This guide explains the differences, when each applies, and how they work together.

The short answer

  • Common Criteria evaluates the overall security design of a product - access controls, audit logging, data protection, secure communications, and more. It asks: “Does this product do what it claims to do, securely?”
  • FIPS 140-3 evaluates cryptographic modules specifically - encryption algorithms, key management, random number generation, and physical tamper resistance. It asks: “Does this product implement cryptography correctly?”

They are complementary. A firewall might need a Common Criteria certification to prove its security architecture is sound, and a FIPS 140-3 validation to prove its cryptographic engine meets federal standards.

[Figure: Common Criteria scope covers the whole product (access control, audit and logging, secure communications, configuration, data protection, security architecture, identification and roles, management interfaces); the FIPS 140-3 scope is the cryptographic module inside it (crypto algorithms, key management, tamper resistance, self-tests and RNG).]
Common Criteria evaluates the whole product; FIPS 140-3 drills into the cryptographic module that lives inside it. Many products need both.

Scope and focus

Aspect                  | Common Criteria                                           | FIPS 140-3
------------------------|-----------------------------------------------------------|----------------------------------------------------------------
Standard                | ISO/IEC 15408                                             | NIST SP 800-140 series (derived from ISO 19790)
What it evaluates       | Entire product security design                            | Cryptographic module only
Assurance levels        | EAL1-EAL7                                                 | Levels 1-4
Requirements defined by | Security Targets and Protection Profiles                  | NIST-defined module requirements
Evaluation labs         | Common Criteria Testing Laboratories (ITSEFs)             | Cryptographic and Security Testing (CST) labs
Certificate issued by   | National CC scheme bodies (BSI, ANSSI, NIAP, etc.)        | NIST/CCCS (Cryptographic Module Validation Program - CMVP)
Mutual recognition      | 31 nations via CCRA                                       | US and Canada (CMVP)
Typical products        | Firewalls, operating systems, smart cards, databases      | HSMs, TPMs, VPN appliances, TLS libraries, disk encryption

How Common Criteria evaluations work

In a CC evaluation, the vendor writes a Security Target (ST) document that describes what the product does and what security claims it makes. Optionally, the ST conforms to a Protection Profile (PP) - a standardized set of requirements for a product category.

An accredited evaluation lab (ITSEF) then tests the product against the ST at a specified Evaluation Assurance Level (EAL1-EAL7). Higher EALs require more rigorous analysis: EAL1 is a basic functional test, while EAL4 involves source code review and vulnerability analysis. EAL5 and above add formal methods and are rare outside government/military contexts.

Once the evaluation passes, a national scheme body (like BSI in Germany, ANSSI in France, or NIAP in the USA) issues a certificate. Through the CCRA, certificates are recognized across 31 member nations.

For more detail, see our wiki article on Common Criteria.

How FIPS 140-3 validations work

FIPS 140-3 focuses specifically on the cryptographic boundary of a product - the module that performs encryption, decryption, hashing, signing, and key management.

The vendor submits the module to an accredited Cryptographic and Security Testing (CST) laboratory. The lab tests against 11 requirement areas defined by NIST, including:

  • Cryptographic algorithm correctness (using CAVP - Cryptographic Algorithm Validation Program)
  • Key management lifecycle
  • Physical security (for hardware modules)
  • Self-tests and error handling
  • Roles, services, and authentication

The module is validated at one of four levels:

  • Level 1 - Basic requirements, software-only modules
  • Level 2 - Adds tamper evidence (physical coatings or seals) and role-based authentication
  • Level 3 - Adds tamper resistance (active zeroization of keys when tampered) and identity-based authentication
  • Level 4 - Adds environmental failure protection and the highest physical security requirements

Certificates are issued jointly by NIST (USA) and CCCS (Canada) through the Cryptographic Module Validation Program (CMVP).
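The "self-tests and error handling" requirement above is the one part of FIPS 140-3 that shows up directly in code: a module runs known-answer tests (KATs) before offering any service, and a failed test must leave it in an error state that refuses all cryptographic operations. The following is an added illustration of that pattern, not code from any validated module; the CryptoModule class, its state names and the simulate_defective_build helper are hypothetical, while the KAT vectors are the published SHA-256 ("abc") and RFC 4231 HMAC-SHA-256 test-case-1 values.

```python
import hashlib
import hmac

# Known-answer test vectors: SHA-256("abc") from FIPS 180-4 and HMAC-SHA-256
# test case 1 from RFC 4231 (20-byte key of 0x0b, message "Hi There").
KATS = {
    "SHA-256": (
        lambda: hashlib.sha256(b"abc").hexdigest(),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ),
    "HMAC-SHA-256": (
        lambda: hmac.new(b"\x0b" * 20, b"Hi There", "sha256").hexdigest(),
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    ),
}


class ModuleError(Exception):
    """Raised when a service is requested while the module is not operational."""


class CryptoModule:
    """Hypothetical module: every service is gated on the pre-operational self-tests."""

    def __init__(self, kats=KATS):
        self.kats = kats
        self.state = "power-off"   # power-off -> operational | error
        self.failed = []

    def power_on(self):
        """Run all KATs; any single mismatch moves the module into the error state."""
        self.failed = [name for name, (run, expected) in self.kats.items()
                       if run() != expected]
        self.state = "error" if self.failed else "operational"
        return self.state

    def hmac_sha256(self, key, data):
        """Example service: refused unless the self-tests passed at power-on."""
        if self.state != "operational":
            raise ModuleError(f"service refused: state={self.state}, failed={self.failed}")
        return hmac.new(key, data, "sha256").hexdigest()


def simulate_defective_build():
    """Constructed fault: the SHA-256 implementation returns a wrong digest.

    Models a broken or tampered algorithm; the KAT must catch it at power-on."""
    kats = dict(KATS)
    kats["SHA-256"] = (lambda: "00" * 32, KATS["SHA-256"][1])
    return CryptoModule(kats)
```

A healthy module powers on as "operational"; the defective build powers on as "error" and every service call raises ModuleError until the fault is fixed and the module is re-initialised.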

When each is required

Common Criteria is typically required when:

  • A government agency procures IT products under regulations that reference CC or ISO 15408
  • A Protection Profile is mandated for a product category (e.g., NIAP requires PP conformance for US government network devices)
  • EU regulations like the Cybersecurity Act or sector-specific rules reference EUCC (the EU’s CC-based scheme)
  • Procurement RFPs specify EAL requirements

FIPS 140-3 is typically required when:

  • US federal agencies procure products that handle sensitive (non-classified) information - mandated by FISMA and OMB policy
  • Canadian federal agencies procure cryptographic products
  • Financial, healthcare, or other regulated industries adopt FIPS as a baseline for cryptographic assurance
  • DoD systems require FIPS-validated encryption for data at rest and in transit

Both are required when:

  • A product has broad security functionality (warranting CC) and performs cryptography (warranting FIPS)
  • Example: A VPN appliance might hold a CC certificate for its overall security architecture and a FIPS 140-3 validation for its IPsec/TLS cryptographic engine
  • Example: A hardware security module (HSM) might carry both certifications

Key differences in practice

Flexibility vs. prescription. Common Criteria is flexible - the vendor defines their own security claims in the Security Target, and evaluations are scoped accordingly. FIPS 140-3 is prescriptive - every cryptographic module is tested against the same NIST-defined requirements.

Timeline. CC evaluations typically take 6-18 months depending on EAL level and product complexity. FIPS 140-3 validations have historically taken 12-24 months due to CMVP queue backlogs, though NIST has been working to reduce this.

Cost. Both are expensive. CC evaluations at EAL2-EAL4 typically range from $150K-$500K+. FIPS validations range from $50K-$300K+ depending on module complexity and testing scope.

International recognition. CC certificates are recognized across 31 CCRA nations. FIPS validations are primarily recognized in the US and Canada, though many other countries accept FIPS-validated cryptography as a baseline.

How they work together

In practice, many products carry both certifications. The certifications are independent - passing one does not grant or imply the other. However:

  • A CC evaluation might reference FIPS validation as evidence that the cryptographic implementation is sound
  • A Protection Profile might require that the TOE’s cryptographic module be FIPS-validated
  • NIAP Protection Profiles for US government products frequently include FIPS 140 as a prerequisite

Tracking both

NenkinTracker currently focuses on Common Criteria certification tracking across all CCRA member schemes. If you need to monitor CC certifications across BSI, ANSSI, NIAP, and other schemes - with change detection and alerts - you can start tracking for free.

For FIPS 140-3, the authoritative source is the CMVP validated modules list maintained by NIST.
