Having now been signed by the U.S. Commerce Secretary, it is official, FIPS 140-3 has been approved!
“This notice announces the Secretary of Commerce’s issuance of Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules. FIPS 140-3 includes references to two existing international standards: International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E) Information technology — Security techniques — Security requirements for cryptographic modules, and ISO/IEC 24759:2017(E) Information technology — Security techniques — Test requirements for cryptographic modules. As permitted by those standards, NIST Special Publication (SP) series 800-140 will specify updates, replacements, or additions to the currently-cited ISO/IEC standard, as necessary. Those new SP 800-140 documents (currently under development) will consolidate implementation guidance and administrative guidance, and will be made available for public review and comment.”
The new SP 800-140 documents are still in development, so we don’t have a fully vetted list of implementation and administrative guidance yet. Many of the supplemental and more detailed documents have not been released. They are scheduled to be released for comment later this year:
“Sections 3.3 and 3.4 of FIPS 140-3 identify NIST publications that will modify the annex requirements of ISO/IEC 19790:202(E) and ISO/IEC 24759:2017(E). The SP 800-140x documents are currently in development and NIST plans to release drafts for public comment in mid-2019. Final publication of those documents will occur by September 22, 2019”
Companies actively working on or planning a FIPS validation will inevitably face decisions around which standard to work towards. The following dates will be critical for those projects:
- Draft For Comments: Mid 2019
- Effective Date: 9/22/19
- Publication of the Standard: 9/22/19
- CMVP Program Updates: 3/22/20
- New Testing Begins: 9/22/20
- 140-3 Mandated & The Last Day for 140-2 Submissions: 9/22/21
- This means Labs must submit their Lab reports to CMVP by this date.
- Get Ahead: Be the first to complete the new standard (FIPS 140-3)
- Revalidate Early: Avoid the new requirements prior to the mandated transition date and add 5 years to your current FIPS 140-2 validation
- Plan Accordingly – Products being evaluated against FIPS 140-2 during testing transition may face problems completing their certification under old requirements.
Early Review and Analysis:
This release has been a long time coming. We still expect additional updates and changes to come, but Corsec has reviewed the public documents and found the following areas to be of interest:
- This version of FIPS 140-3 retains the 4 levels of validation
- The sections in FIPS 140-3 are now as follows:
- Cryptographic Module Specification
- Cryptographic Module Interfaces
- Roles, Services, And Authentication
- Software/Firmware Security
- Operating Environment
- Physical Security
- Non-Invasive Security
- Sensitive Security Parameter Management*
- Life-Cycle Assurance
- Mitigation of Other Attacks
*Sensitive Security Parameters is a new category – SSPs include both CSPs and PSPs (Public Security Parameters)
**Finite State Model was removed but may have been absorbed into section 11
***EMI/EMC was removed. There was no mention of EMI/EMC in the draft ISO 24759 either.
- CMVP wants to minimize the content in the series of NIST SP 800-140800-140 documents because they hope to be as close to the international standard as possible. These are the documents that we believe will replace the existing FIPS 140-2 DTR, Appendices, and Annexes:
- NIST SP 800-140 – FIPS 140-3 Derived Test Requirements
- NIST SP 800-140A – CMVP Documentation Requirements
- NIST SP 800-140B – CMVP Security Policy Requirements
- NIST SP 800-140C – CMVP Approved Security Functions
- NIST SP 800-140D – CMVP Approved Sensitive Security Parameter Generation and Establishment Methods
- NIST SP 800-140E – CMVP Approved Authentication Mechanisms
- NIST SP 800-140F – CMVP Approved Non-Invasive Attack Mitigation Test Metrics
- A notable omission from the new SP 800-140 series is any reference document for Approved Protection Profiles from Common Criteria (a CC-certified operating system was required for software validations at level 2 and above).
- Noteworthy Text:
“Major changes in FIPS 140-3 are limited to the introduction of non-invasive physical requirements.”
Corsec participates in numerous committees, technical working groups, certification leadership positions, and industry events. As more information develops, we will deliver updates. Stay informed on all the program details, requirements, and timelines associated with FIPS 140-3 – Subscribe
For any questions on how this will affect current or future FIPS projects, contact Corsec!
Corsec Director of Marketing