Why FIPS 140-3?
On May 1, 2019, the Federal Register announced that the Secretary of Commerce had approved Federal Information Processing Standards Publication 140-3 (FIPS 140-3), which supersedes FIPS 140-2, on March 22, 2019.
FIPS 140-3 modernizes the standard and indicates that manufacturers should now use the international standard ISO/IEC 19790:2012(E), which NIST has developed working closely with international industry to unify several cryptographic security standards. This means that a FIPS 140-3 validated cryptographic module can have higher international acceptance than a FIPS 140-2 validated one.
In addition, the requirements specified in this standard will be tested in accordance with ISO/IEC 24759:2017(E), together with all the modifications, additions or deletions that FIPS 140-3 implies.
Timeline
Now that FIPS 140-3 has been approved, these are the important dates in the proposed timeline for FIPS 140-3 implementation:
- March 22, 2019: FIPS 140-3 Approved
- September 22, 2019: FIPS 140-3 Effective Date. This is the date by which Labs will already have developed the testing tools for FIPS 140-3 validations and NIST will already have made the SP 800-140 documents available.
- September 22, 2020: FIPS 140-3 Testing begins.
- September 22, 2021: FIPS 140-2 Testing ends. The FIPS 140-2 certificates will remain active until their sunset date (typically 5 years after the validation date).
FIPS 140-3
As specified above, FIPS 140-3 complies with a modified version of the following standards:
- ISO/IEC 19790:2012(E): Information Technology – Security techniques – Security Requirements for Cryptographic Modules
- ISO/IEC 24759:2017(E): Information Technology – Security techniques – Test Requirements for Cryptographic Modules
FIPS 140-3 specifies the modifications in the NIST SP 800-140 documentation, as shown in the following table:
NIST Special Publication | Title | Modifies ISO/IEC 19790:2012(E) | Modifies ISO/IEC 24759:2017(E)
---|---|---|---
SP 800-140 | FIPS 140-3 Derived Test Requirements (DTR) | -- | Sections 6.1 to 6.12
SP 800-140A | CMVP Documentation Requirements | Annex A | Section 6.13
SP 800-140B | CMVP Security Policy Requirements | Annex B | Section 6.14
SP 800-140C | CMVP Approved Security Functions | Annex C | Section 6.15
SP 800-140D | CMVP Approved Sensitive Security Parameter Generation and Establishment Methods | Annex D | Section 6.16
SP 800-140E | CMVP Approved Authentication Mechanisms | Annex E | Section 6.17
SP 800-140F | CMVP Approved Non-Invasive Attack Mitigation Test Metrics | Annex F | Section 6.17
FIPS 140-2 vs FIPS 140-3
The SP 800-140x documents are currently being developed, so the changes with respect to FIPS 140-2 are not completely clear yet.
However, as specified on the NIST webpage and in the Security Requirements for Cryptographic Modules (FIPS PUB 140-3) document, major changes in FIPS 140-3 are limited to the introduction of non-invasive physical requirements and to the improvement of some self-tests.
Conclusion
Although FIPS 140-3 has been officially approved, it is too early to know all the changes that it will imply with respect to its predecessor. However, there is no doubt that updating the standard after so many years is good news.
Hopefully more insights will be known during ICMC next week in Vancouver.