The Federal Information Processing Standard Publication 140-3 (FIPS PUB 140-3) is a U.S. government computer security standard used to approve cryptographic modules. The title is ''Security Requirements for Cryptographic Modules''. Initial publication was on March 22, 2019, and it supersedes FIPS 140-2.


Purpose

The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptography modules that include both hardware and software components. Federal agencies and departments can validate that the module in use is covered by an existing FIPS 140 certificate that specifies the exact module name, hardware, software, firmware, and/or applet version numbers. The cryptographic modules are produced by the private sector or open source communities for use by the U.S. government and other regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.


History

Efforts to update the FIPS 140 standard date back to the early 2000s. The FIPS 140-3 (2013 Draft) was scheduled for signature by the Secretary of Commerce in August 2013; however, that never happened and the draft was subsequently abandoned. In 2014, NIST released a substantially different draft of FIPS 140-3, which effectively directed the use of an International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standard, 19790:2012, as the replacement for FIPS 140-2. The 2014 draft of FIPS 140-3 was also abandoned, although the use of ISO/IEC 19790 did ultimately come to fruition. On August 12, 2015, NIST formally released a statement in the Federal Register asking for comments on the potential use of portions of ISO/IEC 19790:2014 in the update of FIPS 140-2. The reference to a 2014 version of ISO/IEC 19790 was an inadvertent error in the Federal Register posting, as 2012 is the most recent version. ISO/IEC 19790 has been reviewed and re-confirmed as recently as 2018, but without changes, hence retaining the 2012 version nomenclature. The update process for FIPS 140 was hamstrung by deep technical issues in topics such as hardware security and apparent disagreement within the US government over the path forward. The now-abandoned 2013 draft of FIPS 140-3 had required mitigation of non-invasive attacks when validating at higher security levels, introduced the concept of a public security parameter, allowed the deferral of certain self-tests until specific conditions are met, and strengthened the requirements on user authentication and integrity testing.


Cryptographic Module Validation Program

The FIPS 140 standard established the Cryptographic Module Validation Program (CMVP) as a joint effort by NIST and the Communications Security Establishment (CSEC) for the Canadian government, now handled by the CCCS, the Canadian Centre for Cyber Security, a new centralized initiative within the CSEC agency. Security programs overseen by NIST and CCCS focus on working with government and industry to establish more secure systems and networks by developing, managing and promoting security assessment tools, techniques, services, and supporting programs for testing, evaluation and validation. They address such areas as: development and maintenance of security metrics, security evaluation criteria and evaluation methodologies, tests and test methods; security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research to address assurance methods and system-wide security and assessment methodologies; security protocol validation activities; and appropriate coordination with assessment-related activities of voluntary industry standards bodies and other assessment regimes.


Approval and issuance

On March 22, 2019, the United States Secretary of Commerce Wilbur Ross approved FIPS 140-3, ''Security Requirements for Cryptographic Modules'', to succeed FIPS 140-2. FIPS 140-3 became effective on September 22, 2019. FIPS 140-3 testing began on September 22, 2020, although no FIPS 140-3 validation certificates have been issued yet. FIPS 140-2 testing is still available until September 21, 2021, creating an overlapping transition period of one year. FIPS 140-2 test reports that remain in the CMVP queue will still be granted validations after that date, but all FIPS 140-2 validations will be moved to the Historical List on September 21, 2026 regardless of their actual final validation date.


See also

* Common Criteria
* Tamper resistance
* FIPS 140
* FIPS 140-2
* Hardware security module
