About FIPS 140-3

What is FIPS 140

Federal Information Processing Standards (FIPS) are a collection of security standards publicly published by the US National Institute of Standards and Technology (NIST). The FIPS 140 regulation specifies requirements for cryptographic modules and covers both software and hardware components.

There are 11 areas of requirements the FIPS standard specifies:

  • cryptographic module specification,
  • cryptographic module ports and interfaces,
  • roles, services and authentication,
  • finite state model,
  • physical security,
  • operational environment,
  • cryptographic key management,
  • electromagnetic interference/electromagnetic compatibility (EMI/EMC),
  • self-tests,
  • design assurance, and
  • mitigation of other attacks.

The first FIPS 140 regulation, FIPS 140-1, was published on 11 January 1994. On 25 May 2001 FIPS 140-2 was issued and one year later FIPS 140-1 was withdrawn.

FIPS 140-3 and its Implementation

On 12 February 2005 the start of development of FIPS 140-3 was announced. In its early stages the new FIPS 140 series proposal suggested changing the previously used 4 levels of assurance to 5 (by adding Level 5), but the idea was later abandoned. The finalised version of FIPS 140-3 presents a significant change in the management of the FIPS standard by adopting two international standards instead of directly stating the cryptographic module requirements. The intention behind this is to make it easier for vendors and organisations to satisfy the requirements, and to facilitate future updates.

The first standard FIPS 140-3 relies on is ISO/IEC 19790:2012 - Security Requirements for Cryptographic Modules, which covers security requirements for cryptographic modules used in computer and telecommunication security systems.

The second is ISO/IEC 24759:2017 - Test Requirements for Cryptographic Modules. FIPS 140-3 made additional modifications to both standards' annexes with so-called NIST Special Publications (SPs):

| NIST SP | Title | | ISO/IEC 19790:2012(E) | ISO/IEC 24759:2017(E) |
|---|---|---|---|---|
| SP 800-140 | FIPS 140-3 Derived Test Requirements (DTR) | modifies | -- | §6.1 through §6.12 |
| SP 800-140A | CMVP Documentation Requirements | modifies | Annex A | §6.13 |
| SP 800-140B | CMVP Security Policy Requirements | modifies | Annex B | §6.14 |
| SP 800-140C | CMVP Approved Security Functions | modifies | Annex C | §6.15 |
| SP 800-140D | CMVP Approved Sensitive Security Parameter Generation and Establishment Methods | modifies | Annex D | §6.16 |
| SP 800-140E | CMVP Approved Authentication Mechanisms | modifies | Annex E | §6.17 |
| SP 800-140F | CMVP Approved Non-Invasive Attack Mitigation Test Metrics | modifies | Annex F | §6.18 |

These and other SP 800 documents can be found on NIST's official webpage. Currently only drafts of SP 800-140 are available, but according to the implementation schedule, their final versions are to be published on 22 March this year.

The official implementation schedule for FIPS 140-3 goes as follows:

| Date | Activity |
|---|---|
| March 22, 2019 | FIPS 140-3 Approved |
| September 22, 2019 | FIPS 140-3 Effective Date; Drafts of SP 800-140x (Public comment closed 12-9-2019) |
| March 22, 2020 | Publication of SP 800-140x documents; Implementation Guidance updates; Tester competency exam updated to include FIPS 140-3; Updated CMVP Program Management Manual |
| September 22, 2020 | CMVP accepts FIPS 140-3 submissions |
| September 22, 2021 | CMVP stops accepting FIPS 140-2 submissions for new validation certificates |
| September 22, 2026 | Remaining FIPS 140-2 certificates moved to Historical List |

---
Compiled by CREA plus Cybersecurity team.
