/Logo%202023.svg "Logo 2023"){kind=small}
/Group.svg "Group"){kind=small}
3 min read
FIPS 140 (“Federal Information Processing Standard”) is a series of security standards published by the U.S. government that specify security requirements for the evaluation of cryptographic modules. This article explores various aspects of the latest release of FIPS 140-3.
This standard covers the implementation of cryptographic modules including hardware and/or software modules or a combination of both. It is mandatory in the USA, Canada, and some other countries to only incorporate the FIPS 140 certified/validated cryptographic modules in the business solutions. Many corporate organizations dealing in the financial and payment industry follow the same standard practice across the globe. This article enlightens various aspects of the latest release of FIPS 140-3 (see Federal Information Processing Standards FIPS).
History of FIPS 140 and Implementation Timeline of FIPS 140-3
The security requirements defined in the FIPS series of standards are based on the guidance provided by the Federal Government of the US and the corporate private sector. The core aim of these requirements is to provide assistance in defense against malicious attacks. The 1st release/edition FIPS 140-1 was released on 11th January 1994. FIPS 140-2 was released on the 25th May 2001 and last updated on 3rd December 2002. FIPS 140-3 titled “Security Requirements for Cryptographic Modules” was approved on March 22, 2019. The release and implementation timeline (along with additional proposed milestones) of FIPS 140-3 is as follows:
|
Date |
Event |
|
March 22, 2019 |
FIPS 140-3 Released |
|
September 22, 2019 |
FIPS 140-3 Effective Date |
|
October 9, 2019 |
Drafts of the SP 800-140 documents were released for public comment. The comment period will be 60 days, from October 9th to December 9th |
|
March 22, 2020 |
CMVP program updates completed:
|
|
September 22, 2020 |
FIPS 140-3 Testing Begins |
|
September 22, 2021 |
NIST will stop accepting the FIPS 140-2 validation/testing submissions. |
FIPS 140-3 is not going to immediately replace FIPS 140-2. It will work alongside FIPS 140-2. The validation process for FIPS 140-2 will carry on for a year after the FIPS 140-3 validation starts.
The Finalization of FIPS 140-3
The finalization and launching of FIPS 140-3 represent the formal adoption of two existing international standards along with some modifications to its annexes:
- ISO/IEC 19790:2012 - Security Requirements for Cryptographic Modules
- It specifies the detailed requirements for the security evaluation of the cryptographic module for the protection of sensitive information. ISO/IEC 19790:2012 Standard defines four security levels for each of eleven requirement areas with each security level increasing security over the preceding level.
- ISO 24759:2017 - Test Requirements for Cryptographic Modules.
- This specifies the mechanism and procedures to be employed by the testing labs to ensure that the cryptographic module follows the specified requirements of ISO/IEC 19790:2012. The core aim of the development of this standard is to deliver authenticity and conformation to the testing process to be the same across all the testing labs. It also highlights the information format (subsidiary evidence for demonstration of compliance to ISO/IEC 19790:2012) that is provided by the vendors/developers to the testing labs.
Since the FIPS 140-3 is now more thoroughly aligned with the international ISO/IEC standards, vendors and organizations will be less impacted with the changes/updates and they can easily cope with them. Just like FIPS 140-2, FIPS 140-3 also provisions four security levels with the aim to cover a large spectrum of potential application architectures and deployment platforms. FIPS 140-2 dealt with the security requirements once it has been finalized, but FIPS 140-3 spans the security requirements starting from the design phase, implementation and final operational deployment of a cryptographic module. The security requirements identified in FIPS 140-3 are purely envisioned for the security provisioned by a particular cryptographic module, not for the overall security of architecture in which the crypto module is being deployed.
FIPS 140-3 Special Publications (SP)
|
NIST SP |
SP Title |
|
FIPS 140-3 Derived Test Requirements (DTR) |
|
|
CMVP Documentation Requirements |
|
|
CMVP Security Policy Requirements |
|
|
CMVP Approved Security Functions |
|
|
CMVP Approved Sensitive Security Parameter Generation and Establishment Methods |
|
|
CMVP Approved Authentication Mechanisms |
|
|
CMVP Approved Non-Invasive Attack Mitigation Test Metrics |
Summary
FIPS 140-3 has been finally approved and launched as the latest standard for the security evaluation of cryptographic modules. It covers a large spectrum of threats and vulnerabilities as it defines the security requirements starting from the initial design phase leading towards the final operational deployment of a cryptographic module. FIPS 140-3 requirements are primarily based on the two previously existing international standards ISO/IEC 19790:2012 “Security Requirements for Cryptographic Modules” and ISO 24759:2017 “Test Requirements for Cryptographic Modules”.
References and Further Reading
- More articles on FIPS 140 (2018 - today), by Terry Anton, Asim Mehmood, Martin Rupp and more
- Current Federal Information Processing Standards (FIPS) (2019), by the NIST Information Technology Laboratory
- Compliance FAQs: Federal Information Processing Standards (FIPS) (2019) by the NIST
- FIPS 140-3 Development (2019), by the NIST Information Technology Laboratory