On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019.
FIPS 140-3 aligns with ISO/IEC 19790:2012(E) and includes modifications of the Annexes that the Cryptographic Module Validation Program (CMVP) is allowed to make as a validation authority. The testing for these requirements will be in accordance with ISO/IEC 24759:2017(E), with the modifications, additions or deletions of vendor evidence and testing allowed as a validation authority under paragraph 5.2. Major changes in FIPS 140-3 are limited to the introduction of non-invasive physical requirements.
Sections 3.3 and 3.4 of FIPS 140-3 identify NIST publications that will modify the annex requirements of ISO/IEC 19790:2012(E) and ISO/IEC 24759:2017(E). The SP 800-140x documents are currently in development, and NIST plans to release drafts for public comment in September 2019. Final publication of those documents is expected to occur by March 2020. The draft and final publications will be available on the SP 800 publications page.
The following table summarizes those publications and their relationships to the two ISO/IEC standards:
NIST SP | Title | | ISO/IEC 19790:2012(E) | ISO/IEC 24759:2017(E) |
---|---|---|---|---|
SP 800-140 | FIPS 140-3 Derived Test Requirements (DTR) | modifies | -- | §6.1 through §6.12 |
SP 800-140A | CMVP Documentation Requirements | modifies | Annex A | §6.13 |
SP 800-140B | CMVP Security Policy Requirements | modifies | Annex B | §6.14 |
SP 800-140C | CMVP Approved Security Functions | modifies | Annex C | §6.15 |
SP 800-140D | CMVP Approved Sensitive Security Parameter Generation and Establishment Methods | modifies | Annex D | §6.16 |
SP 800-140E | CMVP Approved Authentication Mechanisms | modifies | Annex E | §6.17 |
SP 800-140F | CMVP Approved Non-Invasive Attack Mitigation Test Metrics | modifies | Annex F | §6.18 |
Clause 12 of the FIPS 140-3 announcement section provides an implementation schedule for FIPS 140-3. Below is a summary of that timeline, with additional proposed milestones.
March 22, 2019 | FIPS 140-3 Approved |
Mid-2019 | Drafts of SP 800-140x available for public comment |
September 22, 2019 | FIPS 140-3 Effective Date |
March 22, 2020 | CMVP program updates completed: |
September 22, 2020 | FIPS 140-3 Testing Begins |
September 22, 2021 | FIPS 140-2 Testing Ends |
On August 12, 2015, NIST published a Request for Information (RFI) in the Federal Register, requesting public comments on using the ISO/IEC 19790:2012 standard, Security Requirements for Cryptographic Modules, as the U.S. federal standard for cryptographic modules.
The RFI provided additional background information, including seven questions that NIST was especially interested in having addressed. The RFI also discussed NIST's intentions.
The comment period closed on September 28, 2015. NIST received comments from 17 organizations.