U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

Secure websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to our website. Please do not share sensitive information with us.

This is an archive
(replace .gov by .rip)

Cryptographic Module Validation Program CMVP

FIPS 140-3 IG Announcements

FIPS 140-3 IG - Latest version

[11-05-2021]

New Guidance:

    • D.P SP 800-56Crev2 One-Step Key Derivation Function Without a Counter

Updated Guidance:

 

    • Added a space to all ENT entries to ENT (P) or ENT (NP).
    • 2.4.B Tracking the Component Validation List – Added references to SP 800-56Arev3 for the ECC-CDH primitive CVL in Resolution #1.
    • 2.4.A Definition and Use of a non-Approved Security Function – Synchronized minor text in the Resolution to be consistent with IG 1.23 (FIPS 140-2).  Clarified XOR example with a note.  Added Additional Comment #2 to further clarify when a vendor can apply this IG.
    • 10.3.A Cryptographic Algorithm Self-Test Requirements – Spelled out the ENT self-test requirements to avoid ambiguity.
    • C.F Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 – Added Table 1 with a more relaxed upper bound limit and introduced supporting text including adding two new Additional Comments.  Clarified the minimum number of the Miller-Rabin tests. Cleaned up old text in the Additional Comments.
    • D.C References to the Support of Industry Protocols – Included guidance on the use of AES-CBC-MAC within OTAR.
    • D.J Entropy Estimation and Compliance with SP 800-90B – Added Additional Comment #10 to clarify when other parties can write a labs’ entropy source description and its heuristic entropy analysis.
    • D.L Critical Security Parameters for the SP 800-90A DRBGs – Added Additional Comment on the CTR_DRBG without a derivation function.

[08-30-2021]

New Guidance:

  • 10.3.D Error Logging
  • 10.3.E Periodic Self-Testing
  • E.A Applicability of Requirements from SP 800-63B

Updated Guidance:

  • 5.A Non-Reconfigurable Memory Integrity Test – Incorporated end of life procedures.

[05-04-2021]

New Guidance:

    • 2.4.C Approved Security Service Indicator
    • 9.7.B Indicator of Zeroization
    • 10.3.C Conditional Manual Entry Self-Test Requirements
    • 11.A CVE Management
    • 12.A Mitigation of Other Attacks
    • D.O Combining Entropy from Multiple Sources

Updated Guidance:

    • 3.4.A Trusted Channel – clarified in the last bullet in Resolution 2 that the operator must stay in control over the physical path and prevent any unauthorized tampering.
    • 4.1.A Authorised Roles - Clarified the requirements of the text “or other services that do not affect the security of the module”.
    • 10.3.A Cryptographic Algorithm Self-Test Requirements – Updated to remain consistent with FIPS 140-2 IG 9.4. Also, clarified self-test rules around the PBKDF Iteration Count parameter.
    • C.H Key/IV Pair Uniqueness Requirements from SP 800-38D - Removed Scenario 2’s second and fourth bullets and added the reasoning as Additional Comment #4.
    • D.F Key Agreement Methods - Removed Additional Comment 10 since SP 800-56Arev3 testing is available and therefore vendor affirming to this standard is not permitted.
    • D.G Key Transport Methods - Added “if applicable” for key confirmation under the first approved method.
    • D.J Entropy Estimation and Compliance with SP 800-90B - Updated to align ENT references with that of IG D.O.

[09-21-2020]

The first release of the FIPS 140-3 Implementation Guidance document was published on September 21, 2020. This release incorporates 41 IGs, down from the 104 IGs currently in FIPS 140-2 IG document. Many of the IGs were no longer required as they were incorporated into ISO/IEC 19790, ISO/IEC 24759, and the SP 800-140x documents. Many thanks to those who helped identify, draft, review, and publish this new CMVP document.

Created October 11, 2016, Updated November 17, 2021