While FIPS 140-2 continues on through 2026, development to support and validate FIPS 140-3 modules must be in place by September 2020. This project addresses questions concerning the process of migrating from FIPS 140-2 to FIPS 140-3. The transition process includes organizational, documentation and procedural changes necessary to update and efficiently manage the ever increasing list of security products that are tested for use in the US and Canadian governments. Changes also support the migration of internally developed security standards towards a set of standards developed and maintained by an international body, while also referencing government standards.
On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019 and became effective September 22, 2019.
The new standard also introduces some significant changes. Rather than encompassing the module requirements directly, FIPS 140-3 references ISO/IEC 19790:2012. The testing for these requirements will be in accordance with ISO/IEC 24759:2017. While there are few major technical requirement changes, the use of the ISO documents require several procedural changes in the management and execution of the validation program and process.
FIPS 140-2 modules can remain active for 5 years after validation or until September 21, 2026, when the FIPS 140-2 validations will be moved to the historical list. Even on the historical list, CMVP supports the purchase and use of these modules for existing systems. While Federal Agencies decide when they move to FIPS 140-3 only modules, purchasers are reminded that for several years there may be a limited selection of FIPS 140-3 modules from which to choose. CMVP recommends purchasers consider all modules that appear on the Validated Modules Search Page and meet their requirements for the best selection of cryptographic modules, regardless of whether the modules are validated against FIPS 140-2 or FIPS 140-3.
As the effort for FIPS 140-3 development progresses, an important aspect is the continuation of efforts in supporting FIPS 140-2 validations. As there is limited resources, the queue of reviewing validation submissions is increasing. This is likely to continue well into 2021 as our resources are also needed to help develop the requirements for the new processes. Please have patience as we overhaul our processes to address the coming changes.
Date |
Activity |
---|---|
March 22, 2019 |
FIPS 140-3 Approved |
September 22, 2019 |
FIPS 140-3 Effective Date Drafts of SP 800-140x (Public comment closed 12-9-2019) |
March 20, 2020 |
Publication of SP 800-140x documents |
May 20, 2020 |
Updated CMVP Program Management Manual for FIPS 140-2 |
July 1, 2020 | Tester competency exam updated to include FIPS 140-3 |
September 21, 2020 |
Released FIPS 140-3 Implementation Guidance Released CMVP Management Manual for FIPS 140-3 |
September 22, 2020 |
CMVP accepted FIPS 140-3 submissions |
September 22, 2021 |
CMVP no longer accepts FIPS 140-2 submissions for new validation certificates unless the vendor is under contract with a CSTL prior to June 15, 2021, the CSTL has submitted an extension request, and the CSTL has received acceptance by the CMVP. The CMVP continues to accept FIPS 140-2 reports that do not change the validation sunset date, i.e. Scenarios 1, 1A, 1B, 3A, 3B and 4 from FIPS 140-2 Implementation Guidance G.8. |
April 1, 2022 | CMVP no longer accepts FIPS 140-2 submissions for new validation certificates. |
September 22, 2026 |
All FIPS 140-2 certificates are placed on the Historical List |
Security and Privacy: cryptography, testing & validation