November 17, 1999: NIST announces Draft FIPS 140-2, Security Requirements for Cryptographic Modules (June 2001 - FIPS 140-2 is now a FINAL document). This begins a 90-day public comment period on the draft standard, which is intended to supersede FIPS 140-1. Public comments may be sent to proposed140-2@nist.gov.
AGENCY: National Institute of Standards and Technology (NIST), Commerce.
ACTION: Notice: request for comments.
SUMMARY: This notice announces Draft Federal Information Processing Standard 140-2 (June 2001 - FIPS 140-2 is now a FINAL document), Security Requirements for Cryptographic Modules, for public review and comment. The draft standard, designated "Draft FIPS 140-2," is proposed to supersede FIPS 140-1 [PDF].
FIPS 140-1, first published in 1994, specified that it be reviewed within five years. In 1998, NIST solicited public comments on reaffirming the standard. The comments received by NIST supported maintaining the standard. The comments also supported updating the standard due to advances in technology. The proposed revision Draft FIPS 140-2 is now available for public review and comment. (June 2001 - FIPS 140-2 is now a FINAL document)
Prior to the submission of this proposed standard to the Secretary of Commerce for review and approval, it is essential that consideration is given to the needs and views of the public, users, the information technology industry, and Federal, State and local government organizations. The purpose of this notice is to solicit such views.
DATES: Comments must be received on or before February 15, 2000.
ADDRESSES: Written comments concerning this standard may be sent to:
Electronic comments may be sent to: Proposed140-2@nist.gov.
Copies of the current FIPS 140-1 and its proposed replacement, Draft FIPS 140-2 (June 2001 - FIPS 140-2 is now a FINAL document), are available from the
They are also available electronically. Comments received in response to this notice will be published electronically at [the Cryptographic Module Validation Program Home Page].
FOR FURTHER INFORMATION CONTACT: Mr. Ray Snouffer, Computer Security Division, 100 Bureau Drive, Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930, telephone (301) 975-4436.
SUPPLEMENTARY INFORMATION: FIPS 140-1, Security Requirements for Cryptographic Modules, first issued in 1994, identifies requirements for four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g., low value administrative data, million dollar funds transfers, and life protecting data), and a diversity of application environments. Over 60 modules have been tested by accredited private-sector laboratories and validated to-date as conforming to this standard. The standard provided that it be reviewed within five years to consider its continued usefulness and whether new or revised requirements should be added.
A notice was published in the Federal Register (Volume 63, Number 205) on October 23, 1998, soliciting public comments on reaffirming the standard. The comments supported reaffirmation of the standard, but suggested technical modifications to address advances in technology since the standard was originally issued. Using these comments, NIST prepared Draft FIPS 140-2 (June 2001 - FIPS 140-2 is now a FINAL document).
Authority: NIST's activities to develop computer security standards to protect Federal sensitive (unclassified) systems are undertaken pursuant to specific responsibilities assigned to NIST in section 5131 of the Information Technology Management Reform Act of 1996 (Pub. L. 104-106), the Computer Security of 1987 (Pub. L. 100-235), and Appendix III to Office of Management and Budget Circular A-130. Dated: November 11, 1999.
/s/
Karen H. Brown,
Deputy Director, National Institute of Standards and Technology.
[FR Doc. 99-30051 Filed 11-16-99; 8:45 am]
BILLING CODE 3510-CN-M
Last Update: March 5, 2002
Computer Security Division
National Institute of Standards and Technology