Project Overview
Current Development
On August 12, 2015, NIST published a Request for Information (RFI) in the Federal Register, requesting public comments on using the ISO/IEC 19790:2012 standard, Security Requirements for Cryptographic Modules, as the U.S. federal standard for cryptographic modules.
The RFI provided additional background information, including seven questions (excerpted below) that NIST was especially interested in having addressed. The RFI also disucssed NIST's intentions.
The comment period closed on September 28, 2015.
[Excerpt from the RFI, with references to "ISO/IEC 19790:2014" changed to the correct "ISO/IEC 19790:2012":]
NIST requests comments on the following questions regarding the use of ISO/IEC 19790:2012, but comments on other cryptographic test and conformance issues will also be considered.
-
Have your customers or users asked for either ISO/IEC 19790:2012 or FIPS 140-2 validations in cryptographic products?
-
Have the markets you serve asked for either validation and have you noticed any changes in what the markets you serve are asking for?
-
Do you think the ISO/IEC 19790:2012 standard specifies tests and provides evidence of conformance for cryptographic algorithms and modules better, equally or less as compared to FIPS 140-2 and in what areas?
-
Is there a difference in risk that you perceive would be mitigated or accepted in use of one standard versus the other?
-
Are the requirements in ISO/IEC 19790:2012 specific enough for your organization to develop a cryptographic module that can demonstrate conformance to this standard?
-
Would the U.S. Government citation of an ISO standard that has a fee for access to the standard inhibit your use or implementation of this standard?
-
Do either FIPS 140-2 or ISO/IEC 19790:2012 have a gap area that is not required for implementation, test or validation that presents an unacceptable risk to users of cryptographic modules?
The responses to this request for information will be used to plan possible changes to the FIPS or in a decision to use all or part of ISO/IEC 19790:2012 for testing, conformance and validation of cryptographic algorithms and modules.