NIST announces that it plans to develop Federal Information Processing Standard (FIPS) 140-3, which will supersede FIPS 140-2, Security Requirements for Cryptographic Modules. FIPS 140-2, approved by the Secretary of Commerce and announced in the Federal Register (June 27, 2001, Volume 66, Number 124, Pages 34154-34155), identifies requirements for four levels of security for cryptographic modules that are utilized by Federal agencies to protect the security of Federal information systems. The Federal Information Security Management Act (FISMA) (Public Law 107-347) requires that all Federal agencies and their contractors use only those cryptographic-based security systems that were validated to FIPS 140-2 or to its predecessor, FIPS 140-1.
Comments on new and revised requirements for FIPS 140-3 must be received on or before February 28, 2005.
NIST plans to develop FIPS 140-3 to meet the new and revised requirements of Federal agencies for cryptographic systems, and to address technological and economic changes that have occurred since the issuance of FIPS 140-2. As the first step in the development of FIPS 140-3, NIST invites comments from the public, users, the information technology industry, and Federal, State and local government organizations concerning the need for and recommendations for a new standard.
NIST is especially interested in comments on the following issues:
- Compatibility with industry standards.
- New technology areas.
- Introduction of additional levels of security.
- Additional requirements specific to physical security.
- Portability of applications (including operating systems) based on platform and/or environment.
Following its review of the comments submitted in response to this notice, NIST will hold open, public workshops in 2005 to discuss the development of FIPS 140-3. These workshops will be announced in the Federal Register with information about participation. NIST expects to propose FIPS 140-3 for public review and comment before recommending the standard to the Secretary of Commerce for approval in 2006.
NIST will develop a plan for a transition period for testing and validating modules to FIPS 140-3, and for agencies to develop plans to acquire products that are compliant with FIPS 140-3. The transition plan will also address the use by Federal agencies of cryptographic modules that have been validated for compliance to FIPS 140-1 and FIPS 140-2.