On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules.
FIPS 140-3 includes references to two existing international standards:
- International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790:2012(E) Information technology — Security techniques — Security requirements for cryptographic modules; and
- ISO/IEC 24759:2017(E) Information technology — Security techniques — Test requirements for cryptographic modules.
As permitted by those standards, the NIST Special Publication (SP) series 800-140 will specify updates, replacements, or additions to the currently cited ISO/IEC standard, as necessary. Those new SP 800-140 documents (currently under development) will consolidate implementation guidance and administrative guidance, and will be made available for public review and comment.
Here are some important milestones:
- FIPS 140-3 becomes effective on September 22, 2019;
- FIPS 140-3 testing, through the Cryptographic Module Validation Program (CMVP), will begin September 22, 2020; and
- FIPS 140-2 testing will continue for at least a year after FIPS 140-3 testing begins.
On August 12, 2015, a Federal Register Notice requested public comments on the potential use of ISO/IEC standards for cryptographic algorithm and cryptographic module testing, conformance, and validation activities that were specified in FIPS 140-2. NIST received comments from 17 entities. A summary of the comments is available in the May 1, 2019 Federal Register Notice announcing FIPS 140-3; the complete set of comments is also available on CSRC.
See the FIPS 140-3 Development project for additional details about the implementation of FIPS 140-3 and its supporting SP 800-140 publications.