Approval of FIPS 140-3
On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019.
FIPS 140-3 aligns with ISO/IEC 19790:2012(E) and includes modifications of the Annexes that are allowed to the Cryptographic Module Validation Program (CMVP), as a validation authority. The testing for these requirements will be in accordance with ISO/IEC 24759:2017(E), with the modifications, additions or deletions of vendor evidence and testing allowed as a validation authority under paragraph 5.2. Major changes in FIPS 140-3 are limited to the introduction of non-invasive physical requirements.
Special Publication 800-140x Development
Sections 3.3 and 3.4 of FIPS 140-3 identify NIST publications that will modify the annex requirements of ISO/IEC 19790:202(E) and ISO/IEC 24759:2017(E). The SP 800-140x documents are currently in development and NIST plans to release drafts for public comment in mid-2019. Final publication of those documents will occur by September 22, 2019. The draft and final publications will be available on the SP 800 publications page.
The following table summarizes those publications and their relationships to the two ISO/IEC standards:
NIST Special Publications (SPs) that Modify ISO/IEC Standards
||FIPS 140-3 Derived Test Requirements (DTR)
||§6.1 through §6.12
||CMVP Documentation Requirements
||CMVP Security Policy Requirements
||CMVP Approved Security Functions
||CMVP Approved Sensitive Security Parameter Generation and Establishment Methods
||CMVP Approved Authentication Mechanisms
||CMVP Approved Non-Invasive Attack Mitigation Test Metrics
Clause 12 of the FIPS 140-3 announcement section provides an implementation schedule for FIPS 140-3. Below is a summary of that timeline, with additional proposed milestones.
Proposed Timeline for FIPS 140-3 Implementation
|March 22, 2019
||FIPS 140-3 Approved
||Drafts of SP 800-140x available for public comment
|September 22, 2019
FIPS 140-3 Effective Date
- Publication of SP 800-140x documents
- ISO Document request application available
|March 22, 2020
CMVP program updates completed:
- Update Pearson competency test
- Implementation Guidance updates
- Resolve applications Changes
|September 22, 2020
||FIPS 140-3 Testing Begins
|September 22, 2021
||FIPS 140-2 Testing Ends
Request for Information (2015)
On August 12, 2015, NIST published a Request for Information (RFI) in the Federal Register, requesting public comments on using the ISO/IEC 19790:2012 standard, Security Requirements for Cryptographic Modules, as the U.S. federal standard for cryptographic modules.
The RFI provided additional background information, including seven questions that NIST was especially interested in having addressed. The RFI also discussed NIST's intentions.
The comment period closed on September 28, 2015. NIST received comments from 17 organizations.