Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

FIPS 140-3 Transition Effort FIPS 140-3

Project Overview

While FIPS 140-2 continues on through 2026, development to support and validate FIPS 140-3 modules must be in place by September 2020. This project addresses questions concerning the process of migrating from FIPS 140-2 to FIPS 140-3.  The transition process includes organizational, documentation and procedural changes necessary to update and efficiently manage the ever increasing list of security products that are tested for use in the US and Canadian governments.  Changes also support the migration of internally developed security standards towards a set of standards developed and maintained by an international body, while also referencing government standards.

The transition of FIPS 140-3 has begun

On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019 and became effective September 22, 2019.

The new standard also introduces some significant changes. Rather than encompassing the module requirements directly, FIPS 140-3 references ISO/IEC 19790:2012. The testing for these requirements will be in accordance with ISO/IEC 24759:2017. While there are few major technical requirement changes, the use of the ISO documents require several procedural changes in the management and execution of the validation program and process.

FIPS 140-2 continues

FIPS 140-2 modules can remain active for 5 years after validation or until September 21, 2026, when the FIPS 140-2 validations will be moved to the historical list.  Even on the historical list, CMVP supports the purchase and use of these modules for existing systems. While Federal Agencies decide when they move to FIPS 140-3 only modules, purchasers are reminded that for several years there may be a limited selection of FIPS 140-3 modules from which to choose. CMVP recommends purchasers consider all modules that appear on the Validated Modules Search Page  and meet their requirements for the best selection of cryptographic modules, regardless of whether the modules are validated against FIPS 140-2 or FIPS 140-3.

As the effort for FIPS 140-3 development progresses, an important aspect is the continuation of efforts in supporting FIPS 140-2 validations. As there is limited resources, the queue of reviewing validation submissions is increasing. This is likely to continue well into 2021 as our resources are also needed to help develop the requirements for the new processes. Please have patience as we overhaul our processes to address the coming changes. 

Transition Schedule

Current Schedule - 06-11-2020

Date

Activity

March 22, 2019

FIPS 140-3 Approved

September 22, 2019

FIPS 140-3 Effective Date

Drafts of SP 800-140x  (Public comment closed 12-9-2019)

March 22, 2020

Publication of SP 800-140x documents (Published 3/20/2020)

May 20, 2020

Updated CMVP Program Management Manual for FIPS 140-2

July 1, 2020 Tester competency exam updated to include FIPS 140-3
In-process

FIPS 140-3 Implementation Guidance 

CMVP Program Management Manual for FIPS 140-3

September 22, 2020

CMVP accepts FIPS 140-3 submissions

September 21, 2021

CMVP stops accepting FIPS 140-2 submissions for new validation certificates

September 21, 2026

Remaining FIPS 140-2 certificates are moved to the Historical List

Created July 10, 2019, Updated July 06, 2020