Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

FIPS 140-3 Transition Effort

Project Overview

While FIPS 140-2 continues on through 2026, development to support and validate FIPS 140-3 modules must be in place by September 2020. This project addresses questions concerning the process of migrating from FIPS 140-2 to FIPS 140-3.  The transition process includes organizational, documentation and procedural changes necessary to update and efficiently manage the ever increasing list of security products that are tested for use in the US and Canadian governments.  Changes also support the migration of internally developed security standards towards a set of standards developed and maintained by an international body, while also referencing government standards.

The transition of FIPS 140-3 has begun

On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019 and became effective September 22, 2019.

The new standard also introduces some significant changes in the management of the standard. Rather than encompassing the module requirements directly, FIPS 140-3 references ISO/IEC 19790:2012(E). The testing for these requirements will be in accordance with ISO/IEC 24759:2017(E). While there are few major technical requirement changes, the use of the ISO documents require several procedural changes in the management and execution of the validation process.

FIPS 140-2 continues

As the effort for FIPS 140-3 development increases, an important aspect is the continuation of efforts in supporting FIPS 140-2 validations. As there is limited resources, the queue of reviewing submissions is increasing. This is likely to continue well into the new year as our resources are also needed to help develop the requirements for the new processes. Sometimes it feels like we are rebuilding the plane as it continues to fly, so please have patience with us as we overhaul our processes to address the coming changes. 

Implementation Schedule

Current Schedule - 9-26-2019

Date

Activity

March 22, 2019

FIPS 140-3 Approved

September 22, 2019

FIPS 140-3 Effective Date

Drafts of SP 800-140x available for public comment (See status page)

March 22, 2020

Publication of SP 800-140x documents

Implementation Guidance updates

Tester competency exam updated to include FIPS 140-3

Updated CMVP Program Management Manual

September 22, 2020

CMVP accepts FIPS 140-3 submissions

September 22, 2021

CMVP stops accepting FIPS 140-2 submissions for new validation certificates

September 22, 2026

Remaining FIPS 140-2 certificates moved to Historical List

Created July 10, 2019, Updated October 09, 2019