This is a potential security issue, you are being redirected to https://csrc.nist.gov.
This page focuses on the progress of transitioning cryptographic module security standards and associated documents from FIPS 140-2 to FIPS 140-3. The process includes organizational, procedural and the resultant automated processing changes necessary to update and efficiently manage the ever increasing list of security products that are tested for use in the US and Canadian governments. The procedural changes include the migration from internally developed security standards to the additional activities of working with a set of standards developed and maintained by an international body, while adhering to government standards and regulations. Check back often to stay abreast of the overall migration effort. CMVP is committed to making this an open process, sharing with labs, vendors, and other interested parties.
Sections 3.3 and 3.4 of FIPS 140-3 identify NIST special publications that modify requirements of ISO/IEC 19790:2012 and ISO/IEC 24759:2017. Final publication of those documents occurred on March 20, 2020. Copies of the publications are available using the links below.
Special Publications for FIPS 140-3 cryptographic module validations
|FIPS 140-3 Derived Test Requirements (DTR)||--||§6.1 through §6.12|
|CMVP Documentation Requirements||Annex A||§6.13|
|CMVP Security Policy Requirements||Annex B||§6.14|
|CMVP Approved Security Functions||Annex C||§6.15|
|CMVP Approved Sensitive Security Parameter Generation and Establishment Methods||Annex D||§6.16|
|CMVP Approved Authentication Mechanisms||Annex E||§6.17|
|CMVP Approved Non-Invasive Attack Mitigation Test Metrics||Annex F||§6.18|
Special thanks to the Cryptographic Module User Forum for assisting us in identifying and proposing requirement and process improvements for CMVP which will also aid vendors, testing laboratories, and end users. This open group of vendors and testing laboratories volunteer to help us evaluate ways to better the process for everyone. CMUF hosts several working groups including aiding with the development of FIPS 140-3 tools and guidance. This allows the CAVP and CMVP to keep more resources focused on delivering cryptographic module validations.
The FIPS 140-3 Transition Working Group (WG) recently developed FIPS 140-3 training and reviewed the FIPS 140-3 Implementation Guidance (IG) document and FIPS 140-3 Management manual, prior to their release. Currently, the WG is aiding in the development of assessment and management tools, including providing feedback for the new Cryptik report generation tool. You can access in-progress works and aid in the development of CMVP resources by joining in the CMUF.
Unlike the FIPS 140-2 Standard which included the requirements for cryptographic modules, the FIPS 140-3 references ISO/IEC 19790:2012 and ISO/IEC 24759:2017 which can be purchased through the International Organization for Standardization Store. If you already have the ISO/IEC 19790:2012, make sure it contains the 2015 update. There is much confusion as ISO/IEC normally posts a Technical Corrigendum listing only the changes to the standard. However, ISO/IEC has withdrawn the Technical Corrigendum, and has folded the updates into the ISO/IEC 19790:2012 now available. The update is internally marked as ISO/IEC 19790:2012/Cor.1:2015(E).
ISO publications can only be bought for your personal individual use and cannot be transferred to another user. If you wish to purchase (an) ISO publication(s) for multiple users (for example, for your colleagues or post on your company’s intranet) or want to obtain broader rights beyond your personal use, please contact ISO or your ISO Member to explore your options.
NIST intends to work with the appropriate parties to help ensure that the ISO/IEC standard will be made reasonably available to researchers, academics and small organizations. To support this effort, NIST has make available over 150 copies of ISO/IEC 19790:2012 and ISO/IEC 24759:2017 to date. To request a copy of each document, complete the Contact Information form and then email a copy of your signed End User License Agreement to email@example.com.