Computer Security Resource Center

FIPS 140-3 Development

Project Overview

THIS PAGE IS FOR HISTORICAL PURPOSES ONLY

SEE FIPS 140-3 TRANSITION EFFORT FOR THE CURRENT STATUS

FIPS 140-3 approved

On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019.

FIPS 140-3 aligns with ISO/IEC 19790:2012(E) and includes modifications of the Annexes that are allowed to the Cryptographic Module Validation Program (CMVP), as a validation authority. The testing for these requirements will be in accordance with ISO/IEC 24759:2017(E), with the modifications, additions or deletions of vendor evidence and testing allowed as a validation authority under paragraph 5.2. Major changes in FIPS 140-3 are limited to the introduction of non-invasive physical requirements.

Special Publication 800-140x Development

Sections 3.3 and 3.4 of FIPS 140-3 identify NIST publications that will modify the annex requirements of ISO/IEC 19790:2012(E) and ISO/IEC 24759:2017(E). The SP 800-140x documents are currently in development, and NIST plans to release drafts for public comment in September 2019. Final publication of those documents is expected to occur by March 2020. The draft and final publications will be available on the SP 800 publications page.

The following table summarizes those publications and their relationships to the two ISO/IEC standards:

NIST Special Publications (SPs) that Modify ISO/IEC Standards

NIST SP | Title | | ISO/IEC 19790:2012(E) | ISO/IEC 24759:2017(E)
SP 800-140 | FIPS 140-3 Derived Test Requirements (DTR) | modifies | -- | §6.1 through §6.12
SP 800-140A | CMVP Documentation Requirements | modifies | Annex A | §6.13
SP 800-140B | CMVP Security Policy Requirements | modifies | Annex B | §6.14
SP 800-140C | CMVP Approved Security Functions | modifies | Annex C | §6.15
SP 800-140D | CMVP Approved Sensitive Security Parameter Generation and Establishment Methods | modifies | Annex D | §6.16
SP 800-140E | CMVP Approved Authentication Mechanisms | modifies | Annex E | §6.17
SP 800-140F | CMVP Approved Non-Invasive Attack Mitigation Test Metrics | modifies | Annex F | §6.18

Implementation Schedule

Clause 12 of the FIPS 140-3 announcement section provides an implementation schedule for FIPS 140-3. Below is a summary of that timeline, with additional proposed milestones.

Proposed Timeline for FIPS 140-3 Implementation

March 22, 2019: FIPS 140-3 Approved

Mid-2019: Drafts of SP 800-140x available for public comment

September 22, 2019: FIPS 140-3 Effective Date

  • Draft Publication of SP 800-140x documents
  • ISO Document request application available

March 22, 2020: CMVP program updates completed:

  • Final Publication of SP 800-140x documents
  • Update Pearson competency test
  • Implementation Guidance updates
  • Resolve applications Changes

September 22, 2020: FIPS 140-3 Testing Begins

September 22, 2021: FIPS 140-2 Testing Ends

Request for Information (2015)

On August 12, 2015, NIST published a Request for Information (RFI) in the Federal Register, requesting public comments on using the ISO/IEC 19790:2012 standard, Security Requirements for Cryptographic Modules, as the U.S. federal standard for cryptographic modules.

The RFI provided additional background information, including seven questions that NIST was especially interested in having addressed. The RFI also discussed NIST's intentions.

The comment period closed on September 28, 2015. NIST received comments from 17 organizations.

Created August 04, 2017, Updated September 25, 2019