Computer Security Resource Center

FIPS 140-3 Transition Effort

Transition Status

This page tracks the progress of transitioning the cryptographic module security standards and their associated documents from FIPS 140-2 to FIPS 140-3. The process includes the organizational and procedural changes, and the resulting changes to automated processing, needed to update and efficiently manage the ever-increasing list of security products that are tested for use in the US and Canadian governments. The procedural changes include migrating from internally developed security standards to the additional activity of working with a set of standards developed and maintained by an international body, while continuing to adhere to government standards and regulations. Check back often to stay abreast of the overall migration effort. CMVP is committed to making this an open process, shared with labs, vendors, and other interested parties.

Comment period closed for SP 800-140x drafts 

Sections 3.3 and 3.4 of FIPS 140-3 identify NIST Special Publications that modify the requirements of ISO/IEC 19790:2012 and ISO/IEC 24759:2017. On October 9th, drafts of the SP 800-140 documents (see the table below) were released for public comment. The comment period was 60 days, from October 9th to December 9th. The comment period is now closed, and the comments are under review. Final publication of those documents is anticipated by March 22, 2020. Copies of the draft publications are available at the links below.

Special Publications to manage ISO/IEC standards for cryptographic module validations

NIST SP             | Title                                                                              | ISO/IEC 19790:2012(E) | ISO/IEC 24759:2017(E)
SP 800-140 (Draft)  | FIPS 140-3 Derived Test Requirements (DTR)                                         | --                    | §6.1 through §6.12
SP 800-140A (Draft) | CMVP Documentation Requirements                                                    | Annex A               | §6.13
SP 800-140B (Draft) | CMVP Security Policy Requirements                                                  | Annex B               | §6.14
SP 800-140C (Draft) | CMVP Approved Security Functions                                                   | Annex C               | §6.15
SP 800-140D (Draft) | CMVP Approved Sensitive Security Parameter Generation and Establishment Methods    | Annex D               | §6.16
SP 800-140E (Draft) | CMVP Approved Authentication Mechanisms                                            | Annex E               | §6.17
SP 800-140F (Draft) | CMVP Approved Non-Invasive Attack Mitigation Test Metrics                          | Annex F               | §6.18

Thanks for the assist

Special thanks to the Cryptographic Module User Forum for assisting us in identifying improvements for CMVP, as well as for vendors, testing laboratories, and end users. This open group of vendors and testing laboratories volunteers to help us evaluate ways to better the process for everyone. It has working groups on improving Security Policies, on the use of cryptographic modules in the cloud, and on equivalency, and it is also aiding the development of FIPS 140-3 tools so that we can keep as many resources as possible focused on delivering cryptographic module validations.

Currently the FIPS 140-3 Transition Working Group (WG) is reviewing and improving the Derived Test Requirements and reviewing the FIPS 140-2 IGs for disposition into FIPS 140-3. In the coming year, the WG will start new efforts to aid the transition to the new standards and assessment tools, including providing feedback on the new Web Cryptik reporting tool, the FIPS 140-3 IGs, and the FIPS 140-3 Management Manual, all currently in development.

ISO/IEC 19790 and ISO/IEC 24759 standards: each individual must have their own copy!

Unlike FIPS 140-2, which itself contained the requirements for cryptographic modules, FIPS 140-3 references ISO/IEC 19790:2012 and ISO/IEC 24759:2017, which can be purchased through the International Organization for Standardization Store. If you already have ISO/IEC 19790:2012, make sure it contains the 2015 update. There is much confusion here, because ISO/IEC normally posts a Technical Corrigendum listing only the changes to a standard. However, ISO/IEC has withdrawn the Technical Corrigendum and has folded the updates into the ISO/IEC 19790:2012 edition now available. The update is internally marked as ISO/IEC 19790:2012/Cor.1:2015(E).

ISO publications can only be bought for your personal individual use and cannot be transferred to another user. If you wish to purchase (an) ISO publication(s) for multiple users (for example, for your colleagues or post on your company’s intranet) or want to obtain broader rights beyond your personal use, please contact ISO or your ISO Member to explore your options.

NIST intends to work with the appropriate parties to help ensure that the ISO/IEC standard will be made reasonably available to researchers, academics and small organizations. To support this effort, NIST is currently making available a limited number of copies of ISO/IEC 19790:2012 and ISO/IEC 24759:2017. To request a copy of each document, complete the Contact Information form and then email a copy of your signed End User License Agreement to cmvpiso@nist.gov.


Created July 10, 2019, Updated December 27, 2019