Computer Security Resource Center

FIPS 140-3 Transition Effort

Transition Status

This page focuses on the progress of transitioning cryptographic module security standards and associated documents from FIPS 140-2 to FIPS 140-3. The process includes the organizational, procedural, and resulting automated processing changes necessary to update and efficiently manage the ever-increasing list of security products that are tested for use in the US and Canadian governments. The procedural changes include the migration from internally developed security standards to the additional activities of working with a set of standards developed and maintained by an international body, while adhering to government standards and regulations. Check back often to stay abreast of the overall migration effort. CMVP is committed to making this an open process, sharing with labs, vendors, and other interested parties.

SP 800-140x now available 

Sections 3.3 and 3.4 of FIPS 140-3 identify NIST special publications that modify requirements of ISO/IEC 19790:2012 and ISO/IEC 24759:2017. Final publication of those documents occurred on March 20, 2020. Copies of the publications are available using the links below.

Special Publications for FIPS 140-3 cryptographic module validations

| NIST SP | Title | ISO/IEC 19790:2012(E) | ISO/IEC 24759:2017(E) |
|---|---|---|---|
| SP 800-140 | FIPS 140-3 Derived Test Requirements (DTR) | -- | §6.1 through §6.12 |
| SP 800-140A | CMVP Documentation Requirements | Annex A | §6.13 |
| SP 800-140B | CMVP Security Policy Requirements | Annex B | §6.14 |
| SP 800-140C | CMVP Approved Security Functions | Annex C | §6.15 |
| SP 800-140D | CMVP Approved Sensitive Security Parameter Generation and Establishment Methods | Annex D | §6.16 |
| SP 800-140E | CMVP Approved Authentication Mechanisms | Annex E | §6.17 |
| SP 800-140F | CMVP Approved Non-Invasive Attack Mitigation Test Metrics | Annex F | §6.18 |

Thanks for the assist

Special thanks to the Cryptographic Module User Forum (CMUF) for assisting us in identifying and proposing requirement and process improvements for CMVP, which will also aid vendors, testing laboratories, and end users. This open group of vendors and testing laboratories volunteers to help us evaluate ways to better the process for everyone. CMUF hosts several working groups, including ones aiding the development of FIPS 140-3 tools and guidance. This allows the CAVP and CMVP to keep more resources focused on delivering cryptographic module validations.

Currently, the FIPS 140-3 Transition Working Group (WG) is developing FIPS 140-3 training and is also reviewing and drafting FIPS 140-3 Implementation Guidance (IGs). You can access these in-progress works and aid in the development of these resources by joining the CMUF. In the upcoming months, the WG will also aid in the development of assessment and management tools, including providing feedback for the new Cryptik reporting tool and the FIPS 140-3 Management Manual, currently in development.

ISO/IEC 19790 and ISO/IEC 24759 standards: each individual must have one!

Unlike the FIPS 140-2 standard, which included the requirements for cryptographic modules, FIPS 140-3 references ISO/IEC 19790:2012 and ISO/IEC 24759:2017, which can be purchased through the International Organization for Standardization Store. If you already have ISO/IEC 19790:2012, make sure it contains the 2015 update. There is much confusion, as ISO/IEC normally posts a Technical Corrigendum listing only the changes to the standard. However, ISO/IEC has withdrawn the Technical Corrigendum and has folded the updates into the ISO/IEC 19790:2012 now available. The update is internally marked as ISO/IEC 19790:2012/Cor.1:2015(E).

ISO publications can only be bought for your personal individual use and cannot be transferred to another user. If you wish to purchase one or more ISO publications for multiple users (for example, for your colleagues or to post on your company’s intranet) or want to obtain broader rights beyond your personal use, please contact ISO or your ISO Member to explore your options.

NIST intends to work with the appropriate parties to help ensure that the ISO/IEC standard will be made reasonably available to researchers, academics and small organizations. To support this effort, NIST is currently making available a limited number of copies of ISO/IEC 19790:2012 and ISO/IEC 24759:2017. To request a copy of each document, complete the Contact Information form and then email a copy of your signed End User License Agreement to cmvpiso@nist.gov.

 

Created July 10, 2019, Updated July 06, 2020