FIPS: A Brave New World
An Update on the FIPS 140-3 Transition
05 December 2019
In 2015, the National Institute of Standards and Technology (NIST) released seven questions for comment to gauge how prepared the market was for a switch to the ISO/IEC 19790 standard as the new FIPS 140-3 standard. Seventeen organizations responded (including Intertek EWA-Canada). Most responses were positive regarding the adoption of ISO 19790; the only drawback that some could see was that the Cryptographic Module Validation Program (CMVP) might change the ISO standard enough that it would no longer be useful globally.
FIPS 140-3 is a wrapper around ISO/IEC 19790 that enables vendors to enter a global market while still conforming to the cryptographic requirements of North America. The CMVP has developed draft annexes that have additional requirements. The final FIPS 140-3 standard will be ISO/IEC 19790 with CMVP additions or removals.
The CMVP draft SP 800-140X documents can be found at:
- SP 800-140 FIPS Derived Test Requirements - Modifies ISO/IEC 24759:2017
- SP 800-140A CMVP Documentation Requirements - Modifies Annex A of ISO/IEC 24759:2017
- SP 800-140B CMVP Security Policy Requirements - Modifies Annex B of ISO/IEC 24759:2017
- SP 800-140C CMVP Approved Security Functions - Modifies Annex C of ISO/IEC 24759:2017
- SP 800-140D CMVP Approved Sensitive Security Parameter Generation and Establishment Methods - Modifies Annex D of ISO/IEC 24759:2017
- SP 800-140E CMVP Approved Authentication Mechanisms - Modifies Annex E of ISO/IEC 24759:2017
- SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics - Modifies Annex F of ISO/IEC 24759:2017
The timeline for FIPS 140-3 is underway.
The next step is for the CMVP to finalize the 140X documents based on public feedback.
Intertek EWA-Canada was accredited to conduct ISO/IEC 19790 testing in 2013 and, as such, we are well aware of the requirements for the new FIPS 140-3 standard. We are working closely with the CMVP during the transition to the FIPS 140-3 program and standard and have supplied both delta documents (differences between FIPS 140-2 and FIPS 140-3) and an IG placement document to the CMVP. We are also active members of the FIPS 140-3 working group. Please contact us to request more information on how we can assist you.
Cryptographic and Security Testing Lab Manager
Richard Adams began work for Intertek EWA-Canada in 2009 as a Security Content Automation Protocol (SCAP) Tester and quickly moved into the role of Lead Tester. He trained and assisted in various other areas within the company, such as Cryptographic Module Validation (FIPS 140-2) testing; Common Criteria (CC) testing; Personal Identification Verification (PIV) testing; Visa Ready Program for Mobile Point of Sale (Visa mPOS) testing; and Certificate Authority (CA) Activities during this time. He was later promoted to the role of CST Lab Manager.
Senior IT Security Specialist
Dawn Adams has been with Intertek EWA-Canada for more than 13 years. She has been involved with the FIPS program for 21 years; she was a Lab Manager for 9 years. She has worked in and was a Manager in the Common Criteria, PCI, PIV and SCAP workspaces as well. She is currently an IT Security Specialist working mainly in Common Criteria and auditing.