FIPS: A Brave New World
An Update on the FIPS 140-3 Transition
05 December 2019
In 2015, the National Institute of Standards and Technology (NIST) released seven questions for comment that were feelers for how prepared the market was for a switch to the ISO/IEC 19790 standard as the new FIPS 140-3 standard. Seventeen organizations responded (including Intertek EWA-Canada). Most responses were positive regarding the adoption of ISO 19790; the only drawback that some could see was that the Cryptographic Module Validation Program (CMVP) might change the ISO standard sufficiently to be un-useful globally.
FIPS 140-3 is a wrapper around ISO/IEC 19790 that enables vendors to enter a global market while still conforming to the Crypto Requirements of North America. The CMVP has developed draft annexes that have additional requirements. The final FIPS 140-3 standard will be the ISO/IEC 19790 with CMVP additions or removals.
The CMVP draft SP 800-140X documents can be found at:
- SP 800-140 FIPS Derived test Requirements - Modifies ISO /IEC 24759:2017
- SP-800-140A CMVP Documentation Requirements – Modifies Annex A of ISO /IEC 24759:2017
- SP 800-140B CMVP Security Policy Requirements – Modifies Annex B of ISO /IEC 24759:2017
- SP 800-140C CMVP Approved Security Functions - Modifies Annex C of ISO /IEC 24759:2017
- SP 800-140D CMVP Approved Sensitive Security Parameter Generation and Establishment Methods -Modifies Annex D of ISO /IEC 24759:2017
- SP 800-140E CMVP Approved Authentication Mechanisms – Modifies Annex E of ISO /IEC 24759:2017
- SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics – Modifies Annex F of ISO /IEC 24759:2017
The timeline for FIPS 140-3 is underway.
The next step is for the CMVP to finalize the 140X documents based on public feedback.
Intertek EWA-Canada was accredited to conduct ISO/IEC 19790 testing in 2013 and as such, we are well-aware of the requirements for the new FIPS 140-3 standard. We are working closely with the CMVP during the transition to FIPS 140-3 program and standard and have supplied both delta documents (differences between FIPS 140-2 and FIPS 140-3) and an IG placement document to the CMVP. We are also active members of the FIPS 140-3 working group. Please Contact Us to request more information on how we can assist you.