An updated Federal Information Processing Standard (FIPS), FIPS 140-3, was approved by the Secretary of Commerce in March 2019, defining a new security standard for the validation of cryptographic modules. But new mandates bring uncertainty: what does this evolving security standard mean, how and when do you need to comply, and how will it affect your current FIPS 140-2-validated appliances?
Navigating certifications is challenging, to say the least. Having gone through the update from FIPS 140-1 to FIPS 140-2 back in 2001, I'd like to share some insight based on our experience then to help answer your questions and concerns. Let's get started.
About FIPS 140
As background, the FIPS 140 standards are a set of security requirements for cryptographic modules defined by the National Institute of Standards and Technology (NIST), and are managed jointly by the United States and Canada as part of the Cryptographic Module Validation Program (CMVP). FIPS 140-validated modules are mandatory for protecting keys and performing cryptographic operations in many government applications. In fact, FIPS 140 has become the de facto standard in many other countries and in the private sector (particularly in the financial and payment industries), because FIPS 140-validated HSMs provide confidence and trust when securing cryptographic infrastructures.
FIPS 140-2 is the current version and has been in force since May 2001. It defines four security levels and 11 areas of cryptographic product design and implementation, including key management; interfaces; roles, services and authentication; and operating systems. More information about FIPS 140-2 can be found in our Landing Securely on Regulatory Compliance with Thales Luna HSMs blog post.
What’s the difference?
FIPS 140-3 will supersede FIPS 140-2 and is based on existing international standards, with some modifications. The FIPS 140-3 special publications cover a variety of requirements, including derived tests, documentation, security policies, security functions, security parameters, authentication, and non-invasive attack mitigation. Note that many of these changes are not yet finalized.
Important milestones
To put this all in perspective, below are the key milestones for the standard:
- March 22, 2019 - the Secretary of Commerce approved FIPS 140-3, Security Requirements for Cryptographic Modules
- September 22, 2019 - FIPS 140-3 became effective
- September 22, 2020 - FIPS 140-3 testing begins through the CMVP
- September 22, 2021 - only FIPS 140-3 submissions accepted
Transitioning to FIPS 140-3 and its impact
FIPS 140-2 will be around for a while: modules can still be submitted and validated to FIPS 140-2 until September 22, 2021, and existing FIPS 140-2 certificates will not be revoked as part of the transition. In fact, FIPS 140-2-certified modules will remain valid until September 2026.
On the FIPS 140-3 side, the CMVP will not begin accepting FIPS 140-3 submissions until September 22, 2020, and after September 22, 2021 only FIPS 140-3 submissions will be accepted.
What’s next?
For the time being, no action is required on your part. However, you can rely on Thales to help you navigate this transition when the time is right. We understand your needs and concerns and are here to help clarify and demystify FIPS 140-3. In the meantime, we will: 1) continue working towards FIPS 140-3 validation; 2) participate in forums and working groups to help define FIPS 140-3 and identify improvements for the CMVP; 3) develop documentation and map requirements to ISO 24759; and 4) work through the testing and implementation expected of an early adopter.
Visit our FIPS 140-3 web page for more details on the specific regulation changes, the modifications to the existing international standard, and how we can help.