John Ray | Director, HSM Product Management
FIPS 140-3 and You, Part Two
Awhile back, we shared that Thales Luna HSMs were about to kick-off the process of moving towards Federal Information Processing Standard (FIPS) 140-3 Level 3, the newest security standard to accredit cryptographic modules. Security standards, like technology, are always evolving, making compliance challenging for customers and vendors alike.
Today, we are excited to share that not only have we received FIPS 140-3 Level 3 validation, but we are the first HSM in the industry to receive it!
Ch..Ch..Ch..Changes…
When changes happen, everyone wants to know one thing…why? Why did they change something like a compliance standard? Mainly, the reason for change is change itself! A change in technology that is. FIPS 140-3 is more closely aligned to international standards and better suited to today's technologies. It is also more flexible and modular in its approach.
FIPS 140-3 will also introduce the ability to certify Post-Quantum Cryptography (PQC) algorithms. This change will ensure cryptographic modules are prepared to address the challenges and threats posed by quantum attacks. Implementing FIPS 140-3 validated security solutions is an essential part of building a quantum-safe crypto agile security posture, ensuring organizations stay protected today, and into the future.
Since FIPS 140-2 was established in 1998, technology has transformed a lot impacting everyone, including certifications. If you are looking to know the full list of differences between 140-2 and 140-3 and the benefits from the changeover, read our FIPS 140-3 webpage.
Next Steps
What does this mean for anyone who needs to maintain FIPS compliance? First, it is important to point out that the introduction of FIPS 140-3 started the clock on sunsetting the previous iteration of the standard. The CMVP no longer accepts submissions for FIPS 140-2, and existing 140-2 certifications are slated to become historical beginning September 2026.
Therefore, organizations that need to maintain FIPS compliance must ensure that their HSM is FIPS 140-3 validated after this date. Now that Thales Luna HSMs have received this validation, you can rest easy that this transition will be smooth and painless.
In fact, Luna HSM customers can just download and install the latest FIPS validated firmware. For the full details, read the FIPS 140-3 Product Announcement on our Customer Support Portal that outlines where to get the latest firmware for the Luna Network and Luna PCIe models. And that’s it! If you have any questions throughout this process, the Thales team is always here to help.
If you are new to understanding FIPS compliance and want to learn more about our market-leading Luna HSMs that help to make compliance easy, simply visit our HSM webpage or contact your local Thales representative.
Stay tuned for more announcements coming from Thales about FIPS 140-3 validated security solutions, as the Luna USB and Backup HSMs are scheduled to receive the validation later this year.