FIPS 140-3

FIPS 140-3 Certification

Thales can help you meet your needs for data security compliance with FIPS 140-3 certified products.

FIPS 140-3

Test

FIPS 140-3 is an updated Federal Information Processing Standard (FIPS), which was approved by the Secretary of Commerce in March of 2019. It defines a new security standard to accredit cryptographic modules.

Thales:

  • Underwent an update to FIPS 140-2 from FIPS 140-1 in 2001
  • Was the first company to achieve a FIPS 140-2 Level 3 validation for a Hardware Security Module (HSM)
  • Is the HSM vendor with the most NIST FIPS validations

So, you can rely on Thales to help you navigate and demystify this future FIPS standard.

  • Regulation
  • Compliance

FIPS 140

FIPS 140 standards are a set of security requirements for cryptographic modules defined by the National Institute of Standards and Technology (NIST)1 and managed by both the United States and Canada, as part of the Cryptographic Module Validation Program (CMVP)2. FIPS 140-validated modules are mandatory for protecting cryptographic keys and performing cryptographic operations for many government applications. It has become the de facto standard in many other countries and in the private sector, particularly in the financial and payment industries, as FIPS 140 validated HSMs provide confidence and trust when securing cryptographic infrastructures.

FIPS 140-2 is the current version and has been in force since May 2001. It defines a total of 4 security levels and 11 areas of cryptographic product design and implementation. These include key management; interfaces; roles; services and authentication; and operating systems. More information about FIPS 140-2 can be found in the Landing Securely on Regulatory Compliance with Thales Luna HSMs blog post.

FIPS 140-3

FIPS 140-3 will supersede FIPS 140-2 and is based on existing international standards with some modifications:

  • ISO/IEC 19790:2012

    Security Requirements for Cryptographic Modules

    ISO/IEC 19790:20123 lists the security requirements for a cryptographic module utilized within a security system protecting sensitive information in computer and telecommunication systems. This International Standard defines four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g. low value administrative data, million dollar funds transfers, life protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location).

  • ISO/IEC 24759:2017

    Test Requirements for Cryptographic Modules

    ISO/IEC 24759:20174 specifies the methods to be used by accredited laboratories to test whether the cryptographic module conforms to the requirements specified in ISO/IEC 19790:2012. The methods are developed to provide a high degree of objectivity during the testing process and to ensure consistency across the testing laboratories.

The difference between FIPS 140-2 and FIPS 140-3

FIPS 140-3 special publications5 include information on a variety of requirements including: derived tests; documentation; security policies; security functions; security parameters; authentication; and non-invasive attack mitigation. Many of these changes are still not finalized, but some of the more interesting changes include:

  • Stricter integrity test requirements:
    • Level 2 modules must provide software/firmware integrity testing using digital signatures or HMAC (hash-based message authentication code)
    • Level 3 and Level 4 modules must provide integrity using digital signatures only
  • New required service -- to output the module name/identifier and version that can be mapped to validation records/certificates
  • Key zeroization is required -- for ALL unprotected “Sensitive Security Parameters” (SSP) at all levels, including public keys:
    • Level 2+ require a status indicator when the zeroization process is completed
    • Zeroization of unprotected SSPs can still be done procedurally at Level 1 only
  • Roles, services and authentication – must be met by a cryptographic module’s implementation (not through policy, rules, etc.), for example password size restrictions
  • Non-invasive security – is required for hardware and firmware components of a module, optional for software modules operating in a modifiable operating environment, and the module must protect against a list of non-invasive attacks
  • Lifecycle assurance -- vendor testing -- vendors need to perform their own testing on a module, in additional to the validation lab testing
  • Operational environment -- software modules no longer need to operate in a Common Criteria (CC) evaluated OS or ‘trusted operating system’ in order to meet Level 2 requirements, however, these Level 2 modifiable operational environments require an audit mechanism

Important milestones

  • March 22, 2019 – the Secretary of Commerce approved FIPS 140-3 Security Requirements for Cryptographic Modules
  • September 22, 2019 -- FIPS 140-3 became effective
  • September 22, 2020 -- FIPS 140-3 testing begins through the CMVP
  • September 22, 2021 – only FIPS 140-3 submissions accepted

Transitioning to FIPS 140-3

FIPS 140-2 will be around for a while. Modules can still be submitted and validated to FIPS 140-2 until September 22, 2021. Existing FIPS 140-2 certificates will not be revoked as part of the transition. In fact, FIPS 140-2-certified modules will be valid for a further five years until September 2026.

CMVP will start accepting FIPS 140-3 submissions only on September 22, 2020. After September 22, 2021, only FIPS 140-3 submissions will be accepted.

1https://csrc.nist.gov/publications/detail/fips/140/2/final

2https://csrc.nist.gov/projects/cryptographic-module-validation-program

3https://www.iso.org/standard/52906.html

4https://www.iso.org/standard/72515.html

5https://csrc.nist.gov/projects/fips-140-3-transition-effort/transition-to-fips-140-3

FIPS compliance is critical to working in any regulated industry that stores or collects sensitive information. Thales realizes its importance and has been actively involved in forums and working groups to help define FIPS 140-3, such as the Cryptographic Module User Forum (CMUF) – a group established between labs, vendors and CMVP to help identify improvements for CMVP, and develop documents and map Detailed Test Requirements to ISO 24759.

What’s next?

For the time being there are no actions required on your part. All Thales Luna HSMs are FIPS 140-2 Level 3-validated, offering high assurance encryption key and digital identity protection in tamper-evident hardware roots of trust. Thales will continue working towards FIPS 140-3 validation and enable its customers and partners to benefit from the validation. As in past, early FIPS 140-3 adopters are expected to face challenges in testing and implementation, but we are committed to help clarify and demystify FIPS 140-3. Once the Luna HSMs have been validated to the new standard, we will ensure an easy migration.

Thales can help

Compliance and certifications have always formed a critical part of the Thales product offering. Thales Luna HSMs are validated not only to FIPS 140, but also Common Criteria (CC), Electronic Identification, Authentication and Trust Services (eIDAS), Singapore National Information Technology Security Evaluation Scheme (NITES), Brazil ITI, and more.

Contact us to discuss how Thales can support your migration to new FIPS 140-3-validated products and watch for more blogs and information as FIPS 140-3 milestones are met.

Related Resources

Secure your digital assets, comply with regulatory and industry standards, and protect your organization’s reputation. Learn how Thales can help.

Risk Management Strategies for Digital Processes - White Paper

Risk Management Strategies for Digital Processes with HSMs - White Paper

An Anchor of Trust in a Digital World Business and governmental entities recognize their growing exposure to, and the potential ramifications of, information incidents, such as: Failed regulatory audits Fines Litigation Breach notification costs Market set-backs Brand...

Transaction processing using payShield HSMs - Brochure

Transaction processing using payShield HSMs - Brochure

payShield from Thales is the world’s leading payment HSM, helping to secure an estimated 80% of global point of sale (POS) transactions. As the HSM of choice for payment solution providers and payment technology vendors, it delivers proven integration with all of the leading...

Thales Data Protection on Demand Services - Solution Brief

Thales Data Protection on Demand Services - Solution Brief

Thales Data Protection on Demand is a cloud-based platform that provides a wide range of Cloud HSM and key management services through a simple online marketplace. With Luna Cloud HSM and CipherTrust Key Management services on Data Protection on Demand (DPoD), security is made...

Choosing the Right Cloud HSM - Webinar

Choosing the Right Cloud HSM - Webinar

Join us as we discuss the complexities of managing native cloud HSMs separately, leading to islands of security with different features and rules for each.

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.