An updated Federal Information Processing Standard (FIPS), FIPS 140-3, was approved by the Secretary of Commerce in March of 2019, defining a new security standard to accredit cryptographic modules.
Having undergone an update to FIPS 140-2 from FIPS 140-1 back in 2001; as the first company to achieve a FIPS 140-2 Level 3 validation for a Hardware Security Module (HSM), a cryptographic accelerator along with combined key management; and as the HSM vendor with the most NIST FIPS validations, Thales is here to help you navigate and demystify this future FIPS standard.
FIPS 140 standards are a set of security requirements for cryptographic modules defined by the National Institute of Standards and Technology (NIST) and managed by both the United States and Canada, as part of the Cryptographic Module Validation Program (CMVP). FIPS 140-validated modules are mandatory for protecting keys and performing cryptographic operations for many government applications. In fact, it has become the de facto standard in many other countries and in the private sector, particularly in the financial and payment industries, as FIPS 140 validated HSMs provide confidence and trust when securing cryptographic infrastructures.
FIPS 140-2 is the current version, and has been around since May 2001. It defines a total of 4 security levels, and 11 areas of cryptographic product design and implementation including key management; interfaces; roles; services and authentication; and operating systems. More information about FIPS 140-2 can be found in the Landing Securely on Regulatory Compliance with Thales Luna HSMs blog post.
FIPS 140-3 will supersede FIPS 140-2 and is based on existing international standards with some modifications:
FIPS 140-3 special publications include information on a variety of requirements including: derived tests; documentation; security policies; security functions; security parameters; authentication; and non-invasive attack mitigation. Many of these changes are still not finalized, but some of the more interesting changes include:
FIPS 140-2 will be around for a while. Modules can still be submitted and validated to FIPS 140-2 until September 22, 2021. Existing FIPS 140-2 certificates will not be revoked as part of the transition. In fact, FIPS 140-2-certified modules will be valid for a further five years until September 2026.
CMVP will start accepting FIPS 140-3 submissions only on September 22, 2020. After September 22, 2021, only FIPS 140-3 submissions will be accepted.
FIPS compliance is critical to working in any regulated industry that stores or collects sensitive information. Thales realizes its importance and has been actively involved in forums and working groups to help define FIPS 140-3, such as the Cryptographic Module User Forum (CMUF) – a group established between labs, vendors and CMVP to help identify improvements for CMVP, and develop documents and map Detailed Test Requirements to ISO 24759.
For the time being there are no actions required on your part. Today, all Thales Luna HSMs are FIPS 140-2 Level 3-validated, offering high assurance encryption key and digital identity protection in tamper-evident hardware roots of trust. Thales will continue working towards FIPS 140-3 validation and enable its customers and partners to benefit from the validation. As in past, early FIPS 140-3 adopters are expected to face challenges in testing and implementation, but we are committed to help clarify and demystify FIPS 140-3. Once the Luna HSMs have been validated to the new standard we will ensure an easy migration.
Compliance and certifications have always formed a critical part of the Thales product offering, validating our Thales Luna HSMs to not only FIPS 140, but also Common Criteria (CC), Electronic Identification, Authentication and Trust Services (eIDAS), Singapore National Information Technology Security Evaluation Scheme (NITES), Brazil ITI and more.
Contact us to discuss how Thales can support your migration to new FIPS 140-3-validated products, and watch for more blogs and information as FIPS 140-3 milestones are met.
Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.
Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.