The countdown is on. As of September 22, 2021, FIPS 140-2 will be sunset and only FIPS 140-3 validations can be submitted to the Cryptographic Module Validation Program (CMVP). In this latest post, we cover the key differences in the versions and where to find additional information.
FIPS 140-3 – Good to Know
If you are familiar with the technical requirements of 140-2, here are some key changes that come into effect with the new version of the standard, 140-3:
- Normal and optional support of a degraded operating mode
- New Logical Interfaces:
- Software or Firmware Module Interface (SFMI)
- Hardware Module Interface (HMI)
- Hybrid Software or Hybrid Firmware Module Interface (HSMI or HFMI)
- Control Output Interface
- Trusted Channel (SL3 – SL4)
- Mandatory services are show module name, version & zeroization
- New section on Software/Firmware Security
- Physical security now includes testing over the full operating range and EFP/EFT
- New section Non-Invasive Security – mitigate against non-invasive attacks
- Sensitive Security Parameter (SSP) management where an SSP is either a Critical Security Parameter (CSP) or a Public Security Parameter (PSP)
- Pre-operational and conditional self-tests – most self-tests are now conditional
- Life-Cycle Assurance covers design, CMS and the Finite State Model (FSM)
Key FIPS 140-3 Documents:
- FIPS 140-3 Project Pages: FIPS 140-3 Final andFIPS 140-3 Requirements and Management Documents
- FIPS 140-3 Standard (ISO/IEC 19790:2012: Security Requirements for Cryptographic Modules)
- FIPS 140-3 Derived Test Requirements (DTR) (ISO/IEC 24759:2017: Information technology — Security techniques — Test requirements for cryptographic modules)
- FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759 which includes links to the SP 800-140A-F documents
- See ISO/IEC 19790:2012 Annex A for a detailed list of Documentation Requirements.
FIPS 140-3 Summary
(Source: INCITS/ISO/IEC 19790:2012(2014))
Lightship Security are FIPS 140 testing experts and one of the fastest growing FIPS test labs in the program. If you need support on your upcoming FIPS 140 validation or would like to be on our FIPS updates distribution list, contact us.
Jason has been involved in the leadership of different cyber security companies, including being responsible for the accreditation, management and profitable growth of several government-accredited IT security laboratories. Jason drives the Lightship vision of modernizing the product certification landscape.
James Ramage
James Ramage is a senior FIPS evaluator at Lightship. He has been doing FIPS evaluations and security certifications for 5+ years and enjoys working with customers, training team members and evaluating new technologies.