FIPS 140-3

The Federal Information Processing Standard (FIPS) Publication 140-3 is an announced update to the U.S. government computer security standard used to accredit cryptographic modules. The title of the standard is Security Requirements for Cryptographic Modules, and FIPS 140-2 remains the currently approved version. Efforts to update FIPS 140-2 date back to the early 2000s. The FIPS 140-3 (2013 Draft) was scheduled for signature by the Secretary of Commerce in August 2013; however, that never happened and the draft was subsequently abandoned. In 2014, NIST released a substantially different draft of FIPS 140-3, which effectively directed the use of an International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standard, 19790:2012, as the replacement for FIPS 140-2. The 2014 draft of FIPS 140-3 was also abandoned. On August 12, 2015, NIST formally released a statement in the Federal Register asking for comments on the potential use of portions of ISO/IEC 19790:2014 in the update of FIPS 140-2. The reference to a 2014 version of ISO/IEC 19790 was an inadvertent error in the Federal Register posting, as 2012 is the most recent version.

The update process for FIPS 140 has been hamstrung by deep technical issues in topics such as hardware security[1] and by apparent disagreement within the US government over the path forward. The now-abandoned 2013 draft of FIPS 140-3 had required mitigation of non-invasive attacks when validating at higher security levels, introduced the concept of a public security parameter, allowed the deferral of certain self-tests until specific conditions are met, and strengthened the requirements on user authentication and integrity testing. It remains unclear whether these issues will be addressed in the ultimately approved release of FIPS 140-3.

Purpose

The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptographic modules that include both hardware and software components. Federal agencies and departments can validate that the module in use is covered by an existing FIPS 140-2 certificate that specifies the exact module name, hardware, software, firmware, and/or applet version numbers. The cryptographic modules are produced by the private sector or open source communities for use by the U.S. government and other regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information. A commercial cryptographic module is also commonly referred to as a hardware security module.

Cryptographic Module Validation Program

FIPS 140-2 establishes the Cryptographic Module Validation Program (CMVP) as a joint effort by NIST and the Communications Security Establishment (CSEC) of the Canadian government.[2]

Security programs overseen by NIST and CSEC focus on working with government and industry to establish more secure systems and networks by developing, managing and promoting security assessment tools, techniques, services, and supporting programs for testing, evaluation and validation. These programs address areas such as: development and maintenance of security metrics, security evaluation criteria and evaluation methodologies, tests and test methods; security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research to address assurance methods and system-wide security and assessment methodologies; security protocol validation activities; and appropriate coordination with assessment-related activities of voluntary industry standards bodies and other assessment regimes.

Approval and issuance

On March 22, 2019, the United States Secretary of Commerce Wilbur Ross approved FIPS 140-3, Security Requirements for Cryptographic Modules, to succeed FIPS 140-2.[3] According to the announcement, FIPS 140-3 will become effective on September 22, 2019. Validated through the Cryptographic Module Validation Program (CMVP), FIPS 140-3 testing will begin September 22, 2020. After FIPS 140-3 testing begins, FIPS 140-2 testing will continue for at least a year, so the two standards will coexist for some time.

References

  1. "Proceedings of the NIST Physical Security Testing Workshop". NIST. September 26, 2005. Archived from the original on March 4, 2016. Retrieved January 10, 2016.
  2. "Cryptographic Module Validation Program". csrc.nist.gov. National Institute of Standards and Technology. May 8, 2019. Retrieved May 29, 2019.
  3. "Announcing Approval and Issuance of FIPS 140-3, Security Requirements for Cryptographic Modules". www.nist.gov. National Institute of Standards and Technology. May 1, 2019. Retrieved May 29, 2019.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.