FIPS 140-3 FAQ

What is FIPS 140-3?

FIPS 140-3 will be a newly revised version of the current Federal Information Processing Standards Publication 140-2: Security Requirements for Cryptographic Modules. The new standard provides a set of cryptographic module requirements that a product must satisfy before being considered for government acquisition.

On December 11, 2009, NIST released the second public draft of the proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007. The FIPS 140-3 Software Security Workshop was held on March 18, 2008 (to view the Federal Register Notice about released of revised Draft FIPS 140-3).

While the 2007 Draft proposed five levels of security, the Revised Draft FIPS 140-3 reverts to four levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines associated security requirements, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4.

Changes from the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing.

Why is a new FIPS 140 release planned?

By mandate, NIST must review all Federal Information Processing Standards Publications every five years to determine if the standards should be modified, kept intact, or deprecated as technology and government needs change. FIPS 140-2 was released in 2001 and was due for review in 2006. However, the CMVP had already begun planning for an update for FIPS 140-2 to reflect the ever-changing security technology industry. Although the existing FIPS 140-2 standard does a good job of addressing many validation needs, FIPS 140-3 will strengthen and update requirements in the face of new technologies, attacks, and techniques.

What will happen to FIPS 140-2?

The new FIPS 140-3 will eventually completely replace FIPS 140-2. Once FIPS 140-3 is released, we expect to see much of same transition rules as we saw in the FIPS 140-1 to FIPS 140-2. As with the prior transition we expect to see a one year rollover and previous FIPS 140-2 validations most likely will not expire.

Due to the more stringent revised requirements of the new release, it will likely be much more difficult to obtain FIPS 140-3 validation. For this reason, Corsec expects to see a rush of vendors who want to achieve FIPS 140-2 validation before the end of the one-year rollover period.

Revalidation will be possible under FIPS 140-2 still, but most new versions will have to undergo a FIPS 140-3 validation after some time. Technically, a FIPS 140-3 revalidation might be called a new validation. However, FIPS 140-3 is just an evolution of FIPS 140-2, because most of the technical points and work done for the prior validation can be reused.

Due to our past experiences with the transition from FIPS 140-1 to FIPS 140-2, we recommend that vendors looking to pursue a validation consult with Corsec as early as possible to avoid many common obstacles. We have successfully led many vendors through this transition period and have the expertise to transition you through quickly and efficiently.

Should I pursue FIPS 140-2 or wait for FIPS 140-3?

FIPS 140-2, like all Federal Information Processing Standards is periodically reviewed; and changes and revisions are expected to be published in the form of the new FIPS 140-3. However, the draft FIPS 140-3 has not yet been finalized let alone signed into law. Although NIST is moving quickly towards this, it still takes significant time to publish and sign a FIPS into law. In addition, we expect NIST to provide transition time between the two standards, including roughly a one year rollover. FIPS 140-2 was signed into law in March 2001, but FIPS 140-1 validations could still be issued until March 2002. Thus, although plans for FIPS 140-3 are under way, vendors may still comfortably pursue FIPS 140-2 for some time.

We recommend that vendors pursue FIPS 140-2 now rather than wait for FIPS 140-3 to be published. A FIPS 140-2 validation should be grandfathered under 140-3 (and thus not require revalidation under 140-3 for the same product version). Achieving a FIPS 140-2 validation now will allow vendors to sell into additional markets while FIPS 140-3 is still being transitioned in.

Typically NIST has gradually raised the bar on revisions and modifications to the FIPS 140 series, and we expect FIPS 140-3 to be stricter and slightly more difficult for some vendors to achieve. If this is the case (as it was for FIPS 140-1 / FIPS 140-2), then there will be a rush of vendors seeking FIPS 140-2 before FIPS 140-3 becomes the only option. Vendors planning projects that won’t be ready for FIPS testing before FIPS 140-3 is published should prepare for FIPS 140-3 now, but in most instances Corsec can complete validations before FIPS 140-3 is an option.

Is NIST accepting comments on the new release?

The comment period for the second public draft has ended. You can download the draft here . This document was released on December 11, 2009 and comments were accepted until March 11, 2010.

The first public draft of FIPS 140-3 was released on July 13, 2007. The draft was available for public review and comment until October 11, 2007.

When should we start looking at FIPS 140-3?

Even though FIPS 140-3 is still in draft phase, it is always good to start early in the development process since any FIPS 140 validation effort takes time and planning. In some instances, it may take 6 months or more to prepare for a FIPS 140 validation effort. Therefore, it is best to consider all options as early as possible in order to reap the most benefits and ROI from your validation effort.

Corsec saw many customers through the transition from FIPS 140-1 to FIPS 140-2 and can represent you if you have concerns regarding the FIPS 140-3 draft. We provide services that help to educate you in regards to the many options you now face. Our customized requirements and analysis tutorials are designed to help you plan your approach and avoid potential obstacles.

The best place to start with the validation process is with a Corsec 2-day workshop, during which time two Corsec experts visit your facility and conduct an in depth evaluation and training session with your team, including representatives from C-level management, engineering, development, sales and marketing. The workshop covers the entire validation process and requirements.

At the end of the two-day course, Corsec provides a written report that evaluates your specific product as it relates to each validation standard. We also provide a roadmap of each milestone required to secure your validation, and a firm fixed price quote that covers our fee to have us manage your validation beginning to end. Should you decide to hire Corsec to provide this turn-key service, you’ll know up front the cost, timeframe and level of effort involved, and you’ll know that when we’re finished, you will have completed your successful product certification.

Can I copy this FAQ?

This FAQ is © 2007 Corsec Security, Inc.; all rights reserved. If you contact us and tell us how you want to use the FAQ, we will almost surely grant you permission to do so in writing.