FIPS 140-3 Certification:
Validate with Confidence
Accelerate your product’s journey to FIPS 140-3 validation with Corsec’s proven expertise & end-to-end support for validation.

What is FIPS 140-3?
The Federal Information Processing Standard 140-3 (FIPS 140-3) is the most recent U.S. and Canadian co-sponsored security standard for hardware, software, and firmware solutions. In U.S. government procurement, all solutions that use cryptography must complete FIPS 140-3 validation to ensure end users receive a high degree of security, assurance, and dependability. While FIPS certification is mandated only for U.S. federal purchases, industries like healthcare, finance, critical infrastructure, and IoT often rely on it as a benchmark for evaluating product security.
Corsec’s end-to-end FIPS validation support guides companies through the certification process, navigating the nuances and difficulties of the program seamlessly and efficiently for clients.
FIPS Compliant & FIPS Inside:
Pursuing FIPS 140-2 / FIPS 140-3 validation for your product is a great way to strengthen security. However, there is a substantial difference between achieving FIPS 140 validation and claiming your product is “FIPS compliant”. To clarify, Corsec has developed a quick reference guide to explore this topic further:
FIPS Process: Done Once, Done Right
FIPS 140-3 validation requires extensive analysis of the product for gaps, documentation creation, algorithm and entropy testing, lab review, and assistance through final CMVP certification issuance.

Corsec’s End-to-End Validation Methodology outsources all facets of the certification process – decreasing risk, increasing security, and accelerating sales; ultimately guaranteeing success: Done Once, Done Right!
Selecting the appropriate approach for your FIPS 140-3 validation is essential. Depending on your product’s architecture, the validation level chosen, the boundary you draw, and the required engineering changes, your path to certification could vary significantly. Therefore, careful planning upfront is critical.
FIPS Mandates: Applicability & Adoption
The use of FIPS 140-3 validated products is mandated by Section 5131 of the Information Technology Management Reform Act of 1996.
All products sold into U.S. federal agencies are required to complete FIPS 140-3 validation if they use cryptography in security systems that process Sensitive But Unclassified (SBU) information.
Security requirements are outlined in full within the NIST FIPS 140-3 PUB.
FIPS Requirements: Testing & Criteria

FIPS 140-3 defines eleven Derived Test Requirements (DTRs) that specify the criteria necessary to demonstrate conformance to the standard. In addition, each section describes the methods that a testing lab will use to test the module. Note that the eleven sections of FIPS 140-3 have been updated from the previous FIPS 140-2 version of the standard:
- Cryptographic Module Specification
- Software / Firmware Security
- Operational Environment
- Non-Invasive Security
- Self-Tests
- Mitigation of Other Attacks
- Cryptographic Module Interfaces
- Roles, Services, & Authentication
- Physical Security
- Sensitive Security Parameter Management (SSPs)
- Life-Cycle Assurance
FIPS Levels: Security Evaluation
Within each of the eleven DTRs, there are four increasing qualitative security levels. At each level, greater amounts of evidence and engineering are required of the product in order to show compliance with the standard. FIPS 140-3 retains the four levels of validation: