Corsec is often asked when the next version of the Federal Information Processing Standard (FIPS 140-3), is expected to be released. It is an important question as product vendors are trying to adapt their certification strategies; either by validating their products prior to any changes that could sidetrack their current efforts, or by validating post release in order to stay at the forefront of security hardening requirements.
CMVP, the governing body over FIPS in the U.S., recently stated at the International Cryptographic Module Conference (ICMC), that their goal is to have an updated FIPS standard which points to a version of the International Organization of Standardization (ISO) 19790 by the end of 2016. In order to do this, they hope to submit paperwork to the head of the Department of Commerce by November 2016. Which begs the question, why are we discussing an ISO requirement if we are focused on adhering to a FIPS update?
In order to answer this complex question, let’s take a step back and dive into the history of ISO 19790 and FIPS 140.
FIPS 140-2 is a co-sponsored standard developed by the U.S. and Canada to establish specific security requirements for various software and hardware products. For all products that make use of cryptography and are used in security systems that process sensitive but unclassified information, a FIPS validation is required. ISO 19790, which is used internationally, was originally based off of FIPS 140-2 and has continued to evolve over the past ten years. Several countries and industries have accepted ISO 19790 as a baseline standard for security and mandate the products they procure to at a minimum meet this standard. The U.S. and Canada have continued to update and use FIPS 140-2, but after fifteen years of using the current FIPS 140-2 requirements, an overhaul was deemed necessary and thus the conversation around FIPS 140-3 emerged.
At present time, it appears that the U.S. and Canada will continue to use a FIPS, although the FIPS 140-3 will point to ISO 19790 for the requirements. This method of referencing the ISO requirement allows the U.S. and Canada to provide additional guidance deemed necessary by both governing bodies within the FISP 140-3 standard. By creating and keeping their own validation policy, the two governments are able to mandate their own requirements for approved cryptographic algorithms, approved random number generators, and approved key establishment techniques.
There are still CMVP accredited labs all around the world that should continue to be accredited to testing against the coming FIPS 140-3. However, it is important to note that products that only achieve validation against the ISO 19790 standard in Japan, Korea, Turkey, and Spain will not be viewed as the same as achieving FIPS 140-3 through a CMVP accredited lab when it comes to U.S. and Canada federal purchasing.
Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications and requirements: