Which FIPS Validation Is Right? 140-2 or 140-3?

This is a very frequently asked question, and we have been fielding questions from clients on how to deal with FIPS 140-3 for years now.  But, for years the advice has uniformly been:  “Don’t worry about FIPS 140-3; you only need to deal with FIPS 140-2 right now.”  But that’s a very unsatisfying answer, especially when there have been folks actively proclaiming “Woe betide ye, for FIPS 140-3 is nigh upon you… Panic now, and start validating!”  So let’s delve a little more deeply and examine which FIPS validation is right for you.

What is a FIPS Validation?

First off, let’s be clear on what we are talking about:  Federal Information Processing Standards Publication 140-3 (FIPS 140-3) would be a new standard that would replace FIPS 140-2 in the same way that FIPS 140-2 replaced FIPS 140-1.  The government began drafting FIPS 140-3 in 2005, and various versions of the new draft FIPS validation have been released for public comment over the last seven years, most recently in August 2012.  If (or when) FIPS 140-3 is signed there would be a one-year rollover period.  Until that one-year rollover is finished, vendors will be able to start FIPS validation efforts against FIPS 140-2 or FIPS 140-3.  Once the rollover period ends, new FIPS validation efforts will only be able to begin against FIPS 140-3.  This is the same process that happened when FIPS 140-2 was signed.

However, older FIPS validation effort under 140-2 will not expire – they are grandfathered in.  If a product was validated against FIPS 140-2 it can still be sold even when only FIPS 140-3 validations can be started.  In fact, vendors will likely be able to update any FIPS validation for products long after FIPS 140-3 is published.  Any government requirement for FIPS 140-3 will also be satisfied by FIPS 140-2.  For this reason, any FIPS validation (whether it be for FIPS 140-2 or FIPS 140-3) will remain valuable for customers selling to the federal government.

So if both versions of the standard were in effect, which one would a vendor want to pursue?  Since every draft of FIPS 140-3 has increased the security requirements, documentation requirements, and validation complexity, it is a sure bet that the newer FIPS validation will cost more effort for a vendor.  Furthermore, since FIPS 140-3 will be a new standard with entirely new Derived Test Requirements (especially for the proposed non-invasive physical security testing portions), there will be extra time arguing with laboratories and the CMVP on exactly how those are applied.  Thus, FIPS 140-3 validation will initially be a bit of a bleeding-edge experience, and FIPS 140-2 will be a known quantity, but both will satisfy the same government requirement.

About the only solid argument I’ve heard for choosing to pursue FIPS 140-3 over FIPS 140-2 is that there may be a marketing advantage for having the newer, shinier FIPS validation standard met.  However, my experience was that when FIPS 140-2 came out, many vendors kept dusting off their FIPS 140-1 validations (and even updating them) for three to five years before they saw the necessity to replace with FIPS 140-2.  There seemed to be marginal value to bragging on having met FIPS 140-2 first.  But that’s no reason not to prepare for FIPS 140-3 where one can do so economically.  So we have been advising our customers for years to implement requirements that have been included in most FIPS 140-3 drafts rather than the more lax ones in FIPS 140-2 – especially where those requirements do not cause significant product delay or development costs.

So when exactly will FIPS 140-2 actually be gone?  Pay no attention to the folks saying “The end is nigh.”  The development efforts on FIPS 140-3 were transferred a little over a year ago from the CMVP folks who work actively on FIPS 140-2 testing to another group within NIST.  After that transition, the new FIPS 140-3 draft development faced some complications, not the least of which is that work did not stop on ISO 19790.  ISO 19790 was at first an internationalized version of FIPS 140-2 that matched FIPS 140-2 requirements exactly, but the latest version diverged from the FIPS 140-3 drafts, but was more in line with what the CMVP would like to see in a new FIPS validation standard.  This may have caused additional delays to better harmonize FIPS 140-3 with ISO 19790, which is happening now.

So again, when exactly will FIPS 140-2 be dead and done!? Well, if they were to agree on a draft of FIPS 140-3, then it must be published in the federal register, may require a public comment cycle (let’s say there’s only one cycle and that takes six months for sake of argument), and put it on the Secretary of the Department of Commerce’s desk for signature.  Let’s assume that the Secretary (a political appointee) has actually been appointed (an acting Secretary would not normally sign a FIPS validation), and signs the law within six months (which is a reasonable pace for FIPS validation progress).  Let’s further assume that the overworked folks at the CMVP also write and publish Derived Test Requirements for FIPS 140-3 in less than six months after the standard is published (not a safe assumption, but it’s possible).  Okay, given all of these assumptions… add in the leap year… carry the one… Hmm… Maybe you should start your validation effort against FIPS 140-2, finish that validation, sell lots of products on new federal deals, and we’ll still have time to help you revalidate against FIPS 140-3 as soon as it’s published.