The latest revision of the FIPS 140 is finally here!
On May 1, 2019, the Federal Information Processing Standard (FIPS) 140-3 was signed by the US Secretary of Commerce, as published in this Federal Register Notice. The FIPS 140-3 will be effective as of September 22, 2019 and testing against the new standard will begin a year later, on September 22, 2020. FIPS 140-2 testing will continue for at least a year after FIPS 140-3 testing begins. Certificates have a 5 year sun-set period, so it is expected that both FIPS revisions will coexist for some years.
After FIPS 140-1 in 1994 and FIPS 140-2 in 2001, this is the third release of this de facto security measuring bar for any IT product implementing or using cryptography. It is a standard with which nCipher has a long pedigree, as altogether the company has achieved more than 120 Level 2 and Level 3 certificates. In fact, nCipher’s first ever FIPS certificate is about to reach the age of majority. We also have the honor to be the first company to achieve a level 3 validation to the FIPS 140-1 standard for a combined key management and cryptographic accelerator, and to be the first company to achieve a FIPS 140-2 validation for a Hardware Security Module.
Both security and technology move at a rapid pace, and an update to FIPS 140 was long overdue. FIPS 140-3 is a wrapper of ISO/IEC 19790:2012 and ISO/IEC 24759:2017, which was developed from FIPS 140-2 and the initial drafts of FIPS 140-3. To assist in developing products for validation, NIST will also introduce the SP 800-140 series of Special Publications, and Implementation Guidance documents as a means to have control over approved cryptographic mechanisms, testing and documentation requirements. The fact that NIST is leveraging the use of international standards and promoting collaboration forums such as the Cryptographic Module User’s Forum (CMUF), where developers, labs and other industry stakeholders can interact, comment and even create working groups to tackle real problems are a recognition that modern security certifications are best developed as a community effort. Promoting the use of ISO/IEC 19790 could open the door to an international harmonization of test and validation results and it will also be very interesting to see how this plays out with the cybersecurity and certification initiatives that are happening in the EU.
ISO/IEC 19790:2012 introduces exciting enhancements to the security requirements. To highlight a few:
- The approved mode of operation indicator is applicable to all levels and has to be reported by each service offered by the module
- Stricter zeroisation requirements on Critical Security Parameters (CSPs)
- Authentication data complexity is no longer allowed to the enforced by procedural means and must be enforced by the module
- Physical security at Level 3 now requires the module to detect and react to out of range voltage or temperature (EFP), or alternatively undergo environmental failure testing (EFT). For Level 4, EFP and protection against fault injection is now required
- Introduction of multiple factor authentication requirement for Level 4. New assurance requirements for the development lifecycle of the module. It introduces key security practices such as developer testing of the module and the use of automated security diagnostic tools, e.g. static analysis
- Non-invasive security is introduced as an optional requirement and will cover guidance for testing against side channel attacks
The use of FIPS 140 validated modules for key protection and cryptographic operations is mandatory for government applications in the United States and Canada, and in many other countries. Many entities in the private sector also require FIPS 140. At nCipher we welcome the new standard and we are already looking forward to taking our products to the next step, ready and validated against FIPS 140-3!