Quick Overview: FIPS 140-3

FIPS 140 series is a well-known standard in the field of cryptography. FIPS stands for Federal Information Processing Standard and it basically provides security requirements for cryptographic modules. This standard is mandated by the US and Canada for compliance with products that use cryptography. Although, many other governments use this standard for evaluating crypto-based products.

New standard FIPS 140-3 based on existing ISO/IEC 19790 and ISO/IEC 24759 has been released and it will succeed FIPS 140-2. This standard specifies four levels of security levels for each of the 11 requirements areas.

Related Standards: FIPS 140-3

ISO/IEC 19790: 2012 provides security requirements for cryptographic modules.

ISO/IEC 24759: 2017 provides Derived Testing Requirements (DTRs).

ISO/IEC 20543: 2019 provides security techniques for Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408.

ISO/IEC 29128-1:2023 provides a framework for the verification of cryptographic protocols.

ISO/IEC 18367:2016 provides Security techniques for cryptographic algorithms and security mechanisms conformance testing.

ISO/IEC 17825:2016 provides security techniques for testing methods for the mitigation of non-invasive attack classes against cryptographic modules.

ISO/IEC TS 30104:2015 provides security techniques for Physical Security Attacks, Mitigation Techniques, and Security Requirements.

March 22, 2019: Fips 140-3 officially signed by US authorities

NIST SP 800-140 series serves as the requirements of CMVP.

The list of NIST 800-140 series is listed below:

(1) NIST SP 800-140: FIPS 140-3 Derived Test Requirements (DTR)

(1) NIST SP 800-140A: Vendor Documentation Requirements for eleven requirements (ISO Annex A)

(2) NIST SP 800-140B: Module Security Policy Requirements (ISO Annex B)

(3) NIST SP 800-140C: Approved Security Functions such as block ciphers, asymmetric encryption, MAC, key management, random bit generation, etc. (ISO Annex C)

(4) NIST SP 800-140D: Sensitive Security Parameter Key Generation and Sensitive Security Parameter Key Establishment (ISO Annex D)

(5) NIST SP 800-140E: Approved Authentication Methods (ISO Annex E)

(6) NIST SP 800-140F: Approved non-invasive attack mitigation test metrics (ISO Annex F)

FIPS 140-3 Requirements and Security Levels

New Terms used in FIPS 140-3

(1) Public Security Parameters (PSP)

Public Keys, certificates, etc.

(2) Critical Security Parameters (CSP)

Secret and Private cryptographic keys, authentication data, etc.

(3) Sensitive Security Parameters (SSP)

It includes both PSPs and CSPs. Automated SSP transport or SSP agreement using approved methods.

(4) Confidentiality and integrity-related requirements with CSPs

(5) Only integrity-related requirements for PSPs

(6) Pre-Operational self-tests

(7) Periodic self-tests

(8) Conditional fault test: Self-test must fail on detecting a fault in a cryptographic algorithm.

(9) Vendor Testing is required at all levels.

(10) Low-level testing is required at SL3 and SL4

(11) End of Life: SL1 requires a procedure for secure sanitization while SL3 and SL4 require a procedure for secure destruction of the module.

Implementation Schedule

Date	Activity
March 22, 2019	FIPS 140-3 Approved
September 22, 2019	FIPS 140-3 Effective Date Draft of SP 800-140x available for public comment
March 22, 2020	Publication of SP 800-140x series
September 22, 2020	CMVP accepts FIPS 140-3 submission
September 21, 2021	CMVP stops accepting FIPS 140-2 for new certificates
September 22, 2026	Remaining FIPS 140-2 certificates move to the Historical list