The FIPS 140-3 Rumors Are True

There is a high level of excitement from industry insiders today as NIST has finally made an official announcement about FIPS 140-3.

The most important takeaway? We have plenty of time to get ready.

FIPS 140-3 testing will not begin until September 22, 2020 while FIPS 140-2 testing will continue for a full year after that. That would indicate that Federal agencies will continue to accept current, active, and maintained FIPS 140-2 validations until 2026, when the last of the certificates are sunsetted. That’s more than 7 years from now.

As far as the standard itself, the rumors were true. NIST felt comfortable enough with ISO 19790 to use it as the basis for FIPS 140-3. They had participated in a leadership role in the development of updates to ISO 19790 in recent years and had prioritized the unification with international standards and streamlined process for the sake of technology vendors.

From the NIST news post:

“Technology changes rapidly,” said NIST computer scientist Mike Cooper. “Testing takes a long time and every day a company spends on it is a day its product is not on the market. We want to minimize that, because there’s a limited time window before a product becomes obsolete.”

Well that sounds like something straight out of the SafeLogic playbook, doesn’t it?

NIST will be issuing Annex publications that are designed to modify the guidance in ISO 19790 and create limitations on which functions are approved for US federal agency deployment. This will essentially make FIPS 140-3 a square amongst ISO 19790 rectangles. All FIPS 140-3 validated modules will be acceptable around the world, since the US benchmarks will be tighter than the published international standards, but not vice versa.

Again, from the NIST news post:

Because countries use varied encryption approaches, NIST is also creating a set of six other publications that list the algorithms that are approved for use within the U.S. These are NIST Special Publication (SP) 800-140 Volumes A-F, which function as an appendix to FIPS 140, and will be available at a later date. The SP volumes list what are essentially a subset of the algorithms that meet the ISO standard.

“These algorithms match up subject for subject with the ISO document,” Cooper said. “Putting them in this appendix allows the U.S. to adopt the ISO standard but still retain some control over what we allow.”

Regardless of the restrictions placed on tested modules by the Annex documents, the SafeLogic team is ready. The ISO 19790 standard, along with the ISO 24759 testing protocols, have been around for a while and are very familiar. Your existing RapidCert isn’t going anywhere, and when it’s time to transition, we’ll take care of you. That is a big part of the value that SafeLogic brings - you can tune out the noise, stay focused on your core product, and know that we have it covered. There will be no lapse in compliance, no loss of validated status, and no disturbance to your sales cycle.

If you’ve been considering whether or not to tackle FIPS 140-2, this should not affect your strategic decision. This version of the FIPS 140 standard will still be relevant for the next 7 years, remaining as the requirement for eligibility for procurement in federal and other regulated industries. Are you future-proofing anything else in your product for more than 7 years? Probably not. Kudos if you are, though.

No doubt there will be some false starts as the industry shifts to FIPS 140-3, which is a main reason for the extended transition time. SafeLogic will be aggressive in the pursuit of FIPS 140-3 and we will offer RapidCert for it, but don’t leave money on the table or risk market share by waiting. Proceed as planned, and we’ll take care of the transition when it’s time. This is what we do best.