Important News:CryptoComply FIPS 140-3 Early Access Program is now open. Learn more!

What is FIPS 140-3? Understanding Federal Information Processing Standard 140-3

FIPS 140-3 Solutions

The industry is now transitioning from FIPS 140-2 to FIPS 140-3.  How will this impact technology companies selling to the federal government?  Read this page to find more about FIPS 140-3 certification and FIPS 140-3 solutions.

What is FIPS 140-3?

  • FIPS 140-3 is the third update to the FIPS 140 benchmark established by the National Institute of Standards and Technology (NIST) to specify security requirements for cryptographic modules and testing methodology for confirming conformance. It will eventually completely replace FIPS 140-2

  • FIPS 140-3 began validation testing in September 2020 and is based upon the ISO/IEC 19790 international standard

  • NIST issued the first FIPS 140-3 certifications in December 2022

  • FIPS 140-2 testing is now closed, but those certifications will remain valid until they sunset in 2026, so the transition will be gradual. Since SafeLogic’s RapidCert program does not require additional FIPS 140-2 testing, it is not affected by testing being closed.

FIPS 140-3

 

SafeLogic's FIPS 140-3 Solution Strategy

FIPS 140-3 EAP

 

Learn More About the FIPS 140-3 Early Access Program

  • SafeLogic's FIPS 140-3 version of CryptoComply has completed the "Implementation Under Test" phase where it went through extensive testing at a FIPS 140-3 certified lab. It is now on NIST's FIPS 140-3 "Module in Process" list

  • SafeLogic customers can download and test the pre-certified versions of CryptoComply FIPS 140-3 by joining the Early Access Program
  • SafeLogic continues to support and provide FIPS 140-2 validated modules and certificates for its clients

  • SafeLogic continues to keep its clients’ FIPS 140-2 certificates in Active status

  • When FIPS 140-3 certification and solutions are available, SafeLogic will offer its clients the opportunity to migrate to the new modules and certificates 

FIPS 140-3 for SafeLogic Customers

  • As a SafeLogic customer, there is no need to worry about the FIPS 140-3 transition because SafeLogic has you covered and can make this happen for you in a seamless fashion, all as part of our MaintainCert white-glove managed service

  • There is absolutely no rush to get to FIPS 140-3 because SafeLogic continues to maintain an active FIPS 140 certification for your company

  • Procurement officers do not care whether you have a FIPS 140-3 or 140-2 certificate as long as you have an Active certificate in your company’s name (i.e., you’re FIPS 140 validated).

  • In addition, at this point, there are almost no 140-3 validated modules, and the length of the 140-3 validation queue is a huge unknown.

FIPS-140-3-CMVP_Management_Manual_v2_0-3_pdf

 

How do FIPS 140-2 and FIPS 140-3 Compare?

FIPS 140 security requirements cover areas related to the secure design and implementation of a cryptographic module. FIPS 140-2 imposed requirements in eleven areas, while FIPS 140-3 imposes requirements in twelve.

FIPS 140-2 Requirement Areas FIPS 140-3 Requirement Areas
Cryptographic Key Management General
Cryptographic Module Ports and Interfaces Cryptographic Module Specification
Cryptographic Module Specification Cryptographic Module Interfaces
Design Assurance Roles, Services, and Authentication
EMI/EMC Software/Firmware Security
Finite State Model Operational Environment
Mitigation of Other Attacks Physical Security
Operational Environment Non-Invasive Security
Physical Security Sensitive Security Parameter Management
Roles, Services, and Authentication Self Tests
Self Tests Life-Cycle Assurance
  Mitigation of Other Attacks

 

In the past, working with a CMVP lab and NIST to get a new cryptographic module FIPS 140-2 validated and certified could take as long as two years, including backlog time.

While it is too early to tell how long FIPS 140-3 validation and certification will take, given the expanded scope of the FIPS 140-3 requirements it is possible it will take even longer than for FIPS 140-2.

Want to learn more about how SafeLogic can help with your FIPS 140-3 effort? Speak with one of our experts!