FIPS 140-3 Solutions
Published in 2019, FIPS 140-3 Is the Latest Version of the Federal Information Processing Standard Security Requirements for Cryptographic Modules
The industry is now transitioning from FIPS 140-2 to FIPS 140-3. How will this impact technology companies selling to the federal government? Read this page to find more about FIPS 140-3 certification and FIPS 140-3 solutions.
What is FIPS 140-3?
-
FIPS 140-3 is the third update to the FIPS 140 benchmark established by the National Institute of Standards and Technology (NIST) to specify security requirements for cryptographic modules and testing methodology for confirming conformance. It will eventually completely replace FIPS 140-2
-
FIPS 140-3 began validation testing in September 2020 and is based upon the ISO/IEC 19790 international standard
-
NIST issued the first FIPS 140-3 certifications in December 2022
-
FIPS 140-2 testing is now closed, but those certifications will remain valid until they sunset in 2026, so the transition will be gradual. Since SafeLogic’s RapidCert program does not require additional FIPS 140-2 testing, it is not affected by testing being closed.
SafeLogic’s FIPS 140-3 Solution Strategy
-
SafeLogic is actively working on validating FIPS 140-3 modules and obtaining certificates for these validations
-
SafeLogic continues to support and provide FIPS 140-2 validated modules and certificates for its clients
-
SafeLogic continues to keep its clients’ FIPS 140-2 certificates in Active status
-
When FIPS 140-3 certification and solutions are available, SafeLogic will offer its clients the opportunity to migrate to the new modules and certificates
FIPS 140-3 for SafeLogic Customers
-
As a SafeLogic customer, there is no need to worry about the FIPS 140-3 transition because SafeLogic has you covered and can make this happen for you in a seamless fashion, all as part of our MaintainCert white-glove managed service
-
There is absolutely no rush to get to FIPS 140-3 because SafeLogic continues to maintain an active FIPS 140 certification for your company
-
Procurement officers do not care whether you have a FIPS 140-3 or 140-2 certificate as long as you have an Active certificate in your company’s name (i.e., you’re FIPS 140 validated).
-
In addition, at this point, there are almost no 140-3 validated modules, and the length of the 140-3 validation queue is a huge unknown.
How do FIPS 140-2 and FIPS 140-3 Compare?
FIPS 140 security requirements cover areas related to the secure design and implementation of a cryptographic module. FIPS 140-2 imposed requirements in eleven areas, while FIPS 140-3 imposes requirements in twelve.
| FIPS 140-2 Requirement Areas | FIPS 140-3 Requirement Areas |
| Cryptographic Key Management | General |
| Cryptographic Module Ports and Interfaces | Cryptographic Module Specification |
| Cryptographic Module Specification | Cryptographic Module Interfaces |
| Design Assurance | Roles, Services, and Authentication |
| EMI/EMC | Software/Firmware Security |
| Finite State Model | Operational Environment |
| Mitigation of Other Attacks | Physical Security |
| Operational Environment | Non-Invasive Security |
| Physical Security | Sensitive Security Parameter Management |
| Roles, Services, and Authentication | Self Tests |
| Self Tests | Life-Cycle Assurance |
| Mitigation of Other Attacks |
In the past, working with a CMVP lab and NIST to get a new cryptographic module FIPS 140-2 validated and certified could take as long as two years, including backlog time.
While it is too early to tell how long FIPS 140-3 validation and certification will take, given the expanded scope of the FIPS 140-3 requirements it is possible it will take even longer than for FIPS 140-2.