FIPS 140-3 is the long-awaited update to FIPS 104-2 which was established on May 25, 2001. This updated validation process is finally capable of addressing the cryptographic modules that have evolved since 2001.
This validation process includes testing with respect to certain standards or protocols and then the issuing of an official certificate from NIST (National Institute of Standards and Technology) confirming compliance with FIPS 140-3.
The Federal Information Processing Standard (FIPS) is a series of standards by the U.S. Government designed to keep both cryptographic modules secure.
FIPS specifies the security requirements for cryptographic modules with a primary focus on protecting sensitive but unclassified information. The standards are mandated by the United States and Canadian governments.
A FIPS validation certificate is the minimum security requirement for whitelisting technology programs in both government and regulated industries such as legal, finance, healthcare.
The FIPS 140 series establishes one overall validation scheme applicable to all cryptographic modules regardless of their purpose or end-use application.
Under the Federal Information Security Management Act (FISMA), the following entities are required to abide by FIPS standards:
Other industries such as finance and healthcare, are also opting to adhere to FIPS standards because of its advanced focus on protecting sensitive data.
The primary differentiator between the two standards is that FIPS 140-3 incorporates two existing standards with slight modifications to its annexes.
The ISO/IEC 19790:2012 specifies the requirements for selecting, using, and managing cryptographic modules to improve the protection of sensitive resources.
Just like FIPS 140-2, this standard specifies four levels of security for each of the 11 requirements areas, where the degree of security increases as each level progresses.
ISO 24759:2017 will become the derived testing requirement for all testing labs, The methods outlined in this document specifies objective test requirements to enforce a unified testing process across all testing laboratories.
The requirements of both ISO/IEC 19790:2012 and ISO 24759:2017 are harmonized so that conformance to the testing standards specified in ISO 24759:2017 demonstrates compliance with ISO/IEC 19790:2012.
The International FIPS 140-3 standard is now more closely aligned with international ISO/IEC standards, so vendors and organizations will find it easier to upgrade to the new standards.
FIPS 140-2 only addressed security requirements after completion, but FIPS 140-3 now evaluates security requirements at all stages of cryptographic module creation - design, implementation, and final operational deployment.
Some other general differences between the two standards are outlined below:
The self-test differences between 140-2 and 140-3 are outlined below:
The differences between services, authentication and roles are outlined below:
The physical security differences between FIPS 140-2 and FIPS 140-3 are outlined below. These changes primarily occur at security levels 3 and 4.
The software and OS security differences between FIPS 140-2 and FIPS 140-3 are as follows:
Refer to the following list for updated information about FIPS 140-3 compliance and the specific revisions to legacy 140-2 standards.
If you don't comply with FIPS 140-3, you're at risk of hefty fines imposed by NIST.
An undervalued benefit of compliance is the confirmation that all processes are operating as expected. By not pursuing FIPS 140-3 validation, this verification from an independent body is not received, which could lead to reduced interoperability and poor IT system integrations.
FIPS 140-3 validation is mandatory for all entities that process Sensitive But Unclassified (SBU) information relating to federal government departments. This includes third-party vendors, contractors, cloud technology providers, and any organization deploying solutions into a U.S federal agency SBU ecosystem.
For more details on the FIPS 104-3 validation process, refer to the FIPS 104-3 implementation guide by the National Institute of Standards and Technology Canadian Centre for Cyber Security
The security of your sensitive resources must be maintained long after receiving your FIPS 140-3 validation certificate. UpGuard combines data leak detection with Third_Party Risk management to create the world's most comprehensive attack surface monitoring solution
Test the vulnerability of your website, CLICK HERE for a FREE instant security score now.