FIPS 140-3 is Coming: Time to Plan

FIPS 140-1 and FIPS 140-2 had quite a bit of longevity. However, FIPS 140-3 is almost here. Based on previous NIST standards development processes, the 140-3 standard will most likely have a publication date of a year from now. So sometime in February/March 2014, FIPS 140-3 will be the dominant federal crypto module certification. Not familiar with FIPS 140 at all?

Federal Information Processing Standard 140

FIPS 140 is a standard meant to coordinate the software and hardware design of cryptographic modules in commercial IT products. The standard identifies what the product must do to restrict software library access to the crypto modules and protect them from unauthorized use. The program, created by the National Institute of Standards and Technology (NIST), is thought to be one of the most successful and pervasive in US Government history.

Part of the standard breaks out specific levels that can be attained.

  • Security Level 1: The lowest of the security requirements. Attaining this level is done by showing compliance on a purely software layer of crypto isolation. This is actually the minimum requirement for most US federal procurements and testing.
  • Security Level 2: A more robust security requirement, as it adds physical tamper-evidence and role-based authentication.
  • Security Level 3: Adds physical tamper-resistance, meaning the crypto modules are not accessible to unauthorized users/libraries.
  • Security Level 4: Adds a physical element against environmental attacks like heat, cold, water, etc.

NIST has accredited 22 test labs within trusted nations to do this testing. They are all listed on NIST's official test lab list: http://csrc.nist.gov/groups/STM/testing_labs/index.html

Once a product has been certified, it is given a certificate and put on the FIPS 140-1 and FIPS 140-2 Validated Products List: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

What’s New with FIPS 140-3

Public law requires NIST to review new cryptographic technologies every five years, so FIPS 140-3 is required. An earlier draft (2007 draft 1) had a 5th security level, but that has since been abandoned in the most recent draft (2009 draft 2). Here are some of the new things that commercial products with crypto libraries need to be aware of with FIPS 140-3:

  • The addition of software/firmware security – gone are the days of loading a new bootable operating system/firmware with embedded security. For example, Cisco has already started including signed IOS binaries called .SSA and .SSP IOS images. Take a look: http://www.networkworld.com/community/node/46950
    • This will likely take the most effort for embedded operating system vendors.
  • Periodic Self-Tests – FIPS 140-2 required power-up and conditional self-tests, but never periodic self-tests.  NIST defines this as, “Acceptable means for the on-demand initiation of periodic self-tests are: resetting, rebooting, and power.”
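
To make the periodic self-test item concrete, here is an added sketch (not from the FIPS 140-3 draft or any vendor's code) of a module that runs known-answer tests at power-up, re-runs them when a timer expires, and refuses service once a test fails. The `CryptoModule` wrapper, its `interval_s` timer and the injectable clock are assumptions of this example; the two test vectors are the published SHA-256 "abc" and RFC 4231 test case 1 values.

```python
import hashlib
import hmac
import time

# Published known-answer vectors: SHA-256 of "abc" (FIPS 180 example) and
# HMAC-SHA-256 from RFC 4231 test case 1.
KATS = {
    "SHA-256": (
        lambda: hashlib.sha256(b"abc").hexdigest(),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ),
    "HMAC-SHA-256": (
        lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    ),
}


class ModuleError(RuntimeError):
    """Raised when the module is in its error state."""


class CryptoModule:
    """Hypothetical wrapper; interval_s is an assumed policy value."""

    def __init__(self, interval_s=3600.0, kats=KATS, clock=time.monotonic):
        self._kats, self._interval, self._clock = kats, interval_s, clock
        self.error_state = False
        self.run_self_tests()  # power-up self-test

    def run_self_tests(self):
        """Run every KAT; any mismatch latches the error state."""
        failed = [name for name, (compute, expected) in self._kats.items()
                  if not hmac.compare_digest(compute(), expected)]
        self._last_run = self._clock()
        self.error_state = self.error_state or bool(failed)
        return failed

    def digest(self, data):
        """SHA-256 service, gated on a fresh and passing self-test."""
        if self._clock() - self._last_run >= self._interval:
            self.run_self_tests()  # periodic self-test is due
        if self.error_state:
            raise ModuleError("self-test failed: crypto services disabled")
        return hashlib.sha256(data).hexdigest()
```

Calling `run_self_tests()` directly gives the on-demand path; the error state is latched, so only constructing a new module (the equivalent of a reset) clears it.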

Get Your Product Development Houses Prepared

The last thing a product needs is to lose a sale based on poor federal certification planning.  There’s no guarantee that a FIPS 140-2 certification will last forever in government procurements (or even be grandfathered).  They are likely to require FIPS 140-3 within a few years of its signature.  So plan well!