What is FIPS 140-3? The Critical Updates You Must Be Aware Of

FIPS 140-3 is the long-awaited update to FIPS 104-2 which was established on May 25, 2001. This updated validation process is finally capable of addressing the cryptographic modules that have evolved since 2001.

This validation process includes testing with respect to certain standards or protocols and then the issuing of an official certificate from NIST (National Institute of Standards and Technology) confirming compliance with FIPS 140-3.

What are the FIPS Series of Standards?

The Federal Information Processing Standard (FIPS) is a series of standards by the U.S. Government designed to keep both cryptographic modules secure.

FIPS specifies the security requirements for cryptographic modules with a primary focus on protecting sensitive but unclassified information. The standards are mandated by the United States and Canadian governments.

A FIPS validation certificate is the minimum security requirement for whitelisting technology programs in both government and regulated industries such as legal, finance, healthcare.

The FIPS 140 series establishes one overall validation scheme applicable to all cryptographic modules regardless of their purpose or end-use application.

Under the Federal Information Security Management Act (FISMA), the following entities are required to abide by FIPS standards:

• U.S government agencies
• U.S government contractors
• Third-parties working for federal government agencies
• Cybersecurity organizations selling to regulated industries

Other industries such as finance and healthcare, are also opting to adhere to FIPS standards because of its advanced focus on protecting sensitive data.

What is the Difference Between FIPS 140-2 and FIPS 140-3?

The primary differentiator between the two standards is that FIPS 140-3 incorporates two existing standards with slight modifications to its annexes.

ISO/IEC 19790:2012 - Security Requirements for Cryptographic Modules

The ISO/IEC 19790:2012 specifies the requirements for selecting, using, and managing cryptographic modules to improve the protection of sensitive resources.

Just like FIPS 140-2, this standard specifies four levels of security for each of the  11 requirements areas, where the degree of security increases as each level progresses.

ISO 24759:2017 - Test Requirements for Cryptographic Modules

ISO 24759:2017 will become the derived testing requirement for all testing labs, The methods outlined in this document specifies objective test requirements to enforce a unified testing process across all testing laboratories.

The requirements of both ISO/IEC 19790:2012 and ISO 24759:2017 are harmonized so that conformance to the testing standards specified in ISO 24759:2017 demonstrates compliance with ISO/IEC 19790:2012.

The International FIPS 140-3 standard is now more closely aligned with international ISO/IEC standards, so vendors and organizations will find it easier to upgrade to the new standards.

FIPS 140-2 only addressed security requirements after completion, but FIPS 140-3 now evaluates security requirements at all stages of cryptographic module creation - design, implementation, and final operational deployment.

Some other general differences between the two standards are outlined below:

• Many of the "lessons learned" points from FIPS 140-2 have been addressed in FIPS 104-3
• References to Evaluation Assurance Levels (EALs) and Common Criteria terms have been removed in FIPS 104-3
• SP 800-140E introduces strong authentication requirements at security levels 2 and above.
• FIPS 104-3 will focus on hybrid models and entropy.
• There are physical security changes at security levels 3 and 4.
• 104-3 introduces mobile development and life cycle requirements.
• 104-3 addresses cryptography module delivery and "First Use" requirements.
• FIPS 104-3 introduces mitigation testing using test metrics as defined by SP 800-140F.
• There are more prescriptive security policy requirements in FIPS 104-3.

The self-test differences between 140-2 and 140-3 are outlined below:

• Updated pre-operational self-tests - integrity tests, bypass tests, and critical functions tests.
• FIPS 140-3 includes error Detection Code integrity tests for hardware modules at security level 1.
• FIPS 104-3 introduces the new Conditional Cryptographic Algorithm self-tests - must be performed prior to initial use.
• Conditional bypass testing now requires an approved integrity technique - checks must be initiated by the module immediately before and after changes
• Pairwise Consistency Tests (PCT) are required for digital signature generation and verification, SSP agreements, and key transport.

The differences between services, authentication and roles are outlined below:

• With FIPS 140-3 the "user" role is now optional. Only the "Crypto-Officer" role is required.
• "Show version" service is now mandatory.
• Authentication protocols must be enforced by the module at security level 2, as opposed to the procedural mechanisms in FIPS 140-2.
• Password designs must comply with SP 800-140E
• Security level 4 now requires multi-factor authentication.
• Authentication data now must be modified at first use.

The physical security differences between FIPS 140-2 and FIPS 140-3 are outlined below. These changes primarily occur at security levels 3 and 4.

• There are now temperature constraints to the application of epoxy resins.
• Tampering level seals at security level 3 now require numbering or unique identifiers.
• Security level 3 now requires Environemtnral Failure Testing (EFT), or Environmental Failure Protection (EFP).
• Security level 4 now requires Environmental Failure Protection (EFP) for voltage and temperature.
• Security level 4 now requires protection from fault induction.

The software and OS security differences between FIPS 140-2 and FIPS 140-3 are as follows:

• Security level 2 can now be attained by software modules without common criteria dependency.
• Security level 2 OS requirements for FIPS 140-3 are now similar to Common Criteria OSPP.
• Only code in executable form can be included in Security Level 2 - no source code or scripts are permitted.
• FIPS 104-3 will not require security level 3 software model valuations.
• Error Detection Codes (EDC) are no longer acceptable for firmware

Where Can I Find More Information About FIPS 140-3 and How To Comply With its Requirements?

Refer to the following list for updated information about FIPS 140-3 compliance and the specific revisions to legacy 140-2 standards.

SP 800-140 A-F replaces current FIPS 140-2 Annexes A-D with the addition of new CMVP requirements.

• NIST SP 800-140: FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759.
• NIST SP 800-140 Annex A: CMVP Validation Authority Updates to ISO/IEC 24759.
• NIST SP 800-140 Annex B: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B.
• NIST SP 800-140 Annex C: CMVP Validation Authority Updates to ISO/IEC 24759.
• NIST SP 800-140 Annex D: CMVP Validation Authority Updates to ISO/IEC 24759.
• NIST SP 800-140 Annex E: CMVP Validation Authority Requirements for ISO/IEC 19790 Annex E and ISO/IEC 24579 Section 6.17.
• NIST SP 800-140 Annex F: CMVP Validation Authority Updates to ISO/IEC 24759.

What are the Consequences of Noncompliance with FIPS 140-3?

If you don't comply with FIPS 140-3, you're at risk of hefty fines imposed by NIST.

An undervalued benefit of compliance is the confirmation that all processes are operating as expected. By not pursuing FIPS 140-3 validation, this verification from an independent body is not received, which could lead to reduced interoperability and poor IT system integrations.

Who Needs to Comply with FIPS 104-3?

FIPS 140-3 validation is mandatory for all entities that process Sensitive But Unclassified (SBU) information relating to federal government departments. This includes third-party vendors, contractors, cloud technology providers, and any organization deploying solutions into a U.S federal agency SBU ecosystem.

For more details on the FIPS 104-3 validation process, refer to the FIPS 104-3 implementation guide by the National Institute of Standards and Technology Canadian Centre for Cyber Security