FIPS 140

From MgmtWiki
Jump to: navigation, search

Full Title

Federal Information Processing Standard 140 Security Requirements for Cryptographic Modules.

Context

Latest version as of 2019-05-22 is FIPS 140-3, version 3.


Comparisons

In 2001, FIPS 140-2 superseded FIPS 140-1. FIPS 140-2 incorporated changes in applicable standards and technology since the development of FIPS 140-1 as well as changes that were based on comments received from the vendor, laboratory, and user communities. Though the standard was reviewed after 5 years, consensus to move forward was not achieved until publication of the 2012 revision of International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790

FIPS 140-3 supersedes FIPS140-2. FIPS 140-3 aligns with ISO/IEC 19790:2012(E) and includes modifications of the Annexes that are allowed to CMVP (as a validation authority). The testing for these requirements will be in accordance with ISO/IEC 24759:2017(E), with the modifications, additions or deletions of vendor evidence and testing allowed as a validation authority under paragraph 5.2. Major changes in FIPS 140-3 are limited to the introduction of non-invasive physical requirements.

ISO/IEC 19790:2012(E), Information technology — Security techniques — Security requirements for cryptographic modules, is an international standard based on updates of the earlier versions of FIPS 140, Security Requirements for Cryptographic Modules. ISO/IEC 24759:2017(E), Information technology — Security techniques — Test requirements for cryptographic modules is an international standard based on the Derived Test Requirements for FIPS 140-2, Security Requirements for Cryptographic Modules. It is currently in the best interest to use these standards, superseding those sections where national standards are permitted. Therefore, FIPS 140-3 is based on ISO/IEC 19790:2012/Cor.1:2015(E) and ISO/IEC 24759:2017(E). The following documents identify those elements that are superseded or modified.

The supported crypto suites are in the SP 800-140C doc.

The following search will show the versions of SP 800-140 that override the appendices in the ISO standard.

https://csrc.nist.gov/search?keywords=sp+800-140&ipp=25&sortBy=relevance&showOnly=publications%2Cprojects%2Cnews%2Cevents%2Cpresentations%2Cglossary%2Ctopics&topicsMatch=ANY&status=Final%2CDraft&series=FIPS%2CSP%2CNISTIR%2CITL+Bulletin%2CWhite+Paper%2CBuilding+Block%2CUse+Case%2CJournal+Article%2CConference+Paper%2CBook

References