
FIPS 140-3 PUB Development

Security Requirements for Cryptographic Modules

 

FIPS 140-3 Development Status
TBD: Validation under FIPS 140-2 ends.
TBD: FIPS 140-3 effective. Labs may begin accepting modules for validation under FIPS 140-3.
TBD: Derived Test Requirements are published.
TBD: FIPS 140-3 presented to the Commerce Department for signature by the Secretary of Commerce.
TBD: Document prepared for publication.
2Q 2013: Public comments addressed.
1 Oct 2012: Public comments period closes.
30 Aug 2012: Additional public comments requested on the FIPS 140-3 (Second Draft) – 30-day comment period.
1Q 2012: Public comments period for the changes made in the third draft of FIPS 140-3 standard.
4Q 2011: The Federal Register Notice announcing the changes made in the third draft of the FIPS 140-3 standard in response to the public comments received on the second draft is prepared and submitted for approval.
3Q 2011: Third draft of the standard is ready for management review.
2Q 2011: Internal comments period for the third draft ended and all received comments are addressed by the TWG.
Dec 2010: Third draft of the standard prepared for internal review.
Oct 2010: All public comments received for the revised (second) draft of FIPS 140-3 are processed and have been resolved.
11 Mar 2010: Public comment period for second draft of FIPS 140-3 closed. A complete set of all comments received in response to the July 2007 FIPS 140-3 draft and NIST's responses to these comments may be accessed here.
11 Dec 2009: The Revised Draft of FIPS 140-3 published for public comments. This draft addressed the comments received on the first public draft posted in July 2007 and from the FIPS 140-3 Software Security Workshop held by NIST on March 18, 2008.
18 Mar 2008: FIPS 140-3 Software Security Workshop
12 Oct 2007: The public comment period for the first draft of FIPS 140-3 has closed.
11 Oct 2007: Public comment period for first draft of FIPS 140-3 will end.
13 Jul 2007: Announcing Public Draft of Federal Information Processing Standard (FIPS) 140-3 [PDF Draft: 07-13-2007], a revision of FIPS 140-2, Security Requirements for Cryptographic Modules. [Docket No. 070321067–7068–01]
31 Mar 2007: First public draft of FIPS 140-3 has been completed. This draft is undergoing the standard NIST and DoC administrative review and release process. Once this process is complete, a Federal Register Notice will be published and the draft will be made available for public review and comment. This page will be updated once the date on which this process completes and the draft becomes available is known.
26 Sep 2005: Physical Security Testing Workshop held September 26-29, 2005.
28 Feb 2005: Comments on new and revised requirements for FIPS 140-3 ended.
12 Jan 2005: Announcing Development of Federal Information Processing Standard (FIPS) 140-3, a revision of FIPS 140-2, Security Requirements for Cryptographic Modules - [Docket No. 041217352-4352-01]

NOTE: Please continue to direct all your questions regarding the FIPS 140-2 standard and the cryptographic modules testing and validation to the CMVP; contacts are listed here.


 

Announcements

  • A Federal Register Notice [Docket No.: 070321067-2100-03] was published on 8.30.2012 announcing NIST’s request for additional comments on specific sections of Federal Information Processing Standard 140-3 (Second Draft), Security Requirements for Cryptographic Modules, to clarify and resolve inconsistencies in the public comments received in response to the Federal Register (74 FR 91333) notice of December 11, 2009. The Second Draft can be downloaded from http://csrc.nist.gov/news_events/index.html. The list of these specific sections can be found here. Comments on sections not specifically listed will not be considered.

    Please submit comments on these specific sections before October 1, 2012 using the template provided at http://csrc.nist.gov/publications/drafts/fips140-3/revised-fips140-3_comments-template.dot. Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Michaela Iorga, 100 Bureau Drive, Mail Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic comments may also be sent to: FIPS140-3@nist.gov, with a Subject: “Additional Comments - FIPS 140-3 (Second Draft)”.
  • Announcing FIPS 140-3 Revised DRAFT Security Requirements for Cryptographic Modules

    A Federal Register Notice [Docket No. 070321067-91333-02] was published regarding a public comment period on the Revised Draft of FIPS 140-3. The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of a firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing. All comments to the Revised Draft FIPS 140-3 must be received on or before March 11, 2010; please use the template provided. Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Michaela Iorga, 100 Bureau Drive, Mail Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic comments may also be sent to: FIPS140-3@nist.gov, with "Comments on the Revised Draft FIPS 140-3" in the subject line.

  • Announcing First Public Draft of Federal Information Processing Standard (FIPS) 140-3, a revision of FIPS 140-2, Security Requirements for Cryptographic Modules

    A Federal Register Notice [Docket No. 070321067–7068–01] was published regarding a public comment period on the first public draft of FIPS 140-3. The comment period ends on October 11, 2007. Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Allen Roginsky, 100 Bureau Drive—Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899–8930.

  • Presentations and papers presented at the Physical Security Testing Workshop presented by the CMVP and IPA/Instac

  • Announcing Development of Federal Information Processing Standard (FIPS) 140-3, a Revision of FIPS 140-2, Security Requirements for Cryptographic Modules

    A Federal Register Notice [Docket No. 041217352-4352-01] was published regarding a public comment period on FIPS PUB 140-2 to provide input on the development of FIPS 140-3. The comment period ended February 28, 2005. NIST and CSEC are currently developing a draft document which will be submitted for public comment later this year. A detailed development schedule will be available shortly. As part of the development activity, NIST may hold public workshops addressing various sections of the proposed standard or as a whole. These will be posted as details become available.
