{"id":1294,"date":"2012-12-10T18:47:38","date_gmt":"2012-12-10T18:47:38","guid":{"rendered":"http:\/\/www.corsec.com\/?p=1108"},"modified":"2021-07-27T15:10:05","modified_gmt":"2021-07-27T19:10:05","slug":"fips-validation","status":"publish","type":"post","link":"https:\/\/www.corsec.com\/fips-validation\/","title":{"rendered":"Which FIPS Validation Is Right? 140-2 or 140-3?"},"content":{"rendered":"

This is a very frequently asked question, and we have been fielding questions from clients on how to deal with FIPS 140-3 for years now. But for years the advice has uniformly been: “Don’t worry about FIPS 140-3; you only need to deal with FIPS 140-2 right now.” That’s a very unsatisfying answer, especially when there have been folks actively proclaiming “Woe betide ye, for FIPS 140-3 is nigh upon you… Panic now, and start validating!” So let’s delve a little more deeply and examine which FIPS validation is right for you.

What is a FIPS Validation?

First off, let’s be clear on what we are talking about: Federal Information Processing Standards Publication 140-3 (FIPS 140-3) would be a new standard that would replace FIPS 140-2 in the same way that FIPS 140-2 replaced FIPS 140-1. The government began drafting FIPS 140-3 in 2005, and various versions of the new draft FIPS validation standard have been released for public comment over the last seven years, most recently in August 2012. If (or when) FIPS 140-3 is signed, there would be a one-year rollover period. Until that one-year rollover is finished, vendors will be able to start FIPS validation efforts against FIPS 140-2 or FIPS 140-3. Once the rollover period ends, new FIPS validation efforts will only be able to begin against FIPS 140-3. This is the same process that happened when FIPS 140-2 was signed.

However, older FIPS validation efforts under 140-2 will remain active until their sunset date. If a product was validated against FIPS 140-2, it can still be sold even when only FIPS 140-3 validations can be started. In fact, vendors will likely be able to update any FIPS validation for products long after FIPS 140-3 is published. Any government requirement for FIPS 140-3 will also be satisfied by FIPS 140-2. For this reason, any FIPS validation (whether it be for FIPS 140-2 or FIPS 140-3) will remain valuable for customers selling to the federal government.

So if both versions of the standard were in effect, which one would a vendor want to pursue? Since every draft of FIPS 140-3 has increased the security requirements, documentation requirements, and validation complexity, it is a sure bet that the newer FIPS validation will cost more effort for a vendor. Furthermore, since FIPS 140-3 will be a new standard with entirely new Derived Test Requirements (especially for the proposed non-invasive physical security testing portions), there will be extra time spent arguing with laboratories and the CMVP on exactly how those are applied. Thus, FIPS 140-3 validation will initially be a bit of a bleeding-edge experience, and FIPS 140-2 will be a known quantity, but both will satisfy the same government requirement.

About the only solid argument I’ve heard for choosing to pursue FIPS 140-3 over FIPS 140-2 is that there may be a marketing advantage for having the newer, shinier FIPS validation standard met. However, my experience was that when FIPS 140-2 came out, many vendors kept dusting off their FIPS 140-1 validations (and even updating them) for three to five years before they saw the necessity to replace them with FIPS 140-2. There seemed to be marginal value to bragging on having met FIPS 140-2 first. But that’s no reason not to prepare for FIPS 140-3 where one can do so economically. So we have been advising our customers for years to implement requirements that have been included in most FIPS 140-3 drafts rather than the more lax ones in FIPS 140-2 – especially where those requirements do not cause significant product delay or development costs.

So when exactly will FIPS 140-2 actually be gone? Pay no attention to the folks saying “The end is nigh.” The development efforts on FIPS 140-3 were transferred a little over a year ago from the CMVP folks who work actively on FIPS 140-2 testing to another group within NIST. After that transition, the new FIPS 140-3 draft development faced some complications, not the least of which is that work did not stop on ISO 19790. ISO 19790 was at first an internationalized version of FIPS 140-2 that matched FIPS 140-2 requirements exactly, but the latest version diverged from the FIPS 140-3 drafts and was more in line with what the CMVP would like to see in a new FIPS validation standard. This may have caused additional delays to better harmonize FIPS 140-3 with ISO 19790, which is happening now.

So again, when exactly will FIPS 140-2 be dead and done!? Well, if they were to agree on a draft of FIPS 140-3, then it must be published in the federal register, may require a public comment cycle (let’s say there’s only one cycle and that takes six months for the sake of argument), and be put on the Secretary of the Department of Commerce’s desk for signature. Let’s assume that the Secretary (a political appointee) has actually been appointed (an acting Secretary would not normally sign a FIPS validation), and signs the law within six months (which is a reasonable pace for FIPS validation progress). Let’s further assume that the overworked folks at the CMVP also write and publish Derived Test Requirements for FIPS 140-3 in less than six months after the standard is published (not a safe assumption, but it’s possible). Okay, given all of these assumptions… add in the leap year… carry the one… Hmm… Maybe you should start your validation effort against FIPS 140-2, finish that validation, sell lots of products on new federal deals, and we’ll still have time to help you revalidate against FIPS 140-3 as soon as it’s published.
","protected":false},"excerpt":{"rendered":"

This is a very frequently asked question, and we have been fielding questions from clients on how to deal with FIPS 140-3 for years now. But, for years the advice has uniformly been: \u201cDon\u2019t worry about FIPS 140-3; you only need to deal with FIPS 140-2 right now.\u201d But that\u2019s a very unsatisfying answer, especially when there have been folks actively proclaiming \u201cWoe betide ye<\/p>\n","protected":false},"author":2,"featured_media":6403,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,5],"tags":[82,4],"class_list":["post-1294","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-fips-140-2","tag-certification-process","tag-fips-140-2","infinite-scroll-item","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","no-featured-image-padding"],"yoast_head":"\nWhich FIPS Validation Is Right? 140-2 or 140-3?<\/title>\n<meta name=\"description\" content=\"Which FIPS Validation Is Right For You? Corsec helps explain why FIPS is important and the differences between FIPS 140-2 and FIPS 140-3.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corsec.com\/fips-validation\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Which FIPS Validation Is Right? 140-2 or 140-3?\" \/>\n<meta property=\"og:description\" content=\"Which FIPS Validation Is Right For You? 
Corsec helps explain why FIPS is important and the differences between FIPS 140-2 and FIPS 140-3.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corsec.com\/fips-validation\/\" \/>\n<meta property=\"og:site_name\" content=\"Corsec Security, Inc.\u00ae\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/CorsecInc\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/sitdev.facebook.com\/pages\/Corsec\/158518584300710\" \/>\n<meta property=\"article:published_time\" content=\"2012-12-10T18:47:38+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-27T19:10:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.corsec.com\/wp-content\/uploads\/Corsec-FIPS-140-2-Brand_03.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"792\" \/>\n\t<meta property=\"og:image:height\" content=\"612\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jake Nelson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/corsecsecurity\" \/>\n<meta name=\"twitter:site\" content=\"@CorsecSecurity\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jake Nelson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.corsec.com\/fips-validation\/\",\"url\":\"https:\/\/www.corsec.com\/fips-validation\/\",\"name\":\"Which FIPS Validation Is Right? 
140-2 or 140-3?\",\"isPartOf\":{\"@id\":\"https:\/\/www.corsec.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.corsec.com\/fips-validation\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.corsec.com\/fips-validation\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.corsec.com\/wp-content\/uploads\/Corsec-FIPS-140-2-Brand_03.jpg\",\"datePublished\":\"2012-12-10T18:47:38+00:00\",\"dateModified\":\"2021-07-27T19:10:05+00:00\",\"author\":{\"@id\":\"https:\/\/www.corsec.com\/#\/schema\/person\/2249eea128c62c76370cf0ea198ef599\"},\"description\":\"Which FIPS Validation Is Right For You? Corsec helps explain why FIPS is important and the differences between FIPS 140-2 and FIPS 140-3.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.corsec.com\/fips-validation\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.corsec.com\/fips-validation\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.corsec.com\/fips-validation\/#primaryimage\",\"url\":\"https:\/\/www.corsec.com\/wp-content\/uploads\/Corsec-FIPS-140-2-Brand_03.jpg\",\"contentUrl\":\"https:\/\/www.corsec.com\/wp-content\/uploads\/Corsec-FIPS-140-2-Brand_03.jpg\",\"width\":792,\"height\":612,\"caption\":\"FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.corsec.com\/fips-validation\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.corsec.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Which FIPS Validation Is Right? 
140-2 or 140-3?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.corsec.com\/#website\",\"url\":\"https:\/\/www.corsec.com\/\",\"name\":\"Corsec Security, Inc.\",\"description\":\"Corsec helps companies complete security certifications and validations like FIPS 140-2, Common Criteria, and listing on the DoDIN APL \/ UC APL.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.corsec.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.corsec.com\/#\/schema\/person\/2249eea128c62c76370cf0ea198ef599\",\"name\":\"Jake Nelson\",\"description\":\"Jake Nelson leads Corsec's strategic direction for marketing and communication. He has nearly a decade of experience in corporate branding, content marketing, social media, marketing strategy and federal sales. Prior to Corsec, Jake helped start a sales and marketing consulting firm in the Washington DC area. He has also held various positions as head of sales, including the Director of federal civilian sales for an IT government contractor. Jake received his bachelor of business administration with a focus in Business to Business Marketing from James Madison University.\",\"sameAs\":[\"http:\/\/www.corsec.com\",\"https:\/\/sitdev.facebook.com\/pages\/Corsec\/158518584300710\",\"https:\/\/sitdev.linkedin.com\/pub\/jake-nelson\/b\/1b\/636\",\"https:\/\/x.com\/https:\/\/twitter.com\/corsecsecurity\"],\"url\":\"https:\/\/www.corsec.com\/author\/marketing\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Which FIPS Validation Is Right? 140-2 or 140-3?","description":"Which FIPS Validation Is Right For You? 
Corsec helps explain why FIPS is important and the differences between FIPS 140-2 and FIPS 140-3.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corsec.com\/fips-validation\/","og_locale":"en_US","og_type":"article","og_title":"Which FIPS Validation Is Right? 140-2 or 140-3?","og_description":"Which FIPS Validation Is Right For You? Corsec helps explain why FIPS is important and the differences between FIPS 140-2 and FIPS 140-3.","og_url":"https:\/\/www.corsec.com\/fips-validation\/","og_site_name":"Corsec Security, Inc.\u00ae","article_publisher":"https:\/\/www.facebook.com\/CorsecInc\/","article_author":"https:\/\/sitdev.facebook.com\/pages\/Corsec\/158518584300710","article_published_time":"2012-12-10T18:47:38+00:00","article_modified_time":"2021-07-27T19:10:05+00:00","og_image":[{"width":792,"height":612,"url":"https:\/\/www.corsec.com\/wp-content\/uploads\/Corsec-FIPS-140-2-Brand_03.jpg","type":"image\/jpeg"}],"author":"Jake Nelson","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/corsecsecurity","twitter_site":"@CorsecSecurity","twitter_misc":{"Written by":"Jake Nelson","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.corsec.com\/fips-validation\/","url":"https:\/\/www.corsec.com\/fips-validation\/","name":"Which FIPS Validation Is Right? 
140-2 or 140-3?","isPartOf":{"@id":"https:\/\/www.corsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.corsec.com\/fips-validation\/#primaryimage"},"image":{"@id":"https:\/\/www.corsec.com\/fips-validation\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corsec.com\/wp-content\/uploads\/Corsec-FIPS-140-2-Brand_03.jpg","datePublished":"2012-12-10T18:47:38+00:00","dateModified":"2021-07-27T19:10:05+00:00","author":{"@id":"https:\/\/www.corsec.com\/#\/schema\/person\/2249eea128c62c76370cf0ea198ef599"},"description":"Which FIPS Validation Is Right For You? Corsec helps explain why FIPS is important and the differences between FIPS 140-2 and FIPS 140-3.","breadcrumb":{"@id":"https:\/\/www.corsec.com\/fips-validation\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corsec.com\/fips-validation\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corsec.com\/fips-validation\/#primaryimage","url":"https:\/\/www.corsec.com\/wp-content\/uploads\/Corsec-FIPS-140-2-Brand_03.jpg","contentUrl":"https:\/\/www.corsec.com\/wp-content\/uploads\/Corsec-FIPS-140-2-Brand_03.jpg","width":792,"height":612,"caption":"FIPS 140-2, FIPS 140-2 validation, FIPS Validation, FIPS 140-2 process, FIPS Inside, FIPS Compliant"},{"@type":"BreadcrumbList","@id":"https:\/\/www.corsec.com\/fips-validation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corsec.com\/"},{"@type":"ListItem","position":2,"name":"Which FIPS Validation Is Right? 
140-2 or 140-3?"}]},{"@type":"WebSite","@id":"https:\/\/www.corsec.com\/#website","url":"https:\/\/www.corsec.com\/","name":"Corsec Security, Inc.","description":"Corsec helps companies complete security certifications and validations like FIPS 140-2, Common Criteria, and listing on the DoDIN APL \/ UC APL.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.corsec.com\/#\/schema\/person\/2249eea128c62c76370cf0ea198ef599","name":"Jake Nelson","description":"Jake Nelson leads Corsec's strategic direction for marketing and communication. He has nearly a decade of experience in corporate branding, content marketing, social media, marketing strategy and federal sales. Prior to Corsec, Jake helped start a sales and marketing consulting firm in the Washington DC area. He has also held various positions as head of sales, including the Director of federal civilian sales for an IT government contractor. 
Jake received his bachelor of business administration with a focus in Business to Business Marketing from James Madison University.","sameAs":["http:\/\/www.corsec.com","https:\/\/sitdev.facebook.com\/pages\/Corsec\/158518584300710","https:\/\/sitdev.linkedin.com\/pub\/jake-nelson\/b\/1b\/636","https:\/\/x.com\/https:\/\/twitter.com\/corsecsecurity"],"url":"https:\/\/www.corsec.com\/author\/marketing\/"}]}},"_links":{"self":[{"href":"https:\/\/www.corsec.com\/wp-json\/wp\/v2\/posts\/1294","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corsec.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corsec.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corsec.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corsec.com\/wp-json\/wp\/v2\/comments?post=1294"}],"version-history":[{"count":1,"href":"https:\/\/www.corsec.com\/wp-json\/wp\/v2\/posts\/1294\/revisions"}],"predecessor-version":[{"id":18950,"href":"https:\/\/www.corsec.com\/wp-json\/wp\/v2\/posts\/1294\/revisions\/18950"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.corsec.com\/wp-json\/wp\/v2\/media\/6403"}],"wp:attachment":[{"href":"https:\/\/www.corsec.com\/wp-json\/wp\/v2\/media?parent=1294"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corsec.com\/wp-json\/wp\/v2\/categories?post=1294"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corsec.com\/wp-json\/wp\/v2\/tags?post=1294"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}