FIPS 140-3 is here.
On Sunday, September 22, Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules went into effect. FIPS 140-3 is the replacement for 140-2, which had been the gold standard for unclassified but sensitive data hardware security since 2001.
While it’s good to see updates on a technical and cryptographic baseline that has not seen revisions since 2002, FIPS has been widely adopted outside the governmental agencies for which it was developed. If your organization has been tied to FIPS, you might have questions.
What is FIPS 140-3 and how does it differ from FIPS 140-2?
The Federal Information Processing Standard is a U.S and Canadian standard for validating the security of cryptographic hardware. Up until now, if a product was FIPS 140-2 certified you knew it was tested and validated by the U.S. and Canadian governments. Although it is a governmental standard, FIPS 140-2 has been adopted in the private sector as best practice.
FIPS 140-3 is the newest version, although technically it represents the U.S.’s decision to adopt a previously-existing international standard: ISO/IEC 19790, with some modifications to its annexes. Because FIPS 140-3 is more closely aligned with international ISO/IEC standards than its predecessor, some organizations may worry about how the changes will impact them.
There shouldn’t be any need for concern: as FIPS 140-2 did before it, FIPS 140-3 provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. This iteration of FIPS has necessary changes related to the design, implementation, and operation of a cryptographic module.
The fact that the U.S. is adopting an international standard (that’s also been widely adopted by sectors like finance and healthcare) is encouraging.
The security community has a saying: don’t “roll your own encryption algorithm or protocol.” One small mistake can undermine the entirety of the cryptographic process. Cryptographic components are one of the hardest implementations both in software and hardware to get perfectly right.
This is an area where agreed-upon standards set forth by NIST are necessary for government procurement and the protection of sensitive information.
What does FIPS 140-3 mean for the federal government and its vendors?
FIPS 140-3 will exist alongside FIPS 140-2 for some time; FIPS 140-2 validation will continue for a year after FIPS 140-3 validation goes into effect. There’s also a 5-year sunset period on FIPS 140-2 certificates. So although testing for FIPS 140-3 can start immediately, agencies don’t need to jump into FIPS 140-3 with both feet immediately.
That said, this update is long overdue, considering the rate at which technology evolves. Government agencies and their contractors are in particular need of updated standards; vendors to the U.S. government retain a wealth of unclassified but sensitive information. Therefore, they’re a prime target for intelligence-gathering efforts by foreign nations. In my 10 years of intelligence contracting experience, I have always considered government vendors and contractors as the weakest link of security and information leaks.
Government on-site premise security has always been top-notch — especially post-Snowden — but that security doesn’t always extend to the contractors’ premises. Even when there were strong supply chain and third-party risk professionals working for the agency, there still seemed to exist a ripe opportunity for sophisticated actors to get a foothold in the nation's most secure networks.
Thinking beyond FIPS 140-03
Compliance with FIPS 140-3 is important, but remember; it is just a standard.
While baselines and standards serve as a good starting point for both manufacturers and buyers of hardware, they need to be viewed as just that: a good starting point, but not the end-all, be-all to the security of that product.
You can still have unsecured hardware that is FIPS-certified; FIPS 140-2 only applies to the cryptographic modules of a device and not the entirety of the device, so buyers who see a FIPS 140-2-certified piece of hardware may perceive the entire product as secure where the standard only applies to a specific sub-component. (It doesn’t help that some vendors are interested in FIPS validation for marketing reasons as opposed to a complete commitment to security.)
Your commitment to security needs to go beyond FIPS certification, but this newly updated standard is an excellent place to start.