<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title> &#187; Regulatory Issues</title>
	<atom:link href="http://www.embeddedmarketintelligence.com/category/regulatory-issues/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.embeddedmarketintelligence.com</link>
	<description>Embedded Topics and Best Practices</description>
	<lastBuildDate>Wed, 07 Sep 2011 21:50:17 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>FIPS 140-3: What Embedded Vendors Need to Know About the New NSA and NIST Mandated Communication Security Standard</title>
		<link>http://www.embeddedmarketintelligence.com/2010/02/28/fips-140-3-what-embedded-vendors-need-to-know-about-the-new-nsa-and-nist-mandated-communication-security-standard/</link>
		<comments>http://www.embeddedmarketintelligence.com/2010/02/28/fips-140-3-what-embedded-vendors-need-to-know-about-the-new-nsa-and-nist-mandated-communication-security-standard/#comments</comments>
		<pubDate>Sun, 28 Feb 2010 22:24:04 +0000</pubDate>
		<dc:creator>Jerry Krasner</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Development Tools]]></category>
		<category><![CDATA[Market Intelligence]]></category>
		<category><![CDATA[Regulatory Issues]]></category>

		<guid isPermaLink="false">http://www.embeddedmarketintelligence.com/?p=435</guid>
		<description><![CDATA[     FIPS 140 (acronym for “Federal Information Processing Standard number 140”) is a US government standard, established by the National Institute of Standards and Technology (NIST), which specifies a series of requirements that must be met by an encryption module before it can be used in a Federal government system.  These requirements cover a [...]]]></description>
			<content:encoded><![CDATA[
<p> </p>
<p> FIPS 140 (acronym for “Federal Information Processing Standard number 140”) is a US government standard, established by the National Institute of Standards and Technology (NIST), which specifies a series of requirements that must be met by an encryption module before it can be used in a Federal government system.  These requirements cover a range of subjects, from proper key management, to secure generation of random numbers, and from which encryption algorithms may be used, to module self-tests and error detection.</p>
<p> </p>
<p>Put more simply, if a product performs encryption, the portion of that product which actually implements the encryption is the focus of FIPS 140. FIPS 140 is of interest to the embedded systems industry for several reasons:</p>
<p> </p>
<p>First, under Section 5-131 of the Information Technology Reform Act of 1996 (Public Law 104-106), and the Computer Security Act of 1987 (Public Law 100-235), FIPS from NIST may be approved by the Secretary of Commerce and made binding on all Federal agencies.  FIPS 140 has been granted such approval, and therefore all Federal agencies are required to use FIPS 140-certified encryption to protect all sensitive information processed by all data processing systems, from embedded systems to mainframes.</p>
<p> </p>
<p>This means that vendors cannot sell systems which use encryption to any Federal agency unless that system incorporates FIPS 140-certified encryption.</p>
<p> <span id="more-435"></span></p>
<p>Why is there now a FIPS 140-3?</p>
<p> </p>
<p>By mandate, NIST must review all Federal Information Processing Standards Publications every five years. Reviews determine if the standards should be modified, kept as-is, or deprecated as technology and government needs change. FIPS 140-2 was released in 2001 and came due for review in 2006. However, the CMVP had already begun planning for an update for FIPS 140-2 to reflect the ever-changing security technology industry. Although the existing FIPS 140-2 standard does a good job of addressing many validation needs, FIPS 140-3 will be designed to strengthen requirements, and update requirements in the face of new technologies, attacks, and techniques.</p>
<p> </p>
<p>What will happen to FIPS 140-2?</p>
<p> </p>
<p>Once FIPS 140-3 has been released, we expect to see much the same transition rules as we saw from FIPS 140-1 to FIPS 140-2. The new FIPS 140-3 will eventually completely replace FIPS 140-2. As with the prior transition, we can expect to see a one-year rollover, and previous FIPS 140-2 validations most likely will not expire.</p>
<p>Due to the more stringent, revised requirements of the new release, <em>it will likely be much harder to obtain FIPS 140-3 validation</em>. For this reason, consulting companies expect to see a rush of vendors trying to achieve FIPS 140-2 certification before the end of the 1 year rollover period.</p>
<p> </p>
<p>Revalidation will still be possible under FIPS 140-2, but in practice new versions will have to undergo a FIPS 140-3 validation after some time. Technically, a FIPS 140-3 revalidation might be called a new validation. However, FIPS 140-3 is just an evolution of FIPS 140-2, meaning that most of the technical points and work done for the prior validation can be reused. This will expedite certification under FIPS 140-3, and EMF believes this to be a good and timely investment.</p>
<p> </p>
<p>Due to past experiences with the transition from FIPS 140-1 to FIPS 140-2, vendors looking to pursue a certification should consult with companies that assist in the certification process as early as possible in order to avoid common obstacles.</p>
<p> </p>
<p>FIPS 140-2, like all Federal Information Processing Standards, is periodically reviewed, and changes and revisions are expected to be published in the form of the new FIPS 140-3. However, the draft FIPS 140-3 has not yet been finalized, let alone signed into law. Although NIST is moving quickly towards this, it still takes significant time to publish and sign a FIPS into law. In addition, we expect NIST to provide transition time between the two standards, including roughly a one-year rollover. FIPS 140-2 was signed into law in March 2001, but FIPS 140-1 validations could still be issued until March 2002. Thus, although plans for FIPS 140-3 are under way, vendors may still comfortably pursue FIPS 140-2 for some time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.embeddedmarketintelligence.com/2010/02/28/fips-140-3-what-embedded-vendors-need-to-know-about-the-new-nsa-and-nist-mandated-communication-security-standard/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

