July 18, 2011

FIPS 140-2 Implementation Guidance updated

The FIPS 140-2 Implementation Guidance was updated on July 15, 2011.  The NIST website shows the following changes:

New Implementation Guidance:
  • 11.1 Mitigation of Other Attacks
  • D.4 Requirements for Vendor Affirmation of NIST SP 800-56B
  • D.5 Requirements for Vendor Affirmation of NIST SP 800-108
  • D.6 Requirements for Vendor Affirmation of NIST SP 800-132
  • D.7 Requirements for Vendor Affirmation of NIST SP 800-135
Updated Implementation Guidance:
  • G.3 Partial Validations and Not Applicable Areas of FIPS 140-2
    • Modified in regard to new IG 11.1
  • G.6 Modules with both a FIPS mode and a non-FIPS mode
    • Clarification that all implemented algorithms shall be referenced on the validation certificate.
  • G.8 Revalidation Requirements
    • Added security policy requirements for revalidation Scenarios 1 and 4
  • G.13 Instructions for Validation Information Formatting
    • Added examples for CVL and KTS
  • 1.4 Binding of Cryptographic Algorithm Validation Certificates
    • Added examples of an operational environment change
  • D.1 CAVP Requirements for Vendor Affirmation of NIST SP 800-56A
    • Modified the testing for primitives
  • D.2 Acceptable Key Establishment Protocols
    • Modified the transition text and key agreement guidance