Here are the latest dates from NIST's FIPS 140-3 Pub Development page:
- On October 1, 2012, the additional public comments period closes for specific sections of the second draft of FIPS 140-3 (comments on sections not specifically listed will not be considered).
- During 2Q of 2013 (April/May/June), all public comments will be addressed by NIST.
- The remaining schedule milestones do not have target dates so this is where I begin my guessing...
Here are my thoughts on the remainder of FIPS 140-3 schedule:
- The scope of the current public comment period is focused. My approach is to pick more aggressive dates than I have in the past as I do not anticipate any significant changes to the working draft.
- 3Q of 2013 (July/August/September) - FIPS 140-3 presented to the Commerce Department for signature.
- 1Q of 2014 (January/February/March) - FIPS 140-3 becomes effective. The Derived Test Requirements have already been published by now. Modules may be validated by Labs for FIPS 140-3 requirements.
- 3Q of 2014 (July/August/September) - the transition period for completing FIPS 140-2 reports ends. All new validation reports submitted must be validated to FIPS 140-3 requirements.
- 2015 - Any products in the planning cycle that are to be released in 2015 must be designed to meet FIPS 140-3 requirements.
In other news, ISO/IEC 19790:2012 was published in August 2012. This is an international standard that evolved from the original FIPS 140-3 draft. The Derived Test Requirements for 19790, ISO/IEC 24759, may be published in 4Q 2013 (October/November/December). If the FIPS 140-3 publication followed an alternate path to adopt 19790 (with allowances for US and Canadian specific security functions and other requirements), then the overall schedule may be a Quarter sooner than my estimated schedule above. There are no official plans for FIPS 140-3 to adopt 19790.
Official FIPS 140-3 Pub Development
ISO / IEC 19790:2012