July 29, 2013

Mini-update on the FIPS 140-3 schedule

The official schedule shows that the FIPS 140-3 document is now ready for publication (July 2013) and it will be presented to the Commerce Department for signature by the Secretary of Commerce in August 2013.  

With this mini-update from the Cryptographic Technology Group (the responsible organization for developing the FIPS 140-3 publication), I am still comfortable with my guesses at the schedule I made in September 2012:

  • 1Q of 2014 (January/February/March) - FIPS 140-3 becomes effective.  The Derived Test Requirements have already been published by now.  Modules may be validated by Labs for FIPS 140-3 requirements.
  • 3Q of 2014 (July/August/September) - the transition period for completing FIPS 140-2 reports ends. All new validation reports submitted must be validated to FIPS 140-3 requirements.  
  • 2015 - Any products in the planning cycle that are to be released in 2015 must be designed to meet FIPS 140-3 requirements.

Please note that the updated FIPS 140-3 document has not been made publicly available yet.

July 25, 2013

FIPS 140-2 Implementation Guidance updated

The CMVP published an update to the FIPS 140-2 Implementation Guidance (IG) on July 25, 2013.

Note:  You must read 9.10 if you have a software-only module. 

New Implementation Guidance:
  • 3.5 Documentation Requirements for Cryptographic Module Services
  • 9.9 Pair-Wise Consistency Self-Test When Generating a Key Pair
  • 9.10 Power-Up Tests for Software Module Libraries
  • D.11 References to the Support of Industry Protocols
Updated Implementation Guidance:
  • D.8 Key Agreement Methods
    • Resolution section has been updated.
  • D.9 Key Transport Methods
    • Resolution section has been updated.

July 3, 2013

99 FIPS 140-2 certificates during first 6 months of 2013

The CMVP is maintaining their pace for issuing FIPS 140-2 certificates.  Ninety-nine (99) FIPS 140-2 certificates have been issued during the first 6 months of 2013 (for comparison, 200 certificates were issued in all of 2012).

Here is the breakdown of certificates by the FIPS Laboratories for the first half of 2013: