With this mini-update from the Cryptographic Technology Group (the responsible organization for developing the FIPS 140-3 publication), I am still comfortable with my guesses at the schedule I made in September 2012:
- 1Q of 2014 (January/February/March) - FIPS 140-3 becomes effective. The Derived Test Requirements have already been published by now. Modules may be validated by Labs for FIPS 140-3 requirements.
- 3Q of 2014 (July/August/September) - the transition period for completing FIPS 140-2 reports ends. All new validation reports submitted must be validated to FIPS 140-3 requirements.
- 2015 - Any products in the planning cycle that are to be released in 2015 must be designed to meet FIPS 140-3 requirements.
It looks like the official schedule has since been updated and the 140-3 timeline seems very uncertain. Do you have any additional information on this?
ReplyDeleteYou are correct. The FIPS 140-3 timeline has been updated to show all future status events as TBD. This is an indicator that FIPS 140-3 development will not hit any of the date ranges that I guesstimated in this post.
DeleteNo further updates have been shared with the FIPS Laboratories. The CMVP meets with all of the Laboratories in late September during the annual CMVP/Labs meeting. FIPS 140-3 will likely be a very short topic covered as the CMVP's involvement in the FIPS 140-3 process is strangely very limited. I do not expect any meaningful updates to come from the meeting.
Mark, At this point, would you guess that 140-3 is DOA?
ReplyDeleteThose interested can Google "FIPS 140 Quo Vadis" to see the current NIST thinking on FIPS 140 updates. Alignment with ISO/IEC 19790 is the proposed plan. Maybe someday FIPS 140-3 will actually happen!
ReplyDelete