July 29, 2013

Mini-update on the FIPS 140-3 schedule

The official schedule shows that the FIPS 140-3 document is now ready for publication (July 2013) and it will be presented to the Commerce Department for signature by the Secretary of Commerce in August 2013.  

With this mini-update from the Cryptographic Technology Group (the responsible organization for developing the FIPS 140-3 publication), I am still comfortable with my guesses at the schedule I made in September 2012:

  • 1Q of 2014 (January/February/March) - FIPS 140-3 becomes effective.  The Derived Test Requirements have already been published by now.  Modules may be validated by Labs for FIPS 140-3 requirements.
  • 3Q of 2014 (July/August/September) - the transition period for completing FIPS 140-2 reports ends. All new validation reports submitted must be validated to FIPS 140-3 requirements.  
  • 2015 - Any products in the planning cycle that are to be released in 2015 must be designed to meet FIPS 140-3 requirements.

Please note that the updated FIPS 140-3 document has not been made publicly available yet.


  1. It looks like the official schedule has since been updated and the 140-3 timeline seems very uncertain. Do you have any additional information on this?

    1. You are correct. The FIPS 140-3 timeline has been updated to show all future status events as TBD. This is an indicator that FIPS 140-3 development will not hit any of the date ranges that I guesstimated in this post.

      No further updates have been shared with the FIPS Laboratories. The CMVP meets with all of the Laboratories in late September during the annual CMVP/Labs meeting. FIPS 140-3 will likely be a very short topic covered as the CMVP's involvement in the FIPS 140-3 process is strangely very limited. I do not expect any meaningful updates to come from the meeting.

  2. Mark, At this point, would you guess that 140-3 is DOA?

  3. Those interested can Google "FIPS 140 Quo Vadis" to see the current NIST thinking on FIPS 140 updates. Alignment with ISO/IEC 19790 is the proposed plan. Maybe someday FIPS 140-3 will actually happen!