April 23, 2014

FIPS 140-3 is Dead

Let's all agree to stop referring to "FIPS 140-3" as the next revision of FIPS 140-2.

Instead, let's use "FIPS 140-4" to identify the follow-on standard that the United States Department of Commerce will eventually approve.

Here are the latest developments and my projections for FIPS 140-4:
  • The Division Chief of NIST's Computer Security Division has moved into a new role. Matthew Scholl is now the Acting Division Chief.
  • Since Matt Scholl is serving in an "Acting" role, expect no progress on FIPS 140-4 until the Division Chief role is officially filled. (NOTE: This is absolutely no dig on Matt -- he understands the FIPS 140 revision history very well and I imagine he is being asked to focus on other matters as Acting Division Chief)
  • I suspect the new Division Chief will have someone in NIST put a bow on ISO/IEC 19790:2012 and present it as FIPS 140-4 to the Secretary of Commerce for signature.
With these developments and projections in mind, here is my guess at a FIPS 140-4 schedule:

Activity Estimated
Completion Date
3-6 months Division Chief role filled at NIST; FIPS 140-4 presented to
the Secretary of Commerce
Aug-Oct 2014
Up to 6 months Secretary of Commerce signs FIPS 140-4 Feb-Apr 2015
6 months FIPS 140-4 effective; FIPS 140-2 transition period begins Aug-Oct 2015
6 months FIPS 140-2 transition period ends Feb-Apr 2016

The FIPS 140-2 transition period is expected to be a 6 month period where cryptographic modules may be tested to FIPS 140-2 requirements or FIPS 140-4 requirements.

Mark Minnoch is an Account Manager at InfoGard Laboratories.  His guesses at a FIPS 140-4 schedule and next year's Superbowl champ are always free.


  1. Hi, Marc.

    So what is the lesson from the removal of the 140-4 draft from the CMVP web site:

    Paul Suhler
    Now with HGST

  2. Hi Paul!

    It's hard to say. But, we have been told directly to advise vendors that they should NOT be starting to develop with the 140-4 requirements in mind. So, the new standard is still a ways off. NIST is still actively trying to fill the Division Chief position at this point.

  3. Thanks for this very useful info you have provided us. I will bookmark this for future reference and refer it to my friends. More power to your blog.
    emi testing lab

  4. At the NIST cyber security conference in September, Apostol Vassilev will give a talk in the research track on FIPS 140, Quo Vadis? Maybe we should start planning for FIPS 140-5?

    Apostol Vassilev, NIST