FIPS 140-4 Draft Available

The CMVP posted a proposed draft of FIPS 140-4 today. This draft includes a warning statement that vendors are strongly advised not to design to requirements of draft FIPS 140-4 if they conflict with the requirements of FIPS 140-2.

(sigh)

Let's recap where we stand with FIPS 140-4:

1. No schedule. The Division Chief position at NIST has still not been "officially" filled. Expect no progress or schedule before the new Division Chief is announced.
2. No surprise. The FIPS 140-4 draft is an 11 page document that points to ISO/IEC 19790:2012. 
3. No overlap. If you are the proactive type, do not jump to the draft standard too early. Meeting a FIPS 140-4 requirement will not allow you a free pass on an annoying FIPS 140-2 requirement if they conflict.   

The Vendor and Lab communities need to become more active in driving FIPS 140-4. 

QUESTION: "How can I positively influence the adoption of FIPS 140-4?" 

ANSWER: Contact Charles Romine, the Director of the Information Technology Laboratory at NIST. In the FOREWORD section of the FIPS 140-4 draft, the Director welcomes all comments. (A physical address is provided in the draft but a quick search on nist.gov shows the following e-mail for Dr. Romine: charles.romine@nist.gov)

Make "FIPS 140-4 Feedback" the subject of your e-mail.

Here are some things to think about when crafting your feedback to the Director:

1. With the current 13 year-old FIPS 140-2 standard, will you be satisfied testing your future products to those aging requirements?
2. Can you make the world a better place for government agencies by designing your products to more relevant requirements?
3. Share your development lead times with the Director. Express how important it is for you to understand (and plan for) requirement changes.

My feedback e-mail has already been sent.

Mark Minnoch is an Account Manager at InfoGard Laboratories.  He covers FIPS 140-4 updates like TMZ covers a paparazzi-dodging star.