NIST invites comments on latest version of FIPS 140 standard for cryptographic modules
Eleven years after the most recent version of FIPS 140 was issued, and seven years after it announced its intention to issue a third version, the National Institute of Standards and Technology (NIST) is still wrestling with a handful of “gaps and inconsistencies” among the various comments to that third version that have been submitted by members of the public.
To try to sort out those inconsistencies, NIST has invited the public to submit further comments by October 1, 2012 on a range of issues related to security requirements for cryptographic modules. Those issues include “trusted channels,” “trusted roles,” physical security, sensitive security parameters and operator authentication mechanisms, according to a Federal Register notice published by NIST on August 30.
The draft standard, known as Federal Information Processing Standard (FIPS) 140-3, is intended to replace FIPS 140-2, which was put in place in 2001 as a substitute for FIPS 140-1, which was originally issued in 1994.
“FIPS 140-2 identifies requirements for four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g., low value administrative data, million dollar funds transfers, and life protecting data), and a diversity of application environments,” explains the notice.
The current FIPS 140-2 standard and the proposed draft can be seen by clicking here.
Comments about the draft FIPS 140-3 standard can be made by sending an email to FIPS140email@example.com
Further information is available from Dr. Michaela Iorga, of NIST’s computer division, at 301-975-8431.