This page is currently queued for revision.
NIST FIPS 140-3*
Acronyms, Abbreviations, and Initialisms
|Short Form||Full Form|
|CST||Cryptographic and Security Testing|
|CMVP||Cryptographic Module Validation Program|
|FIPS||Federal Information Processing Standard|
|NIST||National Institute of Standards and Technology|
|NVLAP||National Voluntary Laboratory Accreditation Program|
|SBU||Sensitive But Unclassified|
A federal standard for accrediting and distinguishing secure and well-architected cryptographic modules produced by private sector vendors who seek to or are in the process of having their solutions and services certified for use in U.S. government departments and regulated industries (this includes financial services and healthcare) that collect, store, transfer, or share data that is deemed to be "sensitive" but not classified (i.e., Secret/Top Secret).
FIPS 140 Publication Series was issued by NIST to coordinate the requirements and standards for cryptography modules covering both hardware and software components for cloud and traditional computing environments.
The primary goal for the FIPS 140-3 standard is to accredit and distinguish secure and well-architected cryptographic modules produced by private sector vendors who seek to or are in the process of having their solutions and services certified for us in U.S. government departments and regulated industries that collect, store, transfer, or share data that is deemed to be sensitive but not classified.
FIPS 140-3 is only for sensitive but unclassified (SBU) data.
FIPS 140-3 is essentially just a list of approved cryptosystems.
The FIPS 140-3 standard provides four distinct levels of qualitative security intended to cover a range of potential applications and environments with emphasis on secure design and implementation of a cryptographic module.
Includes 11 sections:
- Cryptographic module specification
- Cryptographic module interfaces
- Roles, services, and authentication
- Software/firmware security
- Operating environment
- Physical security
- Non-invasive security
- Sensitive security parameter management
- Life-cycle assurance
- Mitigation of other attacks
The CMVP validates cryptographic modules to FIPS 140-3 and other cryptography-based standards. The goal of the CMVP is to promote the use of validated cryptographic modules and provide federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. In the CMVP, vendors of cryptographic modules use independent, accredited CST laboratories to have their modules tested. NVLAP accredited laboratories perform cryptographic module compliance/conformance testing.
Some important sections that were included in FIPS 140-2 but are no longer explicitly referenced in FIPS 140-3 include:
- Finite state model
- Cryptographic key management
- Electromagnetic interference/electromagnetic compatibility (EMI/EMC)
Security Level 1
Requires production-grade equipment and externally tested algorithms.
This is the lowest level of security.
Security Level 2
Adds requirements for physical tamper-evidence and role-based authentication. Software implementations must run on an Operating System approved to Common Criteria at EAL2.
- Detection and tampering.
Security Level 3
Adds requirements for physical tamper-resistance and identity-based authentication. There must also be physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module. Private keys can only enter or leave in encrypted form.
- Prevention and Detection
Security Level 4
This level makes the physical security requirements more stringent, requiring the ability to be tamper-active, erasing the contents of the device if it detects various forms of environmental attack.
This is the highest level of security.