Trenton Systems Blog

What is FIPS 140-3?

Written by Christopher Trick | Oct 12, 2022 7:12:44 PM

With advanced cyberattacks on the rise, technology that handles and encrypts critical data must be secure and reliable at all times, at all levels. 

In this blog, you'll learn more about FIPS 140-3, why it's important, and how it differs from FIPS 140-2 to enhance protection of data-at-rest, data-in-transit, and data-in-use.

What is FIPS 140-3?

Released in 2019, FIPS 140-3 (Federal Information Processing Standard 140-3) is the latest U.S. and Canadian co-sponsored security standard for hardware, firmware, and software solutions. 

This standard is a benchmark for validating the effectiveness, security, and dependability of cryptographic hardware. So a FIPS 140-3-certified product has been formally tested and validated by both the U.S. and Canadian governments. 

FIPS 140-3's predecessor, FIPS 140-2, has been adopted worldwide by government and non-government sectors as a standard cybersecurity best practice. 

When FIPS 140-3 was released, a sunset period was announced for all FIPS 140-2 certificates. As of April 2022, FIPS 140-3 supersedes FIPS 140-2. 

Who has to comply with FIPS 140-3?

Any entity that processes Sensitive But Unclassified (SBU) information relating to the federal government needs to comply with FIPS 140-3. 

This includes third-party vendors, contractors, cloud technology providers, and any organization that provides solutions to be integrated within the federal government's SBU ecosystem.

Organizations that do not comply with FIPS 140-3 are at risk of being fined by NIST (National Institute of Standards and Technology).

Compliance with FIPS 140-3 has the added benefit of verification from a third party that all processes are operating as expected, avoiding interoperability and integration issues. 

How is FIPS 140-3 different from FIPS 140-2?

The main difference between FIPS 140-2 and FIPS 140-3 is that FIPS 140-3 incorporates two existing standards with slight modifications. 

Let's take a look at each:

ISO/IEC 19790:2012 - Security Requirements for Cryptographic Modules

This standard specifies the requirements for selecting, using, and managing cryptographic modules to improve the protection of sensitive resources; it also specifies four levels of security for each of the 11 requirements, where the degree of security increases with each level. 

ISO 24759:2017 - Test Requirements for Cryptographic Modules

This will become the derived testing requirement (DTR) for all testing labs. The methods outlined here specify objective test requirements to enforce a unified testing process across all testing laboratories. 

What does this mean?

The requirements of both ISO/IEC 19790:2012 and ISO 24759:2017 are harmonized so that conformance to the testing standards outlined in ISO 24759:2017 demonstrates compliance with ISO/IEC 19790:2012. 

FIPS 140-3 is now more closely aligned with ISO/IEC standards, so vendors and organizations will have an easier time upgrading to the new standards.

Other differences are outlined in the next section. 

What are the requirements of FIPS 140-3?

FIPS 140-2 only addresses security requirements after completion, but FIPS 140-3 now evaluates security requirements at all stages of cryptographic module creation--from design, through implementation, to final operational deployment. 

FIPS 140-3 has 11 derived test requirements (DTRs) detailing the requirements that need to be met in order to demonstrate conformance to the standard. Each requirement also describes the methods that the testing lab will take to test the module. 

All requirements have been updated from the FIPS 140-2 versions.

Let's take a look at each: 

  1. Cryptographic Module Specification: FIPS 140-3 defines five types of cryptographic modules or boundaries that can be validated: hardware module, firmware module, software module, hybrid-software module, and hybrid-firmware module. Hybrid modules, which were restricted to Level 1 validations in FIPS 140-2, no longer have a level limitation.
  2. Software and Firmware Security: This is a new section that introduces Integrity Testing, but it does not apply to hardware-specific embodiments. 
  3. Operational Requirements: This section has been updated to eliminate the need for software modules at Level 2 to be Common Criteria (CC) certified, but there are many new requirements that coincide with CC that must be addressed.
  4. Non-Invasive Security: This section outlines documentation and testing requirements for protecting the module from attacks performed without direct physical contact with its components. 
  5. Self-Tests: This section adds new requirements for Periodic Self-Tests and Conditional Fault Detection Tests, and it also renames Power On Self-Tests to Operational Self-Tests. 
  6. Mitigation of Other Attacks: This section addresses any additional attack-preventing functionality that is not directly called out in previous test requirements. 
  7. Cryptographic Module Interfaces: This section defines the interfaces or commands used by each module type. These new interfaces are: Hardware Module Interfaces (HMI), Software or Firmware Module Interfaces (SFMI), Hybrid-Software Module Interfaces (HSMI), and Control Output Interface. 
  8. Roles, Services, and Authentication: The roles are: Crypto Officer, User, and Maintenance. (FIPS 140-3 only mandates a Crypto Officer.) The services are: show status, perform self-tests, perform approved security function, show the module's versioning information, and perform zeroization. The authentication piece requires multi-factor authentication.
  9. Physical Security: Security can come in one of three forms: single-chip, multiple-chip, and multiple-chip standalone. There are additional requirements at Level 2, Level 3, and Level 4. 
  10. Sensitive Security Parameter (SSP) Management: This section covers SSP input and output requirements at each level, including information on Random Bit Generation (RBG), CSP Encryption, and zeroization. New sections such as Critical Security Parameters (CSPs) and Public Security Parameters (PSPs) have been added here. 
  11. Lifecycle Assurance: This section details security requirements on how the device was designed, developed, and is intended to operate; it also includes requirements for the module's end-of-life. In addition, the requirements from FIPS 140-2's section on Finite State Model (FSM) are included here.
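
To make items 2 and 5 concrete, here is an added example (not code from Trenton Systems or from the standard) of a software module that refuses all services until an integrity test and a known-answer self-test pass, and that drops into an error state when a later periodic re-run fails. The class, key, and module image are hypothetical, and the choice of HMAC-SHA-256 for the integrity check is an assumption made for this illustration.

```python
import hashlib
import hmac

# Constructed sample inputs: a stand-in module image and integrity key.
MODULE_IMAGE = b"constructed module image bytes"
INTEGRITY_KEY = b"constructed-integrity-key"
EXPECTED_TAG = hmac.new(INTEGRITY_KEY, MODULE_IMAGE, hashlib.sha256).digest()

# Known answer: the published SHA-256 digest of the message "abc".
KAT_INPUT = b"abc"
KAT_DIGEST = bytes.fromhex(
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")


class ModuleError(Exception):
    """Raised when a service is requested outside the operational state."""


class CryptoModule:  # hypothetical module wrapper, for illustration only
    def __init__(self, image, expected_tag, sha256=hashlib.sha256):
        self.image = image
        self.expected_tag = expected_tag
        self.sha256 = sha256      # injectable so a faulty algorithm can be simulated
        self.state = "POWER_ON"   # no services until self-tests pass

    def integrity_test(self):
        # Recompute the tag over the module image and compare in constant time.
        tag = hmac.new(INTEGRITY_KEY, self.image, hashlib.sha256).digest()
        return hmac.compare_digest(tag, self.expected_tag)

    def known_answer_test(self):
        # Run the algorithm on a fixed input and compare with the known digest.
        return hmac.compare_digest(self.sha256(KAT_INPUT).digest(), KAT_DIGEST)

    def run_self_tests(self):
        # Called at start-up and again periodically; any failure is an error state.
        ok = self.integrity_test() and self.known_answer_test()
        self.state = "OPERATIONAL" if ok else "ERROR"
        return self.state

    def digest(self, data):
        # Cryptographic services are refused unless self-tests have passed.
        if self.state != "OPERATIONAL":
            raise ModuleError("module not operational: " + self.state)
        return self.sha256(data).hexdigest()
```
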

What are the different levels of FIPS 140-3?

Within each of the 11 DTRs, there are four increasing qualitative security levels. At each level, greater amounts of evidence and engineering are needed to show a product's compliance with FIPS 140-3. 

Let's take a look at the requirements of each level: 

Level 1

  1. Validation of at least one approved algorithm or security function
  2. Production-grade evaluated components

Level 2

  1. All Level 1 requirements
  2. Role-based authentication and physical security requirements for tamper evidence

Level 3 

  1. All Level 1 and 2 requirements
  2. Identity-based authentication, physical security mechanisms for tamper detection, and tamper response
  3. Physical or logical separation between interfaces by which Critical Security Parameters enter and leave the module. (Private keys can only enter and leave in encrypted form.)
  4. Module must detect and react to out-of-range voltage or temperature--also known as environmental failure protection, or EFP--or alternatively undergo environmental failure testing (EFT).

Level 4

  1. All Level 1, 2, and 3 requirements
  2. Increasingly stringent physical security mechanisms to detect and respond to tampering, including environmental attacks. (The contents of the device are deleted if any attack is detected.)
  3. Environmental failure protection, protection against fault injection, and multi-factor authentication. 

FIPS 140-3 and Trenton Systems

At Trenton Systems, our USA-made high-performance computing solutions protect critical data at-rest, in-transit, and in-use across the hardware, firmware, software, and network stack with advanced, multi-layer cybersecurity technologies.

Our 5G-powered, edge compute systems can support both FIPS 140-2 and FIPS 140-3 self-encrypting drives (SEDs) to keep large amounts of sensitive information safe from unauthorized access and maintain operational integrity. 

In both rack mount and small form factor, we customize our systems per our customers' most complex security requirements, incorporating next-gen SEDs from a variety of different manufacturers such as Micron and UDInfo.

Zero-trust architected with Intel® hardware-based security technologies like PFR, SGX, and TME, our solutions ensure that applications across the commercial, military, and industrial sectors are guarded against the most sophisticated of cyberattacks. 

Final thoughts

With a heightened risk of cyberattacks and an increasingly interconnected technological ecosystem, protecting data-at-rest, data-in-transit, and data-in-use is more important now than ever. 

Requiring organizations to meet FIPS 140-2 and FIPS 140-3 certification is a crucial step in ensuring the security, integrity, and functionality of applications across the government, military, and critical infrastructure landscape. 

In partnership with Intel®, Trenton Systems stands at the forefront of developing critical, cybersecure mission computers to provide our warfighters with a strategic, tactical, and operational advantage. 

Want to learn more about how you can construct a secure computing system with the latest encryption technologies? Just reach out to us anytime.

We'd be happy to help. 🙂 🇺🇸
