In moving from FIPS 140-2 to FIPS 140-3, the CMVP has updated the standard to reflect changes in technology since the publication of FIPS 140-2.
FIPS 140-3 was announced on 12th January 2005. However, the publication of the draft revisions and its approval did not follow the original timeline. After many false starts, the final version was approved on March 22, 2019 and is now effective. CMVP will accept FIPS 140-3 submissions from September 22, 2020 onwards.
FIPS 140-3 had a difficult gestation. The original draft was left dormant for so long that it was picked up and developed as an ISO standard, ISO/IEC 19790:2012. The new FIPS 140-3 standard is a wrapper around this international standard with a set of annexes that add the algorithms required by the CMVP. The upshot of this is that although the FIPS 140-3 document is free to download, the useful content is only to be found in the ISO standard, which must be purchased from the ISO (https://www.iso.org/standard/52906.html).
Once FIPS 140-3 is effective, there is a transition period of one year, during which CMVP will accept both FIPS 140-2 and FIPS 140-3 submissions. From September 22, 2021, CMVP stops accepting FIPS 140-2 submissions for new validation certificates.
During its development, a number of the radical revisions have been removed so that the new standard feels like a natural evolution rather than a revolutionary update.
Software requirements are given greater prominence in a new area dedicated to software security, and an area specifying requirements to protect against non-invasive attacks is provided. However, in practice, this will in most cases not require significant changes to be made to products that are compliant at FIPS 140-2.
Reference to Common Criteria and requirements for the use of Common Criteria certified operating systems has been dropped from the requirements and there is more emphasis on audit requirements through the operational environment requirements.
The requirement for an FCC certificate for Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) compliance has been removed.
Major changes include the following:
The concept of a hybrid module has been formally added to the standard. A hybrid module is one whose cryptographic functionality is contained in software or firmware, which also includes some special purpose hardware within the cryptographic boundary of the module.
For module interfaces, an extra control output interface has been formalised, and at levels 3 and 4 the concept of a Trusted Channel has been added.
For level 2 software modules, there are extensive audit requirements in the operational environment requirements.
At level 4, two-factor authentication of operators is now required (at least two of three: something known, something possessed, some physical property).
Physical security requirements have been added to counter non-invasive attacks at level 3 and level 4.
Design assurance requirements increase through the levels, so for example, at level 2 a functional specification is required and at level 3, a detailed design. Testing requirements have been introduced, with functional testing required at levels 1 and 2 and low-level testing required at level 3 and above.
New self-tests have been introduced. There is now the requirement for a pre-operational bypass test.
A software security section has been added to the requirements. These are summarised as follows:
The requirements are cumulative, with each subsequent level either augmenting or replacing the requirements of the previous level as appropriate.