You, Me and FIPS 140-3 - A Guide to the New Standard and Transition

Explore the key changes and implications of the new FIPS 140-3 cryptographic module validation standard in this 46-minute conference talk from RSA Conference. Delve into the differences between FIPS 140-2 and FIPS 140-3, examining new terminology, testing requirements, and security considerations. Learn about the transition timeline, the fate of existing FIPS 140-2 certificates, and how to navigate the validation process under the new standard. Gain insights into the challenges faced by labs and the Cryptographic Module Validation Program (CMVP) in adapting to evolving security needs. Discover practical advice for staying informed and preparing for the FIPS 140-3 transition, with a focus on its impact on cryptographic module development and certification.

Syllabus

Intro
Objectives for this briefing
What is FIPS? Why is it important?
Challenges with FIPS 140-2 module validations
FIPS lab customer feedback hotline ...
How has CMVP coped with passage of time?
How have labs coped with challenges?
FIPS 140-3..... Vaporware?
March 22nd, 2019 - FIPS 140-3 officially signed!
NIST SP 800-140: Important Supplemental Docs (cont'd)
What happens to the "duct tape"?
New Terms: SSPS, CSPs and PSPs
New Terms: New Output Types Defined
New Terms: Vendor Testing, Low-Level Testing & EOL
The Diff: Dash-2 vs. Dash-3 Snapshot
The Diff: Those Dang Self-tests (continued)
The Diff: Roles, Services and Authentication
The Diff: Let's get physical (Physical Security)
The Diff: Software/Firmware and OS Security
The Diff: Actual Non-Invasive Security Requirements
The Diff: It's "Zeroisation", Not "Zeroization"!
FIPS 140-3 transition: Important dates
Apply: Can I achieve BOTH FIPS 140-2 and FIPS 140-3?
Apply: In closing, points to remember ...
Apply: How to stay in the loop?