[Federal Register Volume 59, Number 7 (Tuesday, January 11, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-539]
[Federal Register: January 11, 1994]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
[Docket No. 900820-3141]
RIN No. 0693-AA68
Approval of Federal Information Processing Standards (FIPS)
Publication 140-1, Security Requirements for Cryptographic Modules
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: The purpose of this notice is to announce that the Secretary of
Commerce has approved a revision of Federal Information Processing
Standard 140, General Security Requirements for Equipment Using the
Data Encryption Standard, which will be published as FIPS Publication
140-1. This revised standard supersedes FIPS 140 in its entirety.
-----------------------------------------------------------------------
SUMMARY: On January 8, 1991, a notice was published in the Federal
Register (56 FR 681) that a revision of Federal Information Processing
Standards Publication (FIPS PUB) 140, General Security Requirements for
Equipment Using the Data Encryption Standard, was being proposed for
Federal use.
The written comments submitted by interested parties and other
material available to the Department relevant to this proposed revision
were reviewed by NIST. On the basis of this review, NIST recommended
that the Secretary approve the revised standard as Federal Information
Processing Standards Publication (FIPS PUB) 140-1, and prepared a
detailed justification document for the Secretary's review in support
of that recommendation.
The detailed justification document which was presented to the
Secretary is part of the public record and is available for inspection
and copying in the Department's Central Reference and Records
Inspection Facility, room 6020, Herbert C. Hoover Building, 14th Street
between Pennsylvania and Constitution Avenue, NW., Washington, DC
20230.
This FIPS contains two sections: (1) An announcement section, which
provides information concerning the applicability, implementation, and
maintenance of the standard; and (2) a specifications section which
deals with the technical requirements of the standard. Only the
announcement section of the standard is provided in this notice.
EFFECTIVE DATE: This standard is effective on January 11, 1994.
ADDRESSES: Interested parties may purchase copies of this standard,
including the technical specifications portion, from the National
Technical Information Service (NTIS). Specific ordering information
from NTIS for this revised standard is set out in the Where to Obtain
Copies Section of the announcement section of the standard.
FOR FURTHER INFORMATION CONTACT:
Mr. Miles E. Smid, National Institute of Standards and Technology,
Gaithersburg, MD 20899, telephone (301) 975-2938.
Dated: January 4, 1994.
Samuel Kramer,
Associate Director.
Federal Information Processing Standards Publication 140-1
(Date)
Announcing the Standard for Security Requirements for Cryptographic
Modules
Federal Information Processing Standards Publications (FIPS
PUBS) are issued by the National Institute of Standards and
Technology (NIST) after approval by the Secretary of Commerce
pursuant to Section 111(d) of the Federal Property and
Administrative Services Act of 1949 as amended by the Computer
Security Act of 1987, Public Law 100-235.
1. Name of Standard. Security Requirements for Cryptographic
Modules (FIPS PUB 140-1).
2. Category of Standard. Computer Security.
3. Explanation. This standard specifies the security
requirements that are to be satisfied by a cryptographic module
utilized within a security system protecting unclassified
information within computer and telecommunication systems (including
voice systems). The standard provides four increasing, qualitative
levels of security: Level 1, Level 2, Level 3, and Level 4. These
levels are intended to cover the wide range of potential
applications and environments in which cryptographic modules may be
employed. The security requirements cover areas related to the
secure design and implementation of a cryptographic module. These
areas include basic design and documentation, module interfaces,
authorized roles and services, physical security, software security,
operating system security, key management, cryptographic algorithms,
electromagnetic interference/electromagnetic compatibility (EMI/
EMC), and self-testing. This standard supersedes FIPS 140, General
Security Requirements for Equipment Using the Data Encryption
Standard, in its entirety.
4. Approving Authority. Secretary of Commerce.
5. Maintenance Agency. Department of Commerce, National
Institute of Standards and Technology, (Computer Systems
Laboratory).
6. Cross Index.
a. FIPS PUB 46-1, Data Encryption Standard.
b. FIPS PUB 48, Guidelines on Evaluation of Techniques for
Automated Personal Identification.
c. FIPS PUB 74, Guidelines for Implementing and Using the NBS
Data Encryption Standard.
d. FIPS PUB 81, DES Modes of Operation.
e. FIPS PUB 83, Guideline of User Authentication Techniques for
Computer Network Access Control.
f. FIPS PUB 112, Password Usage.
g. FIPS PUB 113, Computer Data Authentication.
h. FIPS PUB 171, Key Management Using ANSI X9.17.
i. FIPS PUB 180, Secure Hash Standard.
j. Special Publication 500-157, Smart Card Technology: New
Methods for Computer Access Control.
k. Special Publication 800-2, Public Key Cryptography.
Other NIST publications may be applicable to the implementation
and use of this standard. A list (NIST Publications List 91) of
currently available computer security publications, including
ordering information, can be obtained from NIST.
7. Applicability. This standard is applicable to all Federal
agencies that use cryptographic-based security systems to protect
unclassified information within computer and telecommunication
systems (including voice systems) that are not subject to Section
2315 of Title 10, U.S. Code, or Section 3502(2) of Title 44, U.S.
Code. This standard shall be used in designing, acquiring and
implementing cryptographic-based security systems within computer
and telecommunication systems (including voice systems), operated by
a Federal agency or by a contractor of a Federal agency or other
organization that processes information (using a computer or
telecommunications system) on behalf of the Federal Government to
accomplish a Federal function. Federal agencies which use
cryptographic-based security systems for protecting classified
information may use those systems for protecting unclassified
information in lieu of systems that comply with this standard. Non-
Federal government organizations are encouraged to adopt and use
this standard when it provides the desired security for protecting
valuable or sensitive information.
8. Applications. Cryptographic-based security systems may be
utilized in various computer and telecommunication (including voice)
applications (e.g., data storage, access control and personal
identification, radio, facsimile, video) and in various environments
(e.g., centralized computer facilities, office environments, hostile
environments). The cryptographic services (e.g., encryption,
authentication, digital signature, key management) provided by a
cryptographic module will be based on many factors which are
specific to the application and environment. The security level of a
cryptographic module shall be chosen to provide a level of security
appropriate for the security requirements of the application and
environment in which the module is to be utilized and the security
services which the module is to provide. The security requirements
for a particular security level include both the security
requirements specific to that level and the security requirements
that apply to all modules regardless of the level. System
characteristics not related to security (e.g., telecommunications
interoperability) are beyond the scope of this standard.
9. Specifications. Federal Information Processing Standard
(FIPS) 140-1, Security Requirements for Cryptographic Modules
(affixed).
10. Implementations. This standard covers implementations of
cryptographic modules including, but not limited to, hardware
components or modules, software programs or modules, computer
firmware, or any combination thereof. Cryptographic modules that are
validated by NIST, or that comply with the requirements of the FIPS
140-1 implementation and FIPS 140 acquisition schedules in Section
14 of the announcement of this standard, will be considered as
complying with this standard. Information about the FIPS 140-1
validation program can be obtained from the National Institute of
Standards and Technology, Computer Systems Laboratory, Gaithersburg,
MD 20899.
11. FIPS Approved Security Methods. Cryptographic modules that
comply with this standard shall employ cryptographic algorithms,
cryptographic key generation algorithms and key distribution
techniques, and authentication techniques that have been FIPS
approved for protecting Federal Government unclassified information.
FIPS approved cryptographic algorithms, cryptographic key generation
algorithms and key distribution techniques, and authentication
techniques include those that are either:
a. Specified in a Federal Information Processing Standard
(FIPS), or
b. Adopted in a FIPS and specified either in an appendix to the
FIPS or in a document referenced by the FIPS.
If a cryptographic module is required to incorporate a trusted
operating system, then the module shall employ trusted operating
systems that have been evaluated by a NIST accredited evaluation
authority and against a FIPS approved evaluation criteria.
Information about approved cryptographic methods and approved
operating system evaluation authorities and criteria can be obtained
from NIST.
12. Interpretation. Resolution of questions regarding this
standard will be provided by NIST. Questions concerning the content
and specifications should be addressed to: Director, Computer
Systems Laboratory, ATTN: FIPS 140-1 Interpretation, National
Institute of Standards and Technology, Gaithersburg, MD 20899.
13. Export Control. Certain cryptographic devices and technical
data regarding them are deemed to be defense articles (i.e.,
inherently military in character) and are subject to Federal
government export controls as specified in Title 22, Code of Federal
Regulations, parts 120-128. Some exports of cryptographic modules
conforming to this standard and technical data regarding them must
comply with these Federal regulations and be licensed by the U.S.
Department of State. Other exports of cryptographic modules
conforming to this standard and technical data regarding them fall
under the licensing authority of the Bureau of Export Administration
of the U.S. Department of Commerce. The Department of Commerce is
responsible for licensing cryptographic devices used for
authentication, access control, proprietary software, automatic
teller machines (ATMs), and certain devices used in other equipment
and software. For advice concerning which agency has licensing
authority for a particular cryptographic device, please contact the
respective agencies.
[Graphic TN11JA94.000 (table) not reproduced in the text version]
14. Implementation Schedule. Table 1 summarizes the
implementation schedule for FIPS 140-1. The effective date of this
standard is June 30, 1994.
From approval of FIPS 140-1 to its effective date, agencies may
purchase equipment with FIPS 140-1 cryptographic modules that have
been affirmed in writing from the manufacturer as complying with
this standard. From June 30, 1994 until six months after the
establishment of the FIPS 140-1 validation program by NIST, agencies
that have determined a need for equipment with cryptographic modules
shall purchase equipment with FIPS 140-1 cryptographic modules that
have been affirmed in writing by the manufacturer as complying with
this standard. A copy of the written affirmation shall have been
sent to the Director, Computer Systems Laboratory, National
Institute of Standards and Technology, Gaithersburg, MD 20899.
[Graphic TN11JA94.001 (table) not reproduced in the text version]
For a one year period following the six months after the
establishment of the FIPS 140-1 validation program, agencies shall
purchase either equipment with validated FIPS 140-1 cryptographic
modules, or equipment whose cryptographic modules have been
submitted for FIPS 140-1 validation. After this period, only FIPS
140-1 validated cryptographic modules will be considered as meeting
the provisions of this standard.
Table 2 summarizes the schedule for acquisition of FIPS 140
compliant equipment. For up to three years following June 30, 1994,
equipment with cryptographic modules complying with FIPS 140, General
Security Requirements for Equipment Using the Data Encryption
Standard (formerly Federal Standard 1027), may be purchased in lieu
of equipment with modules that comply with this standard. These
modules either shall have been endorsed by the National Security
Agency (NSA) as complying with Federal Standard 1027, or shall be
affirmed in writing by the manufacturer as complying with FIPS 140.
NSA endorsed modules shall have been endorsed prior to December,
1993. A list of endorsed products (NSA Endorsed Data Encryption
Standard (DES) Products List) is available from the NSA. For modules
affirmed by the manufacturer as complying with FIPS 140, a copy of
the written affirmation shall have been sent by the manufacturer to
the Director of the Computer Systems Laboratory at NIST prior to
June 30, 1994. A list of these methods is available from NIST.
Equipment purchased under the above conditions may continue to
be used for the lifetime of the equipment without the need for
further affirmation or validation for conformance to this standard.
15. Qualifications. The security requirements specified in this
standard are based upon information provided by many sources within
the Federal government and private industry. The requirements are
designed to protect against adversaries mounting cost-effective
attacks on unclassified government or commercial data (e.g.,
hackers, organized crime, economic competitors). The primary goal in
designing an effective security system is to make the cost of any
attack greater than the possible payoff.
While the security requirements specified in this standard are
intended to maintain the security of a cryptographic module,
conformance to this standard does not guarantee that a particular
module is secure. It is the responsibility of the manufacturer of a
cryptographic module to build the module in a secure manner.
Similarly, the use of a cryptographic module that conforms to
this standard in an overall system does not guarantee the security
of the overall system. The responsible authority in each agency
shall assure that an overall system provides an acceptable level of
security.
Since a standard of this nature must be flexible enough to adapt
to advancements and innovations in science and technology, this
standard will be reviewed every 5 years in order to consider new or
revised requirements that may be needed to meet technological and
economic changes.
16. Waiver Procedure. Under certain exceptional circumstances,
the heads of Federal agencies may approve waivers to Federal
Information Processing Standards (FIPS). The head of such agency may
redelegate such authority only to a senior official designated
pursuant to Section 3506(b) of Title 44, U.S. Code. Waivers shall be
granted only when:
a. Compliance with a standard would adversely affect the
accomplishment of the mission of an operator of a Federal computer
system, or
b. Cause a major adverse financial impact on the operator which
is not offset by Government-wide savings.
Agency heads may act upon a written waiver request containing
the information detailed above. Agency heads may also act without a
written waiver request when they determine that conditions for
meeting the standard cannot be met. Agency heads may approve waivers
only by a written decision which explains the basis on which the
agency head made the required finding(s). A copy of each such
decision, with procurement sensitive or classified portions clearly
identified, shall be sent to: National Institute of Standards and
Technology; ATTN: FIPS Waiver Decisions, Technology Building, Room
B-154; Gaithersburg, MD 20899.
In addition, notice of each waiver granted and each delegation
of authority to approve waivers shall be sent promptly to the
Committee on Government Operations of the House of Representatives
and the Committee on Government Affairs of the Senate and shall be
published promptly in the Federal Register.
When the determination on a waiver applies to the procurement of
equipment and/or services, a notice of the waiver determination must
be published in the Commerce Business Daily as a part of the notice
of solicitation for offers of an acquisition or, if the waiver
determination is made after that notice is published, by amendment
to such notice.
A copy of the waiver, any supporting documents, the document
approving the waiver and any supporting and accompanying documents,
with such deletions as the agency is authorized and decides to make
under Section 552(b) of Title 5, U.S. Code, shall be part of the
procurement documentation and retained by the agency.
17. Where to obtain copies. Copies of this publication are
available for sale by the National Technical Information Service,
U.S. Department of Commerce, Springfield, VA 22161. When ordering,
refer to Federal Information Processing Standards Publication 140-1
(FIPS PUB 140-1), and title. When microfiche is desired, this should
be specified. Payment may be made by check, money order, credit
card, or deposit account.
[FR Doc. 94-539 Filed 1-10-94; 8:45 am]
BILLING CODE 3510-CN-M