[Federal Register Volume 59, Number 7 (Tuesday, January 11, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-539]




-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE
[Docket No. 900820-3141]
RIN No. 0693-AA68

 

Approval of Federal Information Processing Standards (FIPS) 
Publication 140-1, Security Requirements for Cryptographic Modules

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: The purpose of this notice is to announce that the Secretary of 
Commerce has approved a revision of Federal Information Processing 
Standard 140, General Security Requirements for Equipment Using the 
Data Encryption Standard, which will be published as FIPS Publication 
140-1. This revised standard supersedes FIPS 140 in its entirety.

-----------------------------------------------------------------------

SUMMARY: On January 8, 1991, a notice was published in the Federal 
Register (56 FR 681) that a revision of Federal Information Processing 
Standards Publication (FIPS PUB) 140, General Security Requirements for 
Equipment Using the Data Encryption Standard, was being proposed for 
Federal use.
    The written comments submitted by interested parties and other 
material available to the Department relevant to this proposed revision 
were reviewed by NIST. On the basis of this review, NIST recommended 
that the Secretary approve the revised standard as Federal Information 
Processing Standards Publication (FIPS PUB) 140-1, and prepared a 
detailed justification document for the Secretary's review in support 
of that recommendation.
    The detailed justification document which was presented to the 
Secretary is part of the public record and is available for inspection 
and copying in the Department's Central Reference and Records 
Inspection Facility, room 6020, Herbert C. Hoover Building, 14th Street 
between Pennsylvania and Constitution Avenue, NW., Washington, DC 
20230.
    This FIPS contains two sections: (1) An announcement section, which 
provides information concerning the applicability, implementation, and 
maintenance of the standard; and (2) a specifications section which 
deals with the technical requirements of the standard. Only the 
announcement section of the standard is provided in this notice.

EFFECTIVE DATE: This standard is effective on January 11, 1994.

ADDRESSES: Interested parties may purchase copies of this standard, 
including the technical specifications portion, from the National 
Technical Information Service (NTIS). Specific ordering information 
from NTIS for this revised standard is set out in the Where to Obtain 
Copies Section of the announcement section of the standard.

FOR FURTHER INFORMATION CONTACT:
Mr. Miles E. Smid, National Institute of Standards and Technology, 
Gaithersburg, MD 20899, telephone (301) 975-2938.


    Dated: January 4, 1994.
Samuel Kramer,
Associate Director.

Federal Information Processing Standards Publication 140-1

(Date)

Announcing the Standard for Security Requirements for Cryptographic 
Modules

    Federal Information Processing Standards Publications (FIPS 
PUBS) are issued by the National Institute of Standards and 
Technology (NIST) after approval by the Secretary of Commerce 
pursuant to Section 111(d) of the Federal Property and 
Administrative Services Act of 1949 as amended by the Computer 
Security Act of 1987, Public Law 100-235.
    1. Name of Standard. Security Requirements for Cryptographic 
Modules (FIPS PUB 140-1).
    2. Category of Standard. Computer Security.
    3. Explanation. This standard specifies the security 
requirements that are to be satisfied by a cryptographic module 
utilized within a security system protecting unclassified 
information within computer and telecommunication systems (including 
voice systems). The standard provides four increasing, qualitative 
levels of security: Level 1, Level 2, Level 3, and Level 4. These 
levels are intended to cover the wide range of potential 
applications and environments in which cryptographic modules may be 
employed. The security requirements cover areas related to the 
secure design and implementation of a cryptographic module. These 
areas include basic design and documentation, module interfaces, 
authorized roles and services, physical security, software security, 
operating system security, key management, cryptographic algorithms, 
electromagnetic interference/electromagnetic compatibility (EMI/
EMC), and self-testing. This standard supersedes FIPS 140, General 
Security Requirements for Equipment Using the Data Encryption 
Standard, in its entirety.
    4. Approving Authority. Secretary of Commerce.
    5. Maintenance Agency. Department of Commerce, National 
Institute of Standards and Technology, (Computer Systems 
Laboratory).
    6. Cross Index.
    a. FIPS PUB 46-1, Data Encryption Standard.
    b. FIPS PUB 48, Guidelines on Evaluation of Techniques for 
Automated Personal Identification.
    c. FIPS PUB 74, Guidelines for Implementing and Using the NBS 
Data Encryption Standard.
    d. FIPS PUB 81, DES Modes of Operation.
    e. FIPS PUB 83, Guideline of User Authentication Techniques for 
Computer Network Access Control.
    f. FIPS PUB 112, Password Usage.
    g. FIPS PUB 113, Computer Data Authentication.
    h. FIPS PUB 171, Key Management Using ANSI X9.17.
    i. FIPS PUB 180, Secure Hash Standard.
    j. Special Publication 500-157, Smart Card Technology: New 
Methods for Computer Access Control.
    k. Special Publication 800-2, Public Key Cryptography.
    Other NIST publications may be applicable to the implementation 
and use of this standard. A list (NIST Publications List 91) of 
currently available computer security publications, including 
ordering information, can be obtained from NIST.
    7. Applicability. This standard is applicable to all Federal 
agencies that use cryptographic-based security systems to protect 
unclassified information within computer and telecommunication 
systems (including voice systems) that are not subject to Section 
2315 of Title 10, U.S. Code, or Section 3502(2) of Title 44, U.S. 
Code. This standard shall be used in designing, acquiring and 
implementing cryptographic-based security systems within computer 
and telecommunication systems (including voice systems), operated by 
a Federal agency or by a contractor of a Federal agency or other 
organization that processes information (using a computer or 
telecommunications system) on behalf of the Federal Government to 
accomplish a Federal function. Federal agencies which use 
cryptographic-based security systems for protecting classified 
information may use those systems for protecting unclassified 
information in lieu of systems that comply with this standard. Non-
Federal government organizations are encouraged to adopt and use 
this standard when it provides the desired security for protecting 
valuable or sensitive information.
    8. Applications. Cryptographic-based security systems may be 
utilized in various computer and telecommunication (including voice) 
applications (e.g., data storage, access control and personal 
identification, radio, facsimile, video) and in various environments 
(e.g., centralized computer facilities, office environments, hostile 
environments). The cryptographic services (e.g., encryption, 
authentication, digital signature, key management) provided by a 
cryptographic module will be based on many factors which are 
specific to the application and environment. The security level of a 
cryptographic module shall be chosen to provide a level of security 
appropriate for the security requirements of the application and 
environment in which the module is to be utilized and the security 
services which the module is to provide. The security requirements 
for a particular security level include both the security 
requirements specific to that level and the security requirements 
that apply to all modules regardless of the level. System 
characteristics not related to security (e.g., telecommunications 
interoperability) are beyond the scope of this standard.
    9. Specifications. Federal Information Processing Standard 
(FIPS) 140-1, Security Requirements for Cryptographic Modules 
(affixed).
    10. Implementations. This standard covers implementations of 
cryptographic modules including, but not limited to, hardware 
components or modules, software programs or modules, computer 
firmware, or any combination thereof. Cryptographic modules that are 
validated by NIST, or that comply with the requirements of the FIPS 
140-1 implementation and FIPS 140 acquisition schedules in Section 
14 of the announcement of this standard, will be considered as 
complying with this standard. Information about the FIPS 140-1 
validation program can be obtained from the National Institute of 
Standards and Technology, Computer Systems Laboratory, Gaithersburg, 
MD 20899.
    11. FIPS Approved Security Methods. Cryptographic modules that 
comply with this standard shall employ cryptographic algorithms, 
cryptographic key generation algorithms and key distribution 
techniques, and authentication techniques that have been FIPS 
approved for protecting Federal Government unclassified information. 
FIPS approved cryptographic algorithms, cryptographic key generation 
algorithms and key distribution techniques, and authentication 
techniques include those that are either:
    a. Specified in a Federal Information Processing Standard 
(FIPS), or
    b. Adopted in a FIPS and specified either in an appendix to the 
FIPS or in a document referenced by the FIPS.
    If a cryptographic module is required to incorporate a trusted 
operating system, then the module shall employ trusted operating 
systems that have been evaluated by a NIST accredited evaluation 
authority and against a FIPS approved evaluation criteria.
    Information about approved cryptographic methods and approved 
operating system evaluation authorities and criteria can be obtained 
from NIST.
    12. Interpretation. Resolution of questions regarding this 
standard will be provided by NIST. Questions concerning the content 
and specifications should be addressed to: Director, Computer 
Systems Laboratory, ATTN: FIPS 140-1 Interpretation, National 
Institute of Standards and Technology, Gaithersburg, MD 20899.
    13. Export Control. Certain cryptographic devices and technical 
data regarding them are deemed to be defense articles (i.e., 
inherently military in character) and are subject to Federal 
government export controls as specified in Title 22, Code of Federal 
Regulations, parts 120-128. Some exports of cryptographic modules 
conforming to this standard and technical data regarding them must 
comply with these Federal regulations and be licensed by the U.S. 
Department of State. Other exports of cryptographic modules 
conforming to this standard and technical data regarding them fall 
under the licensing authority of the Bureau of Export Administration 
of the U.S. Department of Commerce. The Department of Commerce is 
responsible for licensing cryptographic devices used for 
authentication, access control, proprietary software, automatic 
teller machines (ATMs), and certain devices used in other equipment 
and software. For advice concerning which agency has licensing 
authority for a particular cryptographic device, please contact the 
respective agencies.

[Table graphic TN11JA94.000 (schedule table) not reproduced in this text]

    14. Implementation Schedule. Table 1 summarizes the 
implementation schedule for FIPS 140-1. The effective date of this 
standard is June 30, 1994.
    From approval of FIPS 140-1 to its effective date, agencies may 
purchase equipment with FIPS 140-1 cryptographic modules that have 
been affirmed in writing from the manufacturer as complying with 
this standard. From June 30, 1994 until six months after the 
establishment of the FIPS 140-1 validation program by NIST, agencies 
that have determined a need for equipment with cryptographic modules 
shall purchase equipment with FIPS 140-1 cryptographic modules that 
have been affirmed in writing by the manufacturer as complying with 
this standard. A copy of the written affirmation shall have been 
sent to the Director, Computer Systems Laboratory, National 
Institute of Standards and Technology, Gaithersburg, MD 20899.

[Table graphic TN11JA94.001 (schedule table) not reproduced in this text]

    For a one year period following the six months after the 
establishment of the FIPS 140-1 validation program, agencies shall 
purchase either equipment with validated FIPS 140-1 cryptographic 
modules, or equipment whose cryptographic modules have been 
submitted for FIPS 140-1 validation. After this period, only FIPS 
140-1 validated cryptographic modules will be considered as meeting 
the provisions of this standard.
    Table 2 summarizes the schedule for acquisition of FIPS 140 
compliant equipment. For up to three years following June 30, 1994, 
equipment with cryptographic modules complying with FIPS 140, General 
Security Requirements for Equipment Using the Data Encryption 
Standard (formerly Federal Standard 1027), may be purchased in lieu 
of equipment with modules that comply with this standard. These 
modules either shall have been endorsed by the National Security 
Agency (NSA) as complying with Federal Standard 1027, or shall be 
affirmed in writing by the manufacturer as complying with FIPS 140. 
NSA endorsed modules shall have been endorsed prior to December, 
1993. A list of endorsed products (NSA Endorsed Data Encryption 
Standard (DES) Products List) is available from the NSA. For modules 
affirmed by the manufacturer as complying with FIPS 140, a copy of 
the written affirmation shall have been sent by the manufacturer to 
the Director of the Computer Systems Laboratory at NIST prior to 
June 30, 1994. A list of these methods is available from NIST.
    Equipment purchased under the above conditions may continue to 
be used for the lifetime of the equipment without the need for 
further affirmation or validation for conformance to this standard.
    15. Qualifications. The security requirements specified in this 
standard are based upon information provided by many sources within 
the Federal government and private industry. The requirements are 
designed to protect against adversaries mounting cost-effective 
attacks on unclassified government or commercial data (e.g., 
hackers, organized crime, economic competitors). The primary goal in 
designing an effective security system is to make the cost of any 
attack greater than the possible payoff.
    While the security requirements specified in this standard are 
intended to maintain the security of a cryptographic module, 
conformance to this standard does not guarantee that a particular 
module is secure. It is the responsibility of the manufacturer of a 
cryptographic module to build the module in a secure manner.
    Similarly, the use of a cryptographic module that conforms to 
this standard in an overall system does not guarantee the security 
of the overall system. The responsible authority in each agency 
shall assure that an overall system provides an acceptable level of 
security.
    Since a standard of this nature must be flexible enough to adapt 
to advancements and innovations in science and technology, this 
standard will be reviewed every 5 years in order to consider new or 
revised requirements that may be needed to meet technological and 
economic changes.
    16. Waiver Procedure. Under certain exceptional circumstances, 
the heads of Federal agencies may approve waivers to Federal 
Information Processing Standards (FIPS). The head of such agency may 
redelegate such authority only to a senior official designated 
pursuant to Section 3506(b) of Title 44, U.S. Code. Waivers shall be 
granted only when:
    a. Compliance with a standard would adversely affect the 
accomplishment of the mission of an operator of a Federal computer 
system, or
    b. Cause a major adverse financial impact on the operator which 
is not offset by Government-wide savings.
    Agency heads may act upon a written waiver request containing 
the information detailed above. Agency heads may also act without a 
written waiver request when they determine that conditions for 
meeting the standard cannot be met. Agency heads may approve waivers 
only by a written decision which explains the basis on which the 
agency head made the required finding(s). A copy of each such 
decision, with procurement sensitive or classified portions clearly 
identified, shall be sent to: National Institute of Standards and 
Technology; ATTN: FIPS Waiver Decisions, Technology Building, Room 
B-154; Gaithersburg, MD 20899.
    In addition, notice of each waiver granted and each delegation 
of authority to approve waivers shall be sent promptly to the 
Committee on Government Operations of the House of Representatives 
and the Committee on Government Affairs of the Senate and shall be 
published promptly in the Federal Register.
    When the determination on a waiver applies to the procurement of 
equipment and/or services, a notice of the waiver determination must 
be published in the Commerce Business Daily as a part of the notice 
of solicitation for offers of an acquisition or, if the waiver 
determination is made after that notice is published, by amendment 
to such notice.
    A copy of the waiver, any supporting documents, the document 
approving the waiver and any supporting and accompanying documents, 
with such deletions as the agency is authorized and decides to make 
under Section 552(b) of Title 5, U.S. Code, shall be part of the 
procurement documentation and retained by the agency.
    17. Where to obtain copies. Copies of this publication are 
available for sale by the National Technical Information Service, 
U.S. Department of Commerce, Springfield, VA 22161. When ordering, 
refer to Federal Information Processing Standards Publication 140-1 
(FIPS PUB 140-1), and title. When microfiche is desired, this should 
be specified. Payment may be made by check, money order, credit 
card, or deposit account.

[FR Doc. 94-539 Filed 1-10-94; 8:45 am]
BILLING CODE 3510-CN-M