[Federal Register Volume 70, Number 8 (Wednesday, January 12, 2005)]
[Notices]
[Pages 2122-2123]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-545]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 041217352-4352-01]


Announcing Development of Federal Information Processing Standard 
(FIPS) 140-3, a Revision of FIPS 140-2, Security Requirements for 
Cryptographic Modules

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice; request for comments.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology announces 
that it plans to develop Federal Information Processing Standard (FIPS) 
140-3, which will supersede FIPS 140-2, Security Requirements for 
Cryptographic Modules. FIPS 140-2, approved by the Secretary of 
Commerce and announced in the Federal Register (June 27, 2001, Volume 
66, Number 124, Pages 34154-34155), identifies requirements for four 
levels of security for cryptographic modules that are utilized by 
Federal agencies to protect the security of Federal information 
systems. The Federal Information Security Management Act (FISMA) 
(Public Law 107-347) requires that all Federal agencies and their 
contractors use only those cryptographic-based security systems that 
were validated to FIPS 140-2 or to its predecessor, FIPS 140-1.

DATES: Comments on new and revised requirements for FIPS 140-3 must be 
received on or before February 28, 2005.

ADDRESSES: Comments may be sent electronically to [email protected], 
or may be mailed to Information Technology Laboratory, ATTN: 
Development of FIPS 140-3, 100 Bureau Drive, Stop 8930, Gaithersburg, 
MD 20899-8930. All comments received will be available on the NIST Web 
site at: http://csrc.nist.gov/cryptval/

FOR FURTHER INFORMATION CONTACT: Mr. Allen Roginsky (301) 975-3603, 
National Institute of Standards and Technology, 100 Bureau Drive, STOP 
8930, Gaithersburg, MD 20899-8930. E-mail: [email protected].
    A copy of FIPS 140-2 is available electronically from the NIST Web 
site at: http://csrc.nist.gov/publications/fips/index.html.

SUPPLEMENTARY INFORMATION: FIPS 140-2, Security Requirements for 
Cryptographic Modules, superseded FIPS 140-1, which had been issued in 
1994. FIPS 140-1 specified that the standard be reviewed within five 
years to consider its continued usefulness and to determine whether new 
or revised requirements should be added. NIST conducted a review of 
FIPS 140-1 in 1998-99, and the standard was reaffirmed as FIPS 140-2 in 
2001 with technical modifications to address technological advances 
that had occurred since FIPS 140-1 had been issued.
    FIPS 140-2 identifies requirements for four increasing, qualitative 
levels of security for cryptographic modules. The four security levels 
cover a wide range of potential applications and a wide spectrum of 
information types, including data with the potential to cause low, 
moderate and serious impacts on organizations should there be a loss of 
confidentiality, integrity or availability of the data. In 1995, NIST 
and the Communications Security Establishment (CSE) of the Government 
of Canada established the Cryptographic Module Validation Program 
(CMVP) to validate cryptographic modules to FIPS 140-1 and other 
cryptography-based standards. Nearly 500 cryptographic modules and many 
implementations of cryptographic algorithms have been tested by 
National Voluntary Laboratory Accreditation Program (NVLAP) accredited, 
independent third-party laboratories and have been validated. Products 
validated by this program are used in Canada, the U.S., and many other 
countries. Federal government agencies are required to acquire products 
that have been validated under the CMVP when they use 
cryptographic-based security systems to protect their information. The CMVP enables 
vendors of cryptographic products to use a common standard and a common 
testing and validation process for their products.
    NIST plans to develop FIPS 140-3 to meet the new and revised 
requirements of Federal agencies for cryptographic systems, and to 
address technological and economic changes that have occurred since the 
issuance of FIPS 140-2. As the first step in the development of FIPS 
140-3, NIST invites comments from the public, users, the information 
technology industry, and Federal, State and local government 
organizations concerning the need for and recommendations for a new 
standard.
    NIST is especially interested in comments on the following issues:
    (1) Compatibility with industry standards.
    (2) New technology areas.
    (3) Introduction of additional levels of security.
    (4) Additional requirements specific to physical security.
    (5) Portability of applications (including operating systems) based 
on platform and/or environment.
    Following its review of the comments submitted in response to this 
notice, NIST will hold open, public workshops in 2005 to discuss the 
development of FIPS 140-3. These workshops will be announced in the 
Federal Register with information about participation. NIST expects to 
propose FIPS 140-3 for public review and comment before recommending 
the standard to the Secretary of Commerce for approval in 2006.
    NIST will develop a plan for a transition period for testing and 
validating modules to FIPS 140-3, and for agencies to develop plans to 
acquire products that are compliant with FIPS 140-3. The transition 
plan will also address the use by Federal agencies of cryptographic 
modules that have been validated for compliance to FIPS 140-1 and FIPS 
140-2.

    Authority: Federal Information Processing Standards (FIPS) are 
issued by the National Institute of Standards and Technology after 
approval by the Secretary of Commerce pursuant to Section 5131 of 
the Information Technology Management Reform Act of 1996 and the 
Federal Information Security Management Act of 2002 (Public Law 
107-347).

    E.O. 12866: This notice has been determined not to be significant 
for the purposes of E.O. 12866.

    Dated: January 5, 2005.
Hratch G. Semerjian,
Acting Director.
[FR Doc. 05-545 Filed 1-11-05; 8:45 am]
BILLING CODE 3510-CN-P