[Federal Register Volume 72, Number 134 (Friday, July 13, 2007)]
[Notices]
[Pages 38566-38567]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-13654]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 070321067-7068-01]


Announcing Draft Federal Information Processing Standard (FIPS) 
140-3, Security Requirements for Cryptographic Modules

AGENCY: National Institute of Standards and Technology (NIST), 
Department of Commerce.

ACTION: Notice; request for comments.

-----------------------------------------------------------------------

SUMMARY: This notice announces Draft Federal Information Processing 
Standard 140-3, Security Requirements for Cryptographic Modules, for 
public review and comment. The draft standard, designated ``Draft FIPS 
140-3,'' is proposed to supersede FIPS 140-2.
    FIPS 140-1 was first published in 1994. In 2001 FIPS 140-2 
superseded FIPS 140-1. FIPS 140-2 specified that it will be reviewed 
within five years. In 2005, NIST solicited public comments on 
reaffirming the standard. The comments received by NIST supported 
maintaining the standard. The comments also supported updating the 
standard due to advances in technology. The proposed revision can be 
found at http://csrc.nist.gov/publications/drafts.html#fips140-3 and is 
now available for public review and comment.
    Prior to the submission of this proposed standard to the Secretary 
of Commerce for review and approval, it is essential that consideration 
is given to the needs and views of the public, users, the information 
technology industry, and Federal, State and local government 
organizations. The purpose of this notice is to solicit such views.

DATES: Comments must be received on or before October 11, 2007.

ADDRESSES: Written comments may be sent to: Chief, Computer Security 
Division, Information Technology Laboratory, Attention: Dr. Allen 
Roginsky, 100 Bureau Drive--Stop 8930, National Institute of Standards 
and Technology, Gaithersburg, MD 20899-8930. Electronic comments may 
also be sent to: [email protected].
    The current FIPS 140-2 standard can be viewed electronically at: 
http://csrc.nist.gov/. Comments received in response to this notice 
will be published electronically at http://csrc.nist.gov/cryptval/140-3.htm.

FOR FURTHER INFORMATION CONTACT: Dr. Allen Roginsky, Computer Security 
Division, 100 Bureau Drive, Stop 8930, National Institute of Standards 
and Technology, Gaithersburg, MD 20899-8930, telephone (301) 975-3603.

SUPPLEMENTARY INFORMATION: FIPS 140-1, Security Requirements for 
Cryptographic Modules, was issued in 1994 and was superseded by FIPS 
140-2 in 2001. FIPS 140-2 identifies requirements for four security 
levels for cryptographic modules to provide for a wide spectrum of data 
sensitivity (e.g., low value administrative data, million dollar funds 
transfers, and life protecting data), and a diversity of application 
environments.
    Over 1600 modules have been tested by accredited private-sector 
laboratories and validated to date as conforming to this standard. The 
standard provided that it be reviewed within five years to consider its 
continued usefulness and whether new or revised requirements should be 
added.
    A notice was published in the Federal Register (Volume 70, Number 
8) on January 12, 2005, soliciting public comments on reaffirming the 
standard. The comments supported reaffirmation of the standard, but 
suggested technical modifications to address advances in technology 
since the standard was originally issued. Using these comments, NIST 
prepared Draft FIPS 140-3.
    The most important differences between this Draft FIPS 140-3 and 
the current FIPS 140-2 standard are: specifying five security levels 
instead of four; having a separate section for software security; 
requiring mitigation of non-invasive attacks when validating at 
higher security levels; introducing a notion of public security 
parameters; allowing various self-tests to be deferred until certain 
conditions are met; and strengthening the requirements on user 
authentication and integrity testing.

    Authority: Federal Information Processing Standards (FIPS) are 
issued by the National Institute of Standards and Technology after 
approval by the Secretary of Commerce pursuant to Section 5131 of 
the Information Technology Management Reform Act of 1996 and the 
Federal Information Security Management Act of 2002 (Pub. L. 107-347).
    E.O. 12866: This notice has been determined not to be significant 
for the purposes of E.O. 12866.

    Dated: July 5, 2007.
James M. Turner,
Deputy Director, NIST.
 [FR Doc. E7-13654 Filed 7-12-07; 8:45 am]
BILLING CODE 3510-13-P