AGENCY:

National Institute of Standards and Technology (NIST), Department of Commerce.

ACTION:

Notice; request for comments.

SUMMARY:

This notice announces Draft Federal Information Processing Standard 140-3, Security Requirements for Cryptographic Modules, for public review and comment. The draft standard, designated “Draft FIPS 140-3,” is proposed to supersede FIPS 140-2.

FIPS 140-1 was first published in 1994. In 2001 FIPS 140-2 superseded FIPS 140-1. FIPS 140-2 specified that it will be reviewed within five years. In 2005, NIST solicited public comments on reaffirming the standard. The comments received by NIST supported maintaining the standard. The comments also supported updating the standard due to advances in technology. The proposed revision can be found at http://csrc.nist.gov/​publications/​drafts.html#fips140-3 and is now available for public review and comment.

Prior to the submission of this proposed standard to the Secretary of Commerce for review and approval, it is essential that consideration is given to the needs and views of the public, users, the information technology industry, and Federal, State and local government organizations. The purpose of this notice is to solicit such views.

DATES:

Comments must be received on or before October 11, 2007.

ADDRESSES:

Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Allen Roginsky, 100 Bureau Drive—Stop 8930, Start Printed Page 38567National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic comments may also be sent to: FIPS140-3@nist.gov.

The current FIPS 140-2 standard can be viewed electronically at: http://csrc.nist.gov/​. Comments received in response to this notice will be published electronically at http://csrc.nist.gov/​cryptval/​140-3.htm.

FOR FURTHER INFORMATION CONTACT:

Dr. Allen Roginsky, Computer Security Division, 100 Bureau Drive, Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930, telephone (301) 975-3603.

SUPPLEMENTARY INFORMATION:

FIPS 140-1, Security Requirements for Cryptographic Modules was issued in 1994 and was superseded by FIPS 140-2 in 2001. FIPS 140-2 identifies requirements for four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g., low value administrative data, million dollar funds transfers, and life protecting data), and a diversity of application environments.

Over 1600 modules have been tested by accredited private-sector laboratories and validated to-date as conforming to this standard. The standard provided that it be reviewed within five years to consider its continued usefulness and whether new or revised requirements should be added.

A notice was published in the Federal Register (Volume 70, Number 8) on January 12, 2005, soliciting public comments on reaffirming the standard. The comments supported reaffirmation of the standard, but suggested technical modifications to address advances in technology since the standard was originally issued. Using these comments, NIST prepared Draft FIPS 140-3.

The most important differences between this Draft FIPS 140-3 and the current FIPS 140-2 standard are: Specifying five security levels instead of four; having a separate section for software security; requiring to mitigate against the non-invasive attacks when validating at higher security levels; introducing a notion of public security parameters; allowing to defer various self-tests until certain conditions are met; and strengthening the requirements on user authentication and integrity testing.

Authority: Federal Information Processing Standards (FIPS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 and the Federal Information Security Management Act of 2002 (Pub. L. 107-347). E.O. 12866: This notice has been determined not to be significant for the purposes of E.O. 12866.