NIST updates standard for cryptography modules

NIST updates standard for cryptography modules

By Shruti Dat'

GCN Staff

The National Institute of Standards and Technology recently revised the government's systems security and encryption validation standard.

'The standard has not changed in focus or emphasis,' said Ray Snouffer, program manager for NIST's Cryptographic Module Validation Program (CMVP). 'We've removed the redundant areas and clarified the language.'

The Federal Information Processing Standard 140-1 includes 11 areas of security requirements and four levels of security. FIPS 140-1 mandates that federal agencies use FIPS-compliant cryptography modules to protect sensitive but unclassified information in government systems.


NIST reviews the standard at five-year intervals. FIPS 140-2 carries over the information from its predecessor and expands on it.

NIST validates cryptography products and agency modules at four labs, which test the products to ensure compliance with the standard. NIST and the Communications Security Establishment of the Government of Canada established CMVP six years ago, Snouffer said.

NIST updates the security standard based on lessons learned, public comments and a line-by-line review of validation tests, Snouffer said.

The updated FIPS 140-2 has reorganized but not changed the physical security requirements. The existing standard had overlapping information about physical security requirements, said Annabelle Lee, CMVP deputy director.

The updated standard also specifies that operating systems must comply with the specifications in the Common Criteria. Previously, NIST required that OSes meet the standards detailed in the National Security Agency's Trusted Computer Security Evaluation Criteria, or the Orange Book.

CMVP also has added a section about hacking and how to mitigate computer attacks. FIPS 140-2 includes a beefed-up self-test section for agencies to use when they change their cryptography.

The CMVP staff also reworded the standard. In FIPS 140-1, all requirements used an if-then phrasing, implying that the requirement was optional, Lee said.

But the new version uses if-shall phrasing. 'Every shall statement means you must do it,' Lee said. 'We do conformance and compliance, so you can't leave it open-ended or open to interpretation.'

Approval expected

NIST officials expect Commerce Secretary William M. Daley to approve the standard this summer. FIPS 140-2 would take effect six months after Daley's OK. NIST would give agencies an additional six-month transition period after the standard took effect.

'After the transition period, modules will no longer be tested against FIPS 140-1,' Lee said. NIST will allow agencies to use modules tested under FIPS 140-1 before the update, but ensuing versions of these modules must be validated with FIPS 140-2.

Snouffer said modules generally have a life of nine months, so federal agencies will make the transition from FIPS 140-1 to 140-2 gradually.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.