Announcing Issuance of Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules, 18493-18495 [2019-08817]
Federal Register / Vol. 84, No. 84 / Wednesday, May 1, 2019 / Notices
[Federal Register Volume 84, Number 84 (Wednesday, May 1, 2019)]
[Notices]
[Pages 18493-18495]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-08817]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 170810743-8858-01]
RIN 0693-XC079
Announcing Issuance of Federal Information Processing Standard
(FIPS) 140-3, Security Requirements for Cryptographic Modules
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This notice announces the Secretary of Commerce's issuance of
Federal Information Processing Standard (FIPS) 140-3, Security
Requirements for Cryptographic Modules. FIPS 140-3 includes references
to existing International Organization for Standardization/
International Electrotechnical Commission (ISO/IEC) 19790:2012(E)
Information technology--Security techniques--Security requirements for
cryptographic modules and ISO/IEC 24759:2017(E) Information
technology--Security techniques--Test requirements for cryptographic
modules. As permitted by the standards, the NIST Special Publication
(SP) series 800-140 will specify updates, replacements, or additions to
the currently cited ISO/IEC standard as necessary.
DATES: FIPS 140-3 is effective September 22, 2019. FIPS 140-3 testing
will begin on September 22, 2020. FIPS 140-2 testing will continue for
at least a year after FIPS 140-3 testing begins.
ADDRESSES: FIPS 140-3 is available electronically from the NIST website
at: https://csrc.nist.gov/publications/fips. Comments that were
received on the proposed changes are also published electronically at
https://csrc.nist.gov/projects/fips-140-3-development.
FOR FURTHER INFORMATION CONTACT: Michael Cooper, (301) 975-8077,
National Institute of Standards and Technology, 100 Bureau Drive, Mail
Stop 8930, Gaithersburg, MD 20899-8930, email: michael.cooper@nist.gov.
SUPPLEMENTARY INFORMATION: NIST has been participating in the ISO/IEC
process for developing standards for cryptographic modules and working
closely with international industry to unify several cryptographic
security standards. ISO/IEC 19790:2012(E), Information technology--
Security techniques--Security requirements for cryptographic modules,
is an international standard based on updates of the earlier versions
of FIPS 140, Security Requirements for Cryptographic Modules. ISO/IEC
24759:2017(E), Information technology--Security techniques--Test
requirements for cryptographic modules, is an international standard
based on the Derived Test Requirements for FIPS 140-2, Security
Requirements for Cryptographic Modules. The National Technology
Transfer and Advancement Act (NTTAA), Public Law 104-113, directs
Federal agencies with respect to their use of and participation in the
development of voluntary consensus standards. The NTTAA's objective is
for Federal agencies to adopt voluntary consensus standards, wherever
possible, in lieu of creating proprietary, non-consensus standards. The
implementation of commercial
[[Page 18494]]
cryptography, which is used to protect U.S. non-national security
information and information systems, is now commoditized and built,
marketed and used globally. Therefore, FIPS 140-3 applies ISO/IEC
19790:2012(E) and ISO/IEC 24759:2017(E) as the security requirements
for cryptographic modules. The SP 800-140 series, which is currently
under development, will be used to specify updates, replacements, or
additions to requirements as allowed by ISO/IEC 19790:2012(E), with the
Cryptographic Module Validation Program (CMVP) executing the role of
the validation authority as defined in the ISO/IEC standard.\1\ During
the transition period prior to FIPS 140-3 becoming effective, FIPS 140-2
testing will continue, and NIST will introduce the SP 800-140 series
documents (at https://csrc.nist.gov/publications/sp800). The series is
expected to consist of:
• SP 800-140, FIPS 140-3 Derived Test Requirements (DTR);
• SP 800-140A, CMVP Documentation Requirements;
• SP 800-140B, CMVP Security Policy Requirements;
• SP 800-140C, CMVP Approved Security Functions;
• SP 800-140D, CMVP Approved Sensitive Security Parameter Generation and Establishment Methods;
• SP 800-140E, CMVP Approved Authentication Mechanisms; and
• SP 800-140F, CMVP Non-Invasive Attack Mitigation Test Metrics.
---------------------------------------------------------------------------
\1\ ISO/IEC 19790 defines the validation authority as the entity
that will validate the test results for conformance to this
international standard.
---------------------------------------------------------------------------
FIPS 140-1, first published in 1994, was developed by a government
and industry working group. The working group identified requirements
for four security levels for cryptographic modules to provide for a
wide spectrum of data sensitivity (e.g., low-value administrative data,
million-dollar funds transfers, and life-protecting data) and a
diversity of application environments (e.g., a guarded facility, an
office, and a completely unprotected location). Four security levels
were specified for each of 11 requirement areas. Each security level
offered an increase in security over the preceding level. These four
increasing levels of security allowed cost-effective solutions that
were appropriate for different degrees of data sensitivity and
different application environments.
In 2001, FIPS 140-2 superseded FIPS 140-1. FIPS 140-2 incorporated
changes in applicable standards and technology since the development of
FIPS 140-1 as well as changes that were based on comments received from
the public. Though the standard was reviewed after five years,
consensus to move forward was not achieved until the 2012 revision of
ISO/IEC 19790.
FIPS 140-3 supersedes FIPS 140-2. FIPS 140-3 aligns with ISO/IEC
19790:2012(E) with modifications of the Annexes allowed by the specific
user communities. The testing for these requirements shall be in
accordance with ISO/IEC 24759:2017(E), with the modifications,
additions or deletions of vendor evidence and testing allowed as a
validation authority under paragraph 5.2 of ISO/IEC 24759:2017(E).
On August 12, 2015, NIST published a notice in the Federal Register
(80 FR 48295) requesting public comments on the potential use of
ISO/IEC standards for cryptographic algorithm and cryptographic module
testing, conformance, and validation activities, currently specified by
FIPS 140-2. Comments were submitted by 17 entities, including four
accredited cryptographic testing laboratories, eight vendors of
cryptographic modules, one industry association, and four individuals.
Some comments only addressed specific aspects of the proposal. Eleven
of the comments supported a revised standard, five were neutral and one
was opposed. Many comments asked for clarification on the continued use
of implementation guidance and administration guidance to the testing
laboratories. NIST will consolidate the implementation guidance and
administration guidance into the SP 800-140 series documents, which
will be made available for public review and comment. Other comments
provided feedback on perceived market demand, comparisons of test
coverage between FIPS 140-2 and the ISO/IEC standards and the potential
risks that might be assumed with the use of the ISO/IEC standard. Most
of the commenters were concerned about the payment model for accessing
and obtaining the ISO/IEC standards compared with the free access to
the current FIPS 140-2. All of the suggestions, questions, and
recommendations within the scope of NIST's request for comments were
carefully reviewed, and changes were made to the FIPS, where
appropriate. Some comments submitted questions or raised issues that
were related but outside the scope of this FIPS. Comments that were
outside the scope of this FIPS, but that were within the scope of one
of the related Special Publications, are deferred for later
consideration in the context of development of the SP 800-140 series.
The following is a summary and analysis of the comments received
during the public comment period, and NIST's responses to them,
including the interests, concerns, recommendations, and issues
considered in the development of FIPS 140-3:
Comment: Nine commenters responded that they have been asked by
customers about testing for ISO/IEC standards or have had requests to
test using the ISO/IEC standard.
Response: NIST will be revising its guidance by moving to the
ISO/IEC standards embraced in FIPS 140-3.
Comment: Seven commenters responded that they were concerned about
the ability of researchers, academics and small organizations to obtain
the ISO/IEC standard due to the payment model used by ISO/IEC.
Response: NIST intends to work with the appropriate parties to help
ensure that the ISO/IEC standard will be made reasonably available to
researchers, academics and small organizations.
Comment: Eleven commenters indicated that changing to the ISO/IEC
standard did not increase the risk of using cryptography or decrease
trust in the use of cryptography as compared to the current FIPS 140-2.
Response: NIST intends to make the normative reference to the
ISO/IEC standard specific to a version that NIST believes is acceptable to
provide assurances in the cryptography used by the Federal Government.
In its role as the approval authority \2\ under ISO/IEC 19790:2012(E),
NIST is permitted to replace most of the supporting requirements with
NIST guidance, most of which are currently utilized in the existing
FIPS 140-2.
---------------------------------------------------------------------------
\2\ ISO/IEC 19790 defines the approval authority as any national
or international organization/authority mandated to approve and/or
evaluate security functions.
---------------------------------------------------------------------------
Comment: One commenter expressed concern that adoption of an
international, consensus-based standard would put the U.S. in the
position of using future versions of the ISO/IEC standard as it is
updated and evolves.
Response: NIST plans on continuing its robust participation in the
relevant ISO/IEC working groups, and will thoroughly discuss any
changes necessary to keep these requirements relevant. If an update or
change is made to the ISO/IEC standards that NIST does not feel is
adequate for the security needs of the Federal Government, NIST will
have the flexibility to adopt a different standard. By working with
ISO/IEC experts, NIST can maintain flexibility within the standards as
allowed by the validation authorities as
[[Page 18495]]
described in the ISO/IEC standards. Should these measures prove
insufficient, NIST can, through FIPS 140-3 or the SP 800-140 series
development process, create a revised standard, controlled by NIST, to
maintain the most secure posture possible.
FIPS 140-3 is available electronically from the NIST website at:
https://csrc.nist.gov/publications/fips.
Authority: 44 U.S.C. 3553(f)(1), 15 U.S.C. 278g-3.
Kevin A. Kimball,
Chief of Staff.
[FR Doc. 2019-08817 Filed 4-30-19; 8:45 am]
BILLING CODE 3510-13-P