Yesterday, the CMVP posted a new draft of FIPS 140-4. While expected at some point this year, the timing of the posting came as a bit of a surprise (I personally believed that it would be released closer to ICMC). The content was a bit surprising, as well. Rather than provide the requirements for FIPS 140-4, the document simply provided a pointer to ISO/IEC 19790:2012 without modification.
Additionally there is a note providing this warning:
“Vendors are strongly advised not to design to requirements in the draft FIPS 140-4 if they conflict with the requirements of FIPS 140-2 until such time an announcement and transition is published by NIST.”
This warning is apt. However, given the lead times involved in getting a certifiable module ready, Acumen believes it would be a good idea to implement at least those requirements of ISO 19790 that do not conflict with FIPS 140-2. This will make the “hump” to FIPS 140-4 compliance easier to navigate when the standard comes out of draft.
Fortunately, Acumen Security has performed an analysis comparing the current FIPS 140-2 and ISO/IEC 19790:2012. Our white paper can be found here. It’s a good guide to the salient points of ISO 19790 and identifies the requirements that do not conflict with FIPS 140-2. We would also like to point you to our blog post on this topic: https://blog.acumensecurity.net/getting-ready-for-an-iso-19790-based-fips-140-next/
This is an exciting time to be in the government certification world. There are a ton of changes happening, not just with FIPS 140 but also with Common Criteria. If you have any questions, about FIPS 140 or other government certifications, give us a call or drop us an email. We are passionate about certifications and will help you make the choices that are right for both you and your customers.
Update 7/8/2014: It appears the draft of FIPS 140-4 and the related post have been removed from the CMVP website. We’ll let you know as we hear more.