FIPS 140-3

The cryptographic modules are produced by the private sector or open source communities for use by the U.S. government and other regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.

On August 12, 2015, NIST formally released a statement on the Federal Register asking for comments on the potential use of portions of ISO/IEC 19790:2014 in the update of FIPS 140-2.

The update process for FIPS 140 was hamstrung by deep technical issues in topics such as hardware security[3] and apparent disagreement in the US government over the path forward.

The now abandoned 2013 draft of FIPS 140-3 had required mitigation of non-invasive attacks when validating at higher security levels, introduced the concept of public security parameter, allowed the deference of certain self-tests until specific conditions are met, and strengthened the requirements on user authentication and integrity testing.

The FIPS 140 standard established the Cryptographic Module Validation Program (CMVP) as a joint effort by the NIST and the Communications Security Establishment (CSEC) for the Canadian government, now handled by the CCCS, the Canadian Centre for Cyber Security, a new centralized initiative within the CSEC agency.