Electronic device manufacturers should find it less time-consuming to bring their products to both the U.S. and international markets as a result of new requirements issued by the National Institute of Standards and Technology, which has updated the Federal Information Processing Standard (FIPS) for testing the effectiveness of a device’s data encryption, NIST explained in a release.
Virtually all devices that receive and process electronic data, including hardware used in laptops and cell phones as well as software that also exchanges information through networks, use some form of encryption to secure data.
FIPS 140-3: Security Requirements for Cryptographic Modules specifies the requirements a device’s encryption system must meet if it is to be used by federal government agencies. The standard affects the broader IT market because of the number of other organizations that interact with the U.S. government. Announced today on the Federal Register, the newly released FIPS 140-3 modernizes the standard and essentially makes the U.S. standard a “pointer” indicating that manufacturers should now use the international standard, which NIST helped to develop.
Any product that uses the international standard — known as ISO 19790 — will therefore use an encryption approach that is acceptable both within and outside the United States, NIST said. This should simplify a manufacturer’s process for bringing a device to market because it eliminates redundant processes for companies trying to sell products internationally.
“Technology changes rapidly,” said NIST computer scientist Mike Cooper. “Testing takes a long time and every day a company spends on it is a day its product is not on the market. We want to minimize that, because there’s a limited time window before a product becomes obsolete.”
Like previous FIPS 140 versions, the first of which was created in 1982, FIPS 140-3 will be used primarily by laboratories that test new products’ encryption algorithms. Its influence, however, will be far wider, according to NIST.
Companies that wish to sell their goods abroad have had to put their devices through further prescribed testing regimes to satisfy the requirements of other countries, but the update eliminates that need, Cooper said.
“For large manufacturers, this allows them to say that they’ve proved their cryptography in many countries at once,” he said. “It also allows for transfer of test results across borders. It gives us a better way to accept test results since they’ve been tested according to the same standard.”
The change also will help companies resolve a wearisome dilemma: remaining in compliance with industry standards while also updating their products to address security vulnerabilities that sometimes occur.
“Before this update, if we discovered a vulnerability or added a feature we’d need to go through an entire recertification round. That takes months, but our software development lifecycles are far shorter than that,” said Dominic Rizzo, who is the technical lead on Google’s Titan Security Key, a product that helps protect the supply chain. “With this change, the benefit to the government is they will get our best work faster.”
Because countries use varied encryption approaches, NIST is also creating a set of six other publications that list the algorithms that are approved for use within the U.S. These are NIST Special Publication (SP) 800-140 Volumes A-F, which function as an appendix to FIPS 140, and will be available at a later date, NIST said. The SP volumes list what are essentially a subset of the algorithms that meet the ISO standard.
“These algorithms match up subject for subject with the ISO document,” Cooper said. “Putting them in this appendix allows the U.S. to adopt the ISO standard but still retain some control over what we allow.”
Cooper also said that NIST would be introducing an automated service to speed validation further. For the last step in the validation process, testing labs need to submit the results of a given device’s performance to NIST, and NIST employees have had to check to make sure the results contain the correct data. The new automated cryptography validation protocol (ACVP) will be able to perform this step automatically.
“If a lab submits the results in the right format and all the required data is present, our server will be able to approve the validation,” Cooper said. “We plan to have ACVP ready in April of this year.”