The National Institute of Standards and Technology (NIST) has released for public comment a new revision of one of its key computer security documents, a set of information processing standards governing the use of cryptographic modules by civilian federal agencies and government contractors.
The NIST document, the Revised Draft of Federal Information Processing Standards (FIPS) 140-3, updates the federal government's guiding document for testing and validation of cryptographic modules, which are computers' primary line of defense for confidential data. Each module receives a security level rating that depends on the amount of protection it provides. The revised draft of FIPS 140-3 will be available for public comment until March 11, 2010.
When completed, the update will be the third version of the original cryptography standards document, which was created in 1995 as FIPS 140-1 and first updated in 2001. NIST's William Burr says that another update is needed because computing systems, the way they perform cryptography, and the attacks against them have all evolved. "It used to be these modules were a dedicated separate device, protecting a single link between two points. But in the majority of cases nowadays you're running a security program instead, on a general purpose computer—encrypting traffic over the Internet, connected by many links to different points," says Burr, a computer security specialist. "We're also now widely using cryptography on things like ID cards that are exposed to different kinds of attacks. We have to take these changes into account."
The Revised Draft incorporates improvements made to a previous draft, which was released for public comment in July 2007. This new second-round draft differs from both the 2007 document and the 2001 updated version (FIPS 140-2). Some of the Revised Draft's key changes include:
For more information, including details on how to comment on the Revised Draft, visit http://csrc.nist.gov/news_events/index.html#dec11.
* PDF copies of the Revised Draft of FIPS 140-3 can be downloaded from http://edocket.access.gpo.gov/2009/pdf/E9-29567.pdf.