SESSION ID: ACB-R01 You, Me and FIPS 140-3: A Guide to the New Standard and Transition Ryan Thomas CST Laboratory Manager Acumen Security Twitter: @acumensec #RSAC #RSAC FIPS 140-2 is HOW OLD? ▪ It’s hard to believe FIPS 140-2 turned 18 years old in May 2019 …. ▪ FIPS 140-2 is old enough to drive … ▪ In most countries it's old enough to vote or go to university! 2 2 Nothing much has changed since 2001, right? Original xbox console Apple’s 1st Gen iPod Nokia 3360 3 #RSAC #RSAC Objectives for this briefing What is this FIPS thing? Why is it important? Current challenges with “Dash-2” What took so long!?! New terms in “Dash-3” Key differences between “Dash-2” and “Dash-3” Key dates for the transition What will happen to existing FIPS 140-2 certificates? Apply: Acumen’s advice and tips to survive the transition 4 What is FIPS? Why is it important? Federal Information Processing Standard (FIPS) by U.S. Government Security Requirements for Cryptographic Modules For protection of “Sensitive But Unclassified information” (SBU) Dash “2” is the second iteration Mandated by U.S. and Canadian governments Established internationally as defacto benchmark for cyber security products that do crypto Minimum bar for whitelisting programs in regulated industries like finance, healthcare, legal and utilities 5 #RSAC #RSAC Who is the CMVP? Responsible for administration and oversight of FIPS 140-2 module validations Joint effort between U.S. National Institute of Standards and Technology (NIST) and Canada’s Canadian Centre for Cyber Security (CCCS) Independent 3rd party testing labs (like Acumen) accredited by NVLAP Labs conduct FIPS functional testing and source review on CMVP’s behalf CMVP ultimately validate submissions and issue FIPS validation certificates 6 #RSAC Challenges with Dash-2 Challenges with FIPS 140-2 module validations #RSAC 2001 standard wasn’t written for SoCs, nested hypervisors, virtual HSMs or different cloud-based solutions etc. It has become SO difficult applying 18-year-old requirements and reinterpreting them for modern cyber security products and technologies! 8 #RSAC FIPS lab customer feedback hotline … Self-tests are no fun! Sledgehammer for Error Handling! Questionable value in some cases All or nothing – no flexibility Ex. CRNGT on software RNGs? If self-tests fail traffic must be squelched! Each library instantiation must POST Wut? Why no Cloud!?! So very, very Esoteric !! Platform detail requirements Additional help often necessary to navigate the FIPS “lore” Must specify tested hardware Correct interpretations can be key! 9 9 How has CMVP coped with passage of time? Implementation Guidance document grown to 250 pages (it was ~65 pages in 2002) Many “shalls” and “shall nots” IGs published in isolation for many years (no industry feedback) Process is not agile, reactive, slowwwwwww 10 #RSAC How have labs coped with challenges? My job on a day-to-day basis involves shoe-horning modern cyber security products into “FIPS-able” modules A lot of out of the box thinking and a pragmatic view of the requirements is needed to achieve FIPS validations 11 #RSAC #RSAC OK. What the BLEEP took So Long!?! #RSAC FIPS 140-3 ….. Vaporware? There were actually two successors to Dash-2 Several reasons lead to the delay … Progress grinded to a halt … Talk of moving to FIPS 140-4!?! ~2012 ISO version gained a lot of traction Even after decision made … regime changes, red tape & bureaucracy delayed things further 13 #RSAC FIPS 140-3: A NEW Hope March 22nd, 2019 - FIPS 140-3 officially signed! Official confirmation of US decision to use ISO/IEC 19790:2012/Cor 1:2015 to replace FIPS 140-2 ISO 24759:2017 will serve as the Derived Testing Requirements NIST SP 800-140 series serve as requirements for the CMVP – Clarify and replace ISO/IEC 19790 Annexes with SP 800-140A - F – Living documents that can be updated by CMVP – These are NEW DTRs! 15 #RSAC NIST SP 800-140: Important Supplemental Docs SP 800-140 A - F replace current FIPS 140-2 Annexes A-D and supplement the ISO with additional CMVP requirements: – NIST SP 800-140 – CMVP updates to ISO/IEC 24759 DTR Additional caveats, clarification and documentation requirements – NIST SP 800-140A – Vendor Documentation Requirements (ISO Annex A) Focus on remediation of CVEs in the module – NIST SP 800-140B – Module Security Policy Requirements (ISO Annex B) Module Security Policies to grow substantially (sigh….) 16 #