FIPS 140-3 is now published on the Federal Register. The important dates of interest with additional details follow:
FIPS 140-3 is effective September 22, 2019. This is likely the earliest date that the FIPS Labs will have the testing tools for FIPS 140-3 validations. NIST is expected to make the SP 800-140 series documents available.
FIPS 140-3 testing will begin on September 22, 2020. The CMVP will accept FIPS 140-3 validation test reports from the FIPS Labs.
FIPS 140-2 testing will continue for at least a year after FIPS 140-3 testing begins. We expect the CMVP to continue issuing FIPS 140-2 certificates at least until September 22, 2021. As a reminder, FIPS 140-2 certificates will remain active until their sunset date (typically 5 years after the original validation date). In the year 2026, Federal agencies may still be acquiring solutions using FIPS 140-2 modules validated in 2021.
Acumen Security helped KeyPair Consulting with the details in this post.
“FIPS Labs can begin testing to the FIPS 140-3 requirements anytime. The early adopters will face challenges in how to test certain requirements and which Implementation Guidance applies. It may not be practical for vendors to begin testing to the FIPS 140-3 requirements until we are closer to the middle of 2020.”
Ashit Vora, Co-founder and Laboratory Director of Acumen Security, a FIPS 140 accredited testing laboratory
KeyPair Consulting – expert guidance to meet your FIPS 140-2 and FIPS 140-3 goals