360° View of FIPS 140-3 Certification (C20b)
Since accepting FIPS 140-3 reports on 22 September 2020, the atsec CST lab has submitted almost a dozen reports to the CMVP. Some of them are currently in the coordination phase. They expect to receive the first FIPS 140-3 certificate by the time of ICMC22. This talk will share experience with the FIPS 140-3 validation process. It will cover the significant differences in FIPS requirements from 140-2 to 140-3 including Security Policy, source code review, algorithm testing and certificate annotation, functional testing, entropy analysis, report preparation and submission via Web Cryptik, CMVP comments, and lab coordination. They will propose some areas of improvement for vendors, labs, and CMVP to work together to smooth out and shorten the FIPS 140-3 validation process.