NIST Special Publication 800-140BR1 Security Policy Format (G13b)
The creation of the security policy (SP) document has changed as part of the FIPS 140-3 validation process. It is now auto-generated following guidance from Special Publication 800-140BR1 (SP 800-140BR1). Vendors and users of SP documents have found the auto-generated output to be problematic compared to the previously allowed format, which vendors could define to meet their business purposes.
This talk provides an overview of the SP generation process, discusses current challenges with the auto-generation approach, and offers ways to improve the SP 800-140BR1 output format to ensure users receive the best possible results. The SP document is intended to help buyers determine whether the security parameters of cryptographic modules meet their requirements. The talk emphasizes that automation should not result in less useful or harder-to-understand outputs and presents enhancement suggestions to improve the process for vendors, labs, and users.