Out of Bounds—A Look into FIPS 140-3 Boundary Definitions and Requirements (C20a)
Labs often encounter questions from Vendors dealing with defining a prospective module’s cryptographic boundary properly. In the past, simply defining a firmware module as software that is contained within a non-modifiable memory was sufficient. Now, firmware code is broken up into many small components that can be loaded in and out of the boundary. This talk reviews the definitions around what makes a module’s cryptographic boundary found in FIPS 140-3. The speaker will compare it with FIPS 140-2’s definition and requirements, noting where they differ from the current definitions. Finally, with the release of the ISO 19790 and ISO 24758 final drafts looming in the horizon, they will examine what the future holds and what can be expected with the future FIPS 140-3.