New encryption requirements, issued this week by the oldest physical science lab in the United States, should make it easier for devices that receive and process electronic data to go to market.
The National Institute of Standards and Technology, or NIST, a non-regulatory agency that sits under the U.S. Department of Commerce and is nearly indispensable when it comes to providing guidance to organizations assess risk, announced the new security requirements on Tuesday.
Specifically, the update applies to Federal Information Processing Standard (FIPS) 140-3, a standard for testing device data encryption.
Devices that receive and process electronic data, along with software that parses data through networks, need encryption to safeguard that data. Federal agencies, in addition to industries and governments as of late, can use FIPS as a basis for designing and implementing cryptographic modules to protect sensitive - but not classified - data.
“This should streamline a manufacturer’s process for bringing a device to market because it reduces redundancy for companies trying to sell products internationally,” NIST said in a statement on the update Tuesday.
Details on the update to FIPS, which supersedes FIPS 140-2, appeared on the Federal Register, an index of documents published by the National Archives and Records Administration, following the announcement on Wednesday. The update should set the standard for a device's encryption system if it's used by the federal government, and by extension the broader IT market, given "the number of other organizations that interact with the government."
The release was not unexpected; FIPS 140-3 was first approved by the Secretary of Commerce back in March.
“Technology changes rapidly,” Mike Cooper, a computer scientist with NIST who helped work on the initiative said this week. “Testing takes a long time and every day a company spends on it is a day its product is not on the market. We want to minimize that, because there’s a limited time window before a product becomes obsolete.”
The new requirement points manufacturers to the international standard, ISO 19790, which NIST helped develop, for the first time. Manufacturers looking to market their products abroad won’t have to grapple with additional tests now. Last reviewed and confirmed in 2018, ISO 19790 specifies four security levels for each 11 requirement areas, with each security level increasing security over the preceding level.
“For large manufacturers, this allows them to say that they’ve proved their cryptography in many countries at once,” Cooper said. “It also allows for transfer of test results across borders. It gives us a better way to accept test results since they’ve been tested according to the same standard.”
As NIST points out, the update helps alleviate another common problem, remaining in compliance with standards while updating products to address vulnerabilities. This aspect of the update – namely the efficiency it fosters - translates into a win for many companies, including Google, whose Dominic Rizzo told the agency "with this change, the benefit to the government is they will get our best work faster."
According to NIST, labs will use FIPS 140-3 to determine whether cryptographic algorithms in new products meet federal security requirements.
FIPS 140-3 doesn't goes into effect until September 22, later this year; testing begins a year after that date, on September 22, 2020.
