2024-10-23
In this KEYMASTER conversation, Sven Rajala, International PKI Man of Mystery at Keyfactor and Jörgen Jansson, Principal Solution Engineer Nordics at Keyfactor, discuss the transition from FIPS 140-2 to FIPS 140-3, particularly focusing on Hardware Security Modules (HSMs) and the implications of the changes in standards.
The conversation highlights:
FIPS 140-3 has been around since 2019 and is gaining more attention as the deadline to phase out FIPS 140-2 approaches. The grace period for certifying FIPS 140-2 devices ended in 2021, and the final transition to FIPS 140-3 must occur by September 2026.
FIPS 140-3 is a long overdue update with modern security features that align with today’s hybrid threats. For instance, it requires keys moving in and out of HSMs to be encrypted, which wasn’t part of the old standard. FIPS 140-3 also modernizes the management of security roles and responsibilities within HSMs.
The conversation distinguishes the FIPS 140-3 standard itself from its security levels (Level 1, 2, 3, 4), which describe the physical and operational protections an HSM provides. For example, Level 4 devices are extremely tamper-resistant and are used in environments such as the military. Most industry use cases still rely on Level 3 HSMs, which offer strong security without the most extreme tamper protection.
The question of whether existing HSM hardware can be upgraded to FIPS 140-3 compliance depends on the vendor. Some platforms can be upgraded through firmware updates, while others might require new hardware purchases. It is important to talk with the vendor to assess the specific requirements for your HSM platform.
Future-proofing HSMs to support post-quantum cryptography is also critical, especially for long-term PKI infrastructures. HSM buyers should consider PQC support and FIPS 140-3 for future security needs.
Sven recommends checking the NIST website for the detailed Security Policy documents that HSM vendors publish, which give an in-depth understanding of how their devices meet FIPS 140-3 requirements.
The transition to FIPS 140-3 introduces enhanced security for HSMs, but organizations must plan for hardware compatibility, future-proofing with PQC, and vendor-specific migration strategies. Conversations with vendors are crucial to ensure smooth transitions and continued compliance beyond 2026.