It could be less time-consuming for electronic device manufacturers to bring their wares to U.S. and international markets as a result of new requirements issued by the National Institute of Standards and Technology (NIST).
That is because NIST updated the Federal Information Processing Standard (FIPS) for testing the effectiveness of a device’s data encryption.
Virtually all devices that receive and process electronic data — hardware used in laptops and cell phones as well as software that also exchanges information through networks — use some form of encryption to protect this data from prying eyes.
FIPS 140-3: Security Requirements for Cryptographic Modules specifies the requirements a device’s encryption system must meet if it is to be used by the federal government. The standard affects the broader IT market because of the number of other organizations that interact with the government.
The newly released FIPS 140-3 modernizes the standard and essentially makes the U.S. standard a “pointer” indicating manufacturers should now use the international standard, which NIST helped to develop.
Any product that adheres to the international standard — known as ISO 19790 — will therefore use an encryption approach acceptable within and outside the United States. This should streamline a manufacturer’s process for bringing a device to market because it reduces redundancy for companies trying to sell products internationally.
“Technology changes rapidly,” said NIST computer scientist Mike Cooper. “Testing takes a long time and every day a company spends on it is a day its product is not on the market. We want to minimize that, because there’s a limited time window before a product becomes obsolete.”
Like previous FIPS 140 versions, the first of which was created in 1982, FIPS 140-3 will be used primarily by laboratories that test new products’ encryption algorithms. Its influence, however, will be far wider.
Companies that wish to sell their goods abroad have had to put their devices through further testing regimes to satisfy other countries, but the update eliminates that need, Cooper said.
“For large manufacturers, this allows them to say they’ve proved their cryptography in many countries at once,” he said. “It also allows for transfer of test results across borders. It gives us a better way to accept test results since they’ve been tested according to the same standard.”
The change also will help companies resolve a nagging dilemma: remaining in compliance with industry standards while also updating their products to address security vulnerabilities.
“Before this update, if we discovered a vulnerability or added a feature we’d need to go through an entire recertification round. That takes months, but our software development lifecycles are far shorter than that,” said Dominic Rizzo, who is the technical lead on Google’s Titan Security Key, a product that helps protect the supply chain. “With this change, the benefit to the government is they will get our best work faster.”