ISO/IEC 24759


Clinio Lofton
Aug 4, 2024, 11:49:02 PM
to inkaechefe
ISO/IEC 24759:2014 specifies the methods to be used by testing laboratories to test whether the cryptographic module conforms to the requirements specified in ISO/IEC 19790:2012/Cor.1:2015. The methods are developed to provide a high degree of objectivity during the testing process and to ensure consistency across the testing laboratories.

Vendors can use this International Standard as guidance in trying to verify whether their cryptographic modules satisfy the requirements specified in ISO/IEC 19790:2012/Cor.1:2015 before they apply to the testing laboratory for testing.




ISO/IEC 24759:2017 specifies the methods to be used by testing laboratories to test whether the cryptographic module conforms to the requirements specified in ISO/IEC 19790:2012. The methods are developed to provide a high degree of objectivity during the testing process and to ensure consistency across the testing laboratories.


This document also specifies the requirements for information that vendors provide to testing laboratories as supporting evidence to demonstrate their cryptographic modules' conformity to the requirements specified in ISO/IEC 19790:2012.


Vendors can use this document as guidance in trying to verify whether their cryptographic modules satisfy the requirements specified in ISO/IEC 19790:2012 before they apply to the testing laboratory for testing.


Federal Information Processing Standards Publication (FIPS) 140-3 became effective September 22, 2019, permitting CMVP to begin accepting validation submissions under the new scheme beginning September 2020. The FIPS 140-3 standard introduces some significant changes in management compared with the previous standard. Rather than encompassing the module requirements directly, FIPS 140-3 references International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790. The testing for these requirements will be in accordance with ISO/IEC 24759.


The use of the ISO documents requires several procedural changes in the management and execution of the validation process from the existing FIPS 140-2 process currently in effect. The figure below demonstrates the flow of the requirements for the FIPS 140-3 process.


ISO/IEC 19790 specifies the cryptographic module requirements, along with the associated guidance issued through the Annexes. ISO/IEC 24759 extracts the requirements of ISO/IEC 19790 and associates vendor information and lab procedures to assure the requirements are met.


The CMVP manages the variances allowed in ISO/IEC 19790 and ISO/IEC 24759 through the SP 800-140x documents. Specifically, SP 800-140 provides additional evidence and testing that is necessary to meet CMVP cryptographic module requirement evidence, while also providing to ISO/IEC recommended adjustments to the existing standard when next reviewed. The remaining SP 800-140A through SP 800-140F provide additional requirements for vendor evidence, security policy, approved encryption and key management, authentication and non-invasive physical security requirements.


Clarification or interpretation of the requirements and assurance measures is included in the Implementation Guidance, which is often technology-specific. A standalone document, the FIPS 140-3 CMVP management manual, addresses the programmatic procedures and requirements of the process. In addition, NVLAP Handbook 150-17 identifies CMVP-specific NVLAP requirements, which include requirements in quality systems, personnel, environmental conditions, test and calibration methods, equipment, test quality assurance, and reporting results control.


Independent test labs holding appropriate NVLAP accreditation manage and perform the testing process. The labs create a submission package with the results of the assessment, which CMVP reviews, coordinating any resulting comments with the lab. Upon satisfactory agreement, a validation is issued and added to the database of validated modules hosted on the CMVP website.


Federal Information Processing Standards FIPS 140-3 identifies the Cryptographic Module Validation Program (CMVP), a joint effort of the US and Canadian governments, as the validation authority for implementing a program utilizing the ISO/IEC 19790:2012 requirements standard and ISO/IEC 24759:2017 derived test methods. The standard also established the CMVP technical requirements to be contained in NIST Special Publications: SP 800-140, SP 800-140A, SP 800-140B, SP 800-140C, SP 800-140D, SP 800-140E,and SP 800-140F. These security requirements must be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information (hereafter referred to as sensitive information). This standard will supersede FIPS 140-2, Security Requirements for Cryptographic Modules, in its entirety.


ISO/IEC 19790:2012 specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive information in computer and telecommunication systems. This International Standard defines four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g. low value administrative data, million dollar funds transfers, life protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location). This International Standard specifies four security levels for each of 11 requirement areas with each security level increasing security over the preceding level.


NIST Special Publication (SP) 800-140D replaces the approved sensitive parameter generation and establishment methods requirements of ISO/IEC 19790 Annex D. As a validation authority, the Cryptographic Module Validation Program (CMVP) may supersede this Annex in its entirety. This document supersedes ISO/IEC 19790 Annex D and ISO/IEC 24759 paragraph 6.16.


NIST Special Publication (SP) 800-140E replaces the approved authentication mechanism requirements of ISO/IEC 19790 Annex E. As a validation authority, the Cryptographic Module Validation Program (CMVP) may supersede this Annex in its entirety with its own list of approved authentication mechanisms. This document supersedes ISO/IEC 19790 Annex E and ISO/IEC 24759 paragraph 6.17.




In cryptographic security, adherence to standards is paramount to ensure the protection of sensitive data and to meet compliance and regulatory needs. FIPS 140 (Federal Information Processing Standard) is a set of security requirements for cryptographic modules defined by the National Institute of Standards and Technology (NIST) and managed by both the United States and Canada as part of the Cryptographic Module Validation Program (CMVP). FIPS 140-validated modules are mandatory for protecting cryptographic keys and performing cryptographic operations for many government applications.


FIPS 140-3 will allow the certification of Post-Quantum Cryptography (PQC) algorithms, as it will ensure cryptographic modules are prepared to address the challenges and threats posed by quantum attacks. Implementing FIPS 140-3 validated security solutions is an essential part of building a quantum-safe crypto agile security posture, ensuring organizations stay data protected today, and into the future.
