The Cryptographic Module Validation Program (CMVP) issues the first FIPS 140-3 certificates

The CMVP published four FIPS 140-3 certificates today, marking the first modules to go through testing and validation under the new version of the FIPS 140 standard. FIPS 140-3 became effective on September 22, 2019, and testing began on September 22, 2020. FIPS 140-3 has been mandatory for new modules since September 22, 2021.

The certified modules are:

Certificate #4389 - Apple corecrypto Module v11.1 [Intel, User, Software]

Certificate #4390 - Apple corecrypto Module v11.1 [Intel, Kernel, Software]

Certificate #4391 - Apple corecrypto Module v11.1 [Apple silicon, User, Software]

Certificate #4392 - Apple corecrypto Module v11.1 [Apple silicon, Kernel, Software]

We want to thank the CMVP for their leadership and hard work in adopting ISO/IEC 19790 and 24759 as the successor to FIPS 140-2 and, in particular, the NIST CMVP for establishing the infrastructure to support the validation under FIPS 140-3. In this process, atsec helped in various ways, including with the transition from the desktop version of the Cryptik tool to the web-based Web Cryptik. atsec also spearheaded the effort to educate the cryptographic module community with a series of trainings in the Cryptographic Module User Forum as well as presentations at the International Cryptographic Module Conference, e.g. Swapneela Unkule's presentation “360 View Of FIPS 140-3 Certification”, where she laid out the differences in the submission procedures between FIPS 140-2 and FIPS 140-3.

We are happy to see the first FIPS 140-3 certificates published - happy for atsec, for the technical community, our customers, and the CMVP. We hope to see many more certificates in the coming months and years.