Digital Cinema Initiatives, LLC (DCI)

Informative Announcement
Regarding FIPS 140-2 to FIPS 140-3 Transition
March 2009

This document provides information about the transition of FIPS 140-2 to FIPS 140-3, as these FIPS standards are applied in the DCI Digital Cinema System Specification (DCSS).

The DCSS relies upon the US government's Federal Information Processing Standard (FIPS) 140 for establishing physical and logical protection criteria for the "type 1" Secure Processing Block (SPB). Chapter 9 of the DCSS defines the security processing functions for each type 1 SPB. Each such SPB must be FIPS 140-2 certified to "level 3" as a prerequisite to DCSS compliance.

The National Institute of Standards and Technology (NIST) is currently planning the transition from the present FIPS 140-2 standard to FIPS 140-3. Ratification of FIPS 140-3 is expected in Q3 of 2009, to be followed by an estimated 12-month transition period. The FIPS 140-3 development web site shows an approximate 6-month overlap period from Q1 to Q3 of 2010 during which both 140-2 and 140-3 certifications can be undertaken, after which 140-2 conformance testing will terminate (see http://csrc.nist.gov/groups/STM/cmvp/standards.html#01).

Following FIPS guidelines, once an SPB device type has been FIPS 140 certified, it maintains its FIPS certificate indefinitely, so long as its design (hardware or software) remains unchanged. Therefore, continued production of such SPBs will continue to meet DCSS requirements (which are currently tied to FIPS 140-2) indefinitely. Should an SPB undergo a design change, FIPS 140 guidelines dictate the extent to which recertification is required. Thus, new or modified SPB devices will undergo either FIPS 140-2 or FIPS 140-3 conformance testing as a function of when they are submitted for FIPS 140 review. After the termination of FIPS 140-2 testing, all devices must undergo FIPS 140-3 testing.

Once the FIPS 140-3 standard is ratified, the DCSS will be updated to reflect the requirements for both 140-2 and 140-3. SPB devices certified for either FIPS 140 version will be considered DCSS compliant with respect to FIPS 140 requirements. Prior to the beginning of FIPS 140-3 conformance testing, the DCI Compliance Test Plan will also be updated to provide for DCI compliance testing of either FIPS 140-2 or FIPS 140-3 certified devices.

A copy of the FIPS 140-3 draft specification is available for download at:
http://csrc.nist.gov/publications/fips/fips140-3/fips1403Draft.pdf. At the time of this writing, there do not appear to be changes as a result of this transition that will significantly impact FIPS requirements as applied to the DCSS. However, the FIPS 140-3 draft spec will undergo a comment and edit period prior to ratification.