New TCG guidance to help protect sensitive data held in federal systems from cyber attackers

Date Published: September 23, 2024

New guidance to accelerate the availability of FIPS 140-3 certified cryptographic solutions and enable government bodies to better protect critical data has been published by the Trusted Computing Group (TCG).

A Trusted Platform Module (TPM) is used to check whether the device it is attached to is behaving in a predictable, trusted manner. Using the ‘TCG FIPS 140-3 guidance for TPM 2.0’ document from the Security Evaluation Work Group, vendors can ensure their TPM-enabled devices gain the necessary certification for use by government bodies. As a result, these organizations can use the certified devices for cryptographic operations, helping them ensure the integrity and security of their systems.

“TPM 2.0 devices need to be compliant with the latest Federal Information Processing Standard (FIPS) if they’re to protect the sensitive data held by the government and regulated organizations,” said Chair of the Security Evaluation Work Group at TCG, Olivier Collart. “Vendors are now racing to become compliant to FIPS 140-3 before 2026. Our guidance gives them the guidance they need to be successful in these endeavours.”

FIPS 140-3 refers to the third iteration of standards set out by the National Institute of Standards and Technology (NIST) for the protection of sensitive and valuable data. It provides the mandatory criteria which cryptographic modules must follow for use by government bodies in the United States and Canada.

By September 2026, all cryptographic modules must be FIPS 140-3 compliant in order to be used in government operations. The guidance document published by TCG is designed to ease the transition from FIPS 140-2 for vendors, outlining the steps they must take to achieve compliance before the deadline.

The guidance provides implementation recommendations and extensions for TPM 2.0 that are necessary for a successful FIPS 140-3 evaluation. It also focuses on the new requirements of FIPS 140-3 ‘Level 1’ required by NIST for basic encryption and key management capabilities.

“The guidance provided by the Security Evaluation Work Group is essential, especially with the deadline for FIPS 140-3 looming over vendors,” said TCG President Joe Pennisi. “Because TCG has made it easier to attain certification, government bodies – as well as those operating in critical private sectors like healthcare – will have a significant number of FIPS certified solutions available to them to best address growing security concerns.”

Recently, STMicroelectronics became the first company to receive FIPS 140-3 certification for a TPM product. Now that the guidance document is published, further adoption is expected to accelerate across the computing industry.

Full details on the guidance document can be found on the TCG website.

– ENDS –

About TCG
TCG is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, global industry specifications and standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms.

TCG enables secure computing through open standards and specifications. Benefits of TCG include protection of business-critical data and systems, secure authentication and strong protection of user identities, and the establishment of strong machine identity and network integrity. More than a billion devices include TCG technologies.

X: @TrustedComputin

LinkedIn: https://www.linkedin.com/company/trusted-computing-group/
