The Trusted Computing Group (TCG) has released new guidance aimed at bolstering the security of sensitive data within federal systems against cyber attackers. The document, titled "TCG FIPS 140-3 Guidance for TPM 2.0," is designed to facilitate the availability of FIPS 140-3 certified cryptographic solutions, enabling government bodies to enhance their data protection measures.
At the core of this initiative is the Trusted Platform Module (TPM), which verifies that attached devices operate in a trusted manner. Olivier Collart, chair of the Security Evaluation Work Group at TCG, emphasised the urgency of this transition: “TPM 2.0 devices need to be compliant with the latest Federal Information Processing Standard (FIPS) to protect the sensitive data held by the government and regulated organisations. Vendors are now racing to become compliant with FIPS 140-3 before 2026.”
FIPS 140-3, established by the National Institute of Standards and Technology (NIST), outlines the mandatory criteria for cryptographic modules used by U.S. and Canadian government entities. By September 2026, all cryptographic modules must achieve FIPS 140-3 compliance to remain in use within government operations. TCG’s new guidance aims to streamline the transition from the previous FIPS 140-2 standard, offering vendors a roadmap to compliance.
The guidance details implementation recommendations and extensions for TPM 2.0, emphasising the new requirements for FIPS 140-3 'Level 1', which focuses on basic encryption and key management capabilities. TCG president Joe Pennisi remarked, “The guidance provided by the Security Evaluation Work Group is essential, especially with the deadline for FIPS 140-3 looming over vendors. By making it easier to attain certification, government bodies—and critical sectors like healthcare—will gain access to a range of FIPS-certified solutions to address growing security concerns.”
With the publication of this guidance, an increase in adoption across the computing industry is anticipated, significantly enhancing data security measures for sensitive federal information.