Decision Not to Include Proposed FIPS 140 Requirement in CCSS v9.0

During the CCSS v9.0 review process, a proposed new requirement, 1.05.2.3, was introduced:

“The key material is isolated from other operating systems and application processes to avoid unauthorized access or leakage of key material. CCSS Level 3 requires FIPS 140 or equivalent.”

After careful consideration, the CCSS Steering Committee has decided not to include this control in the final version.

Why?

This decision was guided by extensive community feedback, research from both our Advocacy Group and our Steering Committee, and technical analysis shared during the review period. The key issue was the requirement for FIPS 140 certification, which presented several technical limitations:

  • FIPS does not support widely used cryptographic curves in the blockchain space, such as secp256k1.
  • Many secure, well-designed implementations in the crypto space can’t align with FIPS requirements, even if they follow strong security practices.
  • The requirement lacked the flexibility to support emerging cryptographic tools and protocols being adopted across the ecosystem.

FIPS-certified hardware and devices may (and often should) still be used as an encrypted storage method for key material, but given the lack of support for commonly used blockchain and cryptocurrency algorithms, it doesn’t make sense to require them for isolation in an operational environment.

The Outcome

The principle of isolating key material remains important, and the Standard reflects an adaptable approach. With the removal of the FIPS-specific requirement, CCSS v9.0 supports a wide range of secure implementations.

This decision underscores what CCSS is all about: a community-developed, technically sound standard that evolves alongside the industry it serves.

The CryptoCurrency Security Standard (CCSS) has been updated to version 9.0. See the updated CCSS here.

Systems certified under 8.1 are still valid.