Answer Brief
The Distributed Management Task Force (DMTF) announced that its Security Protocol and Data Model (SPDM) has been officially incorporated into the U.S. FIPS 140-3 Implementation Guidance, establishing a new federal reference for hardware and firmware authentication.

Why It Matters
The inclusion of the Security Protocol and Data Model (SPDM) in the FIPS 140-3 Implementation Guidance marks a significant transition for hardware security from industry best practice to a federal regulatory reference. SPDM facilitates secure communication between hardware components through authentication, attestation, and key exchange. Its adoption by the NIST Cryptographic Module Validation Program (CMVP) under Scenario 1 and the inclusion of its Key Derivation Function (KDF) in the Component Validation List (CVL) signal a shift toward standardized, interoperable hardware identity. For global infrastructure teams, this ensures that components from major vendors like Intel, Broadcom, and Samsung (which already utilize SPDM in PCIe SSDs, network controllers, and BMC chips) now align with the highest levels of U.S. federal security requirements. This move specifically targets the mitigation of firmware tampering and supply chain vulnerabilities by enforcing a verifiable chain of trust at the hardware level.
Event Type: policy
Importance: high
Affected Companies
- Broadcom
- DMTF
- HPE
- Intel
- Micron
- Samsung
Affected Sectors
- Cloud Infrastructure
- Cybersecurity
- Government
- Semiconductors
Key Numbers
- Scenario Designation: Scenario 1
Timeline
- FIPS 140-3 Implementation Guidance updated to include SPDM
- DMTF announces SPDM's inclusion in federal cryptographic validation frameworks