This content last updated 11/15/2019. (Note: Content may not be the most current.)
- What are Federal Information Processing Standards (FIPS)?
- What are the current FIPS?
- Are All FIPS Mandatory?
- Can Agencies waive mandatory FIPS?
- What does FIPS mean for non-government organizations?
- When are FIPS withdrawn?
- How are FIPS developed?
What are Federal Information Processing Standards (FIPS)?
FIPS are standards and guidelines for federal computer systems that are developed by National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the federal government, many in the private sector voluntarily use these standards.
What are the current FIPS?
The most current FIPS can be found on NIST’s Current FIPS webpage.
| Number | Title |
| --- | --- |
| 140-2 | Security Requirements for Cryptographic Modules -- 01 May 25 (Supersedes FIPS PUB 140-1, 1994 January 11). |
| 180-4 | Secure Hash Standard (SHS) -- 2015 August |
| 186-4 | Digital Signature Standard (DSS) -- 13 July |
| 197 | Advanced Encryption Standard (AES) -- 2001 November 26 |
| 198-1 | The Keyed-Hash Message Authentication Code (HMAC) -- 2008 July |
| 199 | Standards for Security Categorization of Federal Information and Information Systems -- 2004 February |
| 200 | Minimum Security Requirements for Federal Information and Information Systems -- 2006 March |
| 201-2 | Personal Identity Verification (PIV) of Federal Employees and Contractors -- 2013 August |
| 202 | SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions -- 2015 August |
Are All FIPS Mandatory?
No. FIPS are not always mandatory for Federal agencies. The applicability section of each FIPS details when the standard is applicable and mandatory. FIPS do not apply to national security systems (as defined in Title III, Information Security, of FISMA).
State agencies administering federal programs like unemployment insurance, student loans, Medicare, and Medicaid must comply with FISMA. Private sector companies with government contracts must also comply with FISMA, which mandates the use of FIPS.
Can Agencies waive mandatory FIPS?
The Computer Security Act of 1987 contained a waiver process for FIPS; however, this Act was superseded by FISMA of 2002, which no longer allows this practice. Some FIPS may still contain language referring to the “waiver process,” but this is no longer valid.
What does FIPS mean for non-government organizations?
While FIPS are required for federal government users, the standards are valuable resources for non-government organizations looking to establish strong information security programs.
When are FIPS withdrawn?
When industry standards become available, the federal government will withdraw a FIPS. Federal government departments and agencies are directed by the National Technology Transfer and Advancement Act of 1995 (P.L. 104-113) to use technical industry standards that are developed by voluntary consensus standards bodies. This eliminates the cost to the government of developing its own standards.
In other cases, a FIPS may be withdrawn when a commercial product that implements the standard becomes widely available.
How are FIPS developed?
NIST follows rulemaking procedures modeled after those established by the Administrative Procedures Act.
1. The proposed FIPS is announced in the following manners:
- in the Federal Register for public review and comment
- on NIST's electronic pages (http://www.nist.gov/itl/fips.cfm)
- on the electronic pages of the Chief Information Officers Council (http://cio.gov)
The text and associated specifications, if applicable, of the proposed FIPS are posted on the NIST electronic pages.
2. A 30 to 90-day period is provided for review and for submission of comments on the proposed FIPS to NIST.
3. Comments received in response to the Federal Register notice and to the other notices are reviewed by NIST to determine if modifications to the proposed FIPS are needed.
4. A detailed justification document is prepared, analyzing the comments received and explaining whether modifications were made, or explaining why recommended changes were not made.
5. NIST submits the recommended FIPS, the detailed justification document, and recommendations as to whether the standard should be compulsory and binding for Federal government use, to the Secretary of Commerce for approval.
6. A notice announcing approval of the FIPS by the Secretary of Commerce is published in the Federal Register, and on NIST's electronic pages.
7. A copy of the detailed justification document is filed at NIST and is available for public review.
The NIST Standards Information Center makes every effort to provide accurate and complete information. Various data such as names, telephone numbers, links to websites, etc. may change prior to updating. We welcome suggestions on how to improve this FAQ and correct errors. The Standards Information Center provides this information “AS-IS.” NIST and the Standards Information Center make NO WARRANTY OF ANY TYPE, including NO WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NIST makes no warranties or representations as to the correctness, accuracy, completeness, or reliability of the information. As a condition of using the FAQs, you explicitly release NIST/Standards Information Center from any and all liabilities for any damage of any type that may result from errors or omissions in the FAQ or other data. Some of the documents referenced point to information created and maintained by other organizations. The Standards Information Center does not control and cannot guarantee the relevance, timeliness, or accuracy of these materials.