Federal Information Processing Standards (FIPS) are a collection of standards created and maintained by the National Institute of Standards and Technology (NIST) aimed at improving computer security and interoperability for use within non-military government agencies and by government contractors and vendors who work with the agencies. In this article, we will discuss the different FIPS series, how they are developed, when and why they are withdrawn, who needs to comply with FIPS standards, and the importance of FIPS compliance for businesses.
What are the Federal Information Processing Standards?
FIPS are standards and guidelines for federal computer systems that are developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce.
These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the federal government, many in the private sector voluntarily use these standards.
What are all the FIPS series?
The most current FIPS series include:
- FIPS 140-2: Security Requirements for Cryptographic Modules
- FIPS 180-4: Secure Hash Standard (SHS)
- FIPS 186-4: Digital Signature Standard (DSS)
- FIPS 197: Advanced Encryption Standard (AES)
- FIPS 198-1: The Keyed-Hash Message Authentication Code (HMAC)
- FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
- FIPS 200: Minimum Security Requirements for Federal Information and Information Systems
- FIPS 201-2: Personal Identity Verification (PIV) of Federal Employees and Contractors
- FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
How are FIPS developed?
NIST follows rulemaking procedures modeled after those established by the Administrative Procedures Act:
- The proposed FIPS is announced publicly, including in the Federal Register, on NIST’s electronic pages, and on the electronic pages of the Chief Information Officers Council.
- A 30 to 90-day period is provided for review and submission of comments on the proposed FIPS to NIST.
- Comments received are reviewed by NIST to determine if modifications to the proposed FIPS are needed.
- A detailed justification document is prepared, analyzing the comments received and explaining whether modifications were made or why recommended changes were not made.
- NIST submits the recommended FIPS, the detailed justification document, and recommendations as to whether the standard should be compulsory and binding for Federal government use, to the Secretary of Commerce for approval.
- A notice announcing approval of the FIPS by the Secretary of Commerce is published in the Federal Register and on NIST’s electronic pages.
- A copy of the detailed justification document is filed at NIST and is available for public review.
How are FIPS withdrawn?
When industry standards become available, the federal government will withdraw a FIPS.
Federal government departments and agencies are directed by the National Technology Transfer and Advancement Act of 1995 (P.L. 104-113) to use technical industry standards that are developed by voluntary consensus standards bodies.
This eliminates the cost to the government of developing its own standards. In other cases, a FIPS may be withdrawn when a commercial product that implements the standard becomes widely available.
Who needs to comply with FIPS standards?
Organizations that need to comply with FIPS standards include:
- Federal government organizations handling sensitive data
- Federal agencies, contractors, and service providers
- State agencies administering federal programs like unemployment insurance, student loans, Medicare, and Medicaid
- Private sector companies with government contracts
Are all FIPS mandatory?
No, FIPS are not always mandatory for federal agencies. The applicability section of each FIPS details when the standard is applicable and mandatory. FIPS do not apply to national security systems (as defined in Title III, Information Security, of FISMA).
How do companies comply with FIPS standards?
To comply with FIPS standards, companies must meet the requirements outlined in the relevant FIPS publications. This typically involves a combination of implementing FIPS-compliant security measures, such as encryption and authentication schemes, and adhering to specific guidelines for federal information and information systems.
Why is it important for companies to be FIPS compliant?
There are several reasons why it is essential for companies to be FIPS compliant:
- Compliance with government regulations: Meeting FIPS standards allows companies to demonstrate that they are following the necessary security requirements to work with government agencies.
- Enhanced security: By adhering to FIPS standards, organizations can ensure that their information security measures remain strong and up-to-date, protecting sensitive data and proprietary information from potential threats.
- Competitive advantage: Organizations that comply with FIPS standards can position themselves as more secure and reliable, attracting a wider range of potential clients, including government agencies.
- Risk management: Implementing best practices in line with FIPS standards can assist organizations in managing risk and addressing vulnerabilities.
Conclusion
FIPS are essential standards for federal government systems and provide a valuable framework for non-government organizations looking to establish robust information security programs. By adhering to FIPS standards and staying informed about revisions and new requirements, organizations can ensure that they remain compliant and protect sensitive data and systems, while also enhancing their competitiveness in the market.