Federal Information Processing Standards

by Karen M. Spring

Docid: 00011446

Publication Date: 1908

Report Type: STANDARD

Preview

Federal Information Processing Standards (FIPS)
are developed by the United
States federal government for use by all non-military government agencies and
by government contractors. Every agency that does business with the US
government – including contractors – must adhere to these standards. An explanation of the FIPS currently in effect
is included here, along with recommendations for organizations that wish to
gain contracts with the US government.

Executive Summary

Agencies at all levels of government set regulatory standards for products and processes in order to
protect health, safety, and the environment.

In 1965, the Brooks Act gave responsibility for federal information technology
procurement standards to the National Bureau of Standards, which has since
become the National Institute of Standards and Technology (NIST). To meet this
requirement, NIST produces Federal Information Processing Standards (FIPS).
FIPS compliance is mandatory for the information systems of non-military
federal agencies. Government contractors must ensure that they are FIPS
compliant whenever they handle data that is protected by federal government
rules. NIST has traditionally relied on private sector standards-setting
processes when developing FIPS.

Currently, there are nine FIPS in effect. Some of these standards replace
earlier versions; others are long-standing standards that remain in effect. In
addition, FIPS 140-3 takes effect in September 2019. This report outlines each
of those standards and when it was put into effect. Although agencies could
obtain waivers from individual FIPS in the past, that is no longer the case.
Organizations that want to do business with the US government must be familiar
with, and compliant with, the FIPS requirements for any given project.

Description

Under the Information
Technology Management Reform Act, the Secretary of Commerce approves standards
and guidelines that are developed by NIST for federal computer systems. These
standards and guidelines are issued by NIST as FIPS publications for use
government-wide. NIST develops FIPS when there are compelling federal
government requirements such as for security and interoperability and there are
no acceptable industry standards or solutions. The major focus of NIST
activities in information technology is developing tests, measurements, proofs
of concept, reference data, and other technical tools to support the
development of forward-looking technology. FIPS, however, may also be developed
when needed to assure the cost-effective security and privacy of sensitive
information in federal computer systems.

In accordance with the
National Technology Transfer and Advancement Act of 1995 and Administration
policies, NIST collaborates with national and international standards
committees, users, industry groups, consortia, and research and trade
organizations, to support the development of voluntary industry standards both
nationally and internationally. These are the preferred source of
standards to be used by the federal government. The use of voluntary industry
standards eliminates the cost to the government of developing its own
and furthers the policy of reliance upon the private sector to
supply goods and services to the government. FIPS are developed only when there
are no existing voluntary standards to address federal requirements for the
interoperability of different systems, for the portability of data and
software, and for computer security.

To assure an open process and an opportunity for all interested parties to
comment on a proposed FIPS, NIST follows rule-making procedures modeled after
those established by the Administrative Procedure Act. The process for
adoption of a FIPS is as follows:

  • Announcement of the proposed
    FIPS in the Federal Register for public review and comment. At the
    same time, it is also announced on NIST’s Web site and on the CIO
    Council’s Web site.
  • A 30- to 90-day period is
    provided for review and for submission of comments on the proposed FIPS.
  • Comments received are reviewed
    by NIST to determine if modifications to the proposed FIPS are needed.
  • Another announcement is made with discussion of the next steps and
    development process details, which include:

    • Submission of candidate algorithms, methods, or techniques;
    • Evaluation and testing by stakeholders and NIST;
    • Conferences, workshops, and other events to discuss and analyze
      submissions.
  • Another announcement discusses NIST’s selection for the FIPS publication
    or announces a draft FIPS publication and starts another comment period to
    obtain stakeholder feedback. 
  • Feedback is incorporated and NIST either issues another draft, soliciting
    feedback in another announcement or prepares the final FIPS
    publication. 
  • After approval by NIST management, the FIPS publication and its supporting
    documentation is sent to the Secretary of Commerce for approval. 
  • If the Secretary approves the FIPS publication, NIST announces the
    publication. 
  • Once the announcement is issued, the new FIPS publication is posted on
    NIST’s Web pages and announced through other communication channels. 

Current View

Currently, there are nine FIPS in place that organizations must adhere to when
contracting with the US government for IT projects. Those FIPS are detailed in
Table 1.

Table 1. Current FIPS in Place
(Columns: FIPS Number, Date, Title, Description)

FIPS 202 (August 2015)
Title: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
Description: This standard specifies the Secure Hash Algorithm-3 (SHA-3)
family of functions on binary data. Each of the SHA-3 functions is based on an
instance of the KECCAK algorithm that NIST selected as the winner of the SHA-3
Cryptographic Hash Algorithm Competition. This standard also specifies the
KECCAK-p family of mathematical permutations, including the permutation that
underlies KECCAK, in order to facilitate the development of additional
permutation-based cryptographic functions. The SHA-3 family consists of four
cryptographic hash functions, called SHA3-224, SHA3-256, SHA3-384, and
SHA3-512, and two extendable-output functions (XOFs), called SHAKE128 and
SHAKE256.

FIPS 201-2 (August 2013)
Title: Personal Identity Verification (PIV) of Federal Employees and
Contractors
Description: This standard specifies the architecture and technical
requirements for a common identification standard for federal employees and
contractors. The overall goal is to achieve appropriate security assurance for
multiple applications by efficiently verifying the claimed identity of
individuals seeking physical access to federally controlled government
facilities and electronic access to government information systems.

FIPS 200 (March 2006)
Title: Minimum Security Requirements for Federal Information and Information
Systems
Description: The second standard that was specified by the Federal Information
Security Management Act of 2002 (FISMA). It is an integral part of the risk
management framework that NIST has developed to assist federal agencies in
providing levels of information security based on levels of risk. FIPS 200
specifies minimum security requirements for federal information and
information systems and a risk-based process for selecting the security
controls necessary to satisfy the minimum requirements.

FIPS 199 (February 2004)
Title: Standards for Security Categorization of Federal Information and
Information Systems
Description: Addresses one of the requirements specified in the Federal
Information Security Management Act (FISMA) of 2002, which requires all federal
agencies to develop, document, and implement agency-wide information security
programs for the information and information systems that support the
operations and the assets of the agency, including those provided or managed
by another agency, contractor, or other source. FIPS 199 provides security
categorization standards for information and information systems. Security
categorization standards make available a common framework and method for
expressing security. They promote the effective management and oversight of
information security programs, including the coordination of information
security efforts throughout the civilian, national security, emergency
preparedness, homeland security, and law enforcement communities. Such
standards also enable consistent reporting to OMB and Congress on the adequacy
and effectiveness of information security policies, procedures, and practices.

FIPS 198-1 (July 2008)
Title: The Keyed-Hash Message Authentication Code (HMAC)
Description: (Supersedes FIPS 198) This standard describes a keyed-hash message
authentication code (HMAC), a mechanism for message authentication using
cryptographic hash functions. HMAC can be used with any iterative approved
cryptographic hash function, in combination with a shared secret key.

FIPS 197 (November 26, 2001)
Title: Advanced Encryption Standard (AES)
Description: The Advanced Encryption Standard (AES) specifies a FIPS-approved
cryptographic algorithm that can be used to protect electronic data. The AES
algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt
(decipher) information. Encryption converts data to an unintelligible form
called ciphertext; decrypting the ciphertext converts the data back into its
original form, called plaintext.

FIPS 186-4 (July 2013)
Title: Digital Signature Standard (DSS)
Description: The standard specifies a suite of algorithms that can be used to
generate a digital signature. Digital signatures are used to detect
unauthorized modifications to data and to authenticate the identity of the
signatory. In addition, the recipient of signed data can use a digital
signature as evidence in demonstrating to a third party that the signature
was, in fact, generated by the claimed signatory. This is known as
non-repudiation, since the signatory cannot easily repudiate the signature at
a later time.

FIPS 180-4 (August 2015)
Title: Secure Hash Standard (SHS)
Description: This standard specifies hash algorithms (SHA-1, SHA-224, SHA-256,
SHA-384, SHA-512, SHA-512/224, and SHA-512/256) that can be used to generate
digests of messages. The digests are used to detect whether messages have been
changed since the digests were generated.

FIPS 140-2 (May 25, 2001)
Title: Security Requirements for Cryptographic Modules
Description: (Supersedes FIPS 140-1) This Federal Information Processing
Standard specifies the security requirements that will be satisfied by a
cryptographic module, providing four increasing, qualitative levels intended
to cover a wide range of potential applications and environments. The areas
covered, related to the secure design and implementation of a cryptographic
module, include specification; ports and interfaces; roles, services, and
authentication; finite state model; physical security; operational
environment; cryptographic key management; electromagnetic
interference/electromagnetic compatibility (EMI/EMC); self-tests; design
assurance; and mitigation of other attacks.

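The hash and MAC entries in Table 1 (FIPS 180-4, FIPS 202, FIPS 198-1) and the self-tests area of FIPS 140-2 come together in practice as a power-up known-answer test: a module computes each approved primitive on a published vector and refuses to offer any algorithm whose answer is wrong. The following is an added illustration of that pattern, not code from this report or from NIST; it uses only the Python standard library. The "abc" and empty-message vectors are the published NIST example values and the HMAC vector is RFC 4231 test case 1; the APPROVED allowlist, the function names, and the demo key and message are this example's own constructions.

```python
"""Power-up known-answer tests (KATs) for FIPS-approved hash and MAC
primitives, in the style of the self-tests FIPS 140-2/140-3 require of a
cryptographic module. Added example; not the report's or NIST's code."""
import hashlib
import hmac

# Algorithm name -> the FIPS publication that specifies it. This allowlist is
# the example's own convention; legacy digests such as MD5 are deliberately
# absent so require_approved() rejects them.
APPROVED = {
    "sha256": "FIPS 180-4",
    "sha384": "FIPS 180-4",
    "sha512": "FIPS 180-4",
    "sha3_256": "FIPS 202",
    "sha3_512": "FIPS 202",
    "shake_128": "FIPS 202",
    "hmac-sha256": "FIPS 198-1",
}

# Known-answer vectors: (name, callable producing hex output, expected hex).
KATS = [
    ("sha256",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("sha512",
     lambda: hashlib.sha512(b"abc").hexdigest(),
     "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
     "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
    ("sha3_256",
     lambda: hashlib.sha3_256(b"abc").hexdigest(),
     "3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532"),
    # SHAKE128 is an XOF: the caller chooses the output length (32 bytes here).
    ("shake_128",
     lambda: hashlib.shake_128(b"").hexdigest(32),
     "7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef26"),
    # RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There".
    ("hmac-sha256",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_kats():
    """Return {name: passed} for every KAT. A module in FIPS mode must not
    offer any algorithm whose KAT fails."""
    return {name: fn() == expected for name, fn, expected in KATS}


def is_approved(name):
    """True only for algorithms on the allowlist (md5, sha1 etc. are not)."""
    return name in APPROVED


def require_approved(name):
    """Raise ValueError for anything outside the allowlist; return the FIPS
    publication that specifies the algorithm otherwise."""
    if not is_approved(name):
        raise ValueError(f"{name} is not a FIPS-approved algorithm")
    return APPROVED[name]


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256 tag per FIPS 198-1, gated on the power-up KAT."""
    require_approved("hmac-sha256")
    if not run_kats()["hmac-sha256"]:
        raise RuntimeError("HMAC-SHA-256 known-answer test failed")
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison: a plain '==' on bytes returns early at the
    first mismatch and leaks how many leading tag bytes were guessed right."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


if __name__ == "__main__":
    for name, ok in run_kats().items():
        print(f"{name:12s} {APPROVED[name]:12s} {'PASS' if ok else 'FAIL'}")
    # Constructed demo key and message, not a standard vector.
    k, m = b"constructed-demo-key", b"constructed demo message"
    t = hmac_tag(k, m)
    print("verify:", verify_tag(k, m, t), "tampered:", verify_tag(k, m + b"!", t))
```

On a host whose OpenSSL is running in FIPS mode, hashlib.md5() itself raises ValueError; the allowlist in this example reproduces that refusal in application code so the policy does not depend on how the underlying library was built.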

Outlook

In March 2019, the Secretary of Commerce approved FIPS 140-3, Security
Requirements for Cryptographic Modules. The standard governs the design and
implementation of cryptographic modules that federal departments operate or
have operated on their behalf. Like FIPS 140-2, it provides four levels of
security to cover a wide range of possible applications and environments. The
security requirements cover areas related to the secure design,
implementation, and operation of a cryptographic module. The areas include:

  • Cryptographic module specification
  • Cryptographic module interfaces
  • Roles, services, and authentication
  • Software/firmware security
  • Operating environment
  • Physical security
  • Non-invasive security
  • Sensitive security parameter management
  • Self-tests
  • Lifecycle assurance
  • Attack mitigation

FIPS 140-3 will go into effect on September 22, 2019 and will undergo testing
through the Cryptographic Module Validation Program, beginning in September
2020. Testing of FIPS 140-2 will continue for at least one year after FIPS 140-3
testing commences. The FIPS 140-3 standard will reference two existing
international standards: 

  1. International Organization for Standardization/International
    Electrotechnical Commission 19790:2012(E), Information Technology – Security
    Techniques – Security Requirements for Cryptographic Modules.
  2. International Organization for Standardization/International
    Electrotechnical Commission 24759:2017(E), Information Technology – Security
    Techniques – Test Requirements for Cryptographic Modules.

In January 2015, NIST proposed that six FIPS should be withdrawn because they
were obsolete and had not been updated. A notice was published in the Federal
Register later that month to announce the proposed withdrawal and to ask for
comments from the public, users, the IT sector, and federal, state, and local
government organizations regarding the withdrawals. One industry organization
provided commentary, stating that it agreed with the withdrawal of one of the
standards, FIPS 185, Escrowed Encryption Standard. In October 2015, the six FIPS
standards (FIPS 181, FIPS 185, FIPS 188, FIPS 190, FIPS 191, and FIPS 196) were
all withdrawn. 

Current FIPS are also reviewed periodically. Once a FIPS has made it through
all of the steps required for design and approval, it is released in its final
form to the public, but it can later be withdrawn. This is typically because
the standard was not updated to adopt current or revised industry standards.
NIST reviews each FIPS every five years to determine whether it is still
applicable or has been superseded by other documents. Withdrawing a FIPS
publication requires the following steps:

  • A Federal Register notice is made regarding the potential withdrawal of
    the FIPS publication. This explains the reason behind the potential
    withdrawal and initiates a comment period (typically between 30 and 90 days)
    to gain stakeholder feedback. 
  • NIST reviews the comments received and decides whether or not to continue
    the withdrawal process. 
  • The Secretary of Commerce receives NIST’s recommendation for the
    withdrawal of the FIPS publication.
  • If the Secretary approves the withdrawal, another announcement is made,
    which discusses the withdrawal and includes a summary of the comments
    received. 
  • NIST’s online publication databases are updated to reflect the
    withdrawal. 
  • A cover sheet noting the withdrawal is attached to the online copy of the
    FIPS. 

Recommendations

Organizations that wish to
work with federal agencies should invest the time necessary to become familiar
with, and compliant with all FIPS requirements that apply to their lines of
business. Compliance can be performed in-house or by using a qualified
consultant. Should an organization choose to become compliant without outside
help, there are training opportunities that demystify the compliance process.

Organizations that wish to
be involved in the FIPS establishment process, either from the perspective of
input, or from the perspective of developing standards, should get involved in
the standards industry.

Department of Commerce: https://www.commerce.gov/
Federal Register: https://www.federalregister.gov/
International Electrotechnical Commission: https://www.iec.ch/ 
International Organization for Standardization: https://www.iso.org/ 
National Institute of Standards and Technology: https://www.nist.gov

About the Author

Karen M. Spring is a staff editor for Faulkner Information
Services, tracking several high-tech industries. She has research experience in
various topics including network security, data breaches, malware, public
safety, business continuity and resilience, and vulnerabilities. She has written
on high-tech topics for publications in the K-12 and higher education industry.
Ms. Spring started her career as a marketing specialist for two computer
distributors, working closely with such clients as 3Com, IBM, Okidata, Unisys,
and Acer. 