Federal Information
Processing Standards
Copyright 2019, Faulkner Information Services. All Rights Reserved.
Docid: 00011446
Publication Date: 1908
Report Type: STANDARD
Federal Information Processing Standards (FIPS)
are developed by the United
States federal government for use by all non-military government agencies and
by government contractors. Every agency that does business with the US
government – including contractors – must adhere to these standards. An explanation of the FIPS currently in effect
is included here, along with recommendations for organizations that wish to
gain contracts with the US government.
Report Contents:
- Executive Summary
- Description
- Current View
- Outlook
- Recommendations
- Web Links
- Related Faulkner Reports
Executive Summary
Agencies at all levels of government set regulatory standards for products and processes in order to
protect health, safety, and the environment.
Related Faulkner Reports: Federal Information Security Management Act Tutorial
In 1965, the Brooks Act
gave responsibility for federal information technology procurement standards to
the National Bureau of Standards, which has now become the National Institute
of Standards and Technology (NIST). To meet this requirement, NIST produces
Federal Information Processing Standards (FIPSs). FIPS compliance is mandatory
for every US government computer. Government contractors must ensure that they
are FIPS compliant whenever they deal with data that is protected by federal
government rules. NIST has traditionally relied on private sector
standards-setting processes when developing FIPSs.
Currently, there are nine FIPS in effect. Some of these standards replace previous ones, while others are
long-standing standards that are still in effect. In addition, a new FIPS
standard will debut in September 2019. This report outlines each of
those standards and when it was put into effect. Although some standards could
be waived in the past, that is no longer the case. Organizations that want
to do business with the US government must be familiar with and compliant with
the FIPS requirements for any given project.
Description
Under the Information
Technology Management Reform Act, the Secretary of Commerce approves standards
and guidelines that are developed by NIST for federal computer systems. These
standards and guidelines are issued by NIST as FIPS publications for use
government-wide. NIST develops FIPS when there are compelling federal
government requirements such as for security and interoperability and there are
no acceptable industry standards or solutions. The major focus of NIST
activities in information technology is developing tests, measurements, proofs
of concept, reference data, and other technical tools to support the
development of forward-looking technology. FIPS, however, may also be developed
when needed to assure the cost-effective security and privacy of sensitive
information in federal computer systems.
In accordance with the
National Technology Transfer and Advancement Act of 1995 and Administration
policies, NIST collaborates with national and international standards
committees, users, industry groups, consortia, and research and trade
organizations, to support the development of voluntary industry standards both
nationally and internationally. These are the preferred source of
standards to be used by the federal government. The use of voluntary industry
standards eliminates the cost to the government of developing its own
and furthers the policy of reliance upon the private sector to
supply goods and services to the government. FIPS are developed only when there
are no existing voluntary standards to address federal requirements for the
interoperability of different systems, for the portability of data and
software, and for computer security.
The process for adoption of FIPS is as follows:
- To assure an open process and opportunity for all interested parties to comment on proposed FIPS, NIST follows rule-making procedures modeled after those established by the Administrative Procedures Act.
- The proposed FIPS is announced in the Federal Register for public review and comment. At the same time, it is also announced on NIST’s Web site and on the CIO Council’s Web site.
- A 30- to 90-day period is provided for review and for submission of comments on the proposed FIPS.
- Comments received are reviewed by NIST to determine if modifications to the proposed FIPS are needed.
- Another announcement is made with discussion of the next steps and development process details, which include:
  - Submission of candidate algorithms, methods, or techniques;
  - Evaluation and testing by stakeholders and NIST;
  - Conferences, workshops, and other events to discuss and analyze submissions.
- Another announcement discusses NIST’s selection for the FIPS publication or announces a draft FIPS publication and starts another comment period to obtain stakeholder feedback.
- Feedback is incorporated and NIST either issues another draft, soliciting feedback in another announcement, or prepares the final FIPS publication.
- After approval by NIST management, the FIPS publication and its supporting documentation are sent to the Secretary of Commerce for approval.
- If the Secretary approves the FIPS publication, NIST announces the publication.
- Once the announcement is issued, the new FIPS publication is posted on NIST’s Web pages and announced through other communication channels.
Current View
Currently, there are nine FIPS in place that organizations must adhere to when contracting with the US
government for IT projects. Those FIPS are detailed in Table 1.
FIPS Number | Date | Title | Description
---|---|---|---
202 | August 2015 | SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions | This standard specifies
201-2 | August 2013 | Personal Identity Verification for Federal Employees and | This standard specifies the
200 | March 2006 | Minimum Federal | The second standard that
199 | February 2004 | Standards for Security | Addresses one of the requirements
198-1 | July 2008 | The Keyed-Hash Message | (Supersedes FIPS 198) This standard describes a
197 | November 26, 2001 | Advanced Encryption | The Advanced Encryption
186-4 | July 2013 | Digital Signature | The standard specifies a
180-4 | August 2015 | Secure Hash Standard (SHS) | This
140-2 | May 25, 2001 | Security Requirements for | (Supersedes FIPS 140-1)
Outlook
In March 2019, the Secretary of Commerce approved FIPS 140-3, Security
Requirements for Cryptographic Modules. The standard will be used to design and
implement cryptographic modules that federal departments operate or that are operated
for them. It provides four levels of security to cover a wide range of possible
applications and environments. The security requirements cover areas related to
the secure design, implementation, and operation of a cryptographic module. The
areas include:
- Cryptographic module specification
- Cryptographic module interfaces
- Roles, services, and authentication
- Software/firmware security
- Operating environment
- Physical security
- Non-invasive security
- Sensitive security parameter management
- Self-tests
- Lifecycle assurance
- Attack mitigation
FIPS 140-3 will go into effect on September 22, 2019 and will undergo testing
through the Cryptographic Module Validation Program, beginning in September
2020. Testing of FIPS 140-2 will continue for at least one year after FIPS 140-3
testing commences. The FIPS 140-3 standard will reference two existing
international standards:
- International Organization for Standardization/International Electrotechnical Commission 19790:2012(E), Information Technology – Security Techniques – Security Requirements for Cryptographic Modules.
- International Organization for Standardization/International Electrotechnical Commission 24759:2017(E), Information Technology – Security Techniques – Test Requirements for Cryptographic Modules.
In January 2015, NIST proposed that six FIPS should be withdrawn because they
were obsolete and had not been updated. A notice was published in the Federal
Register later that month to announce the proposed withdrawal and to ask for
comments from the public, users, the IT sector, and federal, state, and local
government organizations regarding the withdrawals. One industry organization
provided commentary, stating that it agreed with the withdrawal of one of the
standards, FIPS 185, Escrowed Encryption Standard. In October 2015, the six FIPS
standards (FIPS 181, FIPS 185, FIPS 188, FIPS 190, FIPS 191, and FIPS 196) were
all withdrawn.
Current FIPS are also constantly under inspection. Once FIPS have made it
through all of the steps required for design and approval of a standard, they
are released in their final form to the public. Sometimes certain FIPS are
withdrawn. This is typically due to the standards not having been updated to
adopt current or revised industry standards. NIST reviews each FIPS standard
every five years to determine if it is still applicable or if it has been
superseded by other documents. Withdrawing a FIPS publication requires the
following steps:
- A Federal Register notice is made regarding the potential withdrawal of the FIPS publication. This explains the reason behind the potential withdrawal and initiates a comment period (typically between 30 and 90 days) to gain stakeholder feedback.
- NIST reviews the comments received and decides whether or not to continue the withdrawal process.
- The Secretary of Commerce receives NIST’s recommendation for the withdrawal of the FIPS publication.
- If the Secretary approves the withdrawal, another announcement is made, which discusses the withdrawal and includes a summary of the comments received.
- NIST’s online publication databases are updated to reflect the withdrawal.
- A cover sheet with information is appended to the online FIPS.
Recommendations
Organizations that wish to
work with federal agencies should invest the time necessary to become familiar
with, and compliant with, all FIPS requirements that apply to their lines of
business. Compliance can be performed in-house or by using a qualified
consultant. Should an organization choose to become compliant without outside
help, there are training opportunities that demystify the compliance process.
Organizations that wish to
be involved in the FIPS establishment process, either from the perspective of
input, or from the perspective of developing standards, should get involved in
the standards industry.
Web Links
Department of Commerce: https://www.commerce.gov/
Federal Register: https://www.federalregister.gov/
International Electrotechnical Commission: https://www.iec.ch/
International Organization for Standardization: https://www.iso.org/
National Institute of Standards and Technology: https://www.nist.gov
About the Author
Karen M. Spring is a staff editor for Faulkner Information
Services, tracking several high-tech industries. She has research experience in
various topics including network security, data breaches, malware, public
safety, business continuity and resilience and vulnerabilities. She has written
on high-tech topics for publications in the k-12 and higher education industry.
Ms. Spring started her career as a marketing specialist for two computer
distributors, working closely with such clients as 3Com, IBM, Okidata, Unisys,
and Acer.