Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions. See background information for more details.
FIPS documents are available online through the FIPS home page:
Information about Voluntary Industry Standards
The American National Standards Institute (ANSI) operates the National Standards System Network (NSSN). This powerful reference tool provides 24-hour access to over 65,000 references to standards and specifications from the U.S. government, U.S. private sector organizations and international standards organizations. To access, open the NSSN World Wide Web site at: http://www.nssn.org
The Federal Information Security Management Act does not include a statutory provision allowing agencies to waive the provisions of mandatory Federal Information Processing Standards (FIPS). Waivers approved by the head of agencies had been allowed under the Computer Security Act, which was superseded by FISMA. Therefore, the waiver procedures included in many FIPS are no longer in effect.
The applicability sections of each FIPS should be reviewed to determine if the FIPS is mandatory for agency use. FIPS do not apply to national security systems (as defined in Title III, Information Security, of FISMA).
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
The major focus of NIST activities in information technology is developing tests, measurements, proofs of concept, reference data and other technical tools to support the development of pivotal, forward-looking technology.
Under Section 5131 of the Information Technology Management Reform Act of 1996 and the Federal Information Security Management Act of 2002 (Public Law 107-347), NIST develops standards, guidelines, and associated methods and techniques for Federal computer systems.
- including those needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems,
- when there are compelling Federal requirements and there are no existing voluntary industry standards.
Use of Voluntary Industry Standards
- In accordance with the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113) and Administration policies, NIST supports the development of voluntary industry standards both nationally and internationally as the preferred source of standards to be used by the Federal government. The use of voluntary industry standards eliminates the cost to the government of developing its own standards, and furthers the policy of reliance upon the private sector to supply goods and services to the government.
- NIST collaborates with national and international standards committees, users, industry groups, consortia, and research and trade organizations, to get needed standards developed.
- Federal Information Processing Standards (FIPS) are developed only when there are no existing voluntary standards to address Federal requirements for the interoperability of different systems, for the portability of data and software, and for computer security.
Process for Adoption of FIPS
- To assure an open process and an opportunity for all interested parties to comment on proposed Federal Information Processing Standards (FIPS), the National Institute of Standards and Technology follows rule-making procedures modeled after those established by the Administrative Procedures Act.
- NIST announces the proposed FIPS in the Federal Register for public review and comment. At the same time that the proposed FIPS is announced in the Federal Register, it is also announced on NIST’s electronic pages (http://www.nist.gov/itl/fips.cfm ). To encourage review by senior information technology officials, the proposed FIPS is announced on the electronic pages of the Chief Information Officers Council (http://cio.gov. The text and associated specifications, if applicable, of the proposed FIPS are posted on the NIST electronic pages.
- A 30 to 90-day period is provided for review and for submission of comments on the proposed FIPS to NIST.
- Comments received in response to the Federal Register notice and to the other notices are reviewed by NIST to determine if modifications to the proposed FIPS are needed.
- A detailed justification document is prepared, analyzing the comments received and explaining whether modifications were made, or explaining why recommended changes were not made.
- NIST submits the recommended FIPS, the detailed justification document, and recommendations as to whether the standard should be compulsory and binding for Federal government use, to the Secretary of Commerce for approval.
- A notice announcing approval of the FIPS by the Secretary of Commerce is published in the Federal Register, and on NIST’s electronic pages.
- A copy of the detailed justification document is filed at NIST and is available for public review.