Compliance FAQs: Federal Information Processing Standards (FIPS)

This content last updated 11/15/2019. (Note: Content may not be the most current.)

What are Federal Information Processing Standards (FIPS)?

FIPS are standards and guidelines for federal computer systems that are developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the federal government, many in the private sector voluntarily use these standards.

What are the current FIPS?

The most current FIPS can be found on NIST’s Current FIPS webpage.

| Number | Title |
|--------|-------|
| 140-2 | Security Requirements for Cryptographic Modules -- 01 May 25 (Supersedes FIPS PUB 140-1, 1994 January 11) |
| 180-4 | Secure Hash Standard (SHS) -- 2015 August |
| 186-4 | Digital Signature Standard (DSS) -- 13 July |
| 197 | Advanced Encryption Standard (AES) -- 2001 November 26 |
| 198-1 | The Keyed-Hash Message Authentication Code (HMAC) -- 2008 July |
| 199 | Standards for Security Categorization of Federal Information and Information Systems -- 2004 February |
| 200 | Minimum Security Requirements for Federal Information and Information Systems -- 2006 March |
| 201-2 | Personal Identity Verification (PIV) of Federal Employees and Contractors -- 2013 August |
| 202 | SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions -- 2015 August |

Are All FIPS Mandatory?

No. FIPS are not always mandatory for Federal agencies. The applicability section of each FIPS details when the standard is applicable and mandatory. FIPS do not apply to national security systems (as defined in Title III, Information Security, of FISMA).

State agencies administering federal programs like unemployment insurance, student loans, Medicare, and Medicaid must comply with FISMA. Private sector companies with government contracts must also comply with FISMA, which mandates the use of FIPS.

Can Agencies waive mandatory FIPS?

The Computer Security Act of 1987 contained a waiver process for FIPS; however, this Act was superseded by FISMA of 2002, which no longer allows this practice. Some FIPS may still contain language referring to the “waiver process,” but this is no longer valid.

What does FIPS mean for non-government organizations?

While FIPS is required for federal government users, the standards are valuable resources for non-government organizations looking to establish strong information security programs.

When are FIPS withdrawn?

When industry standards become available, the federal government will withdraw a FIPS. Federal government departments and agencies are directed by the National Technology Transfer and Advancement Act of 1995 (P.L. 104-113) to use technical industry standards that are developed by voluntary consensus standards bodies. This eliminates the cost to the government of developing its own standards.

In other cases, a FIPS may be withdrawn when a commercial product that implements the standard becomes widely available.

How are FIPS developed?

NIST follows rulemaking procedures modeled after those established by the Administrative Procedures Act.

1. The proposed FIPS is announced in the following manners:

The text and associated specifications, if applicable, of the proposed FIPS are posted on the NIST electronic pages.

2. A 30- to 90-day period is provided for review and for submission of comments on the proposed FIPS to NIST.

3. Comments received in response to the Federal Register notice and to the other notices are reviewed by NIST to determine if modifications to the proposed FIPS are needed.

4. A detailed justification document is prepared, analyzing the comments received and explaining whether modifications were made, or explaining why recommended changes were not made.

5. NIST submits the recommended FIPS, the detailed justification document, and recommendations as to whether the standard should be compulsory and binding for Federal government use, to the Secretary of Commerce for approval.

6. A notice announcing approval of the FIPS by the Secretary of Commerce is published in the Federal Register, and on NIST's electronic pages.

7. A copy of the detailed justification document is filed at NIST and is available for public review.

 


The NIST Standards Information Center makes every effort to provide accurate and complete information. Various data such as names, telephone numbers, links to websites, etc. may change prior to updating. We welcome suggestions on how to improve this FAQ and correct errors. The Standards Information Center provides this information “AS-IS.” NIST and the Standards Information Center make NO WARRANTY OF ANY TYPE, including NO WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NIST makes no warranties or representations as to the correctness, accuracy, completeness, or reliability of the information. As a condition of using the FAQs, you explicitly release NIST/Standards Information Center from any and all liabilities for any damage of any type that may result from errors or omissions in the FAQ or other data. Some of the documents referenced point to information created and maintained by other organizations. The Standards Information Center does not control and cannot guarantee the relevance, timeliness, or accuracy of these materials. 


Created July 10, 2018, Updated July 8, 2021