The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products, as defined in Section 5131 of the Information Technology Management Reform Act of 1996. The Cryptographic Module Validation Program (CMVP), a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), validates cryptographic modules against the Security Requirements for Cryptographic Modules standard.

‘FIPS’, or Federal Information Processing Standards, are guidelines developed by the US government relating to cybersecurity. FIPS can sound intimidating, dense, or incomprehensible. FIPS compliance is nonetheless crucial in network security for businesses and their service providers: it ensures the protection of sensitive information and maintains the integrity of systems and networks.

A ‘managed service provider’ or MSP is a specialist company to which businesses outsource certain services. For MSPs, maintaining compliance with FIPS can be an essential part of the services they provide. Thus, a proficient understanding of what FIPS are, what they do, and what they mean is essential.

What is FIPS? 

FIPS stands for ‘Federal Information Processing Standards’. The term refers to a series of computer security standards developed by the United States Federal Government in line with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. More specifically, FIPS is a security standards framework developed by the National Institute of Standards and Technology (NIST). 

FIPS determine certain requirements for a range of cybersecurity matters, including computer encryption schemes, key generation methods, computer security, and interoperability (amongst other things), and stipulate which are acceptable. They are generally only developed in areas where there are still no industry standard guidelines for solutions to a specific government requirement. 

Who uses FIPS? 

Compliance with FIPS is usually only mandatory for non-military federal government agencies, contractors, and vendors. They apply specifically to departments that deal with, store, share, and disseminate sensitive but unclassified information (SBU) and data. 

Any agencies that are responsible for federally rolled out programs such as unemployment insurance, student loans, Medicare, and Medicaid are required to comply with FISMA (which requires compliance with FIPS). This also applies to private sector agents that have procured government contracts. They do not apply to national security systems. 

However, since the FIPS are publicly available, they can be, and often are, adopted by private sector actors on a voluntary basis.

Generally, given it is a US government-mandated framework, it’s also widely acknowledged internationally as a robust and trustworthy security standard. 

Why are FIPS necessary? 

FIPS address the fact that although there are multiple different ways that you can, for example, encrypt information, not all methods are equally secure or effective. For this reason, the federal government vets and approves certain schemes that meet their requirements and sets those as a standard for its agencies.  

What are the different FIPS series? 

The term ‘FIPS’ is an umbrella term for several different standards relating to specific security concerns. Here are just a few examples: 

FIPS 140-2 and 140-3 – Security Requirements for Cryptographic Modules

FIPS 201-2 – Personal Identity Verification (PIV) of Federal Employees and Contractors

FIPS 186-4 – Digital Signature Standard

FIPS 197 – Advanced Encryption Standard

FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems

What are FIPS 140-2 and FIPS 140-3? 

These are both sets of standards that are frequently referred to within a cyber-security context. FIPS 140-2 and FIPS 140-3 both define the security requirements for cryptographic modules. FIPS 140-2 is being phased out and replaced by FIPS 140-3, and this transition is currently underway. On September 22, 2026, all FIPS 140-2 certificates are placed on the historical list. Both standards define four security levels for a cryptographic module:

Level 1 – The lowest security level that imposes minimum requirements and requires all components to be ‘production grade’ 

Level 2 – Added requirements for physical-tamper evidence as well as role-based authentication 

Level 3 – Further obligation to strengthen security against attackers, the use of identity-based authentication, as well as a physical separation between interfaces 

Level 4 – The most stringent level that necessitates robust physical security measures against environmental attacks 

Are All FIPS Mandatory?

No. FIPS are not always mandatory for Federal agencies. The applicability section of each FIPS details when the standard is applicable and mandatory. FIPS do not apply to national security systems (as defined in Title III, Information Security, of FISMA). 

State agencies administering federal programs like unemployment insurance, student loans, Medicare, and Medicaid must comply with FISMA. Private sector companies with government contracts must also comply with FISMA, which mandates the use of FIPS. 


How are FIPS developed? 

FIPS are only developed if no acceptable industry standards already exist and where there is an explicit governmental need for them in a particular space. First, the proposed FIPS are announced in the Federal Register, on NIST’s electronic pages, and on the Chief Information Officers Council page. Comments and reviews are welcomed on the proposal for a period of up to 90 days.

Following this, relevant amendments and modifications are applied to the proposed draft. Once completed, a justification document is made that contextualizes updates, modifications, or the choice to keep certain aspects the same. When the Secretary of Commerce has approved the proposed FIPS, an announcement to this effect is published on the NIST’s website. 

When are FIPS withdrawn? 

When industry standards are developed for an area, the FIPS covering that area become defunct and are withdrawn. This can also happen if a certain commercial product lays down the new standard and it becomes widely available.

What does it mean to be FIPS compliant? 

FIPS accreditation indicates that a certain solution meets the requirements laid out by the government regulation. If a certain IT product or solution is accredited in this way, it means that US federal agencies and their contractors can use the product immediately. To become compliant, all components of a security solution (hardware and software) must be tested and approved by a NIST-accredited independent laboratory.

Why are FIPS important? 

Given the rigorous testing that FIPS entail, they are considered a dependable security standard. Plus, they’re a useful baseline for any entities that need to implement security standards within their infrastructure. Government entities are also required under the National Technology Transfer and Advancement Act (1995) to use technical standards developed by voluntary industry bodies rather than invest in developing their own, which is why FIPS are reserved for areas where no such industry standard yet exists.

When are FIPS useful for MSPs? 

You may come across clients that operate under certain FIPS frameworks. This means as an MSP, you’ll have to be aware of the requisite standards and what it means to be compliant. From a patching perspective especially, awareness of FIPS is crucial. This is because if you blindly apply patches or allow automated patching to occur, you may inadvertently allow non-compliant patches to be applied to your network. 
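The patching concern above is easiest to act on with a check that runs after every patch cycle. The script below is an added example, not code from the original post or from any MSP tooling: it reports whether a Linux host still has the kernel's FIPS mode switched on (the real `/proc/sys/crypto/fips_enabled` flag) and whether the installed OpenSSL 3 lists its FIPS provider (the real `openssl list -providers` command). The function names are this example's own, both checks take an optional input so they can be exercised against constructed data, and the sample provider listing used in testing is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: post-patch FIPS mode check for a Linux host.
# Assumes Linux (for /proc/sys/crypto/fips_enabled) and OpenSSL 3 (for the
# provider listing). Both are real interfaces, but whether a given host
# exposes them depends on its kernel and OpenSSL build.

# Read a fips_enabled flag file and normalise it to "enabled", "disabled"
# or "unknown" (file missing, unreadable or holding an unexpected value).
# The path is a parameter so the check can be run against a constructed file.
fips_kernel_state() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$flag_file" ]; then
        echo "unknown"
        return 0
    fi
    value=$(tr -d '[:space:]' < "$flag_file")
    case "$value" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Report whether an OpenSSL 3 provider listing names the "fips" provider.
# Takes the listing as text so it can be checked offline; with no argument
# it runs `openssl list -providers` on the host.
openssl_fips_provider_state() {
    if [ -n "$1" ]; then
        listing="$1"
    elif command -v openssl >/dev/null 2>&1; then
        listing=$(openssl list -providers 2>/dev/null)
    else
        echo "unknown"
        return 0
    fi
    # Provider names appear on their own indented line, e.g. "  fips",
    # followed by further-indented name/version/status details.
    if printf '%s\n' "$listing" | grep -Eq '^[[:space:]]*fips[[:space:]]*$'; then
        echo "loaded"
    else
        echo "not-loaded"
    fi
}

# Combine both answers into one verdict a patch pipeline can gate on.
# Prints the details and returns 0 only when the kernel flag is enabled
# and the FIPS provider is loaded; anything else (including "unknown")
# is treated as a failure so a silently reverted setting is not missed.
fips_post_patch_check() {
    kernel=$(fips_kernel_state "$1")
    provider=$(openssl_fips_provider_state "$2")
    echo "kernel FIPS mode: $kernel; OpenSSL FIPS provider: $provider"
    [ "$kernel" = "enabled" ] && [ "$provider" = "loaded" ]
}
```

Source the file and call `fips_post_patch_check` with no arguments to check the live host; a non-zero exit status is the signal to stop the patch rollout and investigate. Treating "unknown" as a failure is deliberate: a patch that removes the FIPS provider package or a kernel that no longer exposes the flag should both surface as a problem rather than pass by default.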

Conclusion

Once they’re broken down, FIPS aren’t so daunting. The most important thing is to keep up with the latest developments in the regulations and standards. 

What are the current FIPS? 

The most current FIPS can be found below and on NIST’s Current FIPS webpage.

Number – Title – Date
140-2 – Security Requirements for Cryptographic Modules – 2001 May 25 (supersedes FIPS PUB 140-1, 1994 January 11)
180-4 – Secure Hash Standard (SHS) – 2015 August
186-4 – Digital Signature Standard (DSS) – 2013 July
197 – Advanced Encryption Standard (AES) – 2001 November 26
198-1 – The Keyed-Hash Message Authentication Code (HMAC) – 2008 July
199 – Standards for Security Categorization of Federal Information and Information Systems – 2004 February
200 – Minimum Security Requirements for Federal Information and Information Systems – 2006 March
201-2 – Personal Identity Verification (PIV) of Federal Employees and Contractors – 2013 August
202 – SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions – 2015 August

One response to “FIPS: What are the guidelines and why they are important?”

1. Good information I did not know about. Thanks for sharing!
