Federal Information Processing Standards (FIPS)

Overview

The Federal Information Processing Standards (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology (NIST) and adopted by the federal government of the United States.[1] These standards cover a wide range of topics including data interchange formats, computer systems security, cryptographic algorithms, and interoperability requirements for hardware and software used within federal agencies.[2]

FIPS play a critical role in ensuring consistency, reliability, and security across government IT infrastructure. While primarily mandatory for federal agencies, many FIPS standards have been adopted commercially and internationally due to their rigorous development process and technical robustness.[3]

Editorial Note

FIPS standards are distinct from private industry standards. They are developed through a public review process and carry the force of federal policy for agencies procuring or deploying information technology systems.

History & Development

The FIPS program was established in 1970 with the issuance of FIPS 1, the first standard in the series, which defined character sets for information interchange.[4] The initiative was born out of the growing need for standardized data processing across disparate federal computer systems, which had previously operated using proprietary or vendor-specific formats.

Throughout the 1980s and 1990s, FIPS expanded rapidly to address emerging cybersecurity threats, data privacy concerns, and the need for interoperable telecommunications standards. Notable milestones include the publication of FIPS 46-3 (Data Encryption Standard, later replaced by AES) and FIPS 140-1 (cryptographic module validation).[5]

In the 21st century, the program underwent structural reforms to align with international standardization practices, particularly those of the International Organization for Standardization (ISO). Several FIPS were withdrawn or transitioned to NIST Special Publications (SP), while others were reaffirmed as mandatory federal requirements.[6]

Governance & Process

FIPS standards are administered by NIST under the United States Patent and Trademark Office (USPTO), which itself falls under the Department of Commerce. The development lifecycle typically includes:[7]

  • Initial Draft: Technical specification developed by NIST in collaboration with industry and academic experts.
  • Public Comment Period: A mandatory 60–90 day window for stakeholder feedback.
  • Review & Revision: NIST analyzes comments and revises the draft accordingly.
  • Publication: The final standard is assigned a FIPS number and published in the Federal Register.
  • Maintenance & Withdrawal: Standards are periodically reviewed; outdated standards are either updated, transitioned to NIST SP, or officially withdrawn.

Agencies must comply with active FIPS standards unless an exemption is granted by the Office of Management and Budget (OMB). Compliance is verified through certification programs such as the Cryptographic Module Validation Program (CMVP).[8]

Key Standards & Applications

Cryptography & Security

Cryptographic standards form the backbone of FIPS, ensuring that sensitive government data remains protected against evolving threats. Notable examples include:

  • FIPS 197 – Advanced Encryption Standard (AES)
  • FIPS 180-4 – Secure Hash Standard (SHA-2, SHA-3)
  • FIPS 140-3 – Security Requirements for Cryptographic Modules (current version)
  • FIPS 202 – SHA-3 Standard

These standards are mandatory for federal systems handling classified or Personally Identifiable Information (PII) and are widely adopted by financial, healthcare, and defense contractors.[9]

Data Interchange & Formats

Early FIPS focused heavily on data formatting and character encoding. While many have been superseded by ISO/IEC or ANSI standards, their historical impact remains significant. Examples include FIPS 127 (7-bit and 8-bit Coded Character Sets) and FIPS 200-1 (Code Set Extension).[10]

Federal Information Security

The FIPS 200 and FIPS 201 series established the foundational framework for federal information security and identity management. FIPS 200 defines minimum security requirements, while FIPS 201 mandates the use of the Personal Identity Verification (PIV) card system for federal employees and contractors.[11]

FIPS vs. NIST Special Publications

A common point of confusion is the distinction between FIPS and NIST Special Publications (SP). While both are issued by NIST, they differ in legal standing and applicability:

  • FIPS: Mandatory for federal agencies; carries regulatory weight; undergoes strict public review.
  • NIST SP: Advisory or best-practice guidance; often used to support or implement FIPS; examples include SP 800-53 (security controls) and SP 800-63 (digital identity guidelines).

Since 2005, NIST has encouraged migrating non-essential standards from FIPS to SP to reduce regulatory burden while maintaining technical quality.[12]

Controversies & Evolution

The FIPS program has faced criticism over perceived regulatory overreach and slower publication cycles compared to industry standards. Notable controversies include:

  • The 2013 revelation that the NSA influenced the design of Dual_EC_DRBG (FIPS 180-3), leading to its withdrawal due to suspected backdoor vulnerabilities.[13]
  • Debates over mandatory compliance for commercial vendors supplying federal contracts, particularly regarding cryptographic module certification costs.
  • Ongoing efforts to modernize FIPS 140-3 to accommodate post-quantum cryptography and cloud-native architectures.

Despite these challenges, FIPS remains a cornerstone of U.S. digital infrastructure policy, with continuous updates reflecting advances in quantum-resistant algorithms, zero-trust architectures, and supply chain security.[14]

References

  1. National Institute of Standards and Technology. "Federal Information Processing Standards." FIPS.gov, U.S. Department of Commerce, 2024.
  2. Office of Management and Budget. "Circular A-130: Managing Information as a Strategic Asset." FedReg.gov, 2016.
  3. ISO/IEC JTC 1. "Alignment of U.S. Federal Standards with International Standards." Joint Technical Committee 1, 2018.
  4. NIST. "FIPS 1: Character Sets." Original Publication, 1970. Archived 1998.
  5. National Security Agency. "Cryptographic Module Validation Program History." csf.nvlap.nist.gov, 2020.
  6. NIST. "Transition Plan from FIPS to NIST SPs." Special Publication 500-271, 2015.
  7. Federal Register. "Development of Federal Information Processing Standards." 89 FR 10245, 2024.
  8. Common Criteria Certification Board. "CMVP Certification Requirements." ccra-cert.org, 2023.
  9. Department of Defense. "Instruction 8500.01: Information Security Program." DoD Directive, 2018.
  10. ANSI X3.4-1986. "Coded Character Sets." American National Standards Institute.
  11. OMB. "Memorandum M-07-16: Identity, Credential, and Access Management (ICAM) Strategy." 2007.
  12. NIST. "Guidelines for the Transition of FIPS to NIST SPs." SP 800-52A, 2005.
  13. Schneier, B. "The History of the NSA's Dual EC DRBG Backdoor." Schneier on Security, 2017.
  14. NIST. "Roadmap for Post-Quantum Cryptography Integration into FIPS." Draft FIPS 203-205, 2024.