Federal Information Processing Standards (FIPS) are essential for federal agencies and contractors to ensure the security of sensitive information, such as classified data, personally identifiable information, and financial data.
This article will describe some of the most common FIPS security standards, their importance, and how federal agencies and contractors use them. We will also discuss the recent updates to FIPS security standards, such as FIPS 140-3 and FIPS 186-5, and how they impact federal information security.
What Are the Federal Information Processing Standards?
Federal Information Processing Standards are created, maintained, and revised by the National Institute of Standards and Technology (NIST) to protect the confidentiality, integrity, and availability (the CIA triad) of data stored in federal IT systems.
FIPS security standards cover many topics, including cryptography, identity and access management, risk management, and information security management.
They often give a more detailed specification of acceptable technologies, practices, and classifications that support the broader requirements found in NIST Special Publications.
FIPS standards are mandatory for use in federal government systems. They are often used as guidelines by state and local governments and private sector organizations that work with the government. Compliance with FIPS standards is required for many government contracts and grants and some industry certifications.
What Are Some of the Common FIPS Standards?
There are dozens of FIPS documents covering topics from impact level classification to encryption standards and other best practices.
Some of the more widespread FIPS documents impacting cybersecurity include:
FIPS 140-3 is the latest version of the security requirements for cryptographic modules that protect sensitive information handled by the U.S. government and its contractors.
FIPS 140-3 replaces the previous standard (FIPS 140-2) and includes updated requirements for cryptographic modules. Some of the critical changes in FIPS 140-3 include:
- Algorithm Requirements: FIPS 140-3 introduces several new cryptographic algorithms and expanded key length requirements for encryption and hashing algorithms.
- Testing and Validation: FIPS 140-3 includes Pre-Operational Self-Testing (POST) requirements to address hybrid software and hardware encryption modules.
- Security Policy: FIPS 140-3 requires that all cryptographic modules have a formal security policy that specifies the module’s security functions, features, and services. Additionally, level 4 requirements include new multi-factor authentication (MFA) expectations.
- Security Requirements: FIPS 140-3 includes additional security requirements that cryptographic modules must meet. For example, modules must have mechanisms for detecting and preventing unauthorized access, tampering, or manipulation.
- Implementation Guidance: FIPS 140-3 provides more detailed guidance on implementing the standard’s requirements. This guidance includes examples of how to implement specific cryptographic functions and perform certain testing types.
FIPS 186 is a Federal Information Processing Standard specifying the digital signature algorithms federal agencies use to authenticate electronic documents and transactions.
FIPS 186-4 defines three digital signature algorithms:
- Digital Signature Algorithm (DSA)
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- Rivest-Shamir-Adleman (RSA) signatures
FIPS 186 specifies the technical requirements for each of these algorithms, including the key sizes, the methods for generating keys and signatures, and the security parameters used in the signing and verification processes. The standard also includes requirements for the randomness of the keys and the generation of secure hash values.
The latest revision of FIPS 186 (FIPS 186-5) was released in February 2023 and will supersede 186-4. This revision updates some of the requirements from its predecessor. Most notably, it removes DSA as an approved algorithm, except for organizations that were already using it before the full implementation of FIPS 186-5 in February 2024. It also adds the Edwards-Curve Digital Signature Algorithm (EdDSA) to the list of approved algorithms.
FIPS 199 is a standard developed by the National Institute of Standards and Technology (NIST). It provides guidelines for categorizing information and information systems based on their potential impact on organizational operations, assets, or individuals.
The purpose of FIPS 199 is to help organizations identify and prioritize their information security requirements. It does this by defining three categories of potential impact, each of which requires a different level of security control:
- Low Impact: Information that, if compromised, could cause a limited effect on organizational operations, assets, or stakeholders.
- Moderate Impact: Information that, if compromised, could cause a serious effect on organizational operations, assets, or stakeholders.
- High Impact: Information that, if compromised, could cause severe or catastrophic effects on organizational operations, assets, or stakeholders.
Organizations use FIPS 199 to determine the appropriate security controls for an information system based on its categorization. For example, low-impact systems may require only basic security controls such as access control and backup procedures, whereas high-impact systems may require more stringent controls such as encryption and intrusion detection.
FIPS 199 is often used with other security standards, such as the Federal Risk and Authorization Management Program (FedRAMP) and the Risk Management Framework (RMF), to help ensure that federal information systems are appropriately secured.
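As an added example (not part of the original article), the following Python applies the FIPS 199 categorization to a system that handles several information types. It goes slightly beyond the text above: FIPS 199 rates confidentiality, integrity, and availability separately for each information type and takes the highest rating in each column (the "high water mark") as the system's category. The system and information-type names are constructed.

```python
# Added example (not from the article): FIPS 199 security categorization.
# FIPS 199 rates each of confidentiality, integrity and availability as
# LOW, MODERATE or HIGH for every information type a system handles, and
# the system's category is the highest rating in each column ("high water mark").

LEVELS = ("LOW", "MODERATE", "HIGH")

def _rank(level: str) -> int:
    """Map an impact level to an integer so levels can be compared."""
    level = level.upper()
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)

def categorize_system(info_types: dict) -> dict:
    """Return the system's security category from per-information-type ratings.

    info_types maps a name to a dict with 'confidentiality', 'integrity'
    and 'availability' keys. For each objective the system-level rating is
    the highest rating across all information types (FIPS 199 high water mark).
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    category = {}
    for objective in ("confidentiality", "integrity", "availability"):
        highest = max(_rank(ratings[objective]) for ratings in info_types.values())
        category[objective] = LEVELS[highest]
    # The overall level selects the NIST SP 800-53 baseline (low/moderate/high).
    category["overall"] = LEVELS[max(_rank(v) for v in category.values())]
    return category

def format_sc(category: dict, system_name: str) -> str:
    """Render the category in the notation used by FIPS 199."""
    return (f"SC {system_name} = {{(confidentiality, {category['confidentiality']}), "
            f"(integrity, {category['integrity']}), "
            f"(availability, {category['availability']})}}")

# Constructed sample: a hypothetical benefits portal holding two information types.
SAMPLE_SYSTEM = {
    "public program descriptions": {"confidentiality": "LOW", "integrity": "MODERATE", "availability": "LOW"},
    "applicant PII": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
}

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_SYSTEM)
    print(format_sc(sc, "benefits portal"), "-> overall", sc["overall"])
```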
FIPS 200 draws on FIPS 199 categorization and the NIST SP 800-53 control baselines to define the minimum security requirements organizations must meet to comply with the Federal Information Security Management Act (FISMA).
This standard establishes the requirements for personal identity verification (PIV) cards used by federal employees and contractors to gain access to secure facilities and information systems. It specifies the technical and operational requirements for the cards, including the biometric and cryptographic technologies used for authentication.
FIPS 202 is a Federal Information Processing Standard that specifies the SHA-3 family of cryptographic hash functions. SHA-3 is used to verify the integrity and authenticity of data, for example within digital signatures and certificates, and is designed to offer better resistance to attacks than earlier versions of SHA without sacrificing performance.
FIPS 202 is used by the U.S. government and its contractors to protect sensitive information and ensure the authenticity and integrity of digital data. It is also used by other organizations and industries that require strong cryptographic security, such as the financial and healthcare sectors.
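As an added example (not part of the original article, and not any validated module's code), the following Python ties together the FIPS 140-3 pre-operational self-test requirement described earlier and the FIPS 202 SHA-3 function: a minimal module runs a known-answer test of SHA3-256 before offering any service, and moves into a persistent error state if the test fails. The class, state names, and the `faulty_sha3_256` stand-in are this example's own assumptions; the digests of the empty string and "abc" are the published SHA3-256 values.

```python
# Added example (not from the article): a FIPS 140-3 style pre-operational
# known-answer self-test for the FIPS 202 SHA3-256 function. The module refuses
# all cryptographic service requests until the self-test has passed and enters a
# persistent error state if it fails. Class and state names are this example's own.
import hashlib

# Known-answer test vectors: published SHA3-256 digests of "" and "abc".
SHA3_256_KAT = (
    (b"", "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a"),
    (b"abc", "3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532"),
)

class HashModule:
    """Minimal module with power-on, self-test, operational and error states."""

    def __init__(self, hash_impl=hashlib.sha3_256):
        self._hash = hash_impl      # injectable so a faulty implementation can be simulated
        self.state = "POWER_ON"

    def run_self_tests(self) -> bool:
        """Pre-operational KAT: every vector must match or the module is unusable."""
        self.state = "SELF_TEST"
        for message, expected in SHA3_256_KAT:
            if self._hash(message).hexdigest() != expected:
                self.state = "ERROR"   # no service is offered after a failed KAT
                return False
        self.state = "OPERATIONAL"
        return True

    def sha3_256(self, data: bytes) -> str:
        """Approved service; only available in the OPERATIONAL state."""
        if self.state != "OPERATIONAL":
            raise RuntimeError(f"module not operational (state={self.state})")
        return self._hash(data).hexdigest()

def faulty_sha3_256(data: bytes):
    """Simulated corrupted implementation: silently swaps in SHA-256 (constructed fault)."""
    return hashlib.sha256(data)

if __name__ == "__main__":
    good = HashModule()
    print("self-test passed:", good.run_self_tests(), "state:", good.state)
    print("digest:", good.sha3_256(b"signed document"))
    bad = HashModule(hash_impl=faulty_sha3_256)
    print("self-test passed:", bad.run_self_tests(), "state:", bad.state)
```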
Maintain a Bird’s-Eye View Over FIPS Compliance with Continuum GRC
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.