The National Institute of Standards and Technology (NIST) develops FIPS publications when required by statute and/or when there are compelling federal government requirements for cybersecurity. FIPS publications are issued by NIST after approval by the Secretary of Commerce, pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106), and the Computer Security Act of 1987 (Public Law 100-235).
The Federal Information Security Management Act (FISMA) of 2002 (as amended by the Federal Information Security Modernization Act (FISMA) of 2014) does not include a statutory provision allowing federal agencies to waive the provisions of mandatory FIPS publications. Waivers approved by the heads of agencies had previously been allowed under the Computer Security Act, which was superseded by FISMA. Therefore, the waiver procedures included in several FIPS publications are no longer in effect.
The applicability sections of each FIPS publication should be reviewed to determine if the publication is mandatory for federal agency use.
FIPS publications do not apply to national security systems (as defined in Title III, Information Security, of FISMA).
FIPS publications may be adopted and used by non-federal government organizations and private sector organizations.
An individual FIPS publication may use document conventions to state requirements, recommended options, or permissible actions within the publication (e.g., ‘shall,’ ‘should,’ or ‘may’). For example, a FIPS publication may use: “shall” statements to indicate what is necessary to correctly implement its requirements; “should” statements to indicate a recommendation; and “may” statements to indicate a permissible action.
FIPS publications are not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
In general, the use of an essential patent claim (one whose use would be required for compliance with the guidance or requirements of a FIPS publication) may be considered if technical reasons justify this approach. In such cases, a patent holder would have to agree to either a Royalty-Free (RF) or Royalty-Bearing (RB) license on terms which are Reasonable and Non-Discriminatory (RAND).
Any mention of commercial products within FIPS publications is for informational purposes only; it does not imply recommendation or endorsement by NIST.