Introduction
FIPS publications are intended for use by federal government agencies to protect non-national security federal information systems. FIPS publications do not apply to national security systems (as defined in Title III, Information Security, of FISMA). FIPS publications may be adopted and used by non-federal government organizations and private sector organizations.
NIST develops FIPS publications when required by statute and/or there are compelling federal government requirements for cybersecurity and NIST has determined that there are no acceptable voluntary consensus standards available.
NIST works closely with stakeholders in government, industry, academia, and other organizations during the FIPS publication development process. The development process provides multiple opportunities for stakeholder input. FIPS publications become official federal government standards when approved by the Secretary of Commerce and announced in the Federal Register. FIPS publications are reviewed by NIST at least every 5 years in order to determine whether they should remain unchanged, revised, or withdrawn.
To support international voluntary consensus standards development, NIST may collaborate with standards developing organizations to have a FIPS publication’s technical specifications adopted as an international standard. NIST may also consider harmonizing a FIPS publication with an international standard.
See ITL’s main FIPS page for additional FIPS publications information and links.
FIPS Publication Development
After either: i) being directed by executive action or legislative statute, or ii) determining the possible need for standardization, NIST will take many or all of the following steps to develop a new or revised FIPS publication (the exact steps and their order may vary):
- At any point during the development process, NIST may choose to hold a public event such as a conference or workshop to allow for the review of proposals and comments by all interested parties.
- A Federal Register Notice (FRN):
  - announces NIST’s intent to develop/revise a FIPS publication; and
  - starts a comment period (typically 30 to 90 days) to get stakeholder feedback.
- NIST incorporates feedback into its decision-making process.
- Another FRN:
  - announces next steps and development process details, such as:
    - submission of candidate algorithms, methods or techniques;
    - evaluation and testing by stakeholders and NIST; and
    - conferences, workshops, and online discussion forums to analyze and discuss submissions.
  - includes a summary of public comments received, and links to the original comments posted on csrc.nist.gov; and
  - may solicit new comments, specifying another comment period.
- Another FRN:
  - may announce NIST’s selection for the FIPS publication or announce a draft FIPS publication; and
  - starts a comment period (typically 30 to 90 days) to get stakeholder feedback.
- NIST incorporates feedback, and either:
  - issues a subsequent draft, soliciting feedback in another FRN; or
  - prepares the final FIPS publication.
- After approval by NIST management, the FIPS publication, along with supporting documentation, is sent to the Secretary of Commerce for approval.
- If the Secretary approves the FIPS publication, NIST prepares a final FRN that announces the approved FIPS publication.
- When the FRN is released, the FIPS publication is posted on csrc.nist.gov and www.nist.gov, and announced through various media channels.
For additional details about cryptography-related FIPS publications, see NIST Internal Report (NISTIR) 7977, NIST Cryptographic Standards and Guidelines Development Process.
FIPS Publication Withdrawal
FIPS publications are reviewed by NIST every five years. The NIST review determines if a FIPS publication has been superseded by other documents or describes outdated technology or processes. Based upon such a determination, NIST takes the following steps to withdraw a FIPS publication:
- A Federal Register Notice (FRN):
  - announces NIST’s intent to withdraw specific FIPS publications, including brief rationale; and
  - starts a (typically) 30- to 90-day public comment period to get stakeholder feedback.
- NIST evaluates the comments received, and determines whether to continue with the withdrawal.
- The Secretary of Commerce receives NIST’s recommendation to withdraw FIPS publications.
- If the Secretary approves, then another FRN:
  - announces the withdrawal; and
  - includes a summary of comments received and links to the original comments posted on csrc.nist.gov.
- NIST’s online publication databases are updated to reflect the withdrawal.
- A cover sheet with information about the withdrawal is appended to the online FIPS.