
Compliance FAQs: Federal Information Processing Standards (FIPS)

This content last updated 07/03/2024. (Note: Content may not be the most current.)

 

What are Federal Information Processing Standards (FIPS)?

FIPS are standards for federal computer systems that are developed by the National Institute of Standards and Technology (NIST) and approved by the Secretary of Commerce in accordance with the Information Technology Management Reform Act of 1996 and Computer Security Act of 1987. These standards are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the Federal Government, many in the private sector voluntarily use these standards.

 

What are the current FIPS?

The list of current FIPS—those that have been published, plus draft FIPS posted for comment—can be found on NIST’s Current FIPS webpage.

 

Are all FIPS mandatory?

No. FIPS are not always mandatory for federal agencies. The applicability section of each FIPS details when the standard is applicable and mandatory. FIPS do not apply to national security systems (as defined in Title III, Information Security, of the Federal Information Security Management Act (FISMA) of 2002).

State agencies administering federal programs like unemployment insurance, student loans, Medicare, and Medicaid must comply with FISMA. Private sector companies with government contracts must also comply with FISMA, which mandates the use of FIPS.

 

Can federal agencies waive mandatory FIPS?

No. The Computer Security Act of 1987 contained a waiver process for FIPS; however, this Act was superseded by FISMA of 2002 (as amended by the Federal Information Security Modernization Act (FISMA) of 2014), which no longer allows this practice. Some FIPS may still contain language referring to the “waiver process,” but this is no longer valid.

 

How can FIPS be used by non-government organizations?

While FIPS are required for Federal Government organizations, the standards are valuable resources for non-government organizations looking to secure their information and systems and establish strong information security programs.

 

How are FIPS developed and when are they withdrawn?

Please visit Procedures for Developing FIPS (Federal Information Processing Standards) Publications for current information on how FIPS are developed and when they are withdrawn. 

 


The NIST Standards Information Center makes every effort to provide accurate and complete information. Various data such as names, telephone numbers, links to websites, etc. may change prior to updating. We welcome suggestions on how to improve this FAQ and correct errors. The Standards Information Center provides this information “AS-IS.” NIST and the Standards Information Center make NO WARRANTY OF ANY TYPE, including NO WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NIST makes no warranties or representations as to the correctness, accuracy, completeness, or reliability of the information. As a condition of using the FAQs, you explicitly release NIST/Standards Information Center from any and all liabilities for any damage of any type that may result from errors or omissions in the FAQ or other data. Some of the documents referenced point to information created and maintained by other organizations. The Standards Information Center does not control and cannot guarantee the relevance, timeliness, or accuracy of these materials. 


Created July 10, 2018, Updated July 3, 2024