What are the requirements for FIPS compliance, and how do FIPS, NIST, and FISMA relate? We’ve covered all the important points for a complete FIPS overview.
What does FIPS stand for? FIPS stands for Federal Information Processing Standards, and it is a program overseen by NIST and the Department of Commerce that requires specific security standards for data and encryption.
What Are FIPS and Why Are They Important for Cybersecurity?
Federal Information Processing Standards (FIPS) are security standards for federal and defense cybersecurity compliance, specifically focusing on data encryption.
Encryption is a necessary part of almost every cybersecurity compliance framework implemented today, and it is no different for government agencies and their contractors. Encryption protects data from unauthorized viewing either at rest or in transit and serves as one of the major bulwarks against data theft.
Organizations implementing encryption should not use outdated or compromised algorithms that fail to protect data meaningfully. To support modern, effective encryption for protected data under use by government agencies, and even private organizations, the U.S. government distributed these standards for public use. These standards focus on several different topic areas, primarily encryption and cryptography, and are overseen by the National Institute of Standards and Technology (NIST). These regulations serve an essential purpose of filling gaps for encryption standards when no acceptable industry standards exist for a particular application.
Are these regulations always required for government agencies? Not necessarily. Some federal compliance standards will not include any processing standards, while others may include several. Additionally, these standards are available for use by anyone, and often private organizations adopt these standards above and beyond their own industry compliance requirements.
What Are Current FIPS Standards?
There are several updated FIPS in practice today. These FIPS cover different encryption standards and can be used together or individually to shore up encryption standards or as part of larger compliance frameworks.
Some of the current FIPS in practice right now include the following:
Initially published in 2001, FIPS 140-2 is perhaps one of the more widespread implementations of cryptographic controls. It defines appropriate levels of cryptography to protect federal data and assure that cryptographic modules produced by private organizations can meet those levels of protection. Furthermore, FIPS 140-2 breaks down cryptographic security into four distinct levels, each with increasing privacy, data isolation, and management controls. This standard does not refer to specific encryption algorithms but, due to evolving security challenges, an appropriate encryption algorithm would need to meet the criteria in the document. Currently, AES-128, AES-192, and AES-256 all meet standards.
Often, documents refer to FIPS 140-2 compliance. This does not refer to an organization being compliant, but rather the cryptography an organization has implemented as part of its products or systems.
Recently, FIPS 140-3 was approved. However, it is still being implemented in government settings, and as such, FIPS 140-2 is still the standard most referenced by compliance documents.
FIPS 180-4, originally published in 2008 and recently updated in 2015, specifies appropriate hash algorithms to develop digests of messages. In cryptography, a “digest” is an alphanumeric string created by hashing a piece of information. This digest is unique to the content in question and will only change if the core content changes. These digests are a critical part of ensuring the integrity of transmitted information.
Published in 2013, FIPS 186-4 defines a suite of algorithms for developing digital signatures. Much like hashing, digital signatures can help authenticate that data has not been modified. Furthermore, signatures can also be used to verify the identity of the sender. This publication defines signature algorithms using three techniques: Digital Security Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), and Rivest–Shamir–Adleman (RSA).
FIPS 197 defines the Advanced Encryption Standard (AES). AES uses symmetric block cipher techniques for encryption with the capability of generating cryptographic keys of various sizes (128, 192, and 256 bits). Larger cryptographic keys correspond to more complex encryption standards. AES encryption standards are considered FIPS 140-2 compliant and more than suitable for many private sector compliance requirements.
Published in 2008, FIPS 198-1 defines a hash key authentication method using shared secret keys called message authentication codes alongside cryptographic hash functions called hash message authentication codes.
FIPS 199 is a 2004 publication that defines how IT experts and technology leaders should organize federal systems based on their relative levels of required confidentiality, integrity, and availability. The impact levels define how critical the information contained in these systems is and how damaging the loss of that data would be to agencies and constituents. FIPS 199 breaks information systems into low, moderate, and high impact levels, each with increasing security requirements. Other frameworks, namely FedRAMP, rely on FIPS 199 for their own compliance and security level designations.
FIPS 200 is a 2006 publication that superseded SP 800-26 and defines minimum security requirements for government agencies under the Information Technology Management Reform Act of 1996 (FISMA ). It serves as a cornerstone, along with NIST SP 800-53, for national cybersecurity, including the Cybersecurity Framework (CSF) and the Risk Management Framework.
Released in 2013, FIPS 201-2 is a set of standards used to verify the identities of federal employees and contractors. Identification and authentication are challenging practices, and this document introduces requirements for practices like physical identification, biometric authentication, and identity proofing. It also contains standards (or refers to outside standards) for practices like securing authentication information.
FIPS 202 defines Secure Hash Algorithm 3 for hashing, digital signatures, and other cryptographic applications. This hash algorithm supplements the Secure Hash Algorithms outlined in FIPS 180-4 to support strong information authentication and integrity maintenance.
These rules are not set in stone. As technology evolves and new security challenges arise, standards are often withdrawn, revised, and replaced with more advanced standards. For example, FIPS 46-3 (Data Encryption Standard) was withdrawn in 2005 because it no longer met the minimum requirements expected in federal security. As publications are withdrawn, new ones are typically added to address the limitations.
What Are FIPS Compliance Requirements?
The truth is that compliance can mean a lot of different things, and these things can change over time. More often than not, any compliance frameworks with specific encryption standards will refer to a publication. For example, almost all government compliance standards include one or more requirements (often FIPS 140-2 and some include FIPS 199) to help define different levels of compliance.
Compliance often only applies to certain parts of a compliance framework. An organization may never actually worry about compliance for itself, but it may look for technology vendors or products that adhere to some specifications. For example, a business in an industry that requires certain types of encryption may purchase and use FIPS 140-2 compliant products and services.
Consider FIPS Compliance and Compliant Technology
FIPS is not just for government agencies. The techniques and technologies outlined in these documents are useful for private organizations as well. Many choose to follow guidelines to offer clients strong technology or IT infrastructure to protect customer data.
Check out more about Kiteworks and FIPS Compliance. To learn more about how Kiteworks is FIPS compliant and provides comprehensive governance for content moving into, within, and out of your organization, schedule a demo.
Get email updates with our latest blogs news