Praetorian Secure

Regulatory Compliance


FIPS


Praetorian Secure has a firm understanding of the Federal Information Processing Standards (FIPS). Under the Information Technology Management Reform Act, Public Law 104-106, the U.S. Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST continues to add revisions, and periodic review is required to maintain compliance. Below are the key areas of FIPS:

  • 140-2   Security Requirements for Cryptographic Modules

  • 180-3   Secure Hash Standard (SHS)

  • 181   Automated Password Generator

  • 185   Escrowed Encryption Standard (EES)

  • 186-3   Digital Signature Standard (DSS)

  • 188   Standard Security Label for Information Transfer

  • 190   Guideline for the Use of Advanced Authentication Technology Alternatives

  • 191   Guideline for the Analysis of Local Area Network Security

  • 196   Entity Authentication Using Public Key Cryptography

  • 197   Advanced Encryption Standard (AES)

  • 198-1   The Keyed-Hash Message Authentication Code (HMAC)

  • 199   Standards for Security Categorization of Federal Information and Information Systems

  • 200   Minimum Security Requirements for Federal Information and Information Systems

  • 201-1   Personal Identity Verification for Federal Employees and Contractors

For applications or devices that include cryptography, U.S. federal government agencies are required to use a cryptographic product that has been FIPS 140-2 validated or Common Criteria (CC) validated, and most CC protection profiles rely on FIPS validation for cryptographic security. FIPS 140-2 is currently being revised to 140-3. The FIPS 140 requirement is applicable to all U.S. government departments and agencies which use cryptographic-based security systems to protect unclassified information, including any organization selling products to U.S. and Canadian government agencies. With the passage of the Federal Information Security Management Act (FISMA) of 2002, there is no longer a statutory provision to allow for agencies to waive mandatory Federal Information Processing Standards (FIPS). The waiver provision had been included in the Computer Security Act of 1987; however, FISMA supersedes that Act. Therefore, the references to the "waiver process" contained in many of the FIPS are no longer operative.

For more information: http://www.nist.gov/itl/fips.cfm