FIPS stands for Federal Information Processing Standards, and is “run” by NIST. It is a set of standards that dictates how information is stored, processed, and managed in the federal government. It has also leaked into the commercial sector through government contractors and the concept of “If it’s good enough for the government…”

Almost all of the FIPS standards are relevant to security. Ever hear of FIPS 197? It’s AES. A list of all FIPS documents is available through NIST, and if you’ve worked in information security, you’ve likely heard of at least 3-4 of them. The one I hear most often is FIPS 140-2. This is the standard for cryptographic modules, i.e. how a cryptographic implementation must be built and tested. An entire industry of independent testing laboratories has grown up to test specific cryptographic implementations for compliance, and what feeds that industry is the rule that the government won’t accept a cryptographic implementation unless it’s been certified. NIST issues a “certificate” and everything.

The FIPS 140-2 testing is quite rigorous, and until now was generally accepted as an “all clear to use” signal. Some implementation problems have just cropped up, and until someone knows what happened (bad testing, a different implementation from the one certified, etc.), we won’t know if the FIPS testing program is broken or if it was just a bad apple.