Question

Are FIPS and other NIST InfoSec standards and criteria accepted commercially?

Compliance, Laws, Regulations, standards, Vendors, CIO, Security, Security management, Security products, Financial services applications

I know that information security decision makers and policy makers within the Federal government rely heavily on standards such as FIPS certification from the National Institute of Standards and Technology (NIST). How much weight is there placed on a product or service that has met certification requirements from NIST in non-government verticals? For example, would a bank, healthcare company, or manufacturing company choose a FIPS-certified VPN or Firewall over a comparable VPN or firewall product that has not been certified?

Thanks in advance for your feedback and comments.

I come from the Financial Services industry. I can't speak for all financial services companies, but I can share how my company would look at it.

We are very much market driven. If a market segment or an important client needed their financial services provider to be FIPS-compliant, we would very likely choose the FIPS-certified product over the non-certified product.

Otherwise the decision may be based upon
- the company's political climate
- the company's risk tolerance
- what information is being protected (i.e., all customer data vs. limited subset of public information)
- the cost comparison
- the vendors' customer responsiveness and support
- the internal business line's willingness to absorb any extra costs


I have not (yet) experienced any pressure from regulatory agencies to favor the FIPS-compliant products or services. Our independent auditing firm that qualifies financial statements under Sarbanes-Oxley has not applied any similar pressure.

In summary, for my company the answer is not an automatic 'yes' unless it would be vital for customer service.

I hope this helps you.