Are FIPS and other NIST InfoSec standards and criteria accepted commercially?

Financial services applications
Security management
Security products
I know that information security decision makers and policy makers within the Federal government rely heavily on standards such as FIPS certification from the National Institute of Standards and Technology (NIST). How much weight is placed on a product or service that has met certification requirements from NIST in non-government verticals? For example, would a bank, healthcare company, or manufacturing company choose a FIPS-certified VPN or firewall over a comparable VPN or firewall product that has not been certified? Thanks in advance for your feedback and comments.

Answer Wiki

I come from the Financial Services industry. I can’t speak for all financial services companies, but I can share how my company would look at it.

We are very much market driven. If a market segment or an important client needed their financial services provider to be FIPS-compliant, we would very likely choose the FIPS-certified product over the non-certified product.

Otherwise the decision may be based upon
– the company’s political climate
– the company’s risk tolerance
– what information is being protected (i.e., all customer data vs. limited subset of public information)
– the cost comparison
– the vendors’ customer responsiveness and support
– the internal business line’s willingness to absorb any extra costs

I have not (yet) experienced any pressure from regulatory agencies to favor the FIPS-compliant products or services. Our independent auditing firm that qualifies financial statements under Sarbanes-Oxley has not applied any similar pressure.

In summary, for my company the answer is not an automatic ‘yes’ unless it would be vital for customer service.

I hope this helps you.

  • Wickedstick
    FIPS is a set of standards and guidelines developed mainly for Federal use. That doesn't mean others can't use it or base their decisions the same way (a cheap way to come up with your standards, since they're already written), but many may not apply to civilian environments. I'm going to base my purchasing decisions on other factors and could really care less if it is FIPS compliant.