What Is FIPS Mode—and Why Don’t Pure Storage Products Need It?

When a system is in FIPS mode, it is restricted to cryptographic algorithms and protocols that meet a U.S. federal standard for security compliance.

What Is FIPS Mode?

Note: Not all storage hardware or software exposes a FIPS mode toggle. In the case of Pure Storage arrays, FIPS-compliant encryption is always on—by design—using modules independently validated to FIPS 140-3. There is no configuration step or switch required (or possible) to enable or disable FIPS mode. If FIPS compliance is a requirement, customers should look for explicit statements of FIPS certification in system specifications or documentation. Always verify with the vendor that the product has been independently validated, and understand that not every secure storage device will utilize a user-configurable “FIPS mode” as some platforms do.

Every day, government agencies are entrusted with data that can impact lives, national security, and the public’s faith in government itself. Whether it’s a city police department analyzing bodycam footage, a health agency managing medical records, or a federal contractor processing classified documents, the stakes are high. In this environment, artificial intelligence (AI) is a game-changer—but only if the underlying data infrastructure is secure, resilient, and compliant with the highest standards.

That’s where the Federal Information Processing Standards (FIPS) come in. We’ve already delved into FIPS, generally. In this blog, we’ll focus more on what FIPS mode and FIPS validation are and how they enable cyber resiliency within a company.

Quick Recap: What Are the Federal Information Processing Standards (FIPS)?

Established in 1974, the Federal Information Processing Standards (FIPS) are a set of federal security standards designed for protecting sensitive data and systems leveraged by U.S. government agencies and the contractors and vendors they work with. They’re specifically meant to inform the operation of cryptographic modules—algorithms that encrypt data stored within the system or device. 

Encryption modules for information technology and computer security programs that are running in FIPS mode will perform FIPS-compliant functions such as key generation, encryption, and decryption. 

What Is NIST?

Imagine the early days of digital government: data scattered across mainframes, little standardization, and a growing awareness that information—whether a Social Security number or a defense plan—was both an asset and a target. The National Institute of Standards and Technology (NIST) emerged as the federal government’s answer to this challenge, developing a comprehensive set of guidelines, controls, and best practices to help agencies protect their most sensitive information.

NIST security standards are more than just technical checklists. They’re a living framework for risk management, designed to help agencies:

  • Identify and assess vulnerabilities
  • Detect and respond to cyber threats
  • Recover from incidents and maintain operational continuity

NIST’s frameworks, such as the Cybersecurity Framework (CSF) 2.0 and the Special Publication (SP) 800 series, have become the gold standard not just for federal agencies, but for any organization—public or private—that wants to demonstrate a commitment to security, transparency, and public trust.

FIPS: The Federal Standard for Data Security

Now, let’s zoom back in on FIPS. Developed and maintained by NIST, FIPS provides the technical backbone for federal data security, especially around encryption and cryptographic modules. If you’re storing, transmitting, or processing sensitive government data, FIPS isn’t optional—it’s mandatory.

  • Encryption: All sensitive data, whether at rest or in transit, must be protected using FIPS-validated cryptographic algorithms (like AES-256).
  • Physical security: Hardware (like storage arrays) must be protected in secure data centers, with strict access controls and monitoring.
  • Authentication: Systems must use secure authentication mechanisms, including multi-factor authentication and cryptographic tokens, to prevent unauthorized access.
  • Auditing and monitoring: FIPS-compliant systems must log all security events, enabling agencies to detect and respond to incidents quickly.

For federal agencies, contractors, and any organization working with government data, FIPS compliance is often the gatekeeper for contracts, grants, and continued funding. But it’s more than a procurement hurdle—it’s a signal to the public that their information is being guarded with the utmost care.

What Is FIPS Mode?

FIPS mode is a configuration setting available on certain hardware and software systems, such as data storage arrays, operating systems, and network devices. When enabled, FIPS mode ensures that the system uses only FIPS-validated cryptographic algorithms and modules for encryption and other security functions. This helps to protect sensitive data and meet regulatory requirements for organizations that handle classified or sensitive information. While running in FIPS mode does not guarantee that a system is fully FIPS compliant, it is a critical step toward achieving compliance, especially when combined with other security measures and validation processes.
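An added example (not from the original post or from Pure Storage) of checking this on an operating system that does expose the setting: it reads the Linux kernel's FIPS flag and then tests whether OpenSSL actually refuses MD5, a hash that is not FIPS-approved. It assumes a Linux host with the `openssl` CLI installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the kernel's FIPS flag with what the crypto library enforces.

# Print on/off/absent/unknown for the kernel FIPS flag.
# $1 optionally overrides the flag file path (used for testing).
fips_kernel_flag() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$flag_file" ]; then
        echo absent
        return 0
    fi
    case "$(tr -d '[:space:]' < "$flag_file")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# Probe enforcement: a library restricted to approved algorithms should refuse MD5.
# Prints blocked/allowed, or untested when the openssl CLI is missing.
md5_probe() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo untested
    elif printf 'probe' | openssl md5 >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

# Combine both observations into a finding an auditor can act on.
# $1 = kernel flag state, $2 = probe result.
fips_verdict() {
    case "$1:$2" in
        on:blocked)                  echo "CONSISTENT: flag on, MD5 refused" ;;
        on:allowed)                  echo "MISMATCH: flag on, but MD5 still works" ;;
        off:blocked|absent:blocked)  echo "MISMATCH: MD5 refused, kernel flag not set" ;;
        off:allowed|absent:allowed)  echo "NOT IN FIPS MODE" ;;
        *)                           echo "INCONCLUSIVE: flag=$1 probe=$2" ;;
    esac
}

# Report for the host this script runs on.
fips_verdict "$(fips_kernel_flag)" "$(md5_probe)"
```

A CONSISTENT result shows that the restriction is enforced on that host, not that the cryptographic module holds a validation certificate; that still has to be confirmed against the vendor's documentation.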

FIPS Mode FAQs

Yes, FIPS mode can be disabled. When FIPS mode is disabled, non-FIPS compliant functions are no longer restricted.

Any technology or system that can run FIPS-compliant encryption algorithms or operations can be put into FIPS mode. 

The types of hardware that can be put into FIPS mode include hardware that performs cryptographic functions, such as:

  • Data storage arrays (e.g., self-encrypting drives)
  • Network devices, such as routers, firewalls, and network switches
  • Security devices

The types of software that can have FIPS mode enabled include systems or software that run encryption modules, such as:

  • Operating systems
  • Encryption software
  • Virtual private networks (VPNs)
  • SIEM software or network intrusion detection systems

The networks or industries that need FIPS mode are contractually obligated to use it and are typically those networks within the United States handling classified information for the U.S. government. These can include:

  • Federal and government networks
  • Law enforcement, national security, and national defense networks
  • Healthcare networks
  • Military networks
  • Critical infrastructure, including the utilities sector, energy, power, and power grid networks

FIPS Mode: More Than a Switch—A Security Mindset

Think of FIPS mode as a security “lockdown.” When a storage system or device is operating in FIPS mode, it’s only using FIPS-validated cryptographic functions. Non-compliant algorithms are disabled. This ensures that every bit and byte—whether it’s a classified document or a citizen’s health record—is encrypted and protected according to the most rigorous standards.

But FIPS mode is only part of the story, because there’s also FIPS validation. True FIPS validation means the product has been independently tested and certified by accredited labs, with every cryptographic function scrutinized for vulnerabilities. For government agencies, this isn’t just about compliance—it’s about resilience in the face of ransomware, insider threats, and nation-state adversaries.

Learn more about FIPS compliance and how it’s determined.

How Does FIPS Validation Boost Cyber Resiliency?

For government agencies and regulated organizations, FIPS validation is more than a compliance checkbox—it’s a cornerstone of a resilient, defensible cybersecurity posture. By adhering to the FIPS, organizations gain not only robust encryption, but also a holistic, standardized approach to safeguarding sensitive data and keeping systems running in the face of evolving threats.

FIPS-validated storage systems use rigorously tested cryptographic modules—such as AES-256 encryption—to secure data both at rest and in transit. This means that even if an adversary gains physical access to storage media, the information remains indecipherable and unusable. The “encrypt everything” philosophy mandated by FIPS ensures that all data, regardless of where it resides, is protected without degrading system performance. For agencies handling sensitive but unclassified information (SBU), this level of assurance is critical, especially as cyber adversaries grow more sophisticated.

FIPS compliance extends well beyond encryption. It requires a comprehensive security framework that addresses:

  • Physical security: FIPS standards mandate strict controls over physical infrastructure, including secure data centers, access restrictions, surveillance, and environmental safeguards to prevent unauthorized tampering or theft.
  • Authentication: Secure authentication mechanisms—such as multi-factor authentication and cryptographic tokens—are required to ensure that only authorized personnel can access critical systems and data.
  • Auditing and monitoring: FIPS-compliant systems must provide robust logging, monitoring, and reporting capabilities. This enables real-time detection of suspicious activity, supports incident response, and satisfies regulatory reporting requirements.

With ransomware attacks on the rise, FIPS-compliant storage offers a crucial line of defense. By enforcing strong encryption, access controls, and secure key management, organizations can prevent malicious actors from encrypting or exfiltrating data—even if perimeter defenses are breached. The standardized controls required by FIPS help ensure that, in the event of an attack, critical data remains protected and recoverable, minimizing downtime and data loss.

Implementing FIPS-validated solutions delivers tangible benefits beyond technical security:

  • Regulatory alignment: FIPS compliance supports adherence to other mandates like HIPAA, FISMA, and CMMC, reducing compliance complexity and audit overhead.
  • Market access: For government agencies and contractors, FIPS validation is often a prerequisite for doing business, opening doors to new contracts and funding opportunities.
  • Reputation and trust: Demonstrating FIPS compliance signals to citizens, partners, and oversight bodies that your organization takes data protection seriously, reinforcing public trust and confidence.

FIPS provides a common security baseline across agencies and vendors, enabling secure data exchange and interoperability regardless of platform or technology stack. This standardization is essential for modern government operations, where collaboration and data sharing are mission-critical.

Why Pure Storage Arrays May Not Require (or Expose) “FIPS Mode”

Conclusion

FIPS mode is a very specific configuration for devices and systems that must be FIPS compliant, but it’s important to note that it is not a catchall, nor will it be appropriate for every device or system. Not all data storage devices are able to be FIPS compliant or run in FIPS mode. If you need a FIPS-compliant data storage device, look for a storage array that explicitly notes FIPS compliance in its system documentation (e.g., technical specs and user manuals), check the vendor’s documentation, or reach out to technical support.
