U.S. Department of Health and Human Services
With the passage of FISMA in 2002, there is no longer a statutory provision that allows agencies to waive mandatory FIPS. The waiver provision had been included in the Computer Security Act of 1987; however, FISMA supersedes that Act. Therefore, the references to the "waiver process" contained in many of the FIPS listed below are no longer operative.
Note, however, that not all FIPS are mandatory; consult the applicability section of each FIPS for details. FIPS do not apply to national security systems (as defined in FISMA). Detailed guidance on implementing FIPS can be found at: http://csrc.nist.gov/publications/PubsSPs.html
Information Security and the EPLC Compulsory Standards