7. Specifications.Federal Information Processing Standard (FIPS)197,Advanced Encryption Standard(AES)(affixed). 8.Implementations.The algorithm specified in this standard may be implemented in software,firmware,hardware,or any combination thereof.The specific implementation may depend on several factors such as the application,the environment,the technology used,etc.The algorithm shall be used in conjunction with a FIPS approved or NIST recommended mode of operation.Object Identifiers(OIDs)and any associated parameters for AES used in these modes are available at the Computer Security Objects Register (CSOR),located at http://csrc.nist.gov/csor/[2]. Implementations of the algorithm that are tested by an accredited laboratory and validated will be considered as complying with this standard.Since cryptographic security depends on many factors besides the correct implementation of an encryption algorithm,Federal Government employees,and others,should also refer to NIST Special Publication 800-21,Guideline for Implementing Cryptography in the Federal Government,for additional information and guidance (NIST SP 800-21 is available at http://csrc.nist.gov/publications/) 9. Implementation Schedule.This standard becomes effective on May 26,2002 10.Patents.Implementations of the algorithm specified in this standard may be covered by U.S.and foreign patents. 11.Export Control.Certain cryptographic devices and technical data regarding them are subject to Federal export controls.Exports of cryptographic modules implementing this standard and technical data regarding them must comply with these Federal regulations and be licensed by the Bureau of Export Administration of the U.S.Department of Commerce.Applicable Federal government export controls are specified in Title 15,Code of Federal Regulations(CFR)Part 740.17:Title 15,CFR Part 742;and Title 15,CFR Part 774,Category 5,Part 2. 12. Qualifications.NIST will continue to follow developments in the analysis of the AES algorithm.As with its other cryptographic algorithm standards,NIST will formally reevaluate this standard every five years. Both this standard and possible threats reducing the security provided through the use of this standard will undergo review by NIST as appropriate,taking into account newly available analysis and technology.In addition,the awareness of any breakthrough in technology or any mathematical weakness of the algorithm will cause NIST to reevaluate this standard and provide necessary revisions. 13.Waiver Procedure.Under certain exceptional circumstances,the heads of Federal agencies,or their delegates,may approve waivers to Federal Information Processing Standards (FIPS).The heads of such agencies may redelegate such authority only to a senior official designated pursuant to Section 3506(b)of Title 44,U.S.Code.Waivers shall be granted only when compliance with this standard would a.adversely affect the accomplishment of the mission of an operator of Federal computer system or b.cause a major adverse financial impact on the operator that is not offset by government- wide savings. iⅱiii 7. Specifications. Federal Information Processing Standard (FIPS) 197, Advanced Encryption Standard (AES) (affixed). 8. Implementations. The algorithm specified in this standard may be implemented in software, firmware, hardware, or any combination thereof. The specific implementation may depend on several factors such as the application, the environment, the technology used, etc. The algorithm shall be used in conjunction with a FIPS approved or NIST recommended mode of operation. Object Identifiers (OIDs) and any associated parameters for AES used in these modes are available at the Computer Security Objects Register (CSOR), located at http://csrc.nist.gov/csor/ [2]. Implementations of the algorithm that are tested by an accredited laboratory and validated will be considered as complying with this standard. Since cryptographic security depends on many factors besides the correct implementation of an encryption algorithm, Federal Government employees, and others, should also refer to NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government, for additional information and guidance (NIST SP 800-21 is available at http://csrc.nist.gov/publications/). 9. Implementation Schedule. This standard becomes effective on May 26, 2002. 10. Patents. Implementations of the algorithm specified in this standard may be covered by U.S. and foreign patents. 11. Export Control. Certain cryptographic devices and technical data regarding them are subject to Federal export controls. Exports of cryptographic modules implementing this standard and technical data regarding them must comply with these Federal regulations and be licensed by the Bureau of Export Administration of the U.S. Department of Commerce. Applicable Federal government export controls are specified in Title 15, Code of Federal Regulations (CFR) Part 740.17; Title 15, CFR Part 742; and Title 15, CFR Part 774, Category 5, Part 2. 12. Qualifications. NIST will continue to follow developments in the analysis of the AES algorithm. As with its other cryptographic algorithm standards, NIST will formally reevaluate this standard every five years. Both this standard and possible threats reducing the security provided through the use of this standard will undergo review by NIST as appropriate, taking into account newly available analysis and technology. In addition, the awareness of any breakthrough in technology or any mathematical weakness of the algorithm will cause NIST to reevaluate this standard and provide necessary revisions. 13. Waiver Procedure. Under certain exceptional circumstances, the heads of Federal agencies, or their delegates, may approve waivers to Federal Information Processing Standards (FIPS). The heads of such agencies may redelegate such authority only to a senior official designated pursuant to Section 3506(b) of Title 44, U.S. Code. Waivers shall be granted only when compliance with this standard would a. adversely affect the accomplishment of the mission of an operator of Federal computer system or b. cause a major adverse financial impact on the operator that is not offset by government￾wide savings