FIPS (Federal Information Processing Standards) Compliance in Office & PDF File API
Federal Information Processing Standards (FIPS) were developed by the National Institute of Standards and Technology (NIST). These standards apply to computer systems used by non-military government agencies and contractors. FIPS define security requirements for cryptographic modules and algorithms used in software.
DevExpress components and libraries are designed for FIPS compliance. This means our products use cryptographic algorithms that meet NIST standards. This compliance is important for organizations that handle sensitive data and must follow strict security requirements.
Note
FIPS defines approved cryptographic algorithms and implementations, but many commonly available algorithms (such as MD5, SHA-1, RC4) are not compliant due to known security weaknesses. In .NET, enforcement varies by runtime: .NET Framework may block non-compliant algorithms and throw exceptions when FIPS mode is enabled. In contrast, newer runtimes (.NET 5+/8+) may allow them to execute without error even though they remain non-compliant. Ensure that both the algorithm and its implementation meet FIPS requirements for the target environment.
Format Support and FIPS Compliance
The table below lists file formats supported by DevExpress Office File API and their FIPS compliance:
| Format | Encryption Algorithm | Revision | FIPS Compliance |
|---|---|---|---|
| PDF 1.1-1.3 | RC4 40-bit | R2 | Not compliant |
| PDF 1.4-1.5 | RC4 128-bit | R3/R4 | Not compliant |
| PDF 1.6-1.7 | AES-128 | R4 | Compliant |
| PDF 1.7 Extension 3 | AES-256 | R5 | Not compliant |
| PDF 2.0 | AES-256 improved | RE | Compliant |
| DOC (Word 97–2003) | RC4 40-bit | — | Not compliant |
| DOC (Word 97–2003) | RC4 128-bit | — | Not compliant |
| DOCX (Word 2007+) | AES-128 (CBC) | — | Compliant |
| DOCX (Word 2010+) | AES-256 (CBC) | — | Compliant |
| XLS (Excel 97–2003) | RC4 40-bit | — | Not compliant |
| XLS (Excel 97–2003) | RC4 128-bit | — | Not compliant |
| XLSX (Excel 2007+) | AES-128 (CBC) | — | Compliant |
| XLSX (Excel 2010+) | AES-256 (CBC) | — | Compliant |
Behavior in FIPS Mode
DevExpress checks OperatingSystemLevelFipsMode.IsEnabled at the public API entry point before any cryptographic operation begins. When FIPS mode is active, and the requested operation requires a non-compliant algorithm, the library throws an exception: DevExpress.Utils.OperatingSystemLevelFipsMode+ComplianceViolationException. The exception message includes the name of the non-compliant algorithm and a recommended compliant alternative.
Your .NET Core or .NET 5+ application may previously have used non-compliant algorithms on FIPS-enforced machines without errors. It now throws a ComplianceViolationException.
Note
FIPS enforcement is a system-wide policy controlled by your IT or security team. We do not recommend disabling FIPS compliance in your development environment for testing purposes. Consult your organization’s security policy first.
Best Practices for FIPS Compliance
Switch to a FIPS-Compliant Format
Convert your documents to the recommended FIPS-compliant formats before deploying your application to FIPS environments. The table below lists the recommended compliant alternatives for common formats:
| Current format | Compliant replacement |
|---|---|
| Encrypted XLS | Encrypted XLSX |
| Encrypted DOC | Encrypted DOCX |
| PDF with ARC4 or AES-128 | PDF with AES-256 (PdfEncryptionAlgorithm.AES256) |
| XLSX / DOCX sheet or document protection with SHA-1 or MD5 hash algorithm | SHA-256 (or stronger) protection hash algorithm |
The following properties and parameters allow you to specify compliant algorithms when working with supported formats:
- PDF Document API: PdfEncryptionOptions.Algorithm
- Spreadsheet Document API: EncryptionOptions.Type
- Word Document API: DocumentEncryption.Type
Check for FIPS Mode and Notify a User
Use the DevExpress.Utils.OperatingSystemLevelFipsMode.IsEnabled property to detect FIPS mode before any API call, and display an actionable message instead of throwing an exception.
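One way to implement this pre-check, as an added example that is not DevExpress code: the `FipsPreflight` class and `GetBlockingMessage` method are hypothetical names, and the example assumes that only password-protected DOC/XLS files are affected, as the replacement table above suggests. The encryption algorithm of a PDF, DOCX or XLSX file cannot be read from its name, so those files still rely on the exception handler described in the next section.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using DevExpress.Utils;

// Hypothetical helper (not part of the DevExpress API).
public static class FipsPreflight {
    // Encrypted legacy formats and their compliant replacements,
    // taken from the replacement table on this page.
    static readonly Dictionary<string, string> Replacements =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase) {
            { ".xls", "XLSX" },
            { ".doc", "DOCX" },
        };

    // Returns null when the file can be passed to the API, or a message
    // to show the user when FIPS mode would reject it.
    public static string GetBlockingMessage(string path, string password) {
        if (!OperatingSystemLevelFipsMode.IsEnabled)
            return null;  // FIPS checks are off: nothing to pre-check
        if (string.IsNullOrEmpty(password))
            return null;  // assumption: only encrypted files are affected
        string replacement;
        if (!Replacements.TryGetValue(Path.GetExtension(path), out replacement))
            return null;  // algorithm is not visible from the file name
        return string.Format(
            "{0} is an encrypted legacy file that uses RC4, which is not allowed " +
            "on this machine (FIPS mode). Re-save it as encrypted {1} and try again.",
            Path.GetFileName(path), replacement);
    }
}

// Usage at the call site (ShowError is the application's own UI routine):
//   string msg = FipsPreflight.GetBlockingMessage(path, password);
//   if (msg != null) ShowError(msg);
//   else spreadsheet.LoadDocument(path, password);
```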
Update Existing Exception Handlers
If you are processing documents that may be encrypted with non-compliant algorithms, update existing exception handlers. Catch ComplianceViolationException instead of (or in addition to) TargetInvocationException.
```csharp
using DevExpress.Utils;

try {
    spreadsheet.LoadDocument("report.xls", "password");
}
catch (OperatingSystemLevelFipsMode.ComplianceViolationException ex) {
    // previously caught as TargetInvocationException
    ShowError("This file format is not supported in FIPS mode: " + ex.Message);
}
```
Note
Existing catch (SecurityException) blocks do not require changes because ComplianceViolationException is derived from System.Security.SecurityException.
Test FIPS Compliance
As a precaution, you can test FIPS compliance without an OS FIPS policy prior to app update/deployment. Set OperatingSystemLevelFipsMode.ForcedFipsMode = true at application startup to enforce FIPS checks in any environment:
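A sketch of such a pre-deployment check, as an added example that is not DevExpress code: `FipsSmokeTest` and `FindViolations` are hypothetical names, and the operations passed in are your application's own document load and save calls.

```csharp
using System;
using System.Collections.Generic;
using DevExpress.Utils;

// Hypothetical helper (not part of the DevExpress API).
public static class FipsSmokeTest {
    // Runs each named document operation with FIPS checks forced on and
    // returns one entry per operation that hit a non-compliant algorithm.
    public static List<string> FindViolations(IDictionary<string, Action> operations) {
        // Enforce FIPS checks even when no OS FIPS policy is active.
        OperatingSystemLevelFipsMode.ForcedFipsMode = true;

        var violations = new List<string>();
        foreach (var op in operations) {
            try {
                op.Value();
            }
            catch (OperatingSystemLevelFipsMode.ComplianceViolationException ex) {
                // The message names the non-compliant algorithm and a
                // recommended compliant alternative.
                violations.Add(op.Key + ": " + ex.Message);
            }
        }
        return violations;
    }
}
```

Pass it entries such as `{ "load report.xls", () => spreadsheet.LoadDocument("report.xls", "password") }` and fail the build or test run when the returned list is not empty.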