Business & Technology

Fortinet and TAA Compliance: Exceeding Best Practices

By John Whittle | June 24, 2021

Like many companies that sell to the United States Federal government, Fortinet adheres to the rules of the Trade Agreements Act (TAA). The TAA was enacted in 1979 to foster fair and open international trade based on trade agreements between the United States and foreign countries and, for certain product purchases by the Federal government, to limit the countries in which those products may be manufactured. The TAA itself has changed little over the years; what changes is the list of countries designated as TAA compliant.

Certain U.S. Government procurement is limited to "TAA compliant" products: end products that are either manufactured or "substantially transformed" in the United States or in a designated country on the TAA-approved list. A vendor that sells to the government under a contract calling for TAA-compliant products is responsible for making sure the products it delivers actually are TAA-compliant.

Today the designated countries include World Trade Organization Government Procurement Agreement countries, Free Trade Agreement countries, Least Developed Countries, and Caribbean Basin countries.

In today’s global economy, many products are assembled from components sourced in multiple countries, so determining TAA eligibility requires a “substantial transformation” analysis of the end product. For TAA purposes, “substantial transformation” occurs when the end product undergoes a complex assembly process that yields a new and different article with a distinct name, character, or use.

TAA Compliance

For a Fortinet hardware end product to be TAA eligible, all of the following must take place in a TAA (designated) country:

  • The end product must be assembled in a TAA country – i.e., the PCBA (printed circuit board assembly) must be populated in a TAA country, including mounting the CPU
  • The software and BIOS must be loaded and programmed in a TAA country
  • The end product must be fully tested in a TAA country.

For software products, the software must be built in a TAA country; Fortinet’s software is developed and built in the United States and Canada. CBP (U.S. Customs and Border Protection) has consistently held that performing a software build—compiling source code into object code—substantially transforms a software product. All Fortinet TAA products, hardware and software, are validated to confirm they meet every requirement listed above.

It is also important to note that TAA only requires a manufacturer to analyze and control the assembly process of a product in order to determine eligibility. Supply chain risk management goes beyond TAA compliance, and Fortinet is committed not only to TAA compliance but also to broad, proper supply chain risk management.

Fortinet’s TAA Compliance Best Practices

To ensure TAA compliance, Fortinet has implemented numerous TAA processes, controls, and checks and balances across different teams, and has taken additional steps beyond them. The following procedures ensure that every TAA product purchased by the Federal government is in fact TAA-compliant.

  • The Fortinet operations team manages all contract manufacturers for TAA products to ensure visibility, consistency, and full compliance. In addition, we require every contract manufacturer to certify that it has manufactured Fortinet TAA products in adherence with the TAA.
  • We regularly validate the manufacturing process for all TAA-eligible products to ensure that Fortinet contract manufacturers are meeting established TAA requirements and their contractual obligations.
  • We work with third-party organizations and internal teams to perform periodic audits to confirm that TAA controls are being consistently and properly applied internally and in our supply chain.
  • Fortinet has centralized its labeling process for TAA products in a single Fortinet-owned facility in Union City, California. When a product is received at this facility, its country of origin (COO) is checked, confirmed, and entered into our enterprise resource planning system for tracking and auditing.
  • After the COO is validated and the product is confirmed TAA compliant, the product is clearly labeled as TAA compliant and assigned a distinct USG (US Government) SKU, formed by appending a TAA code to the product number, to indicate that it can be sold to the United States Government. Those product numbers are then published on a separate price list provided to the Fortinet Federal, Inc. team, authorized Federal distributors, and approved channel partners.
  • Our quality assurance team then separately inspects each “–USG” SKU / TAA product to confirm that each device complies with TAA requirements.
  • Fortinet has also consolidated distribution of all of its TAA-validated products to just two federally authorized distributors. This strict control helps ensure that only TAA-validated products reach government agencies. U.S. Federal business is conducted through Fortinet Federal, Inc., a wholly owned subsidiary located in Reston, VA, staffed by individuals holding high-level clearances.
  • To maintain strict compliance, we deliver annual TAA training to our operations personnel so that TAA standards are understood and only validated products are provided to U.S. Government customers that require TAA compliance.

Compliance is an Ongoing Process of Transparency

In establishing our TAA processes and controls, our objective was to design processes and internal controls that go beyond industry standards and ensure full, irreproachable TAA compliance, and we have worked with TAA experts to confirm that the measures Fortinet has implemented do so.

For TAA-validated products we also have protections beyond what TAA requires. We design and develop our software and other technology in the United States and Canada, and applicable USG products are specially configured, through their license, so that Federal government customers receive software updates only from designated servers located in the US.

Although TAA compliance can be complicated, these processes improve transparency and ensure full compliance and trustworthiness. They give U.S. Government procurement personnel confidence that our products are what they say they are, were manufactured where we say they were, and meet or exceed the strictest standards for TAA compliance.
