Like many companies that sell to the United States Federal government, Fortinet adheres to the rules related to the Trade Agreements Act (TAA). The TAA was enacted in 1979 to foster fair and open international trade, based on trade agreements between the United States and foreign countries and, for certain product purchases by the Federal government, to limit the countries in which those products may be manufactured. The TAA hasn't changed much over the years, except for which countries are designated TAA compliant.
Certain U.S. Government procurement is limited to "TAA compliant" products that must be either manufactured or "substantially transformed" in the United States or a country on the TAA-approved list. Organizations that sell products to the government, where the government orders TAA-compliant products, are required to make sure their products are in fact TAA-compliant.
Right now, countries that are TAA compliant include World Trade Organization Government Procurement Agreement Countries, Free Trade Agreement Countries, Least Developed Countries, and Caribbean Basin Countries.
In today’s global economy, many products are assembled or made up of components from multiple countries. Determining TAA eligibility requires companies to perform a “substantial transformation” analysis of the end-product. For purposes of TAA compliance, “substantial transformation” occurs when an end product undergoes a complex assembly process resulting in a change in name, character, and use.
For a Fortinet hardware end-product to be TAA eligible, the following actions must all take place in the TAA country:
For software products, the software must be built in a TAA country, and Fortinet’s software is developed and built in the United States and Canada. CBP (Customs and Border Protection) has consistently held that conducting a software build—compiling source code into object code—results in substantial transformation for software products. All Fortinet TAA products (hardware and software) are validated to confirm they meet all of the requirements listed above.
It's also important to note that, although TAA requires a manufacturer to analyze and control the assembly process of a product to determine eligibility, supply chain risk management goes beyond TAA compliance. Fortinet is committed not only to TAA compliance but also to proper, broad supply chain risk management.
To ensure TAA compliance, Fortinet has implemented numerous TAA processes, controls, and checks and balances across different teams, and has taken additional steps to enhance our best practices. The following procedures have been implemented by Fortinet to ensure that all TAA products purchased by the Federal government are in fact TAA-compliant.
In establishing our TAA processes and controls, our objective was to design processes and internal controls that go beyond industry standards, to ensure full and irreproachable TAA compliance. We have worked with TAA experts to ensure the measures Fortinet has implemented go beyond industry standards.
For TAA validated products, we also have protections beyond TAA compliance standards. We design and develop our software and other technology in the United States and Canada, and applicable USG products are specially configured with a license to ensure Federal government customers only receive software updates from designated servers located in the US.
Although TAA compliance can be complicated, these processes improve transparency and ensure full compliance and trustworthiness. They enable US Government procurement personnel to be confident that our products are what they say they are, were manufactured where we say they were, and that they go beyond the strictest standards for TAA compliance.