Federal Information Processing Standard
(FIPS 140-2 and 140-3)
Overview, Goals, and Classification
FIPS are standards and guidelines for federal computer systems developed by the National Institute of Standards and Technology (NIST). FIPS 140-2 and 140-3 are information technology standards used to validate cryptographic modules in commercial-off-the-shelf (COTS) products. FIPS 140-2 and 140-3 validation projects are overseen by the Cryptographic Module Validation Program (CMVP), a joint U.S. and Canadian government program.
FIPS 140-2 and 140-3 provide a framework to ensure the confidentiality and integrity of the information protected by a cryptographic module. The cryptographic modules are developed by private sector vendors or open-source projects for use by public sector entities and regulated industries such as financial, healthcare, and energy.
Fortinet currently validates products to FIPS 140-2 Levels 1 and 2. FIPS 140-2 indicates the second revision of the standard. FIPS 140-2 submissions will be accepted until the fall of 2021. Fortinet’s transition to FIPS 140-3 will start in 2021 with the first FIPS 140-3 based certificates expected in 2022. FIPS 140 defines four levels of security:
- FIPS 140-2 Level 1 applies to the firmware or software (e.g., FortiOS. A Level 1 certificate applies to effectively all the models supported by the certified build(s).
- FIPS 140-2 Level 2 includes hardware (e.g., the FortiGate appliance, the FortiASIC chips) – a Level 2 certificate applies to the exact combination of the certified build(s) and hardware model.
- FIPS 140-2 Level 3 and FIPS 140-2 Level 4 add requirements such as physical tamper switches on the chassis, automatic zeroization of keys when the chassis is opened, etc.
Note: FIPS 140 refers to “validated” products instead of “certified” products.
Ensure information systems meet the latest encryption standards defined by the government.
Enable organizations to build trust and credibility with government-approved security standards and compliant solutions.
Provide a security metric to use in the procurement of equipment containing cryptographic modules.