FIPS 140-2 and 140-3
FIPS is a cryptographic validation program jointly run by the US and Canadian governments. FIPS 140 is the standard and the -2 indicates the second revision of the standard. FIPS 140-2 is the currently active version of the standard. FIPS 140-2 submissions will be accepted until the fall of 2021. Fortinet’s transition to FIPS 140-3 is will start in 2021 with the first 140-3 based certificates expected in 2022.
Note: FIPS refers to “validated” products instead of “certified” products.
Within FIPS 140-2 there are 4 levels:
- Level 1 applies to the firmware or software (e.g. FortiOS) – a Level 1 certificate applies to effectively all the models supported by the certified build(s)
- Level 2 brings in the hardware (e.g. the FortiGate appliance, the FortiASIC chips) – a Level 2 certificate applies to the exact combination of the certified build(s) and hardware model
- Levels 3 and 4 add requirements such as physical tamper switches on the chassis, automatic zeroization of keys when the chassis is opened, etc.
Fortinet currently validates products to FIPS 140-2 Levels 1 and 2.
The public document that describes a FIPS validated (certified) product is called the FIPS Security Policy (SP). The SP describes the product and includes instructions for deploying the product in a FIPS compliant manner. The SP also states exactly what configuration(s) of the product are validated – e.g. hardware versions, firmware/software versions, etc.
FIPS 140-2 validation list:
FortiProxy-400E/2000E/4000E Level 2 (TBC)