Skip to content Skip to navigation Skip to footer

Government Regulations

Federal Information Processing Standards

(FIPS 140-2 and 140-3)

Overview, Goals, and Classification


FIPS are standards and guidelines for federal computer systems developed by the National Institute of Standards and Technology (NIST). FIPS 140-3 is an information technology standards used to validate cryptographic modules in commercial-off-the-shelf (COTS) products.  FIPS 140-3 validation projects are overseen by the Cryptographic Module Validation Program (CMVP), a joint U.S. and Canadian government program.


FIPS 140-3 provides a framework to ensure the confidentiality and integrity of the information protected by a cryptographic module. The cryptographic modules are developed by private sector vendors or open-source projects for use by public sector entities and regulated industries such as financial, healthcare, and energy.  


Fortinet validates products to FIPS 140-2/-3 Level 1 and 2. All future certifications of Fortinet products will be FIPS 140-3 compliant after transitioning from FIPS 140-2 at the end of February, 2022. FIPS 140-2/3 provide four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4

  • FIPS 140-3 Level 1 provides the lowest level of security with basic security requirements (at least one approved algorithm) applied to the firmware or software (e.g., FortiOS. A Level 1 certificate applies to effectively all the models supported by the certified build(s).
  • FIPS 140-3 Level 2 includes  all of Level 1’s requirements and adds hardware based requirements such as tamper-evidence (e.g., the FortiGate appliance, the FortiASIC chips). A Level 2 certificate applies to the exact combination of the certified build(s) and hardware model(s).
  • FIPS 140-3 Level 3 and FIPS 140-3 Level 4 add requirements such as physical tamper switches on the chassis, automatic zeroization of keys when the chassis is opened.

Note: FIPS 140-2/3 refers to “validated” products instead of “certified” products.

Key Principles


Ensure information systems meet the latest encryption standards defined by the government.


Enable organizations to build trust and credibility with government-approved security standards and compliant solutions.


Provide a security metric to use in the procurement of equipment containing cryptographic modules.

Security Policies

The public document that describes a FIPS-validated (-certified) product is called the FIPS Security Policy (SP). The SP describes the product and includes instructions for deploying the product in a FIPS-compliant manner. The SP also states exactly what configuration(s) of the product are validated such as hardware versions, firmware/software versions.

FIPS 140-2 Validation List