Government Regulations

FIPS are standards and guidelines for federal computer systems developed by the National Institute of Standards and Technology (NIST). FIPS 140-2 and 140-3 are information technology standards used to validate cryptographic modules in commercial-off-the-shelf (COTS) products.  FIPS 140-2 and 140-3 validation projects are overseen by the Cryptographic Module Validation Program (CMVP), a joint U.S. and Canadian government program.

FIPS 140-2 and 140-3 provide a framework to ensure the confidentiality and integrity of the information protected by a cryptographic module. The cryptographic modules are developed by private sector vendors or open-source projects for use by public sector entities and regulated industries such as financial, healthcare, and energy.  

Fortinet currently validates products to FIPS 140-2 Levels 1 and 2. FIPS 140-2 indicates the second revision of the standard. FIPS 140-2 submissions will be accepted until the fall of 2021. Fortinet’s transition to FIPS 140-3 will start in 2021 with the first FIPS 140-3 based certificates expected in 2022. FIPS 140 defines four levels of security:

• FIPS 140-2 Level 1 applies to the firmware or software (e.g., FortiOS. A Level 1 certificate applies to effectively all the models supported by the certified build(s).
• FIPS 140-2 Level 2 includes hardware (e.g., the FortiGate appliance, the FortiASIC chips) – a Level 2 certificate applies to the exact combination of the certified build(s) and hardware model.
• FIPS 140-2 Level 3 and FIPS 140-2 Level 4 add requirements such as physical tamper switches on the chassis, automatic zeroization of keys when the chassis is opened, etc. 

Note: FIPS 140 refers to “validated” products instead of “certified” products.