FIPS 140-2 and 140-3

FIPS is a cryptographic validation program jointly run by the US and Canadian governments. FIPS 140 is the standard and the -2 indicates the second revision of the standard. FIPS 140-2 is the currently active version of the standard. FIPS 140-2 submissions will be accepted until the fall of 2021. Fortinet’s transition to FIPS 140-3 is will start in 2021 with the first 140-3 based certificates expected in 2022.

Note: FIPS refers to “validated” products instead of “certified” products.

Within FIPS 140-2 there are 4 levels:

• Level 1 applies to the firmware or software (e.g. FortiOS) – a Level 1 certificate applies to effectively all the models supported by the certified build(s)
• Level 2 brings in the hardware (e.g. the FortiGate appliance, the FortiASIC chips) – a Level 2 certificate applies to the exact combination of the certified build(s) and hardware model
• Levels 3 and 4 add requirements such as physical tamper switches on the chassis, automatic zeroization of keys when the chassis is opened, etc. 

Fortinet currently validates products to FIPS 140-2 Levels 1 and 2.

The public document that describes a FIPS validated (certified) product is called the FIPS Security Policy (SP). The SP describes the product and includes instructions for deploying the product in a FIPS compliant manner. The SP also states exactly what configuration(s) of the product are validated – e.g. hardware versions, firmware/software versions, etc.