Government Regulations

Federal Information Processing Standards
(FIPS 140-2 and 140-3)
Overview, Goals, and Classification
Summary
FIPS are standards and guidelines for federal computer systems developed by the National Institute of Standards and Technology (NIST). FIPS 140-3 is an information technology standard used to validate cryptographic modules in commercial-off-the-shelf (COTS) products. FIPS 140-3 validation projects are overseen by the Cryptographic Module Validation Program (CMVP), a joint U.S. and Canadian government program.
Goals
FIPS 140-3 provides a framework to ensure the confidentiality and integrity of the information protected by a cryptographic module. The cryptographic modules are developed by private sector vendors or open-source projects for use by public sector entities and regulated industries such as financial, healthcare, and energy.
Classification
Fortinet validates products to FIPS 140-2/-3 Levels 1 and 2. All future certifications of Fortinet products will be FIPS 140-3 compliant after transitioning from FIPS 140-2 at the end of February 2022. FIPS 140-2/-3 provide four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4.
- FIPS 140-3 Level 1 provides the lowest level of security, with basic security requirements (at least one approved algorithm) applied to the firmware or software (e.g., FortiOS). A Level 1 certificate applies to effectively all the models supported by the certified build(s).
- FIPS 140-3 Level 2 includes all of Level 1’s requirements and adds hardware-based requirements such as tamper evidence (e.g., the FortiGate appliance, the FortiASIC chips). A Level 2 certificate applies to the exact combination of the certified build(s) and hardware model(s).
- FIPS 140-3 Level 3 and FIPS 140-3 Level 4 add requirements such as physical tamper switches on the chassis and automatic zeroization of keys when the chassis is opened.
Note: FIPS 140-2/-3 refers to “validated” products rather than “certified” products.
Key Principles
Security
Ensure information systems meet the latest encryption standards defined by the government.
Compliance
Enable organizations to build trust and credibility with government-approved security standards and compliant solutions.
Validation
Provide a security metric to use in the procurement of equipment containing cryptographic modules.
Security Policies
The public document that describes a FIPS-validated (-certified) product is called the FIPS Security Policy (SP). The SP describes the product and includes instructions for deploying the product in a FIPS-compliant manner. The SP also states exactly which configuration(s) of the product are validated, such as hardware versions and firmware/software versions.
FIPS 140-2 Validation List
| Certification |
| --- |
| FortiOS 6.4/7.0 Level 1 |
| FortiGate VM 6.4/7.0 |

| Model | Certification |
| --- | --- |
| FortiManager 6.2 | FortiManager 6.2 Level 1 |
| FortiManager 5.2 | |
| FortiManager 5.2 | FortiManager-1000D Level 2 |
| FortiManager 5.2 | FortiManager-4000D Level 2 |

| Model | Certification |
| --- | --- |
| FortiAnalyzer 6.2 | FortiAnalyzer 6.2 Level 1 |
| FortiAnalyzer 5.2 | |
| FortiAnalyzer 5.2 | FortiManager-1000D Level 2 |
| FortiAnalyzer 5.2 | FortiManager-4000D Level 2 |

| Model | Certification |
| --- | --- |
| FortiMail 6.0 | |
| FortiMail 6.0 | FortiMail-2000E/3000E Level 2 |
| FortiProxy 1.0 | FortiProxy-400E/2000E/4000E Level 2 |
| FortiSandbox | FortiSandbox-1000F/2000E/3000E Level 2 |
| FortiWeb 5.6 | FortiWeb 5.6 Level 1 |
| FortiWeb 5.6 | FortiWeb-3000E/4000E Level 2 |
| FortiWLM 8.5 | FortiWLM-100D and FortiWLM-1000D Level 2 |