Government Regulations
Federal Information Processing Standards
(FIPS 140-2 and 140-3)
Overview, Goals, and Classification
Panoramica
FIPS are standards and guidelines for federal computer systems developed by the National Institute of Standards and Technology (NIST). FIPS 140-3 is an information technology standards used to validate cryptographic modules in commercial-off-the-shelf (COTS) products. FIPS 140-3 validation projects are overseen by the Cryptographic Module Validation Program (CMVP), a joint U.S. and Canadian government program.
Goals
FIPS 140-3 provides a framework to ensure the confidentiality and integrity of the information protected by a cryptographic module. The cryptographic modules are developed by private sector vendors or open-source projects for use by public sector entities and regulated industries such as financial, healthcare, and energy.
Classification
Fortinet validates products to FIPS 140-2/-3 Level 1 and 2. All future certifications of Fortinet products will be FIPS 140-3 compliant after transitioning from FIPS 140-2 at the end of February, 2022. FIPS 140-2/3 provide four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4
- FIPS 140-3 Level 1 provides the lowest level of security with basic security requirements (at least one approved algorithm) applied to the firmware or software (e.g., FortiOS. A Level 1 certificate applies to effectively all the models supported by the certified build(s).
- FIPS 140-3 Level 2 includes all of Level 1’s requirements and adds hardware based requirements such as tamper-evidence (e.g., the FortiGate appliance, the FortiASIC chips). A Level 2 certificate applies to the exact combination of the certified build(s) and hardware model(s).
- FIPS 140-3 Level 3 and FIPS 140-3 Level 4 add requirements such as physical tamper switches on the chassis, automatic zeroization of keys when the chassis is opened.
Note: FIPS 140-2/3 refers to “validated” products instead of “certified” products.
Key Principles
Security
Ensure information systems meet the latest encryption standards defined by the government.
Compliance
Enable organizations to build trust and credibility with government-approved security standards and compliant solutions.
Validation
Provide a security metric to use in the procurement of equipment containing cryptographic modules.
Security Policies
The public document that describes a FIPS-validated (-certified) product is called the FIPS Security Policy (SP). The SP describes the product and includes instructions for deploying the product in a FIPS-compliant manner. The SP also states exactly what configuration(s) of the product are validated such as hardware versions, firmware/software versions.
FIPS 140-2 Validation List
| Certification |
|---|
| FortiOS 6.4/7.0 Level 1 |
| FortiGate VM 6.4/7.0 |
| Model | Certification |
|---|---|
| FortiManager 6.2 | FortiManager 6.2 Level 1 |
| FortiManager 5.2 | |
| FortiManager 5.2 | FortiManager-1000D Level 2 |
| FortiManager 5.2 | FortiManager-4000D Level 2 |
| Model | Certification |
|---|---|
| FortiAnalyzer 6.2 | FortiAnalyzer 6.2 Level 1 |
| FortiAnalyzer 5.2 | |
| FortiAnalyzer 5.2 | FortiManager-1000D Level 2 |
| FortiAnalyzer 5.2 | FortiManager-4000D Level 2 |
| Model | Certification |
|---|---|
| FortiMail 6.0 | |
| FortiMail 6.0 | FortiMail-2000E/3000E Level 2 |
| FortiProxy 1.0 | FortiProxy-400E/2000E/4000E Level 2 |
| FortiSandbox | FortiSandbox – 1000F/2000E/3000E Level 2 |
| FortiWeb 5.6 | FortiWeb 5.6 Level 1 |
| FortiWeb 5.6 | FortiWeb-3000E/4000E Level 2 |
| FortiWLM 8.5 | FortiWLM-100D and FortiWLM-1000D Level 2 |
