Federal Information Processing Standards
(FIPS 140-2 and 140-3)
Overview, Goals, and Classification
FIPS are standards and guidelines for federal computer systems developed by the National Institute of Standards and Technology (NIST). FIPS 140-3 is an information technology standards used to validate cryptographic modules in commercial-off-the-shelf (COTS) products. FIPS 140-3 validation projects are overseen by the Cryptographic Module Validation Program (CMVP), a joint U.S. and Canadian government program.
FIPS 140-3 provides a framework to ensure the confidentiality and integrity of the information protected by a cryptographic module. The cryptographic modules are developed by private sector vendors or open-source projects for use by public sector entities and regulated industries such as financial, healthcare, and energy.
Fortinet validates products to FIPS 140-2/-3 Level 1 and 2. All future certifications of Fortinet products will be FIPS 140-3 compliant after transitioning from FIPS 140-2 at the end of February, 2022. FIPS 140-2/3 provide four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4
- FIPS 140-3 Level 1 provides the lowest level of security with basic security requirements (at least one approved algorithm) applied to the firmware or software (e.g., FortiOS. A Level 1 certificate applies to effectively all the models supported by the certified build(s).
- FIPS 140-3 Level 2 includes all of Level 1’s requirements and adds hardware based requirements such as tamper-evidence (e.g., the FortiGate appliance, the FortiASIC chips). A Level 2 certificate applies to the exact combination of the certified build(s) and hardware model(s).
- FIPS 140-3 Level 3 and FIPS 140-3 Level 4 add requirements such as physical tamper switches on the chassis, automatic zeroization of keys when the chassis is opened.
Note: FIPS 140-2/3 refers to “validated” products instead of “certified” products.
Ensure information systems meet the latest encryption standards defined by the government.
Enable organizations to build trust and credibility with government-approved security standards and compliant solutions.
Provide a security metric to use in the procurement of equipment containing cryptographic modules.