Federal Information Processing Standards
(FIPS 140-2 and 140-3)
Overview, Goals, and Classification
FIPS are standards and guidelines for federal computer systems developed by the National Institute of Standards and Technology (NIST). FIPS 140-3 is an information technology standard used to validate cryptographic modules in commercial-off-the-shelf (COTS) products. FIPS 140-3 validation projects are overseen by the Cryptographic Module Validation Program (CMVP), a joint U.S. and Canadian government program.
FIPS 140-3 provides a framework to ensure the confidentiality and integrity of the information protected by a cryptographic module. The cryptographic modules are developed by private sector vendors or open-source projects for use by public sector entities and regulated industries such as financial, healthcare, and energy.
Fortinet validates products to FIPS 140-2/-3 Levels 1 and 2. All future certifications of Fortinet products will be FIPS 140-3 compliant after transitioning from FIPS 140-2 at the end of February 2022. FIPS 140-2/3 provide four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4.
- FIPS 140-3 Level 1 provides the lowest level of security, with basic security requirements (at least one approved algorithm) applied to the firmware or software (e.g., FortiOS). A Level 1 certificate applies to effectively all the models supported by the certified build(s).
- FIPS 140-3 Level 2 includes all of Level 1’s requirements and adds hardware-based requirements such as tamper-evidence (e.g., the FortiGate appliance, the FortiASIC chips). A Level 2 certificate applies to the exact combination of the certified build(s) and hardware model(s).
- FIPS 140-3 Level 3 and FIPS 140-3 Level 4 add requirements such as physical tamper switches on the chassis and automatic zeroization of keys when the chassis is opened.
Note: FIPS 140-2/3 refers to “validated” products instead of “certified” products.
- Ensure information systems meet the latest encryption standards defined by the government.
- Enable organizations to build trust and credibility with government-approved security standards and compliant solutions.
- Provide a security metric to use in the procurement of equipment containing cryptographic modules.
The public document that describes a FIPS-validated (-certified) product is called the FIPS Security Policy (SP). The SP describes the product and includes instructions for deploying the product in a FIPS-compliant manner. The SP also states exactly which configuration(s) of the product are validated, such as hardware versions and firmware/software versions.
FIPS 140-2 Validation List
| Product version | Validated configuration and level |
|---|---|
| FortiManager 6.2 | FortiManager 6.2 Level 1 |
| FortiManager 5.2 | FortiManager-1000D Level 2 |
| FortiManager 5.2 | FortiManager-4000D Level 2 |
| FortiAnalyzer 6.2 | FortiAnalyzer 6.2 Level 1 |
| FortiAnalyzer 5.2 | FortiManager-1000D Level 2 |
| FortiAnalyzer 5.2 | FortiManager-4000D Level 2 |
| FortiMail 6.0 | FortiMail-2000E/3000E Level 2 |
| FortiProxy 1.0 | FortiProxy-400E/2000E/4000E Level 2 |
| FortiSandbox | FortiSandbox-1000F/2000E/3000E Level 2 |
| FortiWeb 5.6 | FortiWeb 5.6 Level 1 |
| FortiWeb 5.6 | FortiWeb-3000E/4000E Level 2 |
| FortiWLM 8.5 | FortiWLM-100D and FortiWLM-1000D Level 2 |