FIPS 140-2 and 140-3

FIPS is a cryptographic validation program jointly run by the US and Canadian governments. FIPS 140 is the standard, and the "-2" indicates the second revision of the standard. FIPS 140-2 is the currently active version of the standard. The transition to FIPS 140-3 is expected to start in the fall of 2020.

Note: FIPS refers to “validated” products instead of “certified” products.

Within FIPS 140-2 there are 4 levels:

  • Level 1 applies to the firmware or software (e.g. FortiOS) – a Level 1 certificate applies to effectively all the models supported by the certified build(s)
  • Level 2 brings in the hardware (e.g. the FortiGate appliance, the FortiASIC chips) – a Level 2 certificate applies to the exact combination of the certified build(s) and hardware model
  • Levels 3 and 4 add requirements such as physical tamper switches on the chassis and automatic zeroization of keys when the chassis is opened

Fortinet currently validates products to FIPS 140-2 Levels 1 and 2.

Security Policies

The public document that describes a FIPS-validated (certified) product is called the FIPS Security Policy (SP). The SP describes the product and includes instructions for deploying the product in a FIPS-compliant manner. The SP also states exactly which configuration(s) of the product are validated – e.g. hardware versions, firmware/software versions, etc.

FIPS 140-2 validation list: