Technical Tip: Differences between FIPS 140 and Common Criteria for FortiOS firmware (and info regarding FIPS FortiOS v7.2 and v7.4)
Description
This article discusses some differences between FIPS 140 and Common Criteria certification and how that can apply to the FortiOS FIPS-certified firmware. This is especially relevant for the 2026-2027 period as FortiOS v7.2 and v7.4 are still undergoing FIPS-related certification (see table at the bottom of the article for summarized info).
Scope
FortiGate, FIPS.
Solution
Historically, when Fortinet makes FIPS-validated firmware for the FortiGate available on the Fortinet Support Site, it has done so by releasing one (or in some cases two) FIPS-certified firmware builds for a given major/minor firmware branch in a folder labelled 'FIPS-CC-Certified'. FortiOS v6.4, v7.0, and later introduced the concept of FIPS CVE-Patched firmware, which is placed into a separate folder and is discussed in further depth here: Technical Tip: Upgrading FortiOS Firmware when FIPS-CC is enabled.
Since Fortinet traditionally only releases a single FIPS Certified build per major/minor firmware branch, clients may not be aware that multiple separate programs are involved as part of the full certification process. For example, the FIPS Certified firmware for FortiOS v7.0 is FIPS-CC-70-6, and this firmware version has been certified for the following programs as part of the full process:
- FIPS 140-2 Level 1 (per NIST CMVP Certificate #4443).
- Common Criteria collaborative Protection Profile for Network Devices (NDcPP) version 2.2e (certificate link and validation report link).
- Common Criteria Evaluation Assurance Level 4 (EAL4) augmented with ALC_FLR.3 (certificate link and validation report link).
As a very brief overview of the above programs, the FIPS Certified firmware for FortiOS is generally expected to be separately certified for two main aspects, those being FIPS 140 and Common Criteria:
- FIPS 140 (such as 140-2 and the newer 140-3) specifically covers the integrity and security of the cryptographic module used within FortiOS and the FortiGate. This includes ensuring that the encryption algorithms are mathematically sound/secure, that crypto keys are generated in a secure manner, and that the 'boundary' of the cryptographic module is protected and accessed in an acceptable manner (which might include tamper-evident seals on the device).
- Common Criteria (through NDcPP, EAL, and recently EU CC) evaluates the entire FortiGate as a network device, including how it manages user and administrative permissions, logging/auditing, and protecting network traffic overall (such as mandating encryption standards for services like IKE/IPsec, HTTPS, RADIUS, etc.).
The above is important to understand because at the time of this writing (Q1 2026), FortiOS v7.2 and v7.4 are actively undergoing certification for both FIPS 140-3 and Common Criteria. Unlike previous FIPS Certified releases, the certification process for these current firmware versions has been subject to major delays related to review backlogs that were outside of Fortinet's control, and so these firmware versions are not yet fully certified for FIPS operation.
Furthermore, there may be some confusion over the current firmware that has been made available on the Fortinet Support Site, as FortiOS v7.2 currently has multiple folders for 'FIPS-CC-Certification-Pending' and 'FIPS-CC-Certified' (this is discussed further below):
- Screenshot: FIPS-CC 7.2: Certified vs. Certification Pending
- Screenshot: FIPS-CC 7.2: NDcPP vs. EAL4 Certified
- Screenshot: FIPS-CC 7.2: Candidate
Summary of Certification for FIPS FortiOS v7.2 and v7.4:
The following table aims to provide a quick reference for the ongoing certification of FortiOS v7.2 and v7.4, which should help to clear the current confusion. For a general recommendation on firmware to use, see the next section below.
| Program | FortiOS v7.2 | FortiOS v7.4 |
| --- | --- | --- |
| Federal Information Processing Standards (FIPS 140) | Certified: No (in-progress) | Certified: No (in-progress) |
| collaborative Protection Profile for Network Devices (NDcPP) | Certified: Yes (NDcPP v3.0e) ** | Certified: No (in-progress) |
| Evaluation Assurance Level (EAL) | Certified: Yes (EAL4+ALC_FLR.3) | Certified: No (no plan to certify) |
| European Union Cybersecurity Certification (EU CC) | Certified: No (no plan to certify) | Certified: No (in-progress) |
** NDcPP-certified FIPS-CC-72-5 (b9663) is an older build than the corresponding CVE-Patched FIPS-CC-72-5 (b9703, higher build = newer in series). Use the CVE-Patched version or later to be sure of compliance and also benefit from vulnerability fixes.
Recommendations:
As an overall recommendation for the long run, clients should generally plan to use the latest CVE-Patched firmware version that can be found in whichever Fortinet Support Site folder is being assessed. To further avoid confusion, the current recommended folder paths to use for v7.2 and v7.4 are as follows, as these are the official locations for CVE-Patched builds:
/FortiGate/v7.00/7.2/FIPS-CC-Certification-Pending/7.2.8-FIPS-CC/FIPS-Candidate/CVE-Patched
/FortiGate/v7.00/7.4/FIPS-CC-Certification-Pending/7.4.4-FIPS-CC/FIPS-Candidate/CVE-Patched
Additionally, take care to check for ReadMe files in each firmware download directory, as one is included with every proper FIPS build and describes the vulnerabilities that have been resolved in the current release. In the long run, it is probable that the multiple available directories will be coalesced into a single FIPS-CC-Certified folder, similar to FortiOS v7.0 and earlier, to reduce the confusion, but this is not likely to occur until after all of the certification efforts have been completed.
Related documents:
- NIST Cryptographic Module Validation Program (CMVP) - Validated Modules (for FIPS 140-2/140-3 certificates).
- Common Criteria Portal (for NDcPP and EAL certificates).
- EU Cybersecurity Certificates (for EU CC certificates).
- Technical Tip: FortiOS FIPS Resource List (for all other FortiOS-related FIPS information).