Certifications

Updated Date: November 15, 2018

Government Regulations

F5 maintains an active product certification and evaluation program—aligned with government regulations—for maintaining a secure IT environment.

Federal Information Processing Standard (FIPS) 140-2

F5 offers virtual editions (VEs), Full-Box FIPS platforms, integrated hardware security model (HSM) PCI cards, and external (network HSM) FIPS solutions to meet the most rigorous compliance requirements and architectures. For details, please see the chart below.

For customers who only require a FIPS 140-2 Level 1 solution, the F5 FIPS BIG-IP VE incorporates a NIST-validated, software-based, cryptographic module for x86 platforms.

F5 Full-Box FIPS platforms provide device-level validation at FIPS 140-2 Level 2, including the application of tamper evident stickers.

F5 also offers a select set of BIG-IP platforms, which include a HSM that supports a FIPS 140-2 Level 2 implementation for RSA cryptographic key generation, use, and protection. Keys generated on, or imported into, a BIG-IP integrated HSM are not extractable in plain-text format. BIG-IP hardware devices with integrated HSMs come with a sealed epoxy cover that, if removed, will render the card useless and the keys inaccessible. For additional protection, the BIG-IP 10350v-F supports a FIPS 140-2 Level 3 implementation of the internal HSM. This security rating means that the 10350v-F HSM card includes tamper-resistance, which recognizes physical access attempts, cryptographic module manipulation, and/or tampering, and will destroy the keys and render the card useless.

F5 Full-Box FIPS platforms provide device level validation at FIPS 140-2 Level 2 including the application of Tamper Evident Stickers.

F5 also offers a select set of BIG-IP platforms, which include a Hardware Security Module (HSM), supporting a FIPS 140-2 Level 2 implementation for RSA cryptographic key generation, use, and protection. Keys generated on, or imported into, a BIG-IP integrated Hardware Security Module (HSM) are not extractable in plain-text format. BIG-IP hardware devices with integrated HSMs come with a sealed epoxy cover that, if removed, will render the card useless and the keys inaccessible. For additional protection, the BIG-IP 10350v-F supports a FIPS 140-2 Level 3 implementation of the Internal HSM. This security rating means that the 10350v-F HSM card includes tamper-resistance, which recognizes physical access attempts, cryptographic module manipulation, and/or tampering, and will destroy the keys and render the card useless.

F5 Model NIST Validated Cryptographic Modules Overall FIPS Level Security Policy Consolidated Validation Certificate


BIG-IP 10350v-F

(FIPS 140-2 Inside)

Partial: DFARS 252.204-7012 / NIST SP 800-171. 

Requires F5 F5®Device Cryptographic Module

Integrated Module:
Cavium Nitrox III CNN3560-NFBE-G
Level 3 Level 3 Security Policy FIPS 140-2 Validation Certificates:
Level 2: 2733
Level 3: 2733


BIG-IP 11000-F, 11050-F, 10200v-F, 7200v-F, 5250v-F

(FIPS 140-2 Inside)

Requires F5 F5®Device Cryptographic Module

Integrated Module:
Cavium Nitrox XL 1600-NFBE HSM Family
Level 2 Level 2 Security Policy FIPS 140-2 Validation Certificates:
Level 2: 1369
Level 3: 1511


BIG-IP, VIPRION, BIG-IP Virtual Edition on v11.2 and above

(FIPS 140-2 Inside)

Not Supported: DFARS 252.204-7012 / NIST SP 800-171.

External Module:
Thales nShield Connect 500+, nShield Connect 1500+, nShield Connect 6000+
Level 2/3 Level 2 Security Policy
Level 3 Security Policy
FIPS 140-2 Validation Certificates:
Level 2: 1203 and 1733
Level 3: 1197 and 1742

BIG-IP, VIPRION, BIG-IP VE v11.5 and above

(FIPS 140-2 Inside)

Not supported: DFARS 252.204-7012 / NIST SP 800-171. 

External Module:
SafeNet Luna SA 6000
Level 2/3 Level 2 Security Policy
Level 3 Security Policy
FIPS 140-2 Validation Certificates:
Level 2: 1347
Level 3: 1167

BIG-IP Virtual Edition (v12.1.2 HF1 on VMware ESXi 5.5, AWS on Xen HVM domU, and Microsoft Azure on Hyper-V virtual machine)

(v13.1.1 on VMware ESXi 6.5, AWS on Xen 4.2.amazon, Hyper-V 10.0, and Microsoft Azure on Hyper-V virtual machine)

(FIPS 140-2 inside)

Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI

Software Module:
Cryptographic Module for BIG-IP®
Level 1 Level 1 VE
Security Policy
FIPS 140-2 Validation Certificates:
Level 1: 2911

BIG-IP 5000/7000 Series, 10350v-F, BIG-IP i4000/i5000/i7000 Series, VIPRION B2250/B4450 (v13.1)

Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI

Hardware and Firmware Module:
F5® Device Cryptographic Module
Level 2 Level 2
Security Policy
FIPS 140-2
Validation
Certificates:
Level 2: 3142

VIPRION B2250/B4450 vCMP

Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI

Firmware Module:
F5® vCMP Cryptographic Module
Level 2 Level 2 Security Policy FIPS 140-2
Validation Certificates:
Level 2: 3179

Historical FIPS

F5 BIG-IP 6900F and 8900F, while FIPS 140-2 compliant, cannot support a necessary firmware upgrade to their HSM, and therefore, have been moved to a historical FIPS list.

F5 Model NIST Validated Cryptographic Modules Overall FIPS Level Security Policy Consolidated Validation Certificate

BIG-IP 6900F, 8900F

Integrated Module:
Cavium Nitrox XL CN1520-VBD-04-0201
Level 2 Level 2 Security Policy
Level 3 Security Policy
FIPS 140-2 Validation Certificates:
Level 2: 1360
Level 3: 1361

Key benefits of using F5 FIPS-compliant solutions:

  • High-performance SSL—Industry-leading performance, with industry recommended standards.
  • Unified platform—BIG-IP is able to consolidate an HSM that provides secure key storage with application delivery solution that has SSL key management and certificate management on a single device. Other solutions require a separate system or a FIPS-certified card for each web server, but the BIG-IP system’s key management framework allows a highly scalable secure infrastructure that can handle higher traffic levels. Organizations can also easily add new services to the infrastructure.
  • Secure resources—F5 solutions safeguard the integrity of businesses by keeping corporate resources safe and protecting corporate brands.

DFARS 252.204-7012 / NIST SP 800-171 for Confidential Unclassified Information (CUI) is a US Department of Defence Contractor mandate as of December 2017, and is met through a FIPS validated solutions covering asymmetric and symmetric crypto operations. Specific F5 FIPS platforms meet this requirement directly, or through the addition of the F5 FIPS module. See above for qualifying platforms and details.

Common Criteria for Information Technology Security Evaluation (Common Criteria, CC)

Common Criteria is an international standard (ISO 15408) for the evaluation of security properties of an IT product. This set of requirements evaluates hardware, software, firewalls, and servers. The evaluation goal is to provide a level of assurance that a device or software securely handles data, and has no elements that could compromise its integrity. Each Evaluation Assurance Level (EAL) requires progressively more detailed information about the design and testing of the device or software under evaluation. (Please note that the EAL classification system is being replaced by collaborative Protection Profiles, which have been designed for specific technologies and specify the requirements claimed in the Security Target, as well as assurance activities for those requirements.)

Common Criteria provides assurance to the U.S. Department of Defense and federal intelligence agencies that products they purchase follow presidential requirements for operating secure information systems. Other federal agencies and some financial enterprises find it significantly easier to buy Common Criteria-approved products for their sensitive deployments. F5 has achieved EAL 2+ and EAL 4+ certifications. Network Device and Firewall collaborative Protection Profile certifications are in process. See chart and links below for details.

Common Criteria Certification

F5 Model Software Release Certification Information Security Target

BIG-IP 6900, 8900, 11050

10.2.2 LTM + ACA+ PSM NIAP Common Criteria Certificate EAL 2+ F5 Networks BIG-IP Local Traffic Manager Security Target

BIG-IP

11.5.1 ADF-Base (LTM+AFM) BSI-DSZ-CC-0856-2017 EAL4+ Security Target
Based on the NIAP Protection profile for Network Devices Version 1.1 and Network Device Protection Profile Extended Package Stateful Traffic Filter Firewall Version 1.0

BIG-IP

11.5.1 ADC-AP (LTM+APM) BSI-DSZ-CC-0975-2018 EAL4+ Security Target
Based on the NIAP Protection profile for Network Devices Version 1.1

BIG-IP 10350-F, BIG-IP i5000/i7000 series, VIPRION B2250/B4450, vCMP

12.1.2 LTM+AFM CSEC 2017004 in Process Collaborative Protection Profile for Stateful Traffic Filter Firewalls v1.0

BIG-IP 10350-F, BIG-IP i5000/i7000 series, VIPRION B2250/B4450, vCMP

12.1.2 LTM+APM CSEC 2017005 in Process Collaborative Protection Profile for Network Devices v1.0

BIG-IP 10350-F, BIG-IP i5000/i7000 series, VIPRION B2250/B4450, vCMP

13.1.0 LTM+AFM CSEC 2017016 in Process Collaborative Protection Profile for Stateful Traffic Filter Firewalls v2.0E

BIG-IP 10350-F, BIG-IP i5000/i7000 series, VIPRION B2250/B4450, vCMP

13.1.0 LTM+APM CSEC 2017021 in Process Collaborative Protection Profile for Network Devices v2.0E

United States Government IPv6 Conformance Certification (USGv6)

The U.S. Office of Management and Budget (OMB) declared that all federal agencies are required to use IPv6 in their networks in OMB Memorandum M-05-22. United States Government IPv6 Conformance Certification (USGv6) is a set of technical standards for the acquisition of IPv6 capable hosts, routers, and network security devices The National Institute of Standards and Technology (NIST) created the USGv6 conformance standards to support adoption of IPv6 in the U.S. government.

F5 BIG-IP is IPv6 Ready and USGv6 certified. View the announcement: F5 Receives IPv6-Ready Gold Logo and USGv6 Certifications

Platforms Product Version Certification Information

BIG-IP 10000 series

11.3, 12.1 IPv6 Gold
Phase-2 Gold Logo ID #02-C-001106

BIG-IP 10000 series, VIPRION B4300 series

11.3.0 and all later versions USGv6
Results by UNH-IOL

JITC PKE

The Joint Interoperability Test Command (JITC) of the U.S. Department of Defense Information Systems Agency (DISA) provides risk-based Test Evaluation & Certification services, tools, and environments to ensure and enable the rapid deployment of interoperable and operationally effective information technology and national security systems. Clients or servers are tested to assure they are public key enabled (PKE) and able to provide security services, such as authentication, confidentiality, non-repudiation and access control. The JITC PKE test areas include NIST and JITC certifications, Online Certificate Status Protocol (OCSP), Certificate Revocation Lists (CRLs), and DoD Common Access Cards.

F5 BIG-IP is certified by the Department of Defense as PUBLIC KEY-ENABLED (PKE). View the announcement: F5 Receives Joint Interoperability Test Command (JITC) Certification

Model Certification Details Comments

BIG-IP v 11.2

Certified Works with DoD Common Access Cards (CAC)

NIST 800-53

NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is a core standard defining how to approach information security and risk management within the federal government. Developed by NIST, DoD, the Intelligence Community, and the Committee on National Security Systems, this standard provides guidance on continuous monitoring and FISMA requirements. It also supports a risk-based approach to protecting critical missions and business functions.

F5 has distilled this 240-plus page document into an F5 iApp for NIST 800-53. The iApp provides several pages of relevant questions and tasks to assist the administrator in applying the relevant security controls on their BIG-IP device, saving organizations hours of management time and resources.

If your agency is looking to improve the DIACAP process, or looking to comply with FISMA, then the F5 NIST 800-53 iApp will help ensure the proper configuration settings on the BIG-IP are reviewed and set.

Learn more about using the F5 iApp Template

DoDIN APL (Department of Defense Information Network Approved Product List)

The US Department of Defense DoDIN APL is a single consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification. DoDIN APL certifications verify the system complies with and is configured consistent with the DISA Field Security Office (FSO) Security Technical Implementation Guides (STIG).

For more information about the DoDIN APL process visit the DoDIN APL Testing and Certification Website.

Cert / TN Number Product External Certification

1312201

F5 Networks BIG-IP Rel. 11.6 Certification

1630801

F5 Networks BIG-IP Rel. 13.0 Certification

Additional Certifications

To get more information on the many other certifications F5 holds, contact F5 sales.