FIPS Happens

Bill Church Thumbnail
Bill Church
Published February 03, 2023

I am excited to announce that we have successfully completed the FIPS 140-2 validation process for BIG-IP version 15.1.

The requirements for FIPS 140-2 validation are stringent, and passing validation often presents several technical challenges. These issues were compounded by the effects of the pandemic, which have prolonged the time taken to reach validation levels. However, our teams worked diligently to overcome these barriers to ultimately ensure that our customers have a safe and secure platform.

“At F5, we have a long and distinguished history of providing the U.S. public sector and other customers in highly regulated industries with solutions to help them operate and stay compliant,” said Joe Scherer, VP Americas FSE at F5. “With version 15.1, we have once again demonstrated our commitment to providing our customers with the highest level of security and compliance.”

This commitment is not new; we have an established track record of delivering validated software and platforms, due to our robust approach to developing secure software. This is something we are proud of, and it enables us to make sure that customers are provided with industry-leading capabilities.

We are now in the process of working towards FIPS 140-3 validation for BIG-IP version 16.1. This is the next step in continuing to provide our customers with the highest level of security and compliance.

FIPS 140-3 is an evolution of FIPS 140-2 and is the latest standard for cryptographic module security. It brings with it several benefits, including increased flexibility and scalability, improved security, and better alignment with international standards. This provides more flexibility and scalability than the previous standard, allowing vendors to tailor their products to specific customer needs.

FIPS 140-3 also introduces new security requirements, such as the need for a cryptographic module to use a secure boot process to ensure that only trusted software is loaded onto the module. It also requires that cryptographic modules use secure firmware updates, and that the module’s software and firmware be digitally signed to ensure that only trusted software is running on the module. While these are new requirements for FIPS 140, this is similar to something F5 has been doing with our iSeries appliances and our Trusted Platform Module (TPM) since version 14.1, putting us in a great position for future validation efforts. 

Finally, FIPS 140-3 better aligns with international standards, such as ISO/IEC 19790, which allows products to be more easily certified for use in different countries. This allows F5 customer systems to be more easily secured and compliant across a variety of industries outside of the U.S. public sector.

“We are delighted to reach this milestone and reaffirm our commitment to secure development,” Scherer continued. “We look forward to meeting the challenges of the upcoming FIPS 140-3 validation and maintain our leadership in the technology security space.”

To learn more, see the following resources: