F5 maintains an active product certification and evaluation program—aligned with government regulations—for maintaining a secure IT environment.
For BIG-IP, F5 offers several FIPS solutions to meet the most rigorous compliance requirements and architectures. For details of BIG-IP release / system validated combinations, please see the chart below.
FIPS certificates have a lifespan and when they are sunset are moved to a historical FIPS list. To find the certificate, go to the CMVP Validated Module search page and perform an Advanced search with “Validation Status” = “Historical”.
DFARS 252.204-7012 / NIST SP 800-171 for Confidential Unclassified Information (CUI) is a US Department of Defense Contractor mandate as of December 2017 and is met through FIPS validated solutions covering asymmetric and symmetric crypto operations. Specific F5 FIPS platforms meet this requirement directly, or through the addition of the F5 FIPS module. See above for qualifying platforms and details.
CSfC is a National Security Agency / Central Security Service (NSA/CSS) program to enable commercial products to be used in layered solutions protecting classified National Security Systems (NSS) data. There are two parts to this program: vendors apply to have their products listed on one or more of the components lists; and then integrators can choose from products on those lists to create solutions. All listed components must have both Common Criteria Certification and FIPS validation for the product to be listed on the component list. See the table below for F5 listings.
The US Department of Defense DoDIN APL is a single consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification. DoDIN APL certifications verify the system complies with and is configured consistent with the DISA Field Security Office (FSO) Security Technical Implementation Guides (STIG). See the table below for F5 listings.
For more information about the DoDIN APL process visit the DoDIN APL Testing and Certification Website.
The U.S. Office of Management and Budget (OMB) declared that all federal agencies are required to use IPv6 in their networks in OMB Memorandum M-21-07. United States Government IPv6 Conformance Certification (USGv6) is a set of technical standards for the acquisition of IPv6 capable hosts, routers, and network security devices. The National Institute of Standards and Technology (NIST) created the USGv6 conformance standards to support adoption of IPv6 in the U.S. government. See the table below for F5 listings.
F5 BIG-IP is IPv6 Ready and USGv6 certified. View the announcement: F5 Receives IPv6-Ready Gold Logo and USGv6 Certifications
The Joint Interoperability Test Command (JITC) of the U.S. Department of Defense Information Systems Agency (DISA) provides risk-based Test Evaluation & Certification services, tools, and environments to ensure and enable the rapid deployment of interoperable and operationally effective information technology and national security systems. Clients or servers are tested to assure they are public key enabled (PKE) and able to provide security services, such as authentication, confidentiality, non-repudiation, and access control. The JITC PKE test areas include NIST and JITC certifications, Online Certificate Status Protocol (OCSP), Certificate Revocation Lists (CRLs), and DoD Common Access Cards (CAC).
F5 BIG-IP is certified by the Department of Defense as PUBLIC KEY-ENABLED (PKE). View the announcement: F5 Receives Joint Interoperability Test Command (JITC) Certification
NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is a core standard defining how to approach information security and risk management within the federal government. Developed by NIST, DoD, the Intelligence Community, and the Committee on National Security Systems, this standard provides guidance on continuous monitoring and FISMA requirements. It also supports a risk-based approach to protecting critical missions and business functions.
F5 has distilled this 240-plus page document into an F5 iApp for NIST 800-53 Rev 4. The iApp provides several pages of relevant questions and tasks to assist the administrator in applying the relevant security controls on their BIG-IP device, saving organizations hours of management time and resources.
If your agency is looking to improve the DIACAP process, or looking to comply with FISMA, then the F5 NIST 800-53 Rev 4 iApp will help ensure the proper configuration settings on the BIG-IP are reviewed and set.
The reports below cover the degree of conformance for the following accessibility standard/guidelines:
Revised Section 508 Edition (Based on VPAT® Version 2.4) – F5 BIG-IP v17.1
Revised Section 508 Edition (Based on VPAT® Version 2.4) – F5 BIG-IP v16.1
Revised Section 508 Edition (Based on VPAT® Version 2.4) – F5 BIG-IP v15.1
Revised Section 508 Edition (Based on VPAT® Version 2.4) - F5 Distributed Cloud Console
Revised Section 508 Edition (Based on VPAT® Version 2.5) – F5 F5OS Release v1.8.1
Revised Section 508 Edition (Based on VPAT® Version 2.4) - F5 NGINX Plus Release 33
Service providers want assurance that their cloud-native solution is interoperable, secure and optimized for performance and efficiency. F5 and its partners will certify set-up, onboarding, integration, deployment, and life cycle management of F5 BIG-IP Next SPK and Carrier-Grade Aspen Mesh in a cloud-native environment with vendor CNFs.
To get more information on the many other certifications F5 holds, contact F5 sales.
