Certifications

Updated Date: March 5, 2020

Government Regulations

F5 maintains an active product certification and evaluation program—aligned with government regulations—for maintaining a secure IT environment.

Federal Information Processing Standard (FIPS) 140-2

F5 offers virtual editions (VEs), full-box FIPS platforms, integrated hardware security module (HSM) PCI cards, and external (network HSM) FIPS solutions to meet the most rigorous compliance requirements and architectures. For details, please see the chart below.

For customers who only require a FIPS 140-2 Level 1 solution, the F5 FIPS BIG-IP VE incorporates a NIST-validated, software-based, cryptographic module for x86 platforms.

F5 full-box FIPS platforms provide device-level validation at FIPS 140-2 Level 2, including the application of tamper-evident stickers.

F5 also offers a select set of BIG-IP platforms, which include an HSM that supports a FIPS 140-2 Level 2 implementation for RSA cryptographic key generation, use, and protection. Keys generated on, or imported into, a BIG-IP integrated HSM are not extractable in plain-text format. BIG-IP hardware devices with integrated HSMs come with a sealed epoxy cover that, if removed, will render the card useless and the keys inaccessible. For additional protection, several platforms support a FIPS 140-2 Level 3 implementation of the internal HSM. This security rating means that the internal HSM card includes tamper-resistance, which recognizes physical access attempts, cryptographic module manipulation, and/or tampering, and will destroy the keys and render the card useless.

Finally, F5 BIG-IP supports external (network) HSMs; see the table below for details.

FIPS Integration Support in the Public Cloud

  • AWS CloudHSM – With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. Supported with BIG-IP v14.1.0 and AWS versions 1.0.18 and 1.1.0.
  • Equinix SmartKey – HSM-grade security in an easy-to-use cloud service with built-in encryption and tokenization, and FIPS 140-2 Level 3 certification. Supported with BIG-IP v14.1.0 and SmartKey client version 2.9.804.

F5 FIPS Cryptographic Modules

| F5 Model | BIG-IP Software Release | NIST Validated Cryptographic Module(s) | Consolidated Validation Certificate(s) | Additional Notes |
| --- | --- | --- | --- | --- |
| Virtual Edition on the following hypervisors: VMware ESXi, Hyper-V, KVM on CentOS 7. Vendor Affirmation for AWS, Azure | 15.1 | Cryptographic Module for BIG-IP | Level 1 (in process) | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| 10350v-F; i4000, i5000, i5820-DF, i7000, i7820-DF, i10800, i11800-DS, i15800; VIPRION B2250/B4450 | 15.1 | F5 Device Cryptographic Module | Level 2 (in process) | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| vCMP on i5000, i5820-DF, i7000, i7820-DF, i15800; VIPRION B2250/B4450 | 15.1 | F5 vCMP Cryptographic Module | Level 2 (in process) | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| Virtual Edition on the following hypervisors: VMware ESXi, Hyper-V, KVM on CentOS 7. Vendor Affirmation for AWS, Azure | 14.1.2 | Cryptographic Module for BIG-IP | Level 1 (in process) | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| 10350v-F, i7800 | 14.1.2 | F5 Device Cryptographic Module | Level 2 (in process) | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| Virtual Edition on the following hypervisors: VMware ESXi, Hyper-V. Vendor Affirmation for AWS, Azure | 14.1.0.3 | Cryptographic Module for BIG-IP | Level 1: 3596 | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| 5250v-F, 7200v-F, 10200v-F, 10350v-F; i4000, i5000, i5820-DF, i7000, i7820-DF, i10800, i11800-DS, i15800; VIPRION B2250/B4450 | 14.1.0.3 | F5 Device Cryptographic Module | Level 2: 3629 | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| vCMP on i5000, i5820-DF, i7000, i7820-DF, i15800; VIPRION B2250/B4450 | 14.1.0.3 | F5 vCMP Cryptographic Module | Level 2: 3623 | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| Virtual Edition on the following hypervisors: VMware ESXi, Hyper-V. Vendor Affirmation for AWS, Azure | 13.1.1 | Cryptographic Module for BIG-IP | Level 1: 2911 | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| 4000, 5250v-F, 7200v-F, 10200v-F, 10350v-F; i4000, i5000, i5820-DF, i7000, i7820-DF, i10800, i11800-DS, i15800; VIPRION B2250/B4450 | 13.1.1 | F5 Device Cryptographic Module | Level 2: 3450 | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| vCMP on VIPRION B2250/B4450 | 13.1.1 | F5 vCMP Cryptographic Module | Level 2: 3439 | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| 4000, 7000, 10350v-F; i4000, i5000, i7000; VIPRION B2250/B4450 | 13.1.0 | F5 Device Cryptographic Module | Level 2: 3142 | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| vCMP on VIPRION B2250/B4450 | 13.1.0 | F5 vCMP Cryptographic Module | Level 2: 3179 | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| Virtual Edition on the following hypervisors: VMware ESXi, Hyper-V. Vendor Affirmation for AWS, Azure | 12.1.2 HF1 | Cryptographic Module for BIG-IP | Level 1: 2911 | Supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |

Integrated Cryptographic Modules

| F5 Model | Integrated Modules | NIST Validated Cryptographic Module(s) | Consolidated Validation Certificate(s) | Additional Notes |
| --- | --- | --- | --- | --- |
| 10350v-F, i5820-DF, i7820-DF | NITROXIII | CNN35XX-NFBE-G HSM Family | Level 3: 2495 | NITROXIII is FIPS-inside. Partially supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |
| 5250v-F, 7200v-F, 10200v-F | NITROX XL | CN16XX-NFBE HSM Family | Level 3: 1369 | NITROX XL is FIPS-inside. Partially supported: DFARS 252.204-7012 / NIST SP 800-171 for CUI |

External Cryptographic Modules

| F5 Systems | External Modules | NIST Validated Cryptographic Module(s) | Consolidated Validation Certificate(s) | Additional Notes |
| --- | --- | --- | --- | --- |
| BIG-IP, VIPRION, and Virtual Edition v11.2 and above | Thales | nShield Connect 500+, nShield Connect 1500+, nShield Connect 6000+ | Level 2: 1203 and 1733; Level 3: 1197 and 1742 | Not supported: DFARS 252.204-7012 / NIST SP 800-171 |
| BIG-IP, VIPRION, and Virtual Edition v11.5 and above | SafeNet | Luna SA 6000 | Level 2: 1347; Level 3: 1167 | Not supported: DFARS 252.204-7012 / NIST SP 800-171 |

Historical FIPS

F5 BIG-IP 6900F and 8900F, while FIPS 140-2 compliant, cannot support a necessary firmware upgrade to their HSM, and therefore, have been moved to a historical FIPS list. To find the certificate, go to the CMVP Validated Module search page and perform an Advanced search with “Validation Status” = “Historical”.

| F5 Model | NIST Validated Cryptographic Modules | Overall FIPS Level | Security Policy | Consolidated Validation Certificate |
| --- | --- | --- | --- | --- |
| BIG-IP 6900F, 8900F | Integrated Module: Cavium Nitrox XL CN1520-VBD-04-0201 | Level 2 | Level 2 Security Policy; Level 3 Security Policy | FIPS 140-2 Validation Certificates: Level 2: 1360; Level 3: 1361 |

Key benefits of using F5 FIPS-compliant solutions:

  • High-performance SSL—Industry-leading performance, with industry-recommended standards.
  • Unified platform—BIG-IP is able to consolidate an HSM that provides secure key storage with an application delivery solution that has SSL key management and certificate management on a single device. Other solutions require a separate system or a FIPS-certified card for each web server, but the BIG-IP system’s key management framework allows a highly scalable secure infrastructure that can handle higher traffic levels. Organizations can also easily add new services to the infrastructure.
  • Secure resources—F5 solutions safeguard the integrity of businesses by keeping corporate resources safe and protecting corporate brands.

DFARS 252.204-7012 / NIST SP 800-171 for Confidential Unclassified Information (CUI) is a US Department of Defense Contractor mandate as of December 2017, and is met through FIPS validated solutions covering asymmetric and symmetric crypto operations. Specific F5 FIPS platforms meet this requirement directly, or through the addition of the F5 FIPS module. See above for qualifying platforms and details.
 

Common Criteria for Information Technology Security Evaluation (Common Criteria, CC)

Common Criteria is an international standard (ISO 15408) for the evaluation of security properties of an IT product. This set of requirements evaluates hardware, software, firewalls, and servers. The evaluation goal is to provide a level of assurance that a device or software securely handles data, and has no elements that could compromise its integrity. 

Common Criteria provides assurance to the U.S. Department of Defense and federal intelligence agencies that products they purchase follow presidential requirements for operating secure information systems. Other federal agencies and some financial enterprises find it significantly easier to buy Common Criteria-approved products for their sensitive deployments. F5 has achieved certifications against the Network Device and Firewall Collaborative Protection Profiles, as well as EAL 2+ and EAL 4+ certifications. See chart and links below for details.


Common Criteria Certification

| F5 Model | Software Release | Certification Information | Security Target |
| --- | --- | --- | --- |
| 10350v-F; i5000 series including i5820-DF, i7000 series including i7820-DF, i10000-series, i11000-series, i15000-series; VIPRION B2250/B4450; vCMP; BIG-IP Virtual Edition on the following hypervisors: VMware ESXi 6.5.0, Hyper-V version 10.0 on Windows Server 2019, KVM on CentOS 7 | 15.1 LTM+AFM | (In process) | Collaborative Protection Profile for Network Devices v2.1; PP Module for Stateful Traffic Filter Firewalls Version 1.2 |
| 10350v-F; i5000 series including i5820-DF, i7000 series including i7820-DF, i10000-series, i11000-series, i15000-series; VIPRION B2250/B4450; vCMP; BIG-IP Virtual Edition on the following hypervisors: VMware ESXi 6.5.0, Hyper-V version 10.0 on Windows Server 2019, KVM on CentOS 7 | 15.1 LTM+APM | (In process) | Collaborative Protection Profile for Network Devices v2.1 |
| BIG-IP Virtual Edition on the following hypervisors: VMware ESXi 6.5.0, Hyper-V version 10.0 on Windows Server 2019, KVM on CentOS 7 | 14.1.2 LTM+AFM | CSEC 2019021 (In process) | Collaborative Protection Profile for Stateful Traffic Filter Firewalls Version 2.0e |
| BIG-IP Virtual Edition on the following hypervisors: VMware ESXi 6.5.0, Hyper-V version 10.0 on Windows Server 2019, KVM on CentOS 7 | 14.1.2 LTM+APM | CSEC 2019022 (In process) | Collaborative Protection Profile for Network Devices Version 2.1 |
| 10350v-F; i5000 series including i5820-DF, i7000 series including i7820-DF, i10000-series, i11000-series, i15000-series; VIPRION B2250/B4450; vCMP | 14.1.0.3 LTM+AFM | CSEC 2019003; NIAP PCL | Collaborative Protection Profile for Stateful Traffic Filter Firewalls Version 2.0e |
| 10350v-F; i5000 series including i5820-DF, i7000 series including i7820-DF, i10000-series, i11000-series, i15000-series; VIPRION B2250/B4450; vCMP | 14.1.0.3 LTM+APM | CSEC 2019004; NIAP PCL | Collaborative Protection Profile for Network Devices v2.1 |
| 10350v-F; i5000-series, i7000-series, i10000-series, i11000-series, i15000-series; VIPRION B2250/B4450; vCMP | 13.1.1 LTM+AFM | CSEC 2017016; NIAP PCL | Collaborative Protection Profile for Stateful Traffic Filter Firewalls Version 2.0e |
| 10350v-F; i5000-series, i7000-series, i10000-series, i11000-series, i15000-series; VIPRION B2250/B4450; vCMP | 13.1.1 LTM+APM | CSEC 2017021; NIAP PCL | Collaborative Protection Profile for Network Devices Version 2.0e |
| 10350v-F; i5000-series, i7000-series; VIPRION B2250/B4450; vCMP | 12.1.3.4 LTM+AFM | CSEC 2017004; NIAP PCL | Collaborative Protection Profile for Stateful Traffic Filter Firewalls Version 1.0 |
| 10350v-F; i5000-series, i7000-series; VIPRION B2250/B4450; vCMP | 12.1.3.4 LTM+APM | CSEC 2017005; NIAP PCL | Collaborative Protection Profile for Network Devices Version 1.0 |
| BIG-IP | 11.5.1 ADF-Base (LTM+AFM) | BSI-DSZ-CC-0856-2017 EAL4+ | Security Target. Based on the NIAP Protection profile for Network Devices Version 1.1 and Network Device Protection Profile Extended Package Stateful Traffic Filter Firewall Version 1.0 |
| BIG-IP | 11.5.1 ADC-AP (LTM+APM) | BSI-DSZ-CC-0975-2018 EAL4+ | Security Target. Based on the NIAP Protection profile for Network Devices Version 1.1 |
| BIG-IP 6900, 8900, 11050 | 10.2.2 LTM + ACA+ PSM | NIAP Common Criteria Certificate EAL 2+ | F5 Networks BIG-IP Local Traffic Manager Security Target |

Commercial Solutions for Classified (CSfC)

CSfC is a National Security Agency / Central Security Service (NSA/CSS) program to enable commercial products to be used in layered solutions protecting classified National Security Systems (NSS) data. There are two parts to this program: vendors apply to have their products listed on one or more of the components lists; and then integrators can choose from products on those lists to create solutions.  All listed components must have both Common Criteria Certification and FIPS validation for the product to be listed on the component list.

| F5 Product | Component Listing |
| --- | --- |
| BIG-IP 14.1.2 | In process |
| BIG-IP 14.1.0.3 | In process |
| BIG-IP 13.1.1 | CSfC Traffic Filtering Firewall |
| BIG-IP 12.1 LTM+AFM | CSfC Traffic Filtering Firewall |

United States Government IPv6 Conformance Certification (USGv6)

The U.S. Office of Management and Budget (OMB) declared that all federal agencies are required to use IPv6 in their networks in OMB Memorandum M-05-22. United States Government IPv6 Conformance Certification (USGv6) is a set of technical standards for the acquisition of IPv6 capable hosts, routers, and network security devices. The National Institute of Standards and Technology (NIST) created the USGv6 conformance standards to support adoption of IPv6 in the U.S. government.

F5 BIG-IP is IPv6 Ready and USGv6 certified. View the announcement: F5 Receives IPv6-Ready Gold Logo and USGv6 Certifications

| F5 Platforms | Product Version | Certification Information |
| --- | --- | --- |
| BIG-IP 10000 series, VIPRION B4300 series | 11.3.0 and all later versions | USGv6; Results by UNH-IOL |
| BIG-IP 10000 series | 11.3, 12.1 | IPv6 Gold; Phase-2 Gold Logo ID #02-C-001106 |

Joint Interoperability Test Command (JITC) Public Key Enabled (PKE)

The Joint Interoperability Test Command (JITC) of the U.S. Department of Defense Information Systems Agency (DISA) provides risk-based Test Evaluation & Certification services, tools, and environments to ensure and enable the rapid deployment of interoperable and operationally effective information technology and national security systems. Clients or servers are tested to assure they are public key enabled (PKE) and able to provide security services, such as authentication, confidentiality, non-repudiation and access control. The JITC PKE test areas include NIST and JITC certifications, Online Certificate Status Protocol (OCSP), Certificate Revocation Lists (CRLs), and DoD Common Access Cards (CAC).

F5 BIG-IP is certified by the Department of Defense as PUBLIC KEY-ENABLED (PKE). View the announcement: F5 Receives Joint Interoperability Test Command (JITC) Certification

| F5 Model | Certification Details | Comments |
| --- | --- | --- |
| BIG-IP v 11.2 | Certified | Works with DoD Common Access Cards (CAC) |

NIST 800-53

NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is a core standard defining how to approach information security and risk management within the federal government. Developed by NIST, DoD, the Intelligence Community, and the Committee on National Security Systems, this standard provides guidance on continuous monitoring and FISMA requirements. It also supports a risk-based approach to protecting critical missions and business functions.

F5 has distilled this 240-plus page document into an F5 iApp for NIST 800-53. The iApp provides several pages of relevant questions and tasks to assist the administrator in applying the relevant security controls on their BIG-IP device, saving organizations hours of management time and resources.

If your agency is looking to improve the DIACAP process, or looking to comply with FISMA, then the F5 NIST 800-53 iApp will help ensure the proper configuration settings on the BIG-IP are reviewed and set.

Learn more about using the F5 iApp Template

Department of Defense Information Network Approved Product List

The US Department of Defense DoDIN APL is a single consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification. DoDIN APL certifications verify the system complies with and is configured consistent with the DISA Field Security Office (FSO) Security Technical Implementation Guides (STIG).

For more information about the DoDIN APL process visit the DoDIN APL Testing and Certification Website.

| Cert / TN Number | Product | External Certification |
| --- | --- | --- |
| 1630801 | F5 Networks BIG-IP Rel. 13.1 | Certification |
| 1312201 | F5 Networks BIG-IP Rel. 11.6 | Certification |

Additional Certifications

To get more information on the many other certifications F5 holds, contact F5 sales.