FIPS 140-3
FIPS OVERVIEW
NIST CMVP (Cryptographic Module Validation Program) is a joint initiative by NIST and the Canadian Centre for Cyber Security that validates cryptographic modules for compliance with FIPS 140-3, ensuring they meet federal security standards.
The Federal Information Processing Standards (FIPS), developed by NIST, set security benchmarks for protecting sensitive data—originally for U.S. government systems but now widely adopted across industries. A key part of FIPS compliance is the Security Policy, which outlines how cryptographic modules meet specific requirements. These policies are publicly available on the NIST website. FIPS 140-3, defines four levels of security for cryptographic modules, ranging from basic encryption to advanced physical protection.
BIG -IP TMOS FIPS 140-3 Validated Modules
Model Version | Platforms | Level | NIST LINK | Notes |
BIG IP TMOS v17.1.0,1 | r5900, r5920-DF, r10900, r10920-DF, r12900-DS, rSeries, VELOS CX410 BX110, VE | Level 2 | Supported DFARS 252.204-7012 / NIST SP 800-171 for CUI | |
BIG IP TMOS v17.1.0,1 | Viprion, iseries | Level 2 | Supported DFARS 252.204-7012 / NIST SP 800-171 for CUI | |
BIG IP TMOS v17.5 | Virtual Edition (VE) | Level 1 | Supported DFARS 252.204-7012 / NIST SP 800-171 for CUI |
F5OS FIPS 140-3 Validated Modules
Model Version | Platforms | Level | NIST LINK | NOTES |
F5OS A v1.5.1 | r4000 series, r5000 series including r5920-DF, r10000 series, including r10920-DF, r12000 series VELOS BX110/CX410, BX520/CX410, BX520/CX1610 | Level 2 | Supported DFARS 252.204-7012 / NIST SP 800-171 for CUI | |
F5OS A v1.7.0 (r12k only) | r12k only | Level 2 | Supported DFARS 252.204-7012 / NIST SP 800-171 for CUI | |
F5OS C v1.6.0 | Virtual Edition | Level 1 | Supported DFARS 252.204-7012 / NIST SP 800-171 for CUI |
How to Access the "Modules in Process" List and Find F5
- Click the provided link below
This will take you directly to the Modules in Process list. - Scroll down the page
There is no search icon, so you’ll need to manually browse the list. - Look for vendors listed alphabetically
The list is organized in A–Z order by vendor name. - Find and click on F5
Once you locate F5 in the list, click on it to view the related module(s) Cryptographic Module Validation Program | CSRC
Current F5 Modules On The In Process List:
BIG-IP Tenant Cryptographic Module v17.5 | F5, Inc. | FIPS 140-3 | Comment Resolution (5/18/2026) |
Cryptographic Module for BIG-IP v17.5 | F5, Inc. | FIPS 140-3 | Comment Resolution (5/21/2026) |
Device Cryptographic Module v17.5 | F5, Inc. | FIPS 140-3 | Comment Resolution (5/11/2026) |
F5OS-C Cryptographic Module v1.8.1 | F5, Inc. | FIPS 140-3 | Review (5/14/2026) |
F5 HSM/FIPS Platform Implementations
Common Criteria
COMMON CRITERIA OVERVIEW
The Common Criteria for Information Technology Security Evaluation (CC) is an internationally recognized standard (ISO/IEC 15408) used to assess the security of IT products and systems. It provides a structured framework for:
- Defining security requirements
- Evaluating product implementations
- Ensuring consistent and repeatable assurance levels
Common Criteria is recognized by over 30 countries through the Common Criteria Recognition Arrangement (CCRA), allowing a product evaluated in one member country to be accepted by all others.
BIG IP - TMOS Certified Modules
DoDIN Approved Product LIST (APL)
DoDIN APL OVERVIEW
The Department of Defense Information Network Approved Products List (DoDIN APL) is the official list of technologies authorized for use across DoD networks. Managed by the Defense Information Systems Agency (DISA), the APL ensures that only products meeting strict Interoperability (IO) and Cybersecurity (CS) standards are deployed within the DoD environment.
*** The DoDIN APL program will end on September 30, 2025, and DISA will keep the APL repository available through FY 2026. As the program sunsets, cybersecurity requirements will shift to DISA’s Security Technical Implementation Guides (STIGs), which provide standardized security configuration requirements for DoD systems. STIGs are DoD‑approved configuration standards used to harden systems and reduce vulnerabilities.
What does "Approved Products List" mean?
Your product has successfully completed the Department of Defense Information Network (DoDIN) certification process. It has met all required cybersecurity and interoperability standards and is now listed on the Approved Products List (APL), making it eligible for procurement and deployment across DoD networks.
How to Access the "Approved Products List" and Find F5
Click the provided link below
This will take you directly to the DoDIN APL Approved Products List:
Visit the DoDIN APL site Use the search filters
You can search by Device Type, Vendor, or Keywords to narrow down the list. Look for vendors listed alphabetically
If you prefer to browse manually, the list is organized in A–Z order by vendor name. Find and click on F5
Once you locate F5 in the list, click on it to view the approved product(s) and certification details. F5 Approved Products
Model BIG-IP iSeries and Virtual Edition (VE) Version 16.1.2 Tracking Number (TN) 2302301 |
Product Info:i5820-DF, i7820-DF, i15000, i15820-DF, VE |
Certified Device Types:Firewall (FW), Virtual Private Network (VPN), Intrusion Prevention Systems (IPS), Cybersecurity Tools (CST). |
CSfC Component List
CSfC COMPONENT LIST OVERVIEW
The Commercial Solutions for Classified (CSfC) program, managed by the National Security Agency (NSA), enables the use of commercial IT products in layered solutions to protect classified National Security System (NSS) data. The CSfC Component List is a curated catalog of products that meet the security and interoperability requirements defined by NSA’s Capability Packages (CPs) and Protection Profiles (PPs). (Supports secure, layered solutions for classified communications).
What does "Listed on the Component List" mean?
Your product has successfully met the requirements of the Commercial Solutions for Classified (CSfC) program. It has passed both Common Criteria certification and FIPS validation and is now officially listed on the CSfC Components List, making it eligible for use in layered, NSA-approved secure solutions.
How to Access the "CSfC Component List" and Find F5
- Click the provided link below
- This will take you directly to the CSfC Components List on the NSA website
- Visit the CSfC Components List Look for vendors listed by component category
- The list is grouped by technology type (e.g., VPN Gateways, WLAN Clients, MDM, etc.). Find and click on F5
- Once you locate F5 under the relevant category, click on the product name to view certification details and compliance information.
F5 Approved CSfC Listings
Traffic Filtering Firewall
Vendor | Model | Version | Certification Date |
F5, Inc. | BIG-IP including AFM | v17.1.0.1 | 2024.11.10 |
TLS Protected Servers
Vendor | Model | Version | Certification Date |
F5, Inc. | BIG-IP including APM | v17.1.0.1 | 2024.11.10 |
F5, Inc. | BIG-IP including SSLO | v17.1.0.1 | 2024.10.11 |
F5, Inc. | BIG-IP including AFM | v17.1.0.1 | 2024.1265 |
F5, Inc. | BIG-IP including SSLO | v16.1.3.1 | 2024.04.16 |
NIAP Product Compliant List
NIAP COMPLIANCE LIST OVERVIEW
The National Information Assurance Partnership (NIAP) oversees the U.S. Common Criteria program and maintains the NIAP Product Compliant List (PCL), the official list of products that have completed evaluation against NIAP‑approved Protection Profiles and have received NIAPs approval to be placed on the PCL. Products on the PCL are recognized as meeting U.S. government security requirements for use in National Security Systems.
What are Protection Profiles? Protection Profiles are standardized sets of security requirements for specific types of technology, defining the baseline safeguards products must meet and the criteria used to evaluate them.
What does "Listed on the Product Compliant List" mean?
Your product has successfully completed evaluation under the National Information Assurance Partnership (NIAP). It has met the Common Criteria requirements for security functionality and assurance and is now officially listed on the NIAP Product Compliant List (PCL). This listing confirms that the product is recognized for use in national security systems.
How to Access the "Product Compliant List" and Find F5
- Click the provided link below This will take you directly to the NIAP Product Compliant List: Visit the NIAP Product Compliant List
- Use the filter or search function
You can filter by Vendor, Product, or Certification Status to narrow down the list. Look for vendors listed alphabetically - If browsing manually, vendors are listed in A–Z order. Find and click on F5
- Once you locate F5, click on the product name to view certification details, protection profiles, and conformance claims.
F5 Modules On The NIAP Product Compliant List
Product | Certification Date | Status | Certifying Country |
F5 BIG-IP 17.1.0.1 including AFM | 10/11/2024 | Certified | Sweden |
F5 BIG-IP 17.1.0.1 including APM | 10/11/2024 | Certified | Sweden |
F5 BIG-IP 17.1.0.1 including SSLO | 10/11/2024 | Certified | Sweden |
F5 BIG-IP 16.1.3.1 including SSLO | 4/16/2024 | Certified | Sweden |
F5 17.5 LTM+APM | 2/10/2026 | Certified | Sweden |
F5 17.5 SSLO | 2/26/2026 | Certified | Sweden |
508 Compliance (VPAT)
508 COMPLIANCE / VPAT OVERVIEW
Section 508 is a federal requirement under the Rehabilitation Act (29 U.S.C. § 794d) that ensures technology used by U.S. federal agencies is accessible to people with disabilities. A VPAT explains how a product meets these accessibility requirements. Together, Section 508 and VPATs help customers assess accessibility and show our commitment to compliant, inclusive products.
Revised Section 508 standards published January 18, 2017, and corrected January 22, 2018
- Revised Section 508 Edition (Based on VPAT® Version 2.4) – F5 BIG-IP v17.5
- Revised Section 508 Edition (Based on VPAT® Version 2.4) – F5 BIG-IP v17.1
- Revised Section 508 Edition (Based on VPAT® Version 2.4) – F5 BIG-IP v16.1
- Revised Section 508 Edition (Based on VPAT® Version 2.4) – F5 BIG-IP v15.1
- Revised Section 508 Edition (Based on VPAT® Version 2.5Rev) – F5 BIG-IQ Software v8.4.0
- Revised Section 508 Edition (Based on VPAT® Version 2.4) - F5 Distributed Cloud Console
- Revised Section 508 Edition (Based on VPAT® Version 2.5) – F5 F5OS Release v1.8.1
- Revised Section 508 Edition (Based on VPAT® Version 2.4) - F5 NGINX Plus Release 33
- Revised Section 508 Edition (Based on VPAT® Version 2.4) - F5 NGINX Management Suite API Connectivity Manager