FIPS 140-2 Certification

graberb
Community Member

I would love to use the Meraki full stack in my environment but the network is subject to LEIN audits every three years. Devices that pass criminal justice information are required to hold a valid FIPS 140-2 certificate. I have heard from many sources that Meraki is in the process of acquiring these certs. Does anyone know more?

Accepted Solutions

edazeved
Cisco Employee

Hi everyone. I am aware that this is an old post, but I believe it is relevant to share this here, even for future reference.

Please refer to our Meraki Device to Cloud Connectivity - FIPS document, where we list all the certifications available at this moment.

Hope this helps

Eduardo Azevedo

29 Replies

simple818
Level 9

I would like this too. It is a big holdup in being able to implement full stack Meraki in a Criminal Justice environment.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.

Philip D'Ath
Meraki Community All-Star

I haven't heard of any rumours of Meraki applying for FIPS140-2 compliance (to be specific, FIPS140-2 relates to VPN and crypto).

However the 15.x code train (not available to the public yet) has significant changes on the VPN side - and perhaps those changes might make FIPS140-2 possible.

One significant issue is that FIPS140-2 is given to specific software versions. This would mean you could not upgrade the firmware to maintain compliance. This kinda violates the whole Meraki principle where the software is kept up to date automatically for you.

The last part of this year is going to prove to be exciting in this area!

@Philip D'Ath the encryption Meraki uses for its VPN tunnels is likely FIPS 140-2 compliant but getting the actual devices certified is what we'd be after. Cisco already does this with their ASA line of products and those have regular updates available. So I don't see why Cisco couldn't do this for its Meraki line of products as well. It cuts out a big chunk of law enforcement and criminal justice customers otherwise.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO

Adam,
Have you heard any more? I'm curious about this as well.

Philip D'Ath
Meraki Community All-Star

>Cisco already does this with their ASA line of products and those have regular updates available

Note that specific software releases are certified FIPS140-2 for the ASA. You cannot just upgrade the ASA software and maintain your FIPS140-2 certification.

I have just heard a rumor...mind you it is just a rumor and is not substantiated at all, but I heard that Meraki devices will be on the FIPS 140-2 compliance list as soon as May of 2020.

Landrin Long | Network Architect
Nevada Department of Motor Vehicles
555 Wright Way, Carson City, NV 89711

I know it's not May yet but has anyone heard anything about the progress of FIPS?

Due to confidentiality and non-disclosure agreements, I cannot share the content of the signed letter I received from an SVP in Meraki. I can tell you that though the Meraki devices may not be on the FIPS compliancy list by May, the intent is to be by May.

Landrin Long | Network Architect
Nevada Department of Motor Vehicles
555 Wright Way, Carson City, NV 89711

Can you share the SVP name? Thanks!

Landrin Long | Network Architect
Nevada Department of Motor Vehicles
555 Wright Way, Carson City, NV 89711

Has anyone heard any new information on this? I know it's not May yet, but at least it's been two months 🙂

Since it is not May as you state, I have not heard anything more. I'm going to at least wait until then to start asking more questions.

Landrin Long | Network Architect
Nevada Department of Motor Vehicles
555 Wright Way, Carson City, NV 89711

It is May! I have been tracking this thread for at least a year, and now that we are here I wanted to see if there were updates.

In a previous life as an MSP, Meraki was a great solution. In my current role, we must have FIPS to purchase, and our ASAs are due for replacement.

Please tell me there is a solution, or if one is on the roadmap still and when. I would prefer to purchase Meraki over the others but need to have this in the pocket before I can.

From my rep at Meraki...

Here’s the synopsis of what we heard from Product Management yesterday:
  1. FIPS 140-2 validation for AutoVPN network traffic has been delayed due to a software architectural issue with incorporating the FIPS validated object module that they were looking to use. As a result, we are looking at a minimum of 18 months before AutoVPN traffic will support FIPS 140-2 validation as they will likely have to certify a brand new hardware-based object module and this process alone takes around 12 months.
  2. While FIPS for AutoVPN has been delayed, this software limitation will not delay the roadmap for FedRAMP certification. Development efforts are now being focused on achieving FedRAMP in progress (and certification) by using this object module for Meraki control traffic (mtunnel).
Landrin Long | Network Architect
Nevada Department of Motor Vehicles
555 Wright Way, Carson City, NV 89711