KB40055 - SA/MAG/PSA (PCS/PPS) FIPS Certification Status and Recommendations

This KB provides official recommendation from Pulse Secure on the DRBG (Deterministic Random Bit Generator) certification for FIPS-enabled appliances.

For more information on this certification please refer to the NIST DRBG validation list located at http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html.



 

This KB provides official recommendation from Pulse Secure on the issue of losing FIPS certifications for SAx000FIPS, SAx500FIPS, and IC6500FIPS devices.

The Pulse Secure MAG and Virtual Appliances with software based FIPS support the new SP 800-90 DRBG (Deterministic Random Bit Generator); however, the legacy X500FIPS and X000FIPS appliances do not.  These appliances use an external FIPS cryptographic module and these modules do not support SP 800-90 DRBG (or the less common X9.62-2005 RBG).  This means at the end of 2015, the SA4000FIPS, SA4500FIPS, SA6000FIPS, SA6500FIPS, and IC6500FIPS appliances will lose their FIPS certification status. 
 

Pulse Secure official recommendations to customers impacted by FIPS platforms which are not certified: 

Upgrade all SAx000FIPS, SAx500FIPS, and  IC6500FIPS hardware to MAG (PCS/PPS) platforms which are fully FIPS certified (including the new SP 800-90 DRBG certification).

PSA appliances such as PSA300, PSA3000, PSA5000, and PSA7000 that have FIPS mode enabled is in the process of being certified and currently IN REVIEW status with NIST.   If certification is not required then the device can run in FIPS mode.  

UPDATE 07/11/2017: PSA appliances are now FIPS140-2 (Level 1) certified on 05/03/2017, please see KB40759, and download validation certificate here.