| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 6/30/2030 |
| Caveat | When installed, initialized and configured as specified in Section Life-Cycle Assurance of the Security Policy. The tamper evident seals installed as indicated in the Security Policy |
| Vendor | Cisco Systems, Inc. |
flowchart LR
%% Deterministic review-risk graph for Cisco Secure Firewall Threat Defense Cryptographic Module (FPR 2100 Series)
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware Load</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Cisco Secure Firewall Threat Defense Cryptographic Module (FPR 2100 Series)
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware Load</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Cisco Systems, Inc. Cisco Secure Firewall Threat Defense Cryptographic Module (FPR 2100 Series) Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA © 2021-2025 Cisco Systems, Inc. Cisco Systems logo is registered trademark of Cisco Systems, Inc.
| # | Section | Page |
|---|
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Tested Module Identification – Hardware | 7 |
| Table 3: Modes List and Description | 7 |
| Table 4: Approved Algorithms - CiscoSSL FOM Cryptographic Implementation | 9 |
| Table 5: Approved Algorithms - Octeon III Family Crypto Engine | 10 |
| Table 6: Vendor-Affirmed Algorithms | 10 |
| Table 7: Security Function Implementations | 15 |
| Table 8: Entropy Certificates | 16 |
| Table 9: Entropy Sources | 16 |
| Table 10: Ports and Interfaces | 17 |
| Table 11: Authentication Methods | 19 |
| Table 12: Roles | 19 |
| Table 13: Approved Services | 37 |
| Table 14: Mechanisms and Actions Required | 38 |
| Table 15: Storage Areas | 44 |
| Table 16: SSP Input-Output Methods | 45 |
| Table 17: SSP Zeroization Methods | 45 |
| Table 18: SSP Table 1 | 52 |
| Table 19: SSP Table 2 | 59 |
| Table 20: Pre-Operational Self-Tests | 60 |
| Table 21: Conditional Self-Tests | 65 |
| Table 22: Pre-Operational Periodic Information | 65 |
| Table 23: Conditional Periodic Information | 68 |
| Table 24: Error States | 68 |
| Figure 1 FPR 2110 and FPR 2120 | 6 |
| Figure 2 FPR 2130 and FPR 2140 | 6 |
| Figure 3 Module front view with opacity shield | 39 |
| Figure 4 FRP 2110/2120 back view | 39 |
| Figure 5 FRP 2130/2140 back view | 39 |
| Figure 6 FRP 2110/2120 top view with opacity shield | 40 |
| Figure 7 FRP 2130/2140 top view with opacity shield | 40 |
| Figure 8 Module’s bottom view with opacity shield | 41 |
| Figure 9 Module’s left view with opacity shield | 41 |
| Figure 10 Module’s right view with opacity shield | 41 |
| Figure 11 Opacity Shield Brackets | 43 |
Defense Cryptographic Module (FPR 2100 Series) (hereinafter referred to as FTD or Module), version 7.4. The following details how this module meets the security requirements of FIPS 140-3, SP 800-140 and ISO/IEC 19790 for a Security Level 2 hardware cryptographic module. The security requirements cover areas related to the design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic module interfaces; roles, services, and authentication; software/firmware security; operational environment; physical security; non-invasive security; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation of other attacks. The following table indicates the actual security levels for each area of the cryptographic module.
Section Title Security Level
1 General 2
2 Cryptographic module specification 2
3 Cryptographic module interfaces 2
4 Roles, services, and authentication 3
5 Software/Firmware security 2
6 Operational environment N/A
7 Physical security 2
8 Non-invasive security N/A
9 Sensitive security parameter management 2
10 Self-tests 2
11 Life-cycle assurance 2
12 Mitigation of other attacks N/A
Overall Level 2 Table 1: Security Levels
Purpose and Use: This module is a multi-chip standalone hardware cryptographic module identified as Firewall Threat Defense (FTD) which houses ASA and Firepower solutions with underlying operating system identified as Linux 4 (also referred to as Firepower eXtensible Operating System or FXOS throughout this document). The Module’s operational environment is Limited. FTD delivers enterprise-class firewall for businesses, improving security at the Internet edge, high performance and throughput for demanding enterprise data centers. The FTD solution offers the combination of the industry's most deployed stateful firewall with a comprehensive © 2021-2025 Cisco Systems, Inc.
range of next-generation network security services, intrusion prevention system (IPS), content security and secure unified communications, HTTPS/TLSv1.2, SSHv2, IPsec/IKEv2, SNMPv3 and Cryptographic Cipher Suite B using the ASA Cryptographic Module. Module Type: Hardware Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The cryptographic boundary is defined as the entire chassis unit’s physical perimeter encompassing the "top," "front," "left," "right," “rear” and "bottom" surfaces of the case, and shown in the figures below and in the Physical Security section. The FPR 2110, FPR 2120, FPR 2130 and FPR 2140 all have the same exterior appearance. Where they differ is in Firewall throughput, IPS throughput, IPsec VPN throughput and number of VPN peers allowed. Figure 1 FPR 2110 and FPR 2120 Figure 2 FPR 2130 and FPR 2140
Tested Module Identification
Model Hardware Firmware Processors Features and/or Version Version Part Number FRP FPR-2110 7.4 Intel Xeon D-1526 (Broadwell), Octeon III
FRP FPR-2120 7.4 Intel Xeon D-1528 (Broadwell), Octeon III
FRP FPR-2130 7.4 Intel Xeon D-1548 (Broadwell), Octeon III
FRP FPR-2140 7.4 Intel Xeon D-1577 (Broadwell), Octeon III
Table 2: Tested Module Identification
Modes List and Description: Mode Name Description Type Status Indicator Approved The module is always in the approved Approved Approved mode Mode of mode of operation after initial indicator: "FIPS is Operation operations are performed. currently enabled." Table 3: Modes List and Description The module has one approved mode of operation and is always in the approved mode of operation after initial operations are performed (See Section 11). The module does not claim © 2021-2025 Cisco Systems, Inc.
implementation of a degraded mode of operation. Section 4 provides details on the service indicator implemented by the module.
Approved Algorithms: CiscoSSL FOM Cryptographic Implementation Algorithm CAVP Properties Reference Cert AES-CBC A4446 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4446 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 Counter DRBG A4446 Prediction Resistance - Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes ECDSA KeyGen A4446 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA SigGen A4446 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512 ECDSA SigVer A4446 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512 HMAC-SHA-1 A4446 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2- A4446 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2- A4446 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2- A4446 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2- A4446 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 KAS-ECC-SSC A4446 Domain Parameter Generation Methods - P- SP 800-56A Sp800-56Ar3 256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A4446 Domain Parameter Generation Methods - SP 800-56A Sp800-56Ar3 ffdhe2048, ffdhe3072, ffdhe4096, modp-2048, Rev. 3 modp-3072, modp-4096 Scheme dhEphem KAS Role - initiator, responder KDF IKEv2 A4446 Diffie-Hellman Shared Secret Length - Diffie- SP 800-135 (CVL) Hellman Shared Secret Length: 2048 Rev. 1 © 2021-2025 Cisco Systems, Inc.
Algorithm CAVP Properties Reference Cert Derived Keying Material Length - Derived Keying Material Length: 3072 Hash Algorithm - SHA-1 KDF SNMP A4446 Password Length - Password Length: 256, 64 SP 800-135 (CVL) Rev. 1 KDF SSH (CVL) A4446 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512 RSA KeyGen A4446 Key Generation Mode - B.3.4 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Algorithm - SHA2-256 Private Key Format - Standard RSA SigGen A4446 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4446 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 Safe Primes Key A4446 Safe Prime Groups - modp-2048, modp-3072, SP 800-56A Generation modp-4096 Rev. 3 SHA-1 A4446 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-224 A4446 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-256 A4446 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-384 A4446 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512 A4446 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 TLS v1.2 KDF A4446 Hash Algorithm - SHA2-256, SHA2-384, SHA2- SP 800-135 RFC7627 (CVL) 512 Rev. 1 Table 4: Approved Algorithms - CiscoSSL FOM Cryptographic Implementation Octeon III Family Crypto Engine Algorithm CAVP Properties Reference Cert AES-CBC AES 3301 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM AES 3301 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 192, 256 Hash DRBG DRBG 819 Prediction Resistance - No SP 800-90A Mode - SHA2-512 Rev. 1 HMAC-SHA-1 HMAC - FIPS 198-1 2095 HMAC-SHA2- HMAC - FIPS 198-1
HMAC-SHA2- HMAC - FIPS 198-1
Algorithm CAVP Properties Reference Cert HMAC-SHA2- HMAC - FIPS 198-1
SHA-1 SHS 2737 Message Length - Message Length: 0- FIPS 180-4
SHA2-256 SHS 2737 Message Length - Message Length: 0- FIPS 180-4
SHA2-384 SHS 2737 Message Length - Message Length: 0- FIPS 180-4
SHA2-512 SHS 2737 Message Length - Message Length: 0- FIPS 180-4
Table 5: Approved Algorithms - Octeon III Family Crypto Engine Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key Type:Asymmetric N/A SP 800-133r2 Section 4, Method 1 Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module.
Name Type Description Properties Algorithms KAS-ECC- KAS-KeyGen KAS ECC Keysize:128 to Counter DRBG: KeyGen keygen used in 256 bits (A4446) (SSHv2) SSHv2 service encryption Hash DRBG: strength (DRBG 819) CKG: () KAS-FFC- KAS-KeyGen KAS FFC Keysize:112 to Counter DRBG: KeyGen keygen used in 128 bits (A4446) (SSHv2) SSHv2 service Hash DRBG: © 2021-2025 Cisco Systems, Inc.
Name Type Description Properties Algorithms encryption (DRBG 819) strength Safe Primes Key Generation: (A4446) CKG: () KAS-ECC- KAS-KeyGen KAS ECC Keysize:128 to Counter DRBG: KeyGen keygen used in 256 bits (A4446) (TLSv1.2) TLSv1.2 service encryption Hash DRBG: strength (DRBG 819) CKG: () KAS-FFC- KAS-KeyGen KAS FFC Keysize:112 to Counter DRBG: KeyGen keygen used in 128 bits (A4446) (TLSv1.2) TLSv1.2 service encryption Hash DRBG: strength (DRBG 819) Safe Primes Key Generation: (A4446) CKG: () KAS-ECC- KAS-KeyGen KAS ECC Keysize:128 to Counter DRBG: KeyGen (IKEv2) keygen used in 256 bits (A4446) TLSv1.2 service encryption Hash DRBG: strength (DRBG 819) CKG: () KAS-FFC- KAS-KeyGen KAS FFC Keysize:112 to Counter DRBG: KeyGen (IKEv2) keygen used in 128 bits (A4446) TLSv1.2 service encryption Hash DRBG: strength (DRBG 819) Safe Primes Key Generation: (A4446) CKG: () KAS-ECC KAS-Full KAS-ECC for Security KDF SSH: (SSHv2) SSHv2 service Strength:Provides (A4446) between 128 and KAS-ECC-SSC
encryption (A4446) strength KAS-FFC KAS-Full KAS-FFC Security KDF SSH: (SSHv2) SSHv2 service Strength:Provides (A4446) between 112 to KAS-FFC-SSC
encryption (A4446) strength KAS-ECC KAS-Full KAS-ECC for Security TLS v1.2 KDF (TLSv1.2) TLSv1.2 service Strength:Provides RFC7627: between 128 and (A4446)
encryption Sp800-56Ar3: strength (A4446) © 2021-2025 Cisco Systems, Inc.
Name Type Description Properties Algorithms KAS-FFC KAS-Full KAS-FFC for Security TLS v1.2 KDF (TLSv1.2) TLSv1.2 service Strength:Provides RFC7627: between 112 to (A4446)
encryption Sp800-56Ar3: strength (A4446) KAS-ECC KAS-Full KAS-ECC for Security KAS-ECC-SSC (IKEv2) IKEv2 Service Strength:Provides Sp800-56Ar3: between 112 and (A4446)
encryption (A4446) strength KAS-FFC KAS-Full KAS-FFC for Security KAS-FFC-SSC (IKEv2) IKEv2 service Strength:Provides Sp800-56Ar3: between 112 and (A4446)
encryption (A4446) strength KTS (TLSv1.2 KTS-Wrap KTS via Security AES-CBC: with AES and TLSv1.2 service Strength:Provides (A4446) HMAC) by using AES between 128 and Key Length: and HMAC 256 bits of 128, 256 encryption HMAC-SHA-1: strength (A4446) HMAC-SHA2256: (A4446) HMAC-SHA2384: (A4446) SHA-1: (A4446) SHA2-256: (A4446) SHA2-384: (A4446) KTS (TLSv1.2 KTS-Wrap KTS via Security AES-GCM: with AES-GCM) TLSv1.2 service Strength:Provides (A4446) by using AES- between 128 and Key Length: GCM 256 bits of 128, 256 encryption strength KTS (SSHv2 KTS-Wrap KTS via SSHv2 Security AES-CBC: with AES and service by using Strength:Provides (A4446) HMAC) AES and HMAC between 128 and Key Length:
encryption HMAC-SHA-1: strength (A4446) HMAC-SHA2256: (A4446) SHA-1: (A4446) © 2021-2025 Cisco Systems, Inc.
Name Type Description PropertiesAlgorithms SHA2-256: (A4446) KTS (SSHv2 KTS-Wrap KTS via SSHv2 Security AES-GCM: with AES-GCM) service by using Strength:Provides (A4446) AES-GCM between 128 and Key Length:
encryption strength RSA KeyGen AsymKeyPair- RSA KeyGen for RSA KeyGen (SSHv2, KeyGen SSHv2, (FIPS186-4): TLSv1.2, IKEv2) TLSv1.2, and (A4446) IKEv2 services Counter DRBG: (A4446) Hash DRBG: (DRBG 819) ECDSA KeyGen AsymKeyPair- ECDSA KeyGen ECDSA KeyGen (SSHv2, KeyGen for TLSv1.2 and (FIPS186-4): TLSv1.2 and IKEv2 services (A4446) IKEv2) Counter DRBG: (A4446) Hash DRBG: (DRBG 819) RSA SigGen DigSig-SigGen RSA SigGen for RSA SigGen (SSHv2, SSHv2, (FIPS186-4): TLSv1.2, IKEv2) TLSv1.2, and (A4446) IKEv2 services ECDSA SigGen DigSig-SigGen ECDSA SigGen ECDSA SigGen (SSHv2, for TLSv1.2, and (FIPS186-4): TLSv1.2 and IKEv2 services (A4446) IKEv2) RSA SigVer DigSig-SigVer RSA SigVer for RSA SigVer (SSHv2, SSHv2, (FIPS186-4): TLSv1.2, and TLSv1.2, and (A4446) IKEv2) IKEv2 services ECDSA SigVer DigSig-SigVer ECDSA SigVer ECDSA SigVer (SSHv2, for TLSv1.2 and (FIPS186-4): TLSv1.2, and IKEv2 services (A4446) IKEv2) Block Cipher BC-Auth Block Cipher for AES-CBC: (SSHv2) BC-UnAuth SSHv2 service (A4446) Key Length: 128, 256 AES-GCM: (A4446) Key Length: 128, 256 Block Cipher BC-Auth Block Cipher for AES-GCM: (TLSv1.2) BC-UnAuth TLSv1.2 service (A4446) Key Length: © 2021-2025 Cisco Systems, Inc.
Name Type Description Properties Algorithms 128, 256 AES-CBC: (A4446) Key Length: 128, 256 Block Cipher BC-Auth Block Cipher for AES-CBC: (IPSec/IKE) BC-UnAuth IPSec/IKEv2 (A4446, AES service 3301) AES-GCM: (A4446, AES 3301) Block Cipher BC-UnAuth Block Cipher for AES-CBC: (SNMPv3) SNMPv3 service (A4446) KDF SNMP: (A4446) MAC (SSHv2) MAC MAC for SSHv2 HMAC-SHA-1: service (A4446) HMAC-SHA2256: (A4446) SHA-1: (A4446) SHA2-256: (A4446) MAC (TLSv1.2) MAC Message HMAC-SHA-1: Authentication (A4446) for TLSv1.2 HMAC-SHA2services 256: (A4446) HMAC-SHA2384: (A4446) SHA-1: (A4446) SHA2-256: (A4446) SHA2-384: (A4446) MAC MAC Message HMAC-SHA2(IPSec/IKEv2) Authentication 256: (A4446, for IPSec/IKEv2 HMAC 2095) services HMAC-SHA2384: (A4446, HMAC 2095) HMAC-SHA2512: (A4446, HMAC 2095) SHA2-256: (A4446, SHS 2737) SHA2-384: (A4446, SHS 2737) SHA2-512: © 2021-2025 Cisco Systems, Inc.
Name Type Description Properties Algorithms (A4446, SHS 2737) HMAC-SHA-1: (HMAC 2095) SHA-1: (SHS 2737) MAC (SNMPv3) MAC Message HMAC-SHA-1: Authentication (A4446) for SNMPv3 SHA-1: (A4446) service KDF SNMP: (A4446) HMAC-SHA2256: (A4446) HMAC-SHA2384: (A4446) SHA2-256: (A4446) SHA2-384: (A4446) HMAC-SHA2224: (A4446) SHA2-224: (A4446) Firmware Load MAC MAC for HMAC-SHA2Test firmware load 512: (A4446) test Table 7: Security Function Implementations
The module’s AES-GCM implementation conforms to Implementation Guidance C.H scenario #1 following RFC 5288 for TLS. The module is compatible with TLSv1.2 and provides support for the acceptable GCM cipher suites from SP 800-52 Rev1, Section 3.3.1. The operations of one of the two parties involved in the TLS key establishment scheme were performed entirely within the cryptographic boundary of the module being validated. The counter portion of the IV is set by the module within its cryptographic boundary. When the IV exhausts the maximum number of possible values for a given session key, the first party, client or server, to encounter this condition will trigger a handshake to establish a new encryption key. The keys for the client and server negotiated in the TLSv1.2 handshake process (client_write_key and server_write_key) are compared and the module aborts the session if the key values are identical. In case the module’s power is lost and then restored, a new key for use with the AES GCM encryption/decryption shall be established. The module uses RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption keys are derived. When the IV exhausts the maximum number of possible values for a given session key, the first party, client or server, to encounter this condition will trigger a handshake to establish a new encryption key. Two keys established by © 2021-2025 Cisco Systems, Inc.
IKEv2 for one security association (one key for encryption in each direction between the parties) are not identical and abort the session if they are. In case the module’s power is lost and then restored, a new key for use with the AES GCM encryption/decryption shall be established. The module was algorithm tested based on the FIPS 186-4 standard Digital Signatures. According to IG C.K, this module is 186-5 compliant as all 186-4 CAVP tests performed are mathematically identical to the 186-5 CAVP tests. The Module does not support 186-4 DSA or RSA X9.31 for Signature Generation.
Cert Vendor Name Number E3 Cisco Systems, Inc. Table 8: Entropy Certificates Name Type Operational Environment Sample Entropy Conditioning Size per Component Sample Cisco Non- Intel Xeon D-1526 (Broadwell), 4 bits 2 bits A2810 (SHA3Jitter Physical Intel Xeon D-1528 (Broadwell), 256) Entropy Intel Xeon D-1548 (Broadwell), Source Intel Xeon D-1577(Broadwell) Table 9: Entropy Sources
The module generates RSA, ECDSA, ECDH, and DH asymmetric key pairs compliant with FIPS 186-4, using a NIST SP 800-90Arev1 CTR DRBG or NIST SP 800-90Arev1 Hash DRBG for random number generation. In accordance with FIPS 140-3 IG D.H, the cryptographic module performs CKG for asymmetric keys as per section 5.1 of NIST SP 800-133rev2 (vendor affirmed) by obtaining a random bit string directly from an approved DRBG. The random bit string supports the required security strength requested by the calling application (without any V, as described in Additional Comments 2 of IG D.H.).
The module provides the following key/SSP establishment services in the approved mode of operation: KAS-FFC Shared Secret Computation: - The module provides SP800-56Arev3 compliant key establishment according to FIPS 140-3 IG D.F scenario 2 path (2) with KAS-FFC shared secret computation. The shared secret computation provides between 112 and 152 bits of encryption strength. KAS-ECC Shared Secret Computation: - The module provides SP800-56Arev3 compliant key establishment according to FIPS 140-3 IG D.F scenario 2 path (2) with KAS-ECC shared secret computation. The shared secret computation provides between 128 and 256 bits of encryption strength. © 2021-2025 Cisco Systems, Inc.
The module supports SSHv2, TLS v1.2, SNMPv3 and IPsec/IKEv2 industrial protocols. Please refer to the Security Function Implementations Table for more information. No parts of IPSec/IKEv2, SNMPv3, SSH and TLS protocols, other than the KDFs, have been tested by the CAVP and CMVP.
Physical Port Logical Data That Passes Interface(s) Ethernet Port, SFP (1G) Data Input Data input into the module for all the services port, SFP+ (10G) port, defined in Approved Services Table, including and Console Port TLSv1.2, SSHv2, SNMPv3 and IPsec/IKEv2 service data. Ethernet Port, SFP (1G) Data Output Data output from the module for all the services port, SFP+ (10G) port defined in Approved Services Table, including and Console Port TLSv1.2, SSHv2, SNMPv3 and IPsec/IKEv2 service data. Ethernet Port, SFP (1G) Control Control Data input into the module for all the port, SFP+ (10G) port, Input services defined in Approved Services Table, Console Port and RESET including TLSv1.2, SSHv2, SNMPv3 and IPsec/IKEv2 service data. Ethernet Port, SFP (1G) Status Status Information output from the module. port, SFP+ (10G) port, Output Console Port and LEDs N/A Control N/A Output Power Power Provide the Power Supply to the module. Table 10: Ports and Interfaces The module’s physical perimeter encompasses the case of the tested platform mentioned in Table 2. The module provides physical ports which are mapped to logical interfaces provided by the module (data input, data output, control input, control output and status output) as above. The module’s data output interface will be disabled when performing pre-operational self-tests, loading new firmware, zeroizing keys, or when in an error state.
Method Description Security Strength Strength per Minute Name Mechanism Each Attempt Password The minimum length is Password The probability The probability of eight (8) characters (94 Based that a random successfully possible characters). attempt will authenticating to the The configuration succeed or a module within one supports at most ten false minute is 10/(94^8), failed attempts to acceptance which is less than authenticate in a one- will occur is 1/100,000. minute period. 1/(94^8) which is less than 1/1,000,000. RSA- The modules support RSA SigVer The probability the probability of Based RSA public-key based (FIPS186-4) that a random successfully Certificate authentication (A4446) attempt will authenticating to the mechanism using a succeed is module within a one minimum of RSA 2048 1/(2^112). minute period is bits, which provides 112 Please refer to 17,000 * 60 = bits of security strength. Description 1,020,000/(2^112). The probability that a section in this Please refer to random attempt will table for more Description section in succeed is 1/(2^112) details this table for more which is less than details 1/1,000,000. For multiple attacks during a one-minute period, as the module at its highest can support at most 17,000 new sessions per second to authenticate in a oneminute period, the probability of successfully authenticating to the module within a one minute period is 17,000 * 60 = 1,020,000/(2^112), which is less than 1/100,000. ECDSA- The modules support ECDSA The probability the probability of Based ECDSA public-key SigVer that a random successfully Certificate based authentication (FIPS186-4) attempt will authenticating to the mechanism using a (A4446) succeed is module within a one minimum of curve P- 1/(2^128) minute period is 256, which provides 128 which is less 17,000 * 60 = bits of security strength. than 1,020,000/(2^128). The probability that a 1/1,000,000. Please refer to random attempt will Please refer to Description section in succeed is 1/(2^128) Description © 2021-2025 Cisco Systems, Inc.
Method Description Security Strength Strength per Minute Name Mechanism Each Attempt which is less than section in this this table for more 1/1,000,000. For table for more details multiple attacks during a details one-minute period, as the module at its highest can support at most 17,000 new sessions per second to authenticate in a oneminute period, the probability of successfully authenticating to the module within a one minute period is 17,000 * 60 = 1,020,000/(2^128), which is less than 1/100,000. Table 11: Authentication Methods The module implements identity-based authentication. The module supports Crypto Officer role and the User role. The module also allows the concurrent operators.
Name Type Operator Type Authentication Methods Crypto Officer Identity CO Password RSA-Based Certificate ECDSA-Based Certificate User Identity User Password RSA-Based Certificate ECDSA-Based Certificate Table 12: Roles Unauthenticated Users can run the self-test service by power-cycling the module by removing the power and re-applying.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions Show Provide Global Command Module's None Crypto Status Module's Indicator used to Operationa Officer current show l Status User © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions status or syslog Module's (return message Status codes and/or syslog messages) Show Provide Console Command Module's None Crypto Version Module's message to show ID and Officer name and version versioning User version information information Perform Reload the Global Command Status of None Crypto Self-Tests module to Indicator to trigger the self- Officer perform or syslog reload or tests User Self-Tests message Removal results Unauthentic (Pre- and ated operational reconnecti self-test on of and power Conditional supply Self-Tests) Perform Perform Syslog Command Status of None Crypto Zeroization Zeroization message to zeroize the SSPs Officer the module zeroization - DRBG Entropy Input: Z - DRBG Seed: Z - DRBG Internal State V value: Z - DRBG Key: Z - User Password: Z - Crypto Officer Password: Z - RADIUS Secret: Z - Firmware Load Test Key: Z - SSH DH Private Key: Z - SSH DH © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions Public Key: Z - SSH Peer DH Public Key: Z - SSH DH Shared Secret: Z - SSH ECDH Private Key: Z - SSH ECDH Public Key: Z - SSH Peer ECDH Public Key: Z - SSH ECDH Shared Secret: Z - SSH RSA Private Key: Z - SSH RSA Public Key: Z - SSH ECDSA Private Key: Z - SSH ECDSA Public Key: Z - SSH Session Encryption Key: Z - SSH Session Authenticatio n Key: Z - TLS DH Private Key: Z - TLS DH Public Key: Z © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions - TLS Peer DH Public Key: Z - TLS DH Shared Secret: Z - TLS ECDH Private Key: Z - TLS ECDH Public Key: Z - TLS Peer ECDH Public Key: Z - TLS ECDH Shared Secret: Z - TLS ECDSA Private Key: Z - TLS ECDSA Public Key: Z - TLS RSA Private Key: Z - TLS RSA Public Key: Z - TLS Master Secret: Z - TLS Session Encryption Key: Z - TLS Session Authenticatio n Key: Z - IPSec/IKE DH Private Key: Z - IPSec/IKE DH Public Key: Z © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions - IPSec/IKE Peer DH Public Key: Z - IPSec/IKE DH Shared Secret: Z - IPSec/IKE ECDH Private Key: Z - IPSec/IKE ECDH Public Key: Z - IPSec/IKE Peer ECDH Public Key: Z - IPSec/IKE ECDH Shared Secret: Z - IPSec/IKE ECDSA Private Key: Z - IPSec/IKE ECDSA Public Key: Z - IPSec/IKE RSA Private Key: Z - IPSec/IKE RSA Public Key: Z - IPSec/IKE Pre-shared Secret: Z SKEYSEED: Z - IPSec/IKE Session Encryption Key: Z - IPSec/IKE Authenticatio © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions n Key: Z - SNMPv3 Shared Secret: Z - SNMPv3 Encryption Key: Z - SNMPv3 Authenticatio n Key: Z Configure Sets None Command Status of None Crypto Network configurati s to the Officer on of the configure completion systems the of network network configurati on status Crypto CO Role N/A CO Status of None Crypto Officer Authenticat Authenticat the CO Officer Authenticat ion ion authenticat - Crypto ion Request ion Officer Password: W,Z User User Role N/A User role Status of None User Authenticat Authenticat authenticat the User - User ion ion ion request role Password: authenticat W,Z ion Configure Configure Global Command Status of KAS-ECC- Crypto SSHv2 SSHv2 Indicator s to the KeyGen Officer Function Function and configure completion (SSHv2) - SSH DH SSHv2 SSHv2 of the KAS-FFC- Private Key: configurat SSHv2 KeyGen W,E ion configurati (SSHv2) - SSH DH success on KAS-ECC Public Key: status (SSHv2) W,E message KAS-FFC - SSH Peer (SSHv2) DH Public KTS Key: W,E (SSHv2 - SSH DH with AES Shared and Secret: W,E HMAC) - SSH ECDH KTS Private Key: (SSHv2 W,E with AES- - SSH ECDH GCM) Public Key: RSA W,E KeyGen - SSH Peer © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions (SSHv2, ECDH TLSv1.2, Public Key: IKEv2) W,E ECDSA - SSH ECDH KeyGen Shared (SSHv2, Secret: W,E TLSv1.2 - SSH RSA and IKEv2) Private Key: RSA W,E SigGen - SSH RSA (SSHv2, Public Key: TLSv1.2, W,E IKEv2) - SSH ECDSA ECDSA SigGen Private Key: (SSHv2, W,E TLSv1.2 - SSH and IKEv2) ECDSA RSA Public Key: SigVer W,E (SSHv2, - SSH TLSv1.2, Session and IKEv2) Encryption ECDSA Key: W,E SigVer - SSH (SSHv2, Session TLSv1.2, Authenticatio and IKEv2) n Key: W,E Block - DRBG Cipher Entropy (SSHv2) Input: W,E MAC - DRBG (SSHv2) Seed: W,E - DRBG Internal State V value: W,E - DRBG Key: W,E - RADIUS Secret: W Configure Configure Global Command Status of KAS-ECC- Crypto HTTPS HTTPS Indicator s to the KeyGen Officer over over and configure completion (TLSv1.2) - TLS DH TLSv1.2 TLSv1.2 HTTPS TLSv1.2 of TLSv1.2 KAS-FFC- Private Key: Function Function over configurati KeyGen W,E TLSv1.2 on (TLSv1.2) - TLS DH configurat KAS-ECC Public Key: ion (TLSv1.2) W,E © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions success KAS-FFC - TLS Peer status (TLSv1.2) DH Public message KTS Key: W,E (TLSv1.2 - TLS DH with AES Shared and Secret: W,E HMAC) - TLS ECDH KTS Private Key: (TLSv1.2 W,E with AES- - TLS ECDH GCM) Public Key: RSA W,E KeyGen - TLS Peer (SSHv2, ECDH TLSv1.2, Public Key: IKEv2) W,E ECDSA - TLS ECDH KeyGen Shared (SSHv2, Secret: W,E TLSv1.2 - TLS and IKEv2) ECDSA RSA Private Key: SigGen W,E (SSHv2, - TLS TLSv1.2, ECDSA IKEv2) Public Key: ECDSA W,E SigGen - TLS RSA (SSHv2, Private Key: TLSv1.2 W,E and IKEv2) - TLS RSA RSA Public Key: SigVer W,E (SSHv2, - TLS Master TLSv1.2, Secret: W,E and IKEv2) - TLS ECDSA Session SigVer Encryption (SSHv2, Key: W,E TLSv1.2, - TLS and IKEv2) Session Block Authenticatio Cipher n Key: W,E (TLSv1.2) - DRBG MAC Entropy (TLSv1.2) Input: W,E - DRBG Seed: W,E - DRBG © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions Internal State V value: W,E - DRBG Key: W,E Configure Configure Global Command Status of KAS-ECC- Crypto IPsec/IKEv IPSec/IKEv Indicator s to the KeyGen Officer
2 Function 2 Function with configure completion (IKEv2) - IPSec/IKE
IPsec/IKE IPsec/IKEv of KAS-FFC- DH Private v2 2 IPsec/IKEv KeyGen Key: W,E configurat 2 (IKEv2) - IPSec/IKE ion configurati KAS-ECC DH Public success on (IKEv2) Key: W,E status KAS-FFC - IPSec/IKE message (IKEv2) Peer DH RSA Public Key: KeyGen W,E (SSHv2, - IPSec/IKE TLSv1.2, DH Shared IKEv2) Secret: W,E ECDSA - IPSec/IKE KeyGen ECDH (SSHv2, Private Key: TLSv1.2 W,E and IKEv2) - IPSec/IKE RSA ECDH SigGen Public Key: (SSHv2, W,E TLSv1.2, - IPSec/IKE IKEv2) Peer ECDH ECDSA Public Key: SigGen W,E (SSHv2, - IPSec/IKE TLSv1.2 ECDH and IKEv2) Shared RSA Secret: W,E SigVer - IPSec/IKE (SSHv2, ECDSA TLSv1.2, Private Key: and IKEv2) W,E ECDSA - IPSec/IKE SigVer ECDSA (SSHv2, Public Key: TLSv1.2, W,E and IKEv2) - IPSec/IKE Block RSA Private Cipher Key: W,E (IPSec/IKE - IPSec/IKE ) RSA Public © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions MAC Key: W,E (IPSec/IKE - IPSec/IKE v2) Pre-shared Secret: W,E SKEYSEED: W,E - IPSec/IKE Session Encryption Key: W,E - IPSec/IKE Authenticatio n Key: W,E - DRBG Entropy Input: W,E - DRBG Seed: W,E - DRBG Internal State V value: W,E - DRBG Key: W,E Run Execute Global Initiate Status of KAS-ECC- Crypto SSHv2 SSHv2 Indicator SSHv2 SSHv2 KeyGen Officer Function Function and tunnel tunnel (SSHv2) - SSH DH successfu establishm establishm KAS-FFC- Private Key: l SSHv2 ent ent KeyGen W,E log (SSHv2) - SSH DH message KAS-ECC Public Key: (SSHv2) W,E KAS-FFC - SSH Peer (SSHv2) DH Public KTS Key: W,E (SSHv2 - SSH DH with AES Shared and Secret: W,E HMAC) - SSH ECDH KTS Private Key: (SSHv2 W,E with AES- - SSH ECDH GCM) Public Key: RSA W,E KeyGen - SSH Peer (SSHv2, ECDH TLSv1.2, Public Key: IKEv2) W,E © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions ECDSA - SSH ECDH KeyGen Shared (SSHv2, Secret: W,E TLSv1.2 - SSH RSA and IKEv2) Private Key: RSA W,E SigGen - SSH RSA (SSHv2, Public Key: TLSv1.2, W,E IKEv2) - SSH ECDSA ECDSA SigGen Private Key: (SSHv2, W,E TLSv1.2 - SSH and IKEv2) ECDSA RSA Public Key: SigVer W,E (SSHv2, - SSH TLSv1.2, Session and IKEv2) Encryption ECDSA Key: W,E SigVer - SSH (SSHv2, Session TLSv1.2, Authenticatio and IKEv2) n Key: W,E Block - DRBG Cipher Entropy (SSHv2) Input: W,E MAC - DRBG (SSHv2) Seed: W,E - DRBG Internal State V value: W,E - DRBG Key: W,E - RADIUS Secret: E User - SSH DH Private Key: W,E - SSH DH Public Key: W,E - SSH Peer DH Public Key: W,E - SSH DH © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions Shared Secret: W,E - SSH ECDH Private Key: W,E - SSH ECDH Public Key: W,E - SSH Peer ECDH Public Key: W,E - SSH ECDH Shared Secret: W,E - SSH RSA Private Key: W,E - SSH RSA Public Key: W,E - SSH ECDSA Private Key: W,E - SSH ECDSA Public Key: W,E - SSH Session Encryption Key: W,E - SSH Session Authenticatio n Key: W,E - DRBG Entropy Input: W,E - DRBG Seed: W,E - DRBG Internal State V value: W,E - DRBG Key: W,E © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions - RADIUS Secret: E Run Execute Global Initiate Status of KAS-ECC- Crypto HTTPS HTTPS Indicator TLSv1.2 TLSv1.2 KeyGen Officer over over and tunnel tunnel (TLSv1.2) - TLS DH TLSv1.2 TLSv1.2 successfu establishm establishm KAS-FFC- Private Key: Function function l HTTPS ent request ent KeyGen W,E over (TLSv1.2) - TLS DH TLSv1.2 KAS-ECC Public Key: log (TLSv1.2) W,E message KAS-FFC - TLS Peer (TLSv1.2) DH Public KTS Key: W,E (TLSv1.2 - TLS DH with AES Shared and Secret: W,E HMAC) - TLS ECDH KTS Private Key: (TLSv1.2 W,E with AES- - TLS ECDH GCM) Public Key: RSA W,E KeyGen - TLS Peer (SSHv2, ECDH TLSv1.2, Public Key: IKEv2) W,E ECDSA - TLS ECDH KeyGen Shared (SSHv2, Secret: W,E TLSv1.2 - TLS and IKEv2) ECDSA RSA Private Key: SigGen W,E (SSHv2, - TLS TLSv1.2, ECDSA IKEv2) Public Key: ECDSA W,E SigGen - TLS RSA (SSHv2, Private Key: TLSv1.2 W,E and IKEv2) - TLS RSA RSA Public Key: SigVer W,E (SSHv2, - TLS Master TLSv1.2, Secret: W,E and IKEv2) - TLS ECDSA Session SigVer Encryption (SSHv2, Key: W,E © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions TLSv1.2, - TLS and IKEv2) Session Block Authenticatio Cipher n Key: W,E (TLSv1.2) - DRBG MAC Entropy (TLSv1.2) Input: W,E - DRBG Seed: W,E - DRBG Internal State V value: W,E - DRBG Key: W,E User - TLS DH Private Key: W,E - TLS DH Public Key: W,E - TLS Peer DH Public Key: W,E - TLS DH Shared Secret: W,E - TLS ECDH Private Key: W,E - TLS ECDH Public Key: W,E - TLS Peer ECDH Public Key: W,E - TLS ECDH Shared Secret: W,E - TLS ECDSA Private Key: W,E - TLS ECDSA Public Key: W,E © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions - TLS RSA Private Key: W,E - TLS RSA Public Key: W,E - TLS Master Secret: W,E - TLS Session Encryption Key: W,E - TLS Session Authenticatio n Key: W,E - DRBG Entropy Input: W,E - DRBG Seed: W,E - DRBG Internal State V value: W,E - DRBG Key: W,E Run Execute Global Initiate Status of KAS-ECC- Crypto IPSec/IKEv IPsec/IKEv Indicator IPsec/IKEv IPSec/IKE KeyGen Officer
2 Function 2 Function and 2 tunnel v2 tunnel (IKEv2) - IPSec/IKE
succesful establishm establishm KAS-FFC- DH Private IPsec/IKE ent request ent KeyGen Key: W,E v2 log (IKEv2) - IPSec/IKE message KAS-ECC DH Public (IKEv2) Key: W,E KAS-FFC - IPSec/IKE (IKEv2) Peer DH RSA Public Key: KeyGen W,E (SSHv2, - IPSec/IKE TLSv1.2, DH Shared IKEv2) Secret: W,E ECDSA - IPSec/IKE KeyGen ECDH (SSHv2, Private Key: TLSv1.2 W,E and IKEv2) - IPSec/IKE RSA ECDH SigGen Public Key: © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions (SSHv2, W,E TLSv1.2, - IPSec/IKE IKEv2) Peer ECDH ECDSA Public Key: SigGen W,E (SSHv2, - IPSec/IKE TLSv1.2 ECDH and IKEv2) Shared RSA Secret: W,E SigVer - IPSec/IKE (SSHv2, ECDSA TLSv1.2, Private Key: and IKEv2) W,E ECDSA - IPSec/IKE SigVer ECDSA (SSHv2, Public Key: TLSv1.2, W,E and IKEv2) - IPSec/IKE Block RSA Private Cipher Key: W,E (IPSec/IKE - IPSec/IKE ) RSA Public MAC Key: W,E (IPSec/IKE - IPSec/IKE v2) Pre-shared Secret: W,E SKEYSEED: W,E - IPSec/IKE Session Encryption Key: W,E - IPSec/IKE Authenticatio n Key: W,E - DRBG Entropy Input: W,E - DRBG Seed: W,E - DRBG Internal State V value: W,E - DRBG Key: W,E User - IPSec/IKE © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions DH Private Key: W,E - IPSec/IKE DH Public Key: W,E - IPSec/IKE Peer DH Public Key: W,E - IPSec/IKE DH Shared Secret: W,E - IPSec/IKE ECDH Private Key: W,E - IPSec/IKE ECDH Public Key: W,E - IPSec/IKE Peer ECDH Public Key: W,E - IPSec/IKE ECDH Shared Secret: W,E - IPSec/IKE ECDSA Private Key: W,E - IPSec/IKE ECDSA Public Key: W,E - IPSec/IKE RSA Private Key: W,E - IPSec/IKE RSA Public Key: W,E - IPSec/IKE Pre-shared Secret: W,E SKEYSEED: W,E - IPSec/IKE © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions Session Encryption Key: W,E - IPSec/IKE Authenticatio n Key: W,E - DRBG Entropy Input: W,E - DRBG Seed: W,E - DRBG Internal State V value: W,E - DRBG Key: W,E Configure Configure Global Command Status of Block Crypto SNMPv3 SNMPv3 Indicator s to the Cipher Officer Function Function and configure completion (SNMPv3) - SNMPv3 SNMPv3 SNMPv3 of MAC Shared configurat SNMPv3 (SNMPv3) Secret: W,E ion configurati - SNMPv3 success on Encryption status Key: W,E message - SNMPv3 Authenticatio n Key: W,E Run Execute Global Initiate Status of Block Crypto SNMPv3 SNMPv3 Indicator SNMPv3 SNMPv3 Cipher Officer Function Function and tunnel tunnel (SNMPv3) - SNMPv3 successfu establishm establishm MAC Shared l SNMPv3 ent request ent (SNMPv3) Secret: W,E log - SNMPv3 message Encryption Key: W,E - SNMPv3 Authenticatio n Key: W,E User - SNMPv3 Shared Secret: W,E - SNMPv3 Encryption Key: W,E - SNMPv3 Authenticatio n Key: W,E © 2021-2025 Cisco Systems, Inc.
Name Descriptio Indicator Inputs Outputs Security SSP Access n Functions Firmware Execute Global Command Outcome Firmware Crypto Load Test the indicator s to load of the Load Test Officer Firmware and new Firmware - Firmware Load Test successfu firmware Load Test Load Test l image Key: R Firmware Loading status message Table 13: Approved Services
The module supports the firmware load test by using HMAC-SHA2-512 (HMAC Cert. #A4446) for the new validated firmware to be uploaded into the module. A Firmware Load Test Key was preloaded to the module’s binary at the factory and used for firmware load test. In order to load new firmware, the Crypto Officer must authenticate to the module before loading the firmware. This ensures that unauthorized access and use of the module is not performed. The module will load the new update upon reboot. The update attempt will be rejected if the verification fails. Any firmware loaded into the module that is not shown on the module certificate, is out of scope of this validation and requires a separate FIPS 140-3 validation.
The module implements Self-initiated cryptographic output capability without external operator request. The Crypto Officer shall configure self-initiated cryptographic output capability. Prior to executing the self-initiated cryptographic output capability, the module conducts two independent internal actions to activate the capability to prevent the inadvertent output due to a single error.
The module supports unauthenticated service. The unauthenticated User/Operators can trigger the self-test service by power-cycling the module, and is able to observe the module’s LEDs status. © 2021-2025 Cisco Systems, Inc.
The module is provided in the form of binary executable code. To ensure firmware security, the module is protected by RSA 2048 bits with SHA2-256 (RSA Cert. #A4446) algorithm. A Firmware Integrity Test Key (non-SSP) was preloaded to the module’s binary at the factory and used for firmware integrity test only at the pre-operational self-test. The module uses the RSA
4096 bits modulus public key to verify the digital signature. If the firmware integrity test fails, the
module would enter to an Error state with all crypto functionality inhibited.
Integrity test is performed as part of the Pre-Operational Self-Tests. It is automatically executed at power-on. The operator can power-cycle or reboot the tested platform to initiate the firmware integrity test on-demand.
Type of Operational Environment: Limited
Mechanism Inspection Inspection Guidance Frequency Tamper labels (9) with Part Recommend 30 Visible inspection of platform for number: AIR-AP-FIPSKIT= Days residual evidence of tampering Opacity shield (1) with Part Recommend 30 Visible inspection of platform for number: FPR-2100-FIPS-KIT= Days evidence of tampering, removal or access Table 14: Mechanisms and Actions Required The module utilizes a production-grade enclosure and removable cover along with tamper evidence labels as the physical security mechanisms. Appling Tamper Evidence Labels Step 1: Turn off and unplug the module. Step 2: Clean the chassis of any grease, dirt, oil or any other material other than the surface coating from manufacture before applying the tamper evident labels. Alcohol-based cleaning pads are recommended for this purpose. © 2021-2025 Cisco Systems, Inc.
Step 3: Apply a label to cover the module as shown in the figures below. The tamper evident labels are produced from a special thin gauge vinyl with self-adhesive backing. Any attempt to open the module will damage the tamper evident labels or the material of the security appliance cover. Because the tamper evident labels have non-repeated serial numbers, they may be inspected for damage and compared against the applied serial numbers to verify that the security appliance has not been tampered with. Tamper evident labels can also be inspected for signs of tampering, which include the following: curled corners, rips, and slices. The word “FIPS” may appear if the label was peeled back.
Number: Nine (9) Placement: Figure 3 Module front view with opacity shield Figure 4 FRP 2110/2120 back view TEL 1 Figure 5 FRP 2130/2140 back view TEL 1 TEL 6 © 2021-2025 Cisco Systems, Inc.
TEL 2 TEL 4 TEL 1 TEL 5 TEL 6 TEL 3 Figure 6 FRP 2110/2120 top view with opacity shield TEL 2 TEL 4 TEL 1 TEL 5 TEL 6 TEL 3 Figure 7 FRP 2130/2140 top view with opacity shield © 2021-2025 Cisco Systems, Inc.
TEL 7 TEL 8 TEL 9 Figure 8 Module’s bottom view with opacity shield TEL 6 Figure 9 Module’s left view with opacity shield TEL 3 TEL 2 Figure 10 Module’s right view with opacity shield Surface Preparation: Clean the chassis of any grease, dirt, or oil before applying the tamper evident labels. Alcohol-based cleaning pads are recommended for this purpose. Operator Responsible for Securing Unused Seals: Any unused TELs must be securely stored, accounted for, and maintained by the CO in a protected location. Part Numbers: AIR-AP-FIPSKIT= © 2021-2025 Cisco Systems, Inc.
2110, 2120, 2130, 2140 Opacity Shield FPR-2100-FIPS-KIT= Step 1: Attach the Slide Rail Locking Bracket, #2 in diagram to the Side of the Chassis using the countersink screws #3 in diagram. Step 2: Attach the Cable Management Bracket (#1) to the Slide Rail Locking Bracket (#2) using the countersink screws (#3) Step 3: Route the Cables through the Cable Management Brackets Step 4: Attach the FIPS Opacity Shield (#1) to the Cable Management Brackets (#3) using the countersink screws (#2) © 2021-2025 Cisco Systems, Inc.
Figure 11 Opacity Shield Brackets
Storage Description Persistence Area Type Name DRAM Volatile Memory Dynamic Flash Non-Volatile Memory Static Table 15: Storage Areas
Name From To Format Distributio Entry SFI or Type n Type Type Algorith m Peer Public Key External Module Plaintext Automated Electroni Input (Outside c of the Module's Boundary ) Module Public Module External Plaintext Automated Electroni Key Output (Outside c of the Module's Boundary ) Password/Secre External Module Encrypte Automated Electroni KTS t Input via (Outside d c (SSHv2 SSHv2 of the with AESencrypted by Module's GCM) GCM Boundary ) Password/Secre External Module Encrypte Automated Electroni KTS t Input via (Outside d c (SSHv2 SSHv2 of the with AES encrypted by Module's and AES and HMAC Boundary HMAC) ) Password/Secre External Module Encrypte Automated Electroni KTS t Input via TLS (Outside d c (TLSv1.2 encrypted by of the with AESGCM Module's GCM) Boundary ) Password/Secre External Module Encrypte Automated Electroni KTS t Input via TLS (Outside d c (TLSv1.2 encrypted by of the with AES AES and HMAC Module's and Boundary HMAC) ) © 2021-2025 Cisco Systems, Inc.
Table 16: SSP Input-Output Methods
Zeroization Description Rationale Operator Method Initiation Zeroization CO issues the zeroization command will erase all 'configure Command zeroization SSPs stored in the DRAM or in the factory-default' service Flash of the module. Table 17: SSP Zeroization Methods Please note that the Firmware Load Test Key is only used for Firmware Load Test Authentication and not subject to the zeroization requirement.
Name Description Size - Type - Generat Establish Used By Strength Category ed By ed By DRBG Used to 384 bits - Entropy Counter Entropy seed the at least Input - CSP DRBG Input DRBG 256 bits (A4446) Hash DRBG (DRBG 819) DRBG Seed Used in 256 bits - DRBG Seed Counter DRBG 256 bits - CSP DRBG Generation (A4446) Hash DRBG (DRBG 819) DRBG Used in 256 bits - DRBG Counter Internal DRBG 256 bits Internal DRBG State V Generation State V (A4446) value value - CSP Hash DRBG (DRBG 819) DRBG Key Used in 256 bits - DRBG Key - Counter DRBG 256 bits CSP DRBG Generation (A4446) Hash DRBG (DRBG 819) © 2021-2025 Cisco Systems, Inc.
Name Description Size - Type - Generat Establish Used By Strength Category ed By ed By User User 8-30 Authenticati Password authenticati Characte on Data on rs - 8-30 CSP Characte rs Crypto Crypto 8-30 Authenticati Officer Officer Characte on Data Password authenticati rs - 8-30 CSP on Characte rs RADIUS RADIUS 16 Authenticati Secret Server Characte on Data Authenticati rs - 16 CSP on Characte rs Firmware Used for 112 bits - Public Key - Firmware Load Test Firmware 112 bits CSP Load Test Key Load Test SSH DH Used to MODP- Private Key KAS- KAS-FFCPrivate Key derive the 2048, - CSP FFC- SSC SSH DH MODP- KeyGen Sp800Shared 3072, (SSHv2) 56Ar3 Secret MODP- (A4446)
112-152 bits SSH DH Used to MODP- Public Key - KAS-FFCPublic Key derive SSH 2048, PSP KeyGen DH Shared MODP- (SSHv2) Secret 3072, MODP-
112-152 bits SSH Peer Used to MODP- Public Key - KAS-FFCDH Public derive SSH 2048, PSP SSC Key DH Shared MODP- Sp800Secret 3072, 56Ar3 MODP- (A4446)
112-152 bits SSH DH Used to MODP- Shared KAS-FFC- KDF SSH Shared derive SSH 2048, Secret - SSC (A4446) Secret Session MODP- CSP Sp800Encryption 3072, 56Ar3 Keys, SSH MODP- (A4446) Session 4096 © 2021-2025 Cisco Systems, Inc.
Name Description Size - Type - Generat Establish Used By Strength Category ed By ed By Authenticati 112-152 on Keys bits SSH ECDH Used to Curves: Private Key KAS- KAS-ECCPrivate Key derive the 256, 384, - CSP ECC- SSC SSH ECDH 521 bits - KeyGen Sp800Shared 128 to (SSHv2) 56Ar3 Secret 256 bits (A4446) SSH ECDH Used to Curves: Public Key - KAS-ECCPublic Key derive SSH 256, 384, PSP KeyGen ECDHE 521 bits - (SSHv2) Shared 128-256 Secret bits SSH Peer Used to Curves: Public Key - KAS-ECCECDH derive SSH 256, 384, PSP SSC Public Key DH Shared 521 bits - Sp800Secret 128 to 56Ar3
SSH ECDH Used to Curves: Shared KAS-ECC- KDF SSH Shared derive SSH 256, 384, Secret - SSC (A4446) Secret Session 521 bits - CSP Sp800Encryption 128 to 56Ar3 Keys, SSH 256 bits (A4446) Session Authenticati on Keys SSH RSA Used for Modulus Private Key RSA RSA Private Key SSH 2048 and - CSP KeyGen SigGen session 3072 bits (SSHv2, (FIPS186-4) authenticati - 112- TLSv1.2, (A4446) on 128 bits IKEv2) SSH RSA Used for Modulus Public Key - RSA Public Key SSH 2048 and PSP KeyGen sessions 3072 bits (SSHv2, aiuthenticati - 112- TLSv1.2, on 128 bits IKEv2) SSH Used for Curves: Private Key ECDSA ECDSA ECDSA SSH 256, 384, - CSP KeyGen SigGen Private Key session 521 bits - (SSHv2, (FIPS186-4) authenticati 128 to TLSv1.2 (A4446) on 256 bits and IKEv2) SSH Used for Curves: Public Key - ECDSA ECDSA SSH 256, 384, PSP KeyGen Public Key sessions 521 bits - (FIPS186aiuthenticati 128 to 4) (A4446) on 256 bits © 2021-2025 Cisco Systems, Inc.
Name Description Size - Type - Generat Establish Used By Strength Category ed By ed By SSH Used for 128-256 Session KAS-ECC Block Session SSH bits - Key - CSP (SSHv2) Cipher Encryption Session 128-256 KAS-FFC (SSHv2) Key confidentialit bits (SSHv2) y protection SSH Used for At least Session KAS-ECC MAC Session SSH 160 bits - Key - CSP (IKEv2) (SSHv2) Authenticati Session At least KAS-FFC on Key integrity 160 bits (IKEv2) protection TLS DH Used to Modulus: Private Key KAS- KAS-FFCPrivate Key Derive TLS 2048, - CSP FFC- SSC DH Shared 3072, KeyGen Sp800Secret 4096 bits (TLSv1.2 56Ar3 - 128- ) (A4446)
TLS DH Used to Modulus: Public Key - KAS-FFCPublic Key Derive TS 2048, PSP KeyGen DH Shared 3072, or (TLSv1.2) Secret 4096 bits - 128-
TLS Peer Used to Modulus: Public Key - KAS-FFCDH Public derive IKE 2048, PSP SSC Key DH Shared 3072, or Sp800Secret 4096 bits 56Ar3 - 128- (A4446)
TLS DH Used to Modulus Shared KAS-FFC- TLS v1.2 Shared Derive TLS 2048, Secret - SSC KDF Secret Session 3072, or CSP Sp800- RFC7627 Encryption 4096 - 56Ar3 (A4446) Key and 128-152 (A4446) TLS bits Session Authenticati on Key TLS ECDH Used to Curves Private Key KAS- KAS-ECCPrivate Key Derive TLS P-256, P- - CSP ECC- SSC ECDH 384, and KeyGen Sp800Shared P-521 - (TLSv1.2 56Ar3 Secret 128-256 ) (A4446) bits TLS ECDH Used to Curves Public Key - KAS-ECCPublic Key Derive TS P-256, P- PSP KeyGen ECDH 384, and (TLSv1.2) Shared P-521 Secret © 2021-2025 Cisco Systems, Inc.
Name Description Size - Type - Generat Establish Used By Strength Category ed By ed By 128-256 bits TLS Peer Used to Curves: Public Key - KAS-ECCECDH derive IKE P-256, P- PSP SSC Public Key ECDH 384, P- Sp800Shared 521 - 56Ar3 Secret 128-256 (A4446) bits TLS ECDH Used to Curves Shared KAS-ECC- TLS v1.2 Shared Derive TLS p-256, P- Secret - SSC KDF Secret Session 384, P- CSP Sp800- RFC7627 Encryption 521 - 56Ar3 (A4446) Key and 128-256 (A4446) TLS bits Session Authenticati on Key TLS Used to Curves Private Key ECDSA ECDSA ECDSA support CO P-256, P- - CSP KeyGen SigGen Private Key and Admin 384, P- (SSHv2, (FIPS186-4) HTTPS 521 - TLSv1.2 (A4446) interfaces 128-256 and bits IKEv2) TLS Used to Curves Public Key - ECDSA ECDSA support CO P-256, P- PSP KeyGen Public Key and User 384, P- (SSHv2, HTTPS 521 - TLSv1.2 Interfaces 128-256 and bits IKEv2) TLS RSA Used to Modulus Private Key RSA RSA Private Key support CO 2048 and - CSP KeyGen SigGen and Admin 3072 bits (SSHv2, (FIPS186-4) HTTPS - 112- TLSv1.2, (A4446) Interfaces 128 bits IKEv2) TLS RSA Used to Modulus Public Key - RSA Public Key support CO 2048 and PSP KeyGen and User 3072 bits (SSHv2, HTTPS - 112- TLSv1.2, interfaces 128 bits IKEv2) TLS Master Used to At least Master TLS v1.2 Secret protect 112 bits - Secret - KDF HTTPS At least CSP RFC7627 Session. 112 bits (A4446) Pre-master secret TLS Used to 128-256 Session KAS-ECC Block Session protect bits - Key - CSP (TLSv1.2) Cipher HTTPS (TLSv1.2) © 2021-2025 Cisco Systems, Inc.
Name Description Size - Type - Generat Establish Used By Strength Category ed By ed By Encryption Session. 128-256 KAS-FFC Key TLS Master bits (TLSv1.2) secret TLS Used to at least Session KAS-ECC MAC Session protect 112 bits - Key - CSP (TLSv1.2) (TLSv1.2) Authenticati HTTPS at least KAS-FFC on Key Session. 112 bits (TLSv1.2) TLS master secret IPSec/IKE Used to MODP- Private Key KAS- KAS-FFCDH Private derive 2048, - CSP FFC- SSC Key IPSec/IKE MODP- KeyGen Sp800DH Shared 3072, (IKEv2) 56Ar3 Secret MODP- (A4446)
112-152 bits IPSec/IKE Used to MODP- Public Key - KAS-FFCDH Public derive 2048, PSP KeyGen Key IPSec/IKE MODP- (IKEv2) DH Shared 3072, Secret MODP-
112-152 bits IPSec/IKE Used to MODP- Public Key - KAS-FFCPeer DH derive 2048, PSP SSC Public Key IPSec/IKE MODP- Sp800DH Shared 3072, 56Ar3 Secret MODP- (A4446)
112-152 bits IPSec/IKE Used to MODP- Shared KAS-FFC- KDF IKEv2 DH Shared derive 2048, Secret - SSC (A4446) Secret IPSec/IKE MODP- CSP Sp800Session 3072, 56Ar3 Encryption MODP- (A4446) Keys, 4096 IPSec/IKE 112-152 Authenticati bits on Keys IPSec/IKE Used to Curves Private Key KAS- KAS-ECCECDH derive P-256, P- - CSP ECC- SSC Private Key IPSec/IKE 384, P- KeyGen Sp800ECDH 521 - (IKEv2) 56Ar3 Shared 128-256 (A4446) Secrets bits © 2021-2025 Cisco Systems, Inc.
Name Description Size - Type - Generat Establish Used By Strength Category ed By ed By IPSec/IKE Used to Curves Public Key - KAS-ECCECDH derive P-256, P- PSP KeyGen Public Key IPSec/IKE 384, P- (IKEv2) ECDH 521 Shared 128-256 Secrets bits IPSec/IKE Used to Curves Public Key - KAS-ECCPeer ECDH derive P-256, P- PSP SSC Public Key IPSec/IKE 384, P- Sp800ECDH 521 - 56Ar3 Shared 128-256 (A4446) Secrets bits IPSec/IKE Used to Curves Shared KAS-ECC- KDF IKEv2 ECDH derive P-256, P- Secret - SSC (A4446) Shared IPSec/IKE 384, P- CSP Sp800Secret ECDH 521 - 56Ar3 Shared 128-256 (A4446) Secrets bits IPSec/IKE Used for Curves Private Key ECDSA ECDSA ECDSA IPSec/IKE P-256, P- - CSP KeyGen SigGen Private Key peer 384, P- (SSHv2, (FIPS186-4) authenticati 521 - TLSv1.2 (A4446) on 128-256 and bits IKEv2) IPSec/IKE Used for Curves Public Key - ECDSA ECDSA IPSec/IKE P-256, P- PSP KeyGen Public Key peer 384, P- (SSHv2, authenticati 521 - TLSv1.2 on 128-256 and bits IKEv2) IPSec/IKE Used for Modulus Private Key RSA RSA RSA Private IPSec/IKE 2048 or - CSP KeyGen SigGen Key peer 3072 - (SSHv2, (FIPS186-4) authenticati 112 or TLSv1.2, (A4446) on 128 bits IKEv2) IPSec/IKE Used for Modulus Public Key - RSA RSA Public IPSec/IKE 2048 or PSP KeyGen Key peer 3072 - (SSHv2, authenticati 112 or TLSv1.2, on 128 bits IKEv2) IPSec/IKE Used for 16-32 shared Pre-shared IPSec/IKE bytes secret Secret peer character CSP authenticati s - 16-32 on bytes character s © 2021-2025 Cisco Systems, Inc.
Name Description Size - Type - Generat Establish Used By Strength Category ed By ed By SKEYSEED Keying 160 bits - Keying KDF IKEv2 material 160 bits Material - (A4446) used to CSP derive the IPSec/IKE Session Encryption Key and IPSec/IKE Authenticati on Key IPSec/IKE Used to 128-256 Session KAS-ECC Block Session secure bits - Key - CSP (IKEv2) Cipher Encryption IPSec/IKEv2 128-256 KAS-FFC (IPSec/IKE) Key session bits (IKEv2) confidentialit y IPSec/IKE Used to at least Session KAS-ECC MAC Authenticati secure 160 bits - Key - CSP (IKEv2) (IPSec/IKEv on Key IPSec/IKEv2 at least KAS-FFC 2) session 160 bits (IKEv2) integrity SNMPv3 Used for 8-32 Authenticati Shared SNMPv3 character on Secret Secret user s - N/A CSP authenticati on SNMPv3 Used to 128 bits - Encryption KDF Block Encryption protect 128 bits Key - CSP SNMP Cipher Key SNMPv3 (A4446) (SNMPv3) traffic confidentialit y SNMPv3 Used to At least Authenticati KDF MAC Authenticati secure 112 bits - on Key - SNMP (SNMPv3) on Key SNMPv3 At least CSP (A4446) traffic 112 bits integrity Table 18: SSP Table 1 Name Input - Output Storage Storage Zeroizatio Related SSPs Duration n DRBG DRAM:Plainte Until Zeroizatio DRBG Entropy xt Reboot n Seed:Used With Input Command DRBG Internal State V value:Used With © 2021-2025 Cisco Systems, Inc.
Name Input - Output Storage Storage Zeroizatio Related SSPs Duration n DRBG Key:Used With DRBG Seed DRAM:Plainte Until Zeroizatio DRBG Entropy xt Reboot n Input:Used With Command DRBG Internal State V value:Used With DRBG Key:Used With DRBG DRAM:Plainte Until Zeroizatio DRBG Entropy Internal xt Reboot n Input:Used With State V Command DRBG value Seed:Used With DRBG Key:Used With DRBG Key DRAM:Plainte Until Zeroizatio DRBG Entropy xt Reboot n Input:Used With Command DRBG Seed:Used With DRBG Internal State V value:Used With User Password/Sec Flash:Encrypt Zeroizatio Password ret Input via ed n TLS encrypted Command by GCM Password/Sec ret Input via TLS encrypted by AES and HMAC Password/Sec ret Input via SSHv2 encrypted by GCM Password/Sec ret Input via SSHv2 encrypted by AES and HMAC Crypto Password/Sec Flash:Encrypt Zeroizatio Officer ret Input via ed n Password TLS encrypted Command by GCM Password/Sec ret Input via © 2021-2025 Cisco Systems, Inc.
Name Input - Output Storage Storage Zeroizatio Related SSPs Duration n TLS encrypted by AES and HMAC Password/Sec ret Input via SSHv2 encrypted by GCM Password/Sec ret Input via SSHv2 encrypted by AES and HMAC RADIUS Password/Sec Flash:Plaintex Zeroizatio Secret ret Input via t n TLS encrypted Command by GCM Password/Sec ret Input via TLS encrypted by AES and HMAC Password/Sec ret Input via SSHv2 encrypted by GCM Password/Sec ret Input via SSHv2 encrypted by AES and HMAC Firmware Flash:Plaintex N/A Load Test t Key SSH DH DRAM:Plainte While SSH Zeroizatio SSH DH Public Private Key xt tunnel is n Key:Paired With on Command SSH Peer DH Public Key:Used With SSH DH Module Public DRAM:Plainte While SSH Zeroizatio SSH DH Private Public Key Key Output xt tunnel is n Key:Paired With on Command SSH Peer Peer Public DRAM:Plainte While SSH Zeroizatio SSH DH Private DH Public Key Input xt tunnel is n Key:Used With Key on Command © 2021-2025 Cisco Systems, Inc.
Name Input - Output Storage Storage Zeroizatio Related SSPs Duration n SSH DH DRAM:Plainte While SSH Zeroizatio SSH DH Private Shared xt tunnel is n Key:Derived From Secret on Command SSH DH Public Key:Derived From SSH ECDH DRAM:Plainte While SSH Zeroizatio SSH ECDH Private Key xt tunnel is n Public Key:Paired on Command With SSH Peer ECDH Public Key:Used With SSH ECDH Module Public DRAM:Plainte While SSH Zeroizatio SSH ECDH Public Key Key Output xt tunnel is n Private on Command Key:Paired With SSH Peer Peer Public DRAM:Plainte While SSH Zeroizatio SSH ECDH ECDH Key Input xt tunnel is n Private Key:Used Public Key on Command With SSH ECDH DRAM:Plainte While SSH Zeroizatio SSH ECDH Shared xt tunnel is n Private Secret on Command Key:Derived From SSH ECDH Public Key:Derived From SSH RSA Flash:Plaintex Zeroizatio SSH RSA Public Private Key t n Key:Paired With Command SSH RSA Module Public Flash:Plaintex Zeroizatio SSH RSA Private Public Key Key Output t n Key:Paired With Command SSH Flash:Plaintex Zeroizatio SSH ECDSA ECDSA t n Public Key:Paired Private Key Command With SSH Module Public Flash:Plaintex Zeroizatio SSH ECDSA ECDSA Key Output t n Private Public Key Command Key:Paired With SSH DRAM:Plainte While SSH Zeroizatio SSH Session Session xt tunnel is n Authentication Encryption on Command Key:Used With Key SSH DRAM:Plainte While SSH Zeroizatio SSH Session Session xt tunnel is n Encryption Authenticati on Command Key:Used With on Key TLS DH DRAM:Plainte While TLS Zeroizatio TLS DH Public Private Key xt tunnel is n Key:Paired With on Command TLS Peer DH Public Key:Used With © 2021-2025 Cisco Systems, Inc.
Name Input - Output Storage Storage Zeroizatio Related SSPs Duration n TLS DH Module Public DRAM:Plainte While TLS Zeroizatio TLS DH Private Public Key Key Output xt tunnel is n Key:Paired With on Command TLS Peer Peer Public DRAM:Plainte while TLS Zeroizatio TLS DH Private DH Public Key Input xt tunnel is n Key:Used With Key on Command TLS DH DRAM:Plainte While TLS Zeroizatio TLS ECDH Shared xt tunnel is n Private Secret on Command Key:Derived From TLS Peer ECDH Public Key:Derived From TLS ECDH DRAM:Plainte While TLS Zeroizatio TLS ECDH Public Private Key xt tunnel is n Key:Paired With on Command TLS Peer ECDH Public Key:Used With TLS ECDH Module Public DRAM:Plainte While TLS Zeroizatio TLS ECDH Public Key Key Output xt tunnel is n Private on Command Key:Paired With TLS Peer Peer Public DRAM:Plainte while TLS Zeroizatio TLS ECDH ECDH Key Input xt tunnel is n Private Key:Used Public Key on Command With TLS ECDH DRAM:Plainte While TLS Zeroizatio TLS ECDH Shared xt tunnel is n Private Secret on Command Key:Derived From TLS Peer ECDH Public Key:Derived From TLS ECDSA Flash:Plaintex Zeroizatio TLS ECDSA Private Key t n Public Key:Paired Command With TLS ECDSA Module Public Flash:Plaintex Zeroizatio TLS ECDSA Public Key Key Output t n Private Command Key:Paired With TLS RSA Flash:Plaintex Zeroizatio TLS RSA Public Private Key t n Key:Paired With Command TLS RSA Module Public Flash:Plaintex Zeroizatio TLS RSA Private Public Key Key Output t n Key:Paired With Command TLS Master DRAM:Plainte While TLS Zeroizatio TLS ECDH Secret xt tunnel is n Shared on Command Secret:Derived From TLS DRAM:Plainte While TLS Zeroizatio TLS Session Session xt tunnel is n Authentication on Command Key:Used With © 2021-2025 Cisco Systems, Inc.
Name Input - Output Storage Storage Zeroizatio Related SSPs Duration n Encryption Key TLS DRAM:Plainte While TLS Zeroizatio TLS Session Session xt tunnel is n Encryption Authenticati on Command Key:Used With on Key IPSec/IKE DRAM:Plainte While Zeroizatio IPSec/IKE DH DH Private xt IPSec/IKE n Public Key:Paired Key v2 tunnel Command With is on IPSec/IKE Peer DH Public Key:Used With IPSec/IKE Module Public DRAM:Plainte While Zeroizatio IPSec/IKE DH DH Public Key Output xt IPSec/IKE n Private Key v2 tunnel Command Key:Paired With is on IPSec/IKE Peer Public DRAM:Plainte while Zeroizatio IPsec/IKE DH Peer DH Key Input xt IPSec/IKE n Private Key:Used Public Key tunnel is Command With on IPSec/IKE DRAM:Plainte While Zeroizatio SKEYSEED:Used DH Shared xt IPSec/IKE n With Secret v2 tunnel Command is on IPSec/IKE DRAM:Plainte While Zeroizatio IPSec/IKE ECDH ECDH xt IPSec/IKE n Public Key:Paired Private Key v2 tunnel Command With is on IPSec/IKE Peer ECDH Public Key:Used With IPSec/IKE Module Public DRAM:Plainte While Zeroizatio IPSec/IKE ECDH ECDH Key Output xt IPSec/IKE n Private Public Key v2 tunnel Command Key:Paired With is on IPSec/IKE Peer Public DRAM:Plainte While Zeroizatio IPSec/IKE ECDH Peer ECDH Key Input xt IPSec/IKE n Private Key:Used Public Key v2 tunnel Command With is on IPSec/IKE DRAM:Plainte While Zeroizatio SKEYSEED:Used ECDH xt IPSec/IKE n With Shared v2 tunnel Command Secret is on IPSec/IKE Flash:Plaintex Zeroizatio IPSec/IKE ECDSA t n ECDSA Public Private Key Command Key:Paired With IPSec/IKE Module Public Flash:Plaintex Zeroizatio IPSec/IKE ECDSA Key Output t n ECDSA Private Public Key Command Key:Paired With © 2021-2025 Cisco Systems, Inc.
Name Input - Output Storage Storage Zeroizatio Related SSPs Duration n IPSec/IKE Flash:Plaintex Zeroizatio IPSec/IKE RSA RSA Private t n Public Key:Paired Key Command With IPSec/IKE Module Public Flash:Plaintex Zeroizatio IPSec/IKE RSA RSA Public Key Output t n Private Key Command Key:Paired With IPSec/IKE Password/Sec DRAM:Plainte While Zeroizatio SKEYSEED:Deriv Pre-shared ret Input via xt IPSec/IKE n ed to Secret SSHv2 v2 tunnel Command encrypted by is on GCM Password/Sec ret Input via SSHv2 encrypted by AES and HMAC Password/Sec ret Input via TLS encrypted by GCM Password/Sec ret Input via TLS encrypted by AES and HMAC SKEYSEED DRAM:Plainte While Zeroizatio IPSec/IKE DH xt IPSec/IKE n Shared v2 tunnel Command Secret:Derived is on From IPSec/IKE ECDH Shared Secret:Derived From IPSec/IKE Preshared Secret:Derived From IPSec/IKE DRAM:Plainte While Zeroizatio IPSec/IKE DH Session xt IPSec/IKE n Shared Encryption v2 tunnel Command Secret:Derived Key is on From IPSec/IKE ECDH Shared Secret:Derived From © 2021-2025 Cisco Systems, Inc.
Name Input - Output Storage Storage Zeroizatio Related SSPs Duration n IPSec/IKE DRAM:Plainte While Zeroizatio IPSec/IKE DH Authenticati xt IPSec/IKE n Shared on Key v2 tunnel Command Secret:Derived is on From IPSec/IKE ECDH Shared Secret:Derived From SNMPv3 Password/Sec DRAM:Plainte While Zeroizatio SNMPv3 Shared ret Input via xt SNMPv3 n Encryption Secret TLS encrypted tunnel is Command Key:Derive To by GCM on SNMPv3 Password/Sec Authentication ret Input via Key:Derive To TLS encrypted by AES and HMAC Password/Sec ret Input via SSHv2 encrypted by GCM Password/Sec ret Input via SSHv2 encrypted by AES and HMAC SNMPv3 DRAM:Plainte While Zeroizatio SNMPv3 Shared Encryption xt SNMPv3 n Secret:Derived Key tunnel is Command From on SNMPv3 DRAM:Plainte While Zeroizatio SNMPv3 Shared Authenticati xt SNMPv3 n Secret:Derived on Key tunnel is Command From on SNMPv3 Encryption Key:Used With Table 19: SSP Table 2
FIPS 186-4 to 186-5 As of February 5, 2024, the CMVP does not accept module submissions that implement DSA or RSA X9.31 in the approved mode, other than for signature verification which is approved for legacy use. This module does not implement DSA or RSA X9.31 for signature generation and therefore is unaffected by the current transition from 186-4 to 186-5. As detailed in section 2.7, © 2021-2025 Cisco Systems, Inc.
the CAVP testing performed on the 186-4 algorithms is mathematically similar to the testing performed on the 186-5 algorithms and therefore this module claims compliance with 186-5. This means that no timeline exists in which any of the implemented algorithms will transition from approved to non-approved.
Algorithm or Test Test Properties Test Test Type Indicator Details Method RSA SigVer RSA SigVer 2048 KAT SW/FW Module is in RSA (FIPS186-4) bits with SHA2-512 Integrity normal state SigVer (A4446) Table 20: Pre-Operational Self-Tests The module performs the following self-tests, including the pre-operational self-tests and Conditional self-tests. Prior to the module providing any data output via the data output interface, the module performs and passes the pre-operational self-tests. Following the successful pre-operational self-tests, the module executes the Conditional Cryptographic Algorithm Self-tests (CASTs). If anyone of the self-tests fails, the module transitions into an error state and outputs the error message via the module’s status output interface. While the module is in the error state, all data through the data output interface and all cryptographic operations are disabled. The error state can only be cleared by reloading the module. All self-tests must be completed successfully before the module transitions to the operational state.
Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type AES-CBC 256 bits KAT CAST Module is Encrypt Power Up Encrypt KAT in normal (A4446) state AES-CBC 256 bits KAT CAST Module is Decrypt Power Up Decrypt KAT in normal (A4446) state AES-GCM 256 bits KAT CAST Module is Authenticated Power Up Authenticated in normal Encrypt Encrypt KAT state (A4446) AES-GCM 256 bits KAT CAST Module is Authenticated Power Up Authenticated in normal Decrypt Decrypt KAT state (A4446) © 2021-2025 Cisco Systems, Inc.
Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type Counter AES-128 KAT CAST Module is Instantiate KAT Power Up DRBG in normal Instantiate state KAT (A4446) Counter AES-128 KAT CAST Module is Reseed KAT Power Up DRBG in normal Reseed KAT state (A4446) Counter AES-128 KAT CAST Module is Generate KAT Power Up DRBG in normal Generate state KAT (A4446) ECDSA P-256 KAT CAST Module is ECDSA Power Up SigGen curve with in normal SigGen KAT (FIPS186-4) SHA2-256 state KAT (A4446) ECDSA P-256 KAT CAST Module is ECDSA SigVer Power Up SigVer curve with in normal KAT (FIPS186-4) SHA2-256 state KAT (A4446) HMAC-SHA-1 SHA-1 KAT CAST Module is HMAC-SHA-1 Power Up KAT (A4446) in normal state HMAC-SHA2- SHA2-256 KAT CAST Module is HMAC-SHA2- Power Up
256 KAT in normal 256
(A4446) state HMAC-SHA2- SHA2-384 KAT CAST Module is HMAC-SHA2- Power Up
384 KAT in normal 384
(A4446) state HMAC-SHA2- SHA2-512 KAT CAST Module is HMAC-SHA2- Power Up
512 KAT in normal 512
(A4446) state KAS-ECC- P-256 KAT CAST Module is Primitive Z KAT Power Up SSC Sp800- Curve in normal 56Ar3 KAT state (A4446) KAS-FFC- MODP- KAT CAST Module is Primitive Z KAT Power Up SSC Sp800- 2048 in normal 56Ar3 KAT state (A4446) RSA SigGen 2048 bit KAT CAST Module is RSA SigGen Power Up (FIPS186-4) modulus in normal KAT KAT (A4446) with SHA2- state RSA SigVer 2048 bit KAT CAST Module is RSA SigVer Power Up (FIPS186-4) modulus in normal KAT KAT (A4446) with SHA2- state © 2021-2025 Cisco Systems, Inc.
Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type KDF IKEv2 N/A KAT CAST Module is N/A Power Up KAT (A4446) in normal state KDF SNMP N/A KAT CAST Module is N/A Power Up KAT (A4446) in normal state KDF SSH N/A KAT CAST Module is N/A Power Up KAT (A4446) in normal state TLS v1.2 KDF N/A KAT CAST Module is N/A Power Up RFC7627 in normal KAT (A4446) state SHA-1 KAT N/A KAT CAST Module is N/A Power Up (A4446) in normal state AES-CBC 128 bits KAT CAST Module is Encrypt KAT Power Up Encrypt KAT in normal (AES 3301) state AES-CBC 128 bits KAT CAST Module is Decrypt KAT Power Up Decrypt KAT in normal (AES 3301) state AES-GCM 128 bits KAT CAST Module is Authenticated Power Up Authenticated in normal Encrypt KAT Encrypt KAT state (AES 3301) AES-GCM 128 bits KAT CAST Module is Authenticated Power Up Authenticated in normal Decrypt KAT Decrypt KAT state (AES 3301) Hash DRBG SHA2-512 KAT CAST Module is Instantiate KAT Power Up Instantiate in normal KAT (DRBG state 819) Hash DRBG SHA2-512 KAT CAST Module is Reseed KAT Power Up Reseed KAT in normal (DRBG 819) state Hash DRBG SHA2-512 KAT CAST Module is Generate KAT Power Up Generate in normal KAT (DRBG state 819) HMAC-SHA-1 SHA-1 KAT CAST Module is HMAC-SHA-1 Power Up KAT (HMAC in normal 2095) state HMAC-SHA2- SHA2-256 KAT CAST Module is HMAC-SHA2- Power Up
256 KAT in normal 256
(HMAC 2095) state © 2021-2025 Cisco Systems, Inc.
Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type HMAC-SHA2- SHA2-384 KAT CAST Module is HMAC-SHA2- Power Up
384 KAT in normal 384
(HMAC 2095) state HMAC-SHA2- SHA2-512 KAT CAST Module is HMAC-SHA2- Power Up
512 KAT in normal 512
(HMAC 2095) state SHA-1 KAT N/A KAT CAST Module is N/A Power Up (SHS 2737) in normal state ECDSA Curve P- PCT PCT Module is ECDSA Performs all KeyGen 256 with in normal required (FIPS186-4) SHA2-256 state pair-wise PCT (A4446) consistency tests on the newly generated key pairs before the first operational use. RSA KeyGen 2048 bit PCT PCT Module is RSA Performs all (FIPS186-4) Modulus in normal required PCT (A4446) state pair-wise consistency tests on the newly generated key pairs before the first operational use. KAS-ECC- Curve P- PCT PCT Module is N/A Performs all SSC Sp800- 256 with in normal required 56Ar3 PCT SHA2-256 state pair-wise (A4446) consistency tests on the newly generated key pairs before the first operational use. KAS-FFC- MODP- PCT PCT Module is N/A Performs all SSC Sp800- 2048 in normal required state pair-wise © 2021-2025 Cisco Systems, Inc.
Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type 56Ar3 PCT consistency (A4446) tests on the newly generated key pairs before the first operational use. Firmware HMAC- KAT SW/FW Module is N/A When Load Test SHA2-512 Load in normal firmware has state been uploaded to the module Entropy 90B Repetition RCT CAST Module is Designed to Power Up Start-up Count Test in normal quickly detect Repetition state catastrophic Count Test failures that (RCT) cause the noise source to become "stuck" on a single output value for a long period of time Entropy 90B Adaptive APT CAST Module is Designed to Power Up Start-up Proportion in normal detect a large Adaptive Test state loss of entropy Proportion that might Test (APT) occur as a result of some physical failure or environmental change affecting the noise source Entropy 90B Repetition RCT CAST Module is Designed to Entropy data Continuous Count Test in normal quickly detect is generated Repetition state catastrophic from the Count Test failures that Entropy (RCT) cause the noise Source source to Continuous become "stuck" on a single output value for a long period of time © 2021-2025 Cisco Systems, Inc.
Algorithm or Test Test Test Indicator Details Conditions Test Properties Method Type Entropy 90B Adaptive APT CAST Module is Designed to Entropy data Continuous Proportion in normal detect a large is generated Adaptive Test state loss of entropy from the Proportion that might Entropy Test (APT) occur as a Source result of some Continuous physical failure or environmental change affecting the noise source Table 21: Conditional Self-Tests The module performs on-demand self-tests initiated by the operator, by powering off and powering the module back on. The full suite of self-tests is then executed. The same procedure may be employed by the operator to perform periodic self-tests.
Algorithm or Test Method Test Type Period Periodic Test Method RSA SigVer KAT SW/FW Integrity Recommend 60 Reboot (FIPS186-4) Days (A4446) Table 22: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC KAT CAST Recommend 60 Reboot Encrypt KAT Days (A4446) AES-CBC KAT CAST Recommend 60 Reboot Decrypt KAT Days (A4446) AES-GCM KAT CAST Recommend 60 Reboot Authenticated Days Encrypt KAT (A4446) AES-GCM KAT CAST Recommend 60 Reboot Authenticated Days Decrypt KAT (A4446) Counter DRBG KAT CAST Recommend 60 Reboot Instantiate KAT Days (A4446) © 2021-2025 Cisco Systems, Inc.
Algorithm or Test Method Test Type Period Periodic Test Method Counter DRBG KAT CAST Recommend 60 Reboot Reseed KAT Days (A4446) Counter DRBG KAT CAST Recommend 60 Reboot Generate KAT Days (A4446) ECDSA SigGen KAT CAST Recommend 60 Reboot (FIPS186-4) Days KAT (A4446) ECDSA SigVer KAT CAST Recommend 60 Reboot (FIPS186-4) Days KAT (A4446) HMAC-SHA-1 KAT CAST Recommend 60 Reboot KAT (A4446) Days HMAC-SHA2- KAT CAST Recommend 60 Reboot
256 KAT Days
(A4446) HMAC-SHA2- KAT CAST Recommend 60 Reboot
384 KAT Days
(A4446) HMAC-SHA2- KAT CAST Recommend 60 Reboot
512 KAT Days
(A4446) KAS-ECC-SSC KAT CAST Recommend 60 Reboot Sp800-56Ar3 Days KAT (A4446) KAS-FFC-SSC KAT CAST Recommend 60 Reboot Sp800-56Ar3 Days KAT (A4446) RSA SigGen KAT CAST Recommend 60 Reboot (FIPS186-4) Days KAT (A4446) RSA SigVer KAT CAST Recommend 60 Reboot (FIPS186-4) Days KAT (A4446) KDF IKEv2 KAT KAT CAST Recommend 60 Reboot (A4446) Days KDF SNMP KAT KAT CAST Recommend 60 Reboot (A4446) Days KDF SSH KAT KAT CAST Recommend 60 Reboot (A4446) Days TLS v1.2 KDF KAT CAST Recommend 60 Reboot RFC7627 KAT Days (A4446) SHA-1 KAT KAT CAST Recommend 60 Reboot (A4446) Days © 2021-2025 Cisco Systems, Inc.
Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC KAT CAST Recommend 60 Reboot Encrypt KAT Days (AES 3301) AES-CBC KAT CAST Recommend 60 Reboot Decrypt KAT Days (AES 3301) AES-GCM KAT CAST Recommend 60 Reboot Authenticated Days Encrypt KAT (AES 3301) AES-GCM KAT CAST Recommend 60 Reboot Authenticated Days Decrypt KAT (AES 3301) Hash DRBG KAT CAST Recommend 60 Reboot Instantiate KAT Days (DRBG 819) Hash DRBG KAT CAST Recommend 60 Reboot Reseed KAT Days (DRBG 819) Hash DRBG KAT CAST Recommend 60 Reboot Generate KAT Days (DRBG 819) HMAC-SHA-1 KAT CAST Recommend 60 Reboot KAT (HMAC Days 2095) HMAC-SHA2- KAT CAST Recommend 60 Reboot
256 KAT (HMAC Days
2095) HMAC-SHA2- KAT CAST Recommend 60 Reboot
384 KAT (HMAC Days
2095) HMAC-SHA2- KAT CAST Recommend 60 Reboot
512 KAT (HMAC Days
2095) SHA-1 KAT KAT CAST Recommend 60 Reboot (SHS 2737) Days ECDSA KeyGen PCT PCT Recommend 60 Reboot (FIPS186-4) Days PCT (A4446) RSA KeyGen PCT PCT Recommend 60 Reboot (FIPS186-4) Days PCT (A4446) KAS-ECC-SSC PCT PCT Recommend 60 Reboot Sp800-56Ar3 Days PCT (A4446) © 2021-2025 Cisco Systems, Inc.
Algorithm or Test Method Test Type Period Periodic Test Method KAS-FFC-SSC PCT PCT Recommend 60 Reboot Sp800-56Ar3 Days PCT (A4446) Firmware Load KAT SW/FW Load N/A N/A Test Entropy 90B RCT CAST N/A N/A Start-up Repetition Count Test (RCT) Entropy 90B APT CAST N/A N/A Start-up Adaptive Proportion Test (APT) Entropy 90B RCT CAST N/A N/A Continuous Repetition Count Test (RCT) Entropy 90B APT CAST N/A N/A Continuous Adaptive Proportion Test (APT) Table 23: Conditional Periodic Information
Name Description Conditions Recovery Indicator Method Error If self-test tests fail, the module is Self-test Reboot the System State put into an error state failure module Halt Table 24: Error States If any of the above-mentioned self-tests fail, the module reports the error and enters the Error state. In the Error State, no cryptographic services are provided, and data output is prohibited. The only method to recover from the error state is to reboot the module and perform the selftests, including the pre-operational firmware integrity test and the conditional CASTs. The module will only enter into the operational state after successfully passing the pre-operational firmware integrity test and the conditional CASTs.
The validated module firmware was installed onto the respective test platforms listed in Table 2 above. The Crypto Officer must configure and enforce the following initialization steps: Step 1: The Crypto Officer must install opacity shields as described in section 7 above. Step 2: The Crypto Officer must apply tamper evidence labels as described in section 7 above. Step 3: The Crypto Officer must securely store any unused tamper evidence labels. Note: Each module has a Type A USB 2.0 port, but it is considered to be disabled once the Crypto Officer has applied the TEL #9. Step 4: The Crypto Officer shall configure the module to be managed by the Firepower Management Center (FMC), and follow the procedure below from the FMC: a) Choose Devices > Platform Settings and create or edit a Firepower policy. b) On the left click “UCAPL/CC Compliance”. c) Choose “CC” from the dropdown under “Enable UCAPL/CC Compliance”. d) Click “Save” to save the changes. e) Click “Deploy” and select “Deploy All”. Step 5: The module will automatically reboot, and will be placed in the approved mode once it is done rebooting. Step 6: Crypto Officer can verify the version installed and running > show version Step 7: Crypto Officer can verify the module is in approved mode: > show fips Step 8: Assign users a Privilege Level of basic. Step 9: Configure IP address for unit and all distant endpoints from the FMC. Step 10: Define RADIUS shared secret keys that are at least 8 characters long and secure traffic between the security module and the RADIUS server via secure (IPSec, TLS) tunnel. Note: Perform this step only if RADIUS is configured, otherwise proceed. Step 11: Configure the security module so that any remote connections via Telnet are secured through IPSec. Step 12: Configure the security module so that only approved algorithms are used for all security connections (SSHv2, TLSv1.2, SNMPv3 and IPSec/IKEv2). Step 13: Configure the security module so that error messages can only be viewed by Crypto Officer. Step 14: Enable HTTPS with TLS. HTTPS with TLS should always be used for Web-based management. Step 15: Ensure that installed digital certificates are signed using approved algorithms. Step 16: Save and reboot the module. © 2021-2025 Cisco Systems, Inc.
Specific Administrator guidance can be found in the "Threat Defense Deployment with the Management Center" chapter of Cisco Firepower 2100 Getting Started Guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp2100/firepower-2100gsg/ftd-fmc.html
Specific Non-Administrator guidance can be found in the Cisco Firepower 2100 Series Data Sheet: https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100series/datasheet-c78-742473.html
N/A for this module. © 2021-2025 Cisco Systems, Inc.