Fortinet Secure Product Development Lifecycle

Protecting customers with supply chain security at all stages of the product lifecycle

Our Commitment
Fortinet recognizes that supply chain security is an increasingly important
dimension of cybersecurity and enterprise risk management. Fortinet is committed
to implementing a comprehensive approach to protecting the security and integrity
of its products throughout the product design, development, manufacturing, Supply Chain Breadth
delivery and support processes. Fortinet focuses on risk management and
security of Fortinet products and services
Fortinet Supply Chain Process from the inception of an idea through to its
commercial realization and use, including:
Fortinet manages a coordinated program across our engineering, manufacturing,
n Product design and development
technical services teams, together with our suppliers and channel partners, to
n Component and material sourcing
ensure the security of our supply chain.
n Manufacturing and assembly
§ Fortinet develops its own Network Processors (NP), Content Processors (CP), n Product delivery
and System-on-Chip (SoC) Application Specific Integrated Circuits (ASICs) n Technical services and support
technology in house
§ R&D conducted primarily in the US and Canada The Fortinet Approach
§ Fortinet operates a Trusted Supplier Program with a rigorous selection and
qualification of manufacturing partners, adhering to NIST 800-161 The Fortinet Secure
§ Implement technical measures to prevent malware and rogue components that Development Lifecycle covers
could compromise functionality every stage of the product
§ Technical support provided from dedicated Fortinet regional centers lifecycle, from design through
end of life.
§ Application of secure development best practices (including NIST 800-53,
NIST 800-160, NIST 800-218, US EO 14028, UK TSB) Security is baked into the
§ Regular patch release cycles and a notification service to support and encourage product from inception.
customers to apply security patches
Fortinet has strong product
The Fortinet Supply Chain Risk Management program covers security risk scrutiny at all stages of the
management for the entire breadth of the supply chain and implements five key product development lifecycle,
steps for managing supply chain risks: internal and external.

Identify: Identify potential risks to the supply chain When issues inevitably occur,
Protect: Build controls to help protect the supply chain from risks Fortinet remediates rapidly with
Detect: Detect issues early, giving more time and options to respond a transparent incident response
Respond: Respond as quickly as possible to mitigate the vulnerability or threat plan.
Recover: Recover with minimal impact to customers Fortinet operates in partnership
with our customers and regional
Transparency CERT teams, sharing information
Fortinet understands that customers have a heightened awareness regarding security and feedback.
when selecting suppliers and have a choice in who they trust to deploy on their
Fortinet works with industry to
networks. Fortinet operates a transparency program to provide all of the information
develop and implement stronger
customers need to make a security-driven decision including: standards for the benefit of all
our customers.
§ Publicly available PSIRT Policy and Advisories including all internally discovered
issues
§ Broad range of independent certifications including FIPS 140-2, CC EAL4+ and
NDcPP, SOC2

§ Adherence to US Presidential Executive Order on Improving the Nation’s

Cybersecurity with production of Software Bill of Materials
For more information on third party product certifications see here.