This is an unofficial draft of FIPS compliance and TLS versions and cipher suites.
Overview
This article explains how Cato Networks relates to Federal Information Processing Standards (FIPS) compliance. It also discusses how customizing the TLS Version and Cipher Suite compatibility level in the TLS Inspection Policy feature relates to the FIPS 140-2 and 140-3 encryption requirements.
For reference, see the Mozilla Server Side TLS wiki, which provides compatibility levels (Modern, Intermediate, and Legacy) and their associated cipher configurations.
Enforcing TLS Versions and Ciphers in the TLS Inspection Policy
Cato Networks is not FIPS-compliant. However, you can use the TLS Inspection Policy to enforce specific TLS versions and the compatibility level of cipher suites to be more consistent with FIPS guidelines. For more information, see Configuring TLS Inspection Policy for the Account.
To enforce specific TLS versions and compatibility levels in your account, configure the TLS Inspection Policy using the options in the TLS Version and Cipher Suites for the rule Action.

Recommendations for FIPS Compatibility Levels
The Mozilla compatibility levels provide guidance on which ciphers are recommended for FIPS alignment. The following compatibility profiles can help you configure the TLS Inspection Policy accordingly:
Use the Modern or Intermediate compatibility profiles, based on your organization's FIPS alignment and compatibility needs
Use the Intermediate compatibility profile to include a broader set of FIPS-approved ciphers
Avoid using the Legacy profile, as it includes many outdated and non-compliant ciphers
Modern Compatibility
TLS 1.3
Approved for FIPS 140-2/140-3:
TLS_AES_128_GCM_SHA256TLS_AES_256_GCM_SHA384
Not Approved:
TLS_CHACHA20_POLY1305_SHA256(rarely used)
TLS 1.2
No TLS 1.2 ciphers in the Modern set are FIPS-approved.
Recommendation: You can set TLS Inspection Policy to enforce TLS 1.3 as the minimum TLS version, and the Modern cipher suite. This can help you align more closely with FIPS-recommended cryptographic practices.
Intermediate Compatibility
TLS 1.3
Same compatibility as in Modern
TLS 1.2
FIPS-Approved Ciphers:
ECDHE-ECDSA-AES128-GCM-SHA256ECDHE-RSA-AES128-GCM-SHA256ECDHE-ECDSA-AES256-GCM-SHA384ECDHE-RSA-AES256-GCM-SHA384DHE-RSA-AES128-GCM-SHA256DHE-RSA-AES256-GCM-SHA384
Not Approved:
ECDHE-ECDSA-CHACHA20-POLY1305ECDHE-RSA-CHACHA20-POLY1305DHE-RSA-CHACHA20-POLY1305
Recommendation: If your organization requires FIPS alignment and broader client compatibility than the Modern profile allows, configure the TLS Inspection Policy with TLS 1.2 as the minimum TLS version using the Intermediate compatibility level. This policy includes several FIPS-approved options, but it also contains non-approved ciphers.
Legacy Compatibility
Not recommended for FIPS-related enforcement because it includes outdated and non-approved ciphers.
Known Limitations
Cato Networks is not FIPS 140-2 or 140-3 certified
This configuration does not replace formal compliance or validation requirements
You cannot disable or block individual TLS ciphers