FIPS 140-2 certification status for the Symantec Endpoint Encryption 11 cryptographic module

Article ID: 150141

Products

Endpoint Encryption

Issue/Introduction

 

Resolution

Symantec PGP Cryptographic Engine version 4.3 is a FIPS 140-2 validated cryptographic module, and all versions of Symantec Endpoint Encryption 11 currently use SDK version 4.3.

Symantec Enterprise Division obtained validation by NIST on October 21, 2020 for SDK version 4.4, so as of this writing two cryptographic SDK versions are validated. Each validation is listed below:

SDK Version 4.4:
Module Name: Symantec PGP Cryptographic Engine
Standard: FIPS 140-2
Status: Active
Validation Dates: 10/21/2020
Overall Level: 1


SDK Version 4.3:
Module Name: Symantec PGP Cryptographic Engine
Standard: FIPS 140-2
Status: Historical
Validation Dates: 05/21/2015, 07/06/2015
Overall Level: 1

Note that FIPS validation for Symantec Encryption products that use SDK version 4.3 has entered a "Historical" status. As stated in the NIST documentation, the FIPS validation is still considered valid and is not considered "Revoked", "Expired" or "Invalid". Therefore, SDK version 4.3 is still considered FIPS validated and will remain valid pending a status change to "Revoked".

A future version of Symantec Endpoint Encryption will use SDK 4.4. Check back for further updates on this, but in the meantime all previously established FIPS validations remain intact and are considered current (even while in "Historical" status). For more details on this, please contact Symantec Enterprise Division support.

 

FIPS 140 details

The Cryptographic Module Validation Program webpage http://csrc.nist.gov/groups/STM/cmvp/index.html has the following description of the importance of FIPS 140-2 to US federal agencies:

FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data - in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, then it must be validated.

The FIPS 140 validation certificate 2377, for Symantec PGP Cryptographic Engine, is posted on the Cryptographic Module Validation Program website at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2015.htm#2377

 

To check which cryptographic engine you are using with Symantec Endpoint Encryption, right-click the "PGPce.dll" file in the "c:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption" folder, select "Properties", and click the "Details" tab to check the "File Version" value. If the value is 4.3 as mentioned above, the client is covered by FIPS validation. The SEE client is always running with the FIPS validated module.
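A scripted equivalent of the Explorer check above, for auditing clients without opening the file properties by hand. This is an added example, not Symantec or Broadcom code: the function name `Get-SeeCryptoModuleStatus` and its output field names are assumptions, while the file path and the version-to-status mapping are the ones given in this article.

```powershell
# Added example (not vendor code). Function and field names are hypothetical;
# the default path and the 4.3/4.4 status mapping come from this article.
function Get-SeeCryptoModuleStatus {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\PGPce.dll'
    )

    # Validation status per SDK version, as listed in this article.
    $validated = @{
        '4.3' = 'Historical'
        '4.4' = 'Active'
    }

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $Path
        FileVersion  = $null
        SdkVersion   = $null
        FipsStatus   = 'ModuleNotFound'   # default when PGPce.dll is absent
    }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        # Read the file's version resource, the source of the
        # "File Version" value on the Details tab.
        $info = (Get-Item -LiteralPath $Path).VersionInfo
        $sdk  = '{0}.{1}' -f $info.FileMajorPart, $info.FileMinorPart

        $result.FileVersion = $info.FileVersion
        $result.SdkVersion  = $sdk
        # Versions other than those named in the article are flagged, not guessed.
        $result.FipsStatus  = if ($validated.ContainsKey($sdk)) {
            $validated[$sdk]
        } else {
            'NotListedInArticle'
        }
    }

    [pscustomobject]$result
}

Get-SeeCryptoModuleStatus
```

The function returns one object per machine, so the output can be collected from several clients and exported for a compliance record.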

 

For Symantec Endpoint Encryption 8.2.1 and FIPS validation information, see article HOWTO101701.

For Symantec Encryption Desktop 10.x and Symantec Encryption Management Server 3.x and FIPS validation information, see article https://knowledge.broadcom.com/external/article?articleId=178330.

Additional Information

To search the NIST website for validated modules, click here.

To see all modules currently in process for validation, click here.