This support statement is provided by the Product Management Team.
We've successfully completed the FIPS 140-2 validation process for the Core Cryptographic Modules (CCMs). The CCMs are used by the following encryption products:
These products provide an option to install the product in FIPS mode.
The Cryptographic Module Validation Program (CMVP) awarded certificate number 4221 to CCM (user) in May 2022, which is posted on the NIST website. The companion CCM (kernel) FIPS 140-2 validation was also announced in May 2022 and has certificate number 4220. These cryptographic modules have been validated at FIPS 140-2 Level 1.
Certified modules:
- See certificate 4221.
- See certificate 4220.
The minimum product versions that use these certified modules are as follows:
- DE 7.3.x, 7.2.x
- FRP 5.x
- MNE 5.x, 4.x
NOTES:
This milestone shows our continued commitment to providing customers with world-class products that have been carefully evaluated for safety, security, and reliability.
Frequently Asked Questions
What's CCM?
CCM is a cross-platform, cross-product cryptographic module that's used by multiple encryption products. It consists of two distinct modules: user and kernel. These cryptographic modules have been validated at FIPS 140-2 Level 1.
Where can I find more information regarding the certification status of CCM?
See the links to the NIST site in the "Certified modules" section above. The CMVP awarded certificate number 4221 to CCM (user) in May 2022. The companion CCM (kernel) validation was also announced in May 2022 and has certificate number 4220. These cryptographic modules have been validated at FIPS 140-2 Level 1.
Which encryption products use CCM for all their crypto-related operations?
The above applies to the following:
NOTES:
- FRP and DE support FIPS mode installation because CCM is validated at FIPS 140-2 Level 1. Neither product has to be certified individually.
- MNE Preboot uses a non-FIPS version of OpenSSL. For FIPS-compliant use of MNE, use any authentication method other than Preboot.
What versions of the encryption products use the FIPS certified CCM crypto modules?
The above applies to the following:
- DE 7.3.x, 7.2.x
- FRP 5.x
- MNE 5.x, 4.x
Does CCM offer support for Intel® AES-NI?
Yes. CCM uses the Intel Advanced Encryption Standard New Instructions (AES-NI), which improves performance on systems that support AES-NI.
Are AES-NI related performance benefits offered by CCM still available if FRP or DE is installed in non-FIPS mode?
Yes. Both encryption products also use CCM when installed in non-FIPS mode, so the AES-NI performance benefits provided by CCM remain available.
NOTE: This benefit doesn't apply to MNE, because MNE doesn't have a non-FIPS installation option.
Is it required to run ePolicy Orchestrator (ePO) in FIPS mode?
- FRP—Encryption keys are generated within ePO, so you must run ePO in FIPS mode.
- DE—Review your overall configuration with the appropriate auditor to determine whether you need to run ePO in FIPS mode. Discussions with an auditor determine whether your overall environment (clients and servers) or only your clients need to operate in FIPS mode. For more guidance on when to install ePO in FIPS mode, see the relevant ePO product guide for your release. For product documentation information, see the "Related Information" section of this article.
Is it necessary to run the Microsoft Windows system on which the DE, FRP, or MNE client is installed in FIPS mode?
Each customer is advised to review their overall configuration with the appropriate auditor to determine whether they need to run the Microsoft Windows system in FIPS mode.
NOTE: For MNE, Windows must be configured to use FIPS for BitLocker to use FIPS. For more information, see FIPS 140-2 Validation.
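As an added illustration that is not part of the original article, the following PowerShell reports whether the local Windows system has the FIPS policy that the note above refers to (the "System cryptography: Use FIPS compliant algorithms" setting, stored as the Enabled DWORD under the FipsAlgorithmPolicy registry key) and, where the BitLocker module is present, lists each volume's encryption method so it can be compared against that setting. The function names and the output object's fields are this example's own choices.

```powershell
# Added example (not from the original article): check the Windows FIPS policy
# that BitLocker (and therefore MNE) depends on, and summarize BitLocker volumes.

function Get-WindowsFipsPolicyState {
    [CmdletBinding()]
    param()

    # Well-known location of the "Use FIPS compliant algorithms" policy value.
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

    # Read defensively: on an unconfigured system the value (or key) may be
    # missing, which is equivalent to the policy being disabled.
    $enabled = 0
    try {
        $item = Get-ItemProperty -Path $keyPath -Name 'Enabled' -ErrorAction Stop
        $enabled = [int]$item.Enabled
    } catch {
        $enabled = 0
    }

    # Output shape chosen for this example.
    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        FipsPolicyPath = $keyPath
        FipsEnabled    = ($enabled -eq 1)
        CheckedAt      = (Get-Date).ToString('s')
    }
}

function Get-BitLockerEncryptionSummary {
    # Get-BitLockerVolume ships with the Windows BitLocker module and needs
    # an elevated session; skip gracefully when it is not available.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        Write-Verbose 'BitLocker cmdlets are not available on this system.'
        return @()
    }
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus
}

$state = Get-WindowsFipsPolicyState
$state | Format-List

if (-not $state.FipsEnabled) {
    # Per the note above, BitLocker only uses FIPS when Windows is configured for it.
    Write-Warning 'Windows FIPS policy is not enabled; BitLocker on this system is not using FIPS mode.'
}

Get-BitLockerEncryptionSummary | Format-Table -AutoSize
```

Run the script from an elevated PowerShell session so that the BitLocker cmdlets can enumerate volumes. Volumes encrypted before the policy was enabled keep the encryption method they were created with, which is why the per-volume summary is shown alongside the policy value rather than relying on the policy value alone.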
Are there any differences in the installation processes for FRP or DE for FIPS and non-FIPS mode?
Yes. See the corresponding product guide for more information. For product documentation information, see the "Related Information" section of this article.
NOTE: This information doesn't apply to MNE because MNE doesn't have a non-FIPS installation option.
Is upgrading from a non-FIPS version of DE or FRP directly to a later version in FIPS mode supported?
No. Only new installations in FIPS mode are supported. It isn't possible to upgrade from a non-FIPS installation of the product to a FIPS installation, because the keys would previously have been generated in non-FIPS mode without using FIPS-validated algorithms.
To achieve a FIPS-compliant installation, a new installation is needed to make sure that the keys are generated in a FIPS-approved manner.
NOTE: This information doesn't apply to MNE because MNE doesn't have a non-FIPS installation option.
See the corresponding product guide for more information about the FIPS mode installation process. For product documentation information, see the "Related Information" section of this article.