Encryption Products’ FIPS SKU Description Change Notification

Article:TECH183594  |  Created: 2012-03-12  |  Updated: 2012-09-07  |  Article URL http://www.symantec.com/docs/TECH183594
Article Type
Technical Solution


Issue



Symantec announces the End of Life (EOL) for all Symantec PGP Encryption Products’ FIPS SKU descriptions effective May 7, 2012.  This announcement indicates that FIPS SKU descriptions will be removed from future Price Lists effective with the June lists, and is not announcing any end of support for FIPS 140 validated cryptographic products, a vitally important part of our Encryption product line. 

 
This article outlines the forthcoming product lifecycle milestones, while providing guidance to customers on how to ensure continuity of using Encryption products with FIPS 140 validated cryptographic modules.

Solution



Announcement

Q. What is Symantec announcing?
A. Symantec is announcing that SKU descriptions with the phrase “FIPS Version” will be removed from future Price Lists. Symantec changed the product development process for Symantec PGP Encryption products so that all major/minor releases of Encryption products include a FIPS 140 validated module and may be used in either FIPS mode or standard mode. As the Encryption product releases will include a FIPS 140 validated module at launch, it is unnecessary to include the phrase “FIPS Version” as part of a product description.
 
Q. What does this announcement mean regarding support for FIPS 140 validated cryptographic modules in Symantec PGP Encryption products?
A. Symantec understands that offering products with FIPS 140 validated cryptographic modules is vitally important to our Encryption product line. Providing FIPS 140 support is so critical that we offer customers the choice of using FIPS or standard mode when we launch new versions of Encryption products.
 
Q. What does this announcement mean regarding support for FIPS 140 validated cryptographic modules in maintenance packs/hot fixes?
A. For releases that are maintenance packs and hot fixes, we will use FIPS 140 validated cryptographic modules in these releases as well, beginning with releases following version 10.2.1 (for client products) and 3.2.1 (for server products). Should the maintenance pack/hot fix require a change to the cryptographic module to fix an issue of concern, Symantec may be unable to provide a maintenance pack/hot fix release using a validated cryptographic module. 
 
Q. Who does this announcement affect?
A. This announcement affects all Symantec PGP Encryption customers with license entitlements that include “FIPS Version” as part of the product description. The document outlines the transition of license entitlements to comparable SKUs without the description of “FIPS Version” in the Encryption product portfolio.
 
Q. Why is Symantec announcing this SKU description and license entitlement change?
A. Symantec changed the product development process for Symantec PGP Encryption products so that all major/minor releases of Encryption products include a FIPS 140 validated module with FIPS mode, and so may be used in FIPS mode or standard mode. As all major/minor releases of Encryption products will include a FIPS 140 validated module at launch, it is unnecessary to include the phrase “FIPS Version” as part of a product description.
 
Milestones
Q. What are the important dates I need to know?
A. The following timeline outlines the important product lifecycle milestone dates for Symantec PGP Encryption Products’ FIPS SKU descriptions and license entitlements.  
 

Date | Announcement | Notes
May 7, 2012 | End of Life of FIPS SKU Description | Beginning of 6-month last-time buy period for FIPS SKUs
Nov. 2012 | End of Availability | FIPS SKUs are removed from the Price List

 
Entitlements
Q. Is Symantec providing customers with “FIPS Version” license entitlements with a replacement product?
A. Yes, all Symantec PGP Encryption customers with license entitlements that include “FIPS Version” as part of the product description will transition to license entitlements for the comparable SKUs without the phrase “FIPS Version”.  As all major/minor releases of Encryption products will include a FIPS 140 validated module at launch, it is unnecessary to include the phrase “FIPS Version” as part of a product description or license entitlement.
 
Support Renewal Migration
Q. What should new Symantec customers interested in renewing Support do?
A. To renew Support for a Symantec PGP Encryption product with the “FIPS Version” SKU description, a customer should contact Symantec’s Customer Support team at www.symantec.com/business/support/assistance_care.jsp or their preferred reseller.
 
Licensing
Q. How will Symantec PGP Encryption products be licensed?
A. Beginning with the May 2012 Price Lists, Symantec Price Lists will list Encryption products’ SKUs excluding the phrase, “FIPS Version”. Customers should choose the comparable product SKU without the “FIPS Version” description since all major/minor releases of Encryption products will include a FIPS 140 validated module at launch. 
 
FIPS 140
Q. What is FIPS 140?
A. FIPS is the abbreviation for Federal Information Processing Standard. FIPS 140 specifies security requirements for a cryptographic module used within a security system protecting sensitive information in computer and telecommunication systems for US federal agencies. 
 
Q. Why is it important for US federal agencies to use products with FIPS 140 validated cryptography?
A. An excerpt from the Cryptographic Module Validation Program (CMVP) homepage at csrc.nist.gov/groups/STM/cmvp/index.html answers this question well:
FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data - in effect the data would be considered unprotected plaintext. In essence, if cryptography is required, then it must be validated.
 
Q. Where may I find a list of cryptographic modules that received FIPS 140 validation?
A. The CMVP posts a list of the vendors with FIPS 140 validated cryptography modules at csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm (scroll to the PGP or Symantec section of this list). 
 
 
Q. Must every product that uses encryption be FIPS 140 validated?

A. No. A product may either be a validated cryptographic module itself or use an embedded validated cryptographic module (for example, a software development kit like the Symantec PGP SDK).



