Customer Trust Portal

Access Symantec security, public sector, privacy and other compliance information.

Security Program Summaries

Security Program Summaries

As a leading security company, Symantec is uniquely positioned to share insights on security compliance issues.  Symantec prides itself on its robust security posture. Read the summaries of some of the established security programs.

Learn More

Corporate Policies

Corporate Policies

Symantec understands customers’ need to protect their valuable data. Symantec’s corporate policies are designed to keep customer data secure. Learn more about Symantec corporate policies and compliance information.

Learn More

Global Certification Management

Global Certification Management

Symantec’s Global Certification Management Team oversees, maintains, and enhances Symantec’s centralized certification management program. We provide best practices, guidance and support in obtaining and maintaining Symantec product certificates.

Learn More

Office of Public Sector Compliance

Office of Public Sector Compliance

The Office of Public Sector Compliance provides support, education, and communication to foster a culture of compliance. Symantec is dedicated to enhancing our collective ability to sell confidently into the public sector.

Learn More

Security Certifications

Security Certifications

Symantec engages third parties to conduct audits of its systems' security. Review the certifications and reports from these audits, as well as those collected from third party providers. To review this content, please join our Customer Trust Portal group in the Symantec Connect user community. You will be asked to accept the Symantec Non-Disclosure Agreement.

Learn More

Security Certifications

Product Security Compliance

Symantec CloudSOC provides complete risk analysis and policy management for sanctioned cloud and ‘shadow IT’ applications to ensure safe cloud usage.

Learn More

Business Continuity Management Program

Symantec's Business Continuity Management (BCM) Program is a key component of our business model. The BCM Program’s focus is to identify actual and potential risks to business function resilience, mitigate those risks by ensuring respective business functions design, and document and exercise business continuity strategies. If there is a disruption to critical Symantec functions, the BCM Program facilitates the execution of strategies to maintain our ability to deliver services to our customers.

Incident Response Plan Summary

Symantec's Incident Response Plan defines and implements an operational framework including the processes, skills, and tools necessary for Symantec to detect, contain, investigate and report on cyber security incidents potentially impacting Symantec systems, networks, and data. This includes customer, partner or supplier information in Symantec's possession. This forward-looking plan supports Symantec's mission to its customers, partners, shareholders and employees as a trusted leader in information security risk management.

Information Security Policy

Through our Information Security Policy, Symantec is committed to the protection of the company's information technology, brand, intellectual property, personal information, and customer data from misuse or compromise. This external-facing policy defines how Symantec protects its assets and reputation from threats associated with misuse or compromise of information/data. This includes whether the threat is internal or external, deliberate or accidental in nature.

Pandemic/Infectious Disease Program

Symantec Corporation recognizes that a pandemic or infectious illness outbreak would pose a significant health risk to employees and could lead to the interruption of business. Symantec has been engaging in pandemic planning activities since early 2005. We initiated the Pandemic Preparedness Program with a global team comprised of key business group leaders knowledgeable in company operations to address these risks and respond to the consequences of a pandemic/infectious outbreak.

Payment Card Industry (PCI) Attestation of Compliance

The PCI Data Security Standard (DSS) provides an actionable framework for developing a robust payment card data security process, which includes prevention, detection and appropriate reaction to security incidents. Symantec Corporation meets the criteria for a Level 1 Merchant.

Software Security Process

Symantec takes a proactive approach to secure software development. The Software Security Process document summarizes how we implement security review into all stages of the software development process and strive to continually improve our overall software security.

Supplier Trust Program

Symantec's Supplier Trust Program is an important part of our risk management function. Through collaboration with Legal and Procurement, the Symantec Supplier Trust Program manages the security risk of Symantec's supply chain. From initial engagement to annual monitoring and due diligence, Symantec is committed to holding its suppliers to the appropriate security standards.

Accessibility for Customers with Disabilities

Symantec is committed to meeting the accessibility needs of our customers with disabilities. In compliance with the “Accessibility for Ontarians with Disabilities Act, 2005”, below are links to the Symantec’s Customer Service Standards and Accessibility Policy under the Integrated Accessibility Standards. Comments and feedback can be submitted to Symantec’s technical and customer support team.

Code of Conduct

The Symantec Code of Conduct aligns our business practices with our values. Symantec is committed to conducting its business in an ethical and lawful manner. The reputation of Symantec is a valuable business asset, and ethical and legal conduct at all levels of our business is essential for our continued success.

Corporate Responsibility

Symantec considers the protection of information central to corporate responsibility in this digital age. We conduct our business with a commitment to ethical operation, sound environmental management, and positive societal impact.

Internal Control Over Financial Reporting (Sarbanes-Oxley (SOX)) Program

A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (GAAP). Symantec Corporation maintains effective internal control over financial reporting as reported in our annual 10-K filing with the Security Exchange Commission (SEC).

Privacy Statement

Symantec's Privacy Statement describes the types of information we collect via Symantec’s web sites, how we may use that information and with whom we may share it. Our Privacy Statement describes the measures we take to protect the security of the information. We also tell you how you may contact us to update your information, remove your name from our mailing lists or get answers to questions you may have about our privacy practices at Symantec.


Symantec’s global staff of certification professionals actively promotes awareness of global certification best practices and provides overarching guidance and support to our product teams to walk them through the necessary business and technical channels to obtaining and maintaining Symantec product certifications.

Please email Joan Barbieri for certification support and further assistance.

Symantec Certifications

Common Criteria

The international Common Criteria Recognition Arrangement (CCRA) brings together 26 nations who agree to accept a unified approach to the evaluations of information technology products and protection profiles for information assurance and security. This arrangement benefits member nation governments and other customers of IT products by creating more clarity in procurement decisions, more precision in evaluations, a better balance of security and features, and more rapid access to products from industry.

As the basis for the international standards ISO/IEC15408 and ISO/IEC 18045, Common Criteria is a framework in which:

  • government, military and other users can specify their security functional and assurance requirements through the use of protection profiles,
  • vendors can then implement and/or make claims about the security attributes of their products,
  • and testing laboratories can evaluate the products to determine if they actually meet the claims.

Source: Common Criteria IT Security Evaluation & the National Information Assurance Partnership

Please also refer to National Information Assurance Policy and Common Criteria for additional information.

View More
View Less


Federal Identity, Credential and Access Management (FICAM)

The FICAM TFS is the federated identity framework for the U.S. Federal Government. It includes guidance, processes, and supporting infrastructure to enable secure and streamlined citizen and business facing online service delivery.

NSL IDEF certification Achieved. IDEF is the Identity Ecosystem Framework version 1.0. This is a valid and active certification and applicable for both public sector and commercial markets.

The following Norton Secure Login and Managed Public Key Infrastructure certification packages are applicable to the FICAM program run by GSA.  Refer here for a list of approved identity providers.

For additional information, please contact Adam Madlin.

Federal Information Processing Standard Publication 140-2 (FIPS 140-2)

FIPS 140-2 Product Status

Federal Information Processing Standard 140-2 (FIPS 140-2) validation is important to any vendor selling cryptography to the Federal market space. If your IT product utilizes any form of encryption, it will likely require validation against the FIPS 140-2 criteria by the Cryptographic Module Validation Program (CMVP) run jointly by the National Institute of Standards and Technology (NIST), in the United States and Communications Security Establishment (CSE) in Canada before it can be sold and installed in a Federal agency or DoD facility.

FIPS 140-2 describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use. The standard was published by the NIST, has been adopted by the CSE, and is jointly administered by these bodies under the umbrella of the CMVP.

The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security: from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.  Please refer here for additional information regarding FIPS 140-2 requirements, including NIST links.

Symantec Validated Products List

Listed below are the Symantec products with a status as to whether a listed product is:

  • FIPS 140-2 validated
    • Product uses an existing encryption module (Symantec or 3rd party) and has gone through a "private label" validation process
  • Compliant
    • Product uses an existing validated 3rd party module, but has not explicitly obtained a private validation from NIST
  • N/A
    • Product does not contain an encryption module
  • Not at this time
    • Product has an encryption module but is not FIPS 140-2 validated at this time

This snapshot in time below involves an in flux product line so there are no guarantees as to accuracy, but we try to keep this updated with the current status/FIPS 140-2 status per products. Symantec does not certify that all its software and hardware products, services or appliance solutions are compliant or validated per FIPS 140-2 requirements.

For questions regarding FIPS 140-2 statuses/content herein or to note an updated FIPS product status, please contact us.

FIPS Compliant Symantec Products

Symantec Product Name Status Has Encryption Module Encryption Module Type
Data Center Security 6.6 FIPS Compliant Yes OpenSSL with BSAFE (Certificate # 1058)
IT Management Suite 8.0 FIPS Compliant Yes  
Critical System Protection 7.x FIPS Compliant Yes  
View More
View Less


FIPS Validated Symantec Products

Symantec Product Name Status Has Encryption Module Encryption Module Type
Data Loss Prevention 12.5 FIPS Validated Yes

Symantec Java Cryptographic Module (validation certificate #2138)

Symantec DLP Cryptographic Module (validation certificate #2318)

Data Loss Prevention 14.0 FIPS Validated Yes

Symantec Java Cryptographic Module (validation certificate #2138)

Symantec DLP Cryptographic Module (validation certificate #2318)

Encryption - Desktop Email Encryption 10.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - Drive Encryption 10.3 FIPS Validated Yes Symantec PGP SDK 4.2.1(certificate #1684)  
Encryption - Endpoint Encryption 11.1.1 FIPS Validated Yes PGP Cryptographic Engine 4.3
Encryption - File Share Encryption 10.3 FIPS Validated Yes Symantec PGP SDK 4.2.1(certificate #1684)  
Encryption - Gateway Email Encryption 3.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - Management Server 3.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - Mobile Encryption FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - PGP Command Line 10.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - PGP Key Management Client Access 10.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - PGP Key Management Server 3.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Endpoint Protection 12.1 FIPS Validated Yes

Symantec Java Cryptographic Module Version 1.2 (Certificate # 2138) BSAFE

(Certificate # 1786)

Endpoint Protection Small Business Edition 12.1 FIPS Validated Yes Java cryptography module 1.3.
Managed Public Key Infrastructure (PKI) FIPS Validated Yes Safenet Luna CA
Messaging Gateway 10.5 FIPS Validated Yes

Symantec Scanner Cryptographic Module; Symantec Control Center Cryptographic Module

OpenSSL & RSA B-safe wrapper

Mobility Suite - Hosted FIPS Validated Yes OpenSSL
Mobility Suite - On Premise FIPS Validated Yes OpenSSL
Symantec Insight for Private Cloud FIPS Validated Yes Uses two OpenSSL
View More
View Less


Non-FIPS Symantec Products

Symantec Product Name Status Has Encryption Module Encryption Module Type
Control Compliance Suite - AM N/A No  
Cyber Security DeepSight Intelligence Datafeed
N/A No  
Cyber Security DeepSight Intelligence Portal N/A No  
Endpoint Protection Small Business Edition 2013 N/A No Open SSL 0.98
Mail Security for Domino 8.1 N/A No  
Mail Security for MS Exchange 7.5 N/A No  
Norton Secure Login Not At This Time Yes Java crypto
Protection Engine 7.5 N/A No  
Protection for Sharepoint Servers 6.0 N/A No  
Symantec Embedded Security: Critical System Protection 1.0
Not at this time Yes OpenSSL
Validation and ID Protection Service (VIP) Not At This Time Yes FIPS-mode OpenSSL
View More
View Less


Federal Risk and Authorization Management Program (FedRAMP)

Symantec Product Status
Symantec VIP In Process
Email Security for Government: SMG Authorized

The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves an estimated 30-40% of government costs, as well as both time and staff required to conduct redundant agency security assessments. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.


  • Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
  • Increase confidence in security of cloud solutions achieve consistent security authorizations using a baseline set of agreed upon standards to be used for cloud product approval in or outside of FedRAMP
  • Ensure consistent application of existing security practice, increase confidence in security assessments
  • Increase automation and near real-time data for continuous monitoring


  • Increase re-use of existing security assessments across agencies
  • Save significant cost, time, and resources – “do once, use many times”
  • Improve real-time security visibility
  • Provide a uniform approach to risk-based management
  • Enhance transparency between government and Cloud Service Providers (CSPs)
  • Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process

Main Players

Main Players There are three main players in the FedRAMP process: Agencies, CSPs, and Third Party Assessment Organizations (3PAOs). Agencies are responsible for selecting a cloud service, leveraging the FedRAMP Process, and requiring CSPs to meet FedRAMP requirements. CSPs provide the actual cloud service to an Agency, and must meet all FedRAMP requirements before they implement their services. 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an on-going role in ensuring CSPs meet requirements.  FedRAMP provisional authorizations (P-ATOs) must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

Key Processes

FedRAMP authorizes cloud systems in a three step process:

  1. Security Assessment: The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
  2. Leveraging and Authorization: Federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
  3. Ongoing Assessment & Authorization: Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.


FedRAMP is a government-wide program with input from numerous departments, agencies, and government groups. The program’s primary decision-making body is the Joint Authorization Board (JAB), comprised of the CIOs from DOD, DHS, and GSA.  In addition to the JAB, OMB, the Federal CIO Council, NIST, DHS, and the FedRAMP Program Management Office (PMO) play keys roles in effectively running FedRAMP.


Federal Service for Technical and Export Control (FSTEK)

The Federal Service for Technical and Export Control (FSTEK) certification is required in order to sell information security systems in Russia. The regulations covering these requirements were  introduced by the Russian government  in July 2011. The Russian government  introduced  these requirements to ensure that establishments handling personal/confidential/government data are compliant with data security norms and regulations (FZ 152). The regulations detail  the security requirements with which  information security systems which process personal/confidential/government data need to comply. Compliance with the requirements is affirmed by a certificate granted by the Russian Government  (Order of FSTEC  #17, #31 and #21).

For additional information, please refer to hФСТЭК России.

Symantec Product FSTEK Certificates
Data Loss Prevention 11 TU + NDF
Security Endpoint Protection 12 TU + NDF
Control Compliance Suite 11 TU


Veritas Product FSTEK Certificates
Backup Exec 2012 TU + NDF
NetBackup 7 TU + NDF
View More
View Less


UK Cyber Essentials

From 1 October 2014, the UK government has made it mandatory that all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme.

The scheme’s five security controls apply to:

  • Access Control
  • Malware Protection
  • Patch Management
  • Secure Configuration
  • Boundary Firewall and Internet Gateway

There are two level of certification available: Cyber Essentials and Cyber Essentials Plus. A Cyber Essentials certification is awarded on the basis of a verified self-assessment and approved by a senior executive and verified by an independent Certification body.  Cyber Essentials Plus offers a higher level of assurance through external testing of an organization’s cyber security approach.

UK Symantec Certification Status
Cyber Essentials UK Cyber Essentials (CE)

Obtaining a Symantec Product Certification (Internal Users)

If you would like assistance obtaining a product certification, please complete a business case and email to Joan Barbieri or Ilya Troitskiy

Completed VPAT™ Voluntary Product Accessibility Templates

The purpose of the Voluntary Product Accessibility Template, or VPAT™, is to assist Federal contracting officials and other buyers in making preliminary assessments regarding the availability of commercial “Electronic and Information Technology” products and services with features that support accessibility.

Symantec supports the U.S. Government's efforts to increase access to electronic and information technology (E&IT) for the disabled. Symantec does not certify that its software products, services or appliance solutions are compliant with 508 requirements.

For additional questions regarding these VPAT forms, please contact us.