This support statement is provided by the Product Management Team.
McAfee has successfully completed the FIPS 140-2 validation process for the
McAfee Core Cryptographic Modules (MCCM).
The
MCCMs are used by the following encryption products:
These products provide an option to install the product in FIPS mode.
The
Cryptographic Module Validation Program (CMVP) awarded certificate number
2239 to
McAfee Core Cryptographic Module (user) in
October 2014, which is posted on the NIST website. The companion McAfee Core Cryptographic Module (kernel) FIPS 140-2 validation was announced in
August 2014 and has certificate number
2223. These cryptographic modules have been validated at FIPS 140-2 Level 1.
Certified modules:
The minimum product versions that use these certified modules are:
- DE 7.2.x, 7.1 Update 1 (7.1.1) and later
- FRP 5.x
- MNE 5.x
NOTES:
This milestone shows our continued commitment to providing customers with world-class products that have been carefully evaluated for safety, security, and reliability.
Frequently Asked Questions
What is McAfee Core Cryptographic Module (MCCM)?
MCCM is a cross-platform, cross-product cryptographic module that is used by multiple McAfee encryption products. It consists of two distinct modules: user and kernel. These cryptographic modules have been validated at FIPS 140-2 Level 1.
Where can I find more information regarding the certification status of MCCM?
See the links to the NIST site in the "Certified models" section above. The CMVP awarded certificate number 2239 McAfee Core Cryptographic Module (user) in October 2014. The companion MCCM (kernel) validation was announced in August 2014 and has certificate number 2223.
Which encryption products use MCCM for all their crypto-related operations?
The above applies to:
NOTES:
- FRP and DE support FIPS mode installation because MCCM is validated at FIPS 140-2 Level 1. Neither product has to be certified individually.
- MNE Preboot uses a non-FIPS version of OpenSSL. For FIPS-compliant use of MNE, use any authentication method other than Preboot.
What versions of the McAfee encryption products use the FIPS certified MCCM crypto modules?
The above applies to:
- FRP 5.x
- DE 7.2.x and 7.1 Update 1 (7.1.1) and later
- MNE 4.0 and later
Does MCCM offer support for Intel® AES-NI?
Yes. MCCM uses Intel Advanced Encryption Standard Instructions (AES-NI), which results in more performance improvements on systems with AES-NI support.
Are AES-NI related performance benefits offered by MCCM still be available if FRP or DE is installed in non-FIPS mode?
Yes. Both McAfee encryption products that operate in non-FIPS mode also use the MCCM cryptographic module and can thus provide performance benefits available by MCCM using AES-NI.
NOTE: This benefit does not apply to MNE, because MNE does not have a non-FIPS installation option.
Is it required to run ePO in FIPS mode?
- FRP—Encryption keys are generated within ePO, so you must run ePO in FIPS mode.
- DE—Review your overall configuration with the appropriate auditor to determine whether you need to run ePO in FIPS mode. Discussions with an auditor determine whether your overall environment (clients and servers) or only your clients need to operate in FIPS mode. For more guidance on when to install ePO in FIPS mode, see the relevant ePO product guide for your release. For product documentation information, see the Related Information section of this article.
Is it necessary to run the Microsoft Windows system on which the DE, FRP, or MNE client is installed in FIPS mode?
Each customer is advised to review their overall configuration with the appropriate auditor to determine whether they need to run the Microsoft Windows system in FIPS mode.
NOTE: For MNE, Windows must be configured to use FIPS for BitLocker to use FIPS. Go to
https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation for more information
.
Are there any differences in the installation processes for FRP or DE for FIPS and non-FIPS mode?
Yes. See the corresponding product guide for more information. For product documentation information, see the Related Information section of this article.
NOTE: This information does not apply to MNE because MNE does not have a non-FIPS installation option.
Is upgrading from a non-FIPS version of DE or FRP directly to a later version in FIPS mode supported?
No. Only fresh installations in FIPS mode are supported. It is not possible to move from a non-FIPS installation of the product to a FIPS installation. The reason is because the keys would have previously been generated in a non-FIPS mode without using FIPS validated algorithms.
To achieve a FIPS-compliant installation, a fresh install is needed to make sure that the keys are generated in a FIPS-approved manner
NOTE: This information does not apply to MNE because MNE does not have a non-FIPS installation option.
See the corresponding product guide for more information about the FIPS mode installation process. For product documentation information, see the Related Information section of this article.
