EEFF v4.2 FAQs : FIPS mode

Version 3

    NOTE: EEFF will henceforth be referred to as "File & Removable Media Protection".

    The necessary changes for the new product name will be incorporated in the next release v4.3.

     

     

    Background Information:

    EEFF client v4.2 makes use of the McAfee Core Cryptographic Module (MCCM), which has been submitted for FIPS certification. EEFF now provides an option to install the product in FIPS mode.


     

    What is the McAfee Core Cryptographic Module (MCCM)?

    MCCM is a cross-platform, cross-product cryptographic module developed by McAfee which will be utilized in upcoming releases of all of McAfee's Endpoint Encryption products.

    These cryptographic modules are being validated at FIPS 140-2 Level 1.

    MCCM provides performance benefits and, in particular, leverages Intel® Advanced Encryption Standard Instructions (AES-NI), resulting in additional performance improvements on systems with AES-NI support.

     

    What is the current certification status of the MCCM module?

    The McAfee Core Cryptographic Module (user) and McAfee Core Cryptographic Module (kernel) FIPS 140-2 cryptographic modules have entered Block 1 of the validation process, and are now officially listed as "Implementation Under Test (IUT)" on the NIST website.

    These cryptographic modules are being validated at FIPS 140-2 Level 1. The current status can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

     

    When can customers operate the product in a FIPS-certified manner?

    As soon as the MCCM module is FIPS certified.

    Please note that feedback from NIST may require further changes to the MCCM module or to the product itself.

     

    Do I also need to run ePO in FIPS mode?

    Each customer should review their overall configuration with the appropriate auditor to determine whether they need to run ePO in FIPS mode. That discussion should establish whether both client and server need to operate in FIPS mode, or only the clients. There are restrictions; for example, when operating in FIPS mode, ePO can only manage FIPS-certified products.

    Please refer to the following KB for more information: (https://kc.mcafee.com/corporate/index?page=content&id=KB75739)

     

     

    Do I need to run the Microsoft Windows system on which the EEFF client is installed in FIPS mode?

    Again, each customer should review their overall configuration with the appropriate auditor to determine whether they need to run the Microsoft Windows system in FIPS mode.


     

    Are there any differences in the installation processes for EEFF v4.2 for FIPS and non-FIPS mode?

    Yes, please refer to the EEFF v4.2 Product Guide for more information.

     


    Is upgrading from an existing version of EEFF (EEFF v4.1 Patch 1 and lower) to EEFF v4.2 (FIPS mode) supported?

    No, only clean, fresh installations of EEFF v4.2 in FIPS mode are supported.


     

    Why is this not supported?

    It is not possible to move from a non-FIPS installation of EEFF to a FIPS installation of EEFF, because the keys would previously have been generated in non-FIPS mode.

    As a result, you would be unable to claim FIPS-certified status for your installation.


     

    Is upgrading from an existing version of EEFF (EEFF v4.1 Patch 1 and lower) to EEFF v4.2 (non-FIPS mode) supported?

    Yes


     

    If I am running EEFF v4.2 in FIPS mode, is it possible to read files/folders/removable media devices encrypted by the previous versions of EEFF on EEFF v4.2 installed in non-FIPS mode?

    Yes


     

    If I am running EEFF v4.2 in FIPS mode, is it possible to read removable media devices encrypted with EEFF v4.2 installed in non-FIPS mode on previous versions of EEFF?

    Yes

     

     

    If I install EEFF v4.2 in non-FIPS mode, will I still derive the performance benefits offered by MCCM?

    Yes, EEFF v4.2 operating in non-FIPS mode also uses the MCCM cryptographic module and therefore gains the performance benefits that MCCM provides by leveraging AES-NI.