Rocky Mountain RAM Responses to DOD Technical and Functional Requirements Related to McAfee® (formerly SafeBoot®) Mobile Data Security Products

The Rocky Mountain RAM McAfee responses to the technical questions filed under RFQ FA8771-07-R-0001 appear below.


The topic areas covered under these inquiries include:


CERTIFICATION AND STANDARDS:
Requirement 1: The cryptographic module used in the product offered must be NIST FIPS 140-2 compliant.

Response: McAfee's integrated FDE/FES encryption meets the FIPS 140-2 requirement: the core cryptographic modules used within McAfee's product portfolio were awarded FIPS 140-2 validation (Certification #506) on July 27, 2005.

Requirement 2: Product shall be NIAP certified.

Response: McAfee's integrated FDE/FES solution exceeds the National Information Assurance Partnership (NIAP) certification requirement. In 2006, McAfee's product offering was awarded EAL 4 Common Criteria Certification (Certification #227).

Requirement 3: Product shall be compliant with Americans with Disabilities Act Section 508.

Response: McAfee's integrated FDE/FES exceeds the Section 508 compliance requirement. Please refer to the attachment entitled “Section_508_McAfee Compliance_Checklist.pdf.”

Requirement 4: Product shall be in the NIAP certification process.

Response: McAfee's integrated FDE/FES solution is EAL4 Common Criteria Certified (Certification #227). McAfee is the only encryption solution certified based on the new 2006 EAL 4 Certification criteria.


ENCRYPTION:
Requirement 5: The product provides Full Disk Encryption (FDE), File/Folder Encryption System (FES), or Integrated FDE and FES.

Response: McAfee's integrated FDE/FES solutions meet the requirement for integrated FDE and FES by offering a true centralized and integrated FDE and FES product. McAfee uses strong access control and pre-boot authentication for both users and machines to prevent unauthorized access to PCs, laptops, Tablet PCs, smart phones and PDAs. McAfee provides industry-leading encryption with the FIPS 140-2 Level 2 certified AES-256 algorithm and, additionally, RC5-1024. McAfee supports two-factor authentication in the pre-boot environment with CAC/PKI certificates. McAfee's Management Center and associated components afford a unique ability to centrally monitor, manage and revoke user identities across the enterprise. The McAfee management tools provide policy creation and enforcement for both FDE and FES encryption, which allows central deployment, remote upgrades, and creation and enforcement of mandatory security policies. McAfee's FDE module encrypts at a rate of approximately 10 GB to 50 GB per hour depending on drive speed, CPU, RAM and other hardware factors.

The pre-boot footprint installs in sectors 0-60 of the endpoint device's hard drive, where McAfee replaces the existing Microsoft Master Boot Record (MBR) as the trusted MBR. Further, McAfee's FDE module is compliant with industry-standard GINAs to provide Single Sign-On (SSO) or password synchronization transparently to the end user. Encryption is transparent to the end user because their existing network or local user ID and password are synchronized with McAfee; they continue to authenticate as normal. The initial impact of the encryption process is also configurable for any endpoint via a centrally created and deployed policy. This McAfee advantage gives Federal Agencies the ability to select specific users to encrypt at specified frequencies, such as encrypting only when the PC or laptop is idle or using all available resources to encrypt. All users can continue working on their PCs as they normally would during the one-time initial drive encryption. McAfee's FDE component encrypts all sectors of the hard drive.

Requirement 6: The product provides a capability to automatically encrypt data that is transferred to removable storage media, for example, CD/DVD, USB pen drives, tapes, external hard drives, etc., without user intervention or circumvention.

Response: Although network administrators have rights and privileges in the overall Microsoft environment, McAfee's FES restricts access to specific files and folders so that they can be viewed ONLY by the McAfee "trusted" user (this is often used to keep Executive Level data non-viewable by the help desk, network administrators, and/or third-party contractors). Other solutions take an altogether different approach whereby the encryption model is static and applies only to a specific virtual container; once the data is moved out of the container (even by an end user) the data is unencrypted. McAfee's FES module provides dynamic and persistent encryption that is centrally managed and enforced. Finally, McAfee's integrated FDE/FES solution includes additional tool sets that increase deployment speed, efficiency and the end-user experience. The McAfee Scripting Tool, McAfee Connectors (AD, NDS, and LDAP), McAfee Web Help Desk Recovery, and McAfee's SafeTech Diagnostic Tool Set components are used by both of the integrated FDE/FES McAfee modules.

Requirement 7: Product must be capable of using the user's PKI encryption certificate within the DoD CAC or PIV II compliant Smartcard to protect the full volume encryption key.

Response: McAfee's integrated FDE/FES meets the requirement to use a Federal Government user's PKI encryption certificate, contained within their DoD CAC or PIV II compliant Smartcard, to protect the full volume encryption key. It does so by integrating with a wide variety of PKI environments (examples include ActivIdentity, Baltimore, Entrust, Novell and Microsoft) and provides true PKI authentication using certificates stored on tokens such as smart cards and USB keys, including the RSA SID800 and Aladdin eTokens. The McAfee connector creates a soft (electronic-only) copy of the user by looking up the user's certificate in the PKI and using its public key to encrypt the user's personal McAfee authentication key. When the user attempts to authenticate, McAfee sends this encrypted data to the token and asks it to decrypt it with the matching private key. This architecture enables McAfee to use the PKI certificates for authentication. McAfee can monitor certificate validity periods, CRLs, certificate rollover, etc. for relevant changes and take corresponding actions.

This is a standard part of our product offering and is currently in its second generation. Per our market research, McAfee is the ONLY product with true PKI interoperability in pre-boot. We have used this system to integrate other national PKI identity cards in other countries, such as Estonia and Singapore.

Requirement 8: Product must be capable of using the user's PKI encryption certificate contained in the DoD CAC or PIV II compliant Smartcard to encrypt the file that contains the system-generated file/folder encryption key.

Response: McAfee's integrated FDE/FES meets the requirement to use a Federal Government user's PKI encryption certificate, contained within their DoD CAC or PIV II compliant Smartcard, to protect their authentication encryption key. It does so by integrating with a wide variety of PKI environments (examples include ActivIdentity, Baltimore, Entrust, Novell and Microsoft) and provides true PKI authentication using certificates stored on tokens such as smart cards and USB keys, including the RSA SID800 and Aladdin eTokens. The McAfee connector creates a soft (electronic-only) copy of the user by looking up the user's certificate in the PKI and using its public key to encrypt the user's personal McAfee authentication key. When the user attempts to authenticate, McAfee sends this encrypted data to the token and asks it to decrypt it with the matching private key.
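The key-wrapping flow described in the responses to Requirements 7 and 8 (look up the user's certificate, encrypt the user's personal authentication key under its public key, have the token unwrap it with the private key at pre-boot), modelled as an added example that is not McAfee code. Textbook RSA with tiny constructed parameters stands in for the real token and PKI (no padding; illustration only), and the certificate validity and CRL checks model the monitoring the response mentions; all names are hypothetical.

```python
"""Toy model of PKI-wrapped pre-boot authentication (added example, not product code)."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set


@dataclass
class Certificate:
    subject: str
    serial: int
    n: int            # RSA modulus (public)
    e: int            # public exponent
    not_before: datetime
    not_after: datetime


@dataclass
class Token:
    """Models the smartcard: it holds the private exponent and only ever performs
    a raw private-key operation, so the private key never leaves the card."""
    cert: Certificate
    _d: int

    def private_op(self, c: int) -> int:
        return pow(c, self._d, self.cert.n)


def make_toy_keypair(subject: str, serial: int, p: int, q: int) -> Token:
    """Constructed toy RSA key pair; p and q are small primes for illustration only."""
    e = 65537
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    not_before = datetime(2007, 1, 1, tzinfo=timezone.utc)
    cert = Certificate(subject, serial, n, e, not_before, not_before.replace(year=2010))
    return Token(cert, d)


@dataclass
class EnrolmentRecord:
    """What the connector stores for the user: the wrapped key and a digest of it."""
    subject: str
    cert_serial: int
    wrapped_key: int      # authentication key encrypted under the certificate's public key
    key_digest: bytes     # lets the pre-boot code verify the value the token returns


def _digest(key: int) -> bytes:
    return hashlib.sha256(key.to_bytes(16, "big")).digest()


def enrol_user(directory: Dict[str, Certificate], subject: str) -> EnrolmentRecord:
    """Connector side: look the certificate up in the PKI directory and wrap the
    user's freshly generated personal authentication key (constructed value)."""
    cert = directory[subject]
    auth_key = secrets.randbelow(cert.n - 2) + 2
    wrapped = pow(auth_key, cert.e, cert.n)          # encrypt with the public key
    return EnrolmentRecord(subject, cert.serial, wrapped, _digest(auth_key))


def check_certificate(cert: Certificate, crl: Set[int], now: datetime) -> Optional[str]:
    """Returns a reason to refuse the certificate, or None if it is usable."""
    if cert.serial in crl:
        return "certificate revoked"
    if not (cert.not_before <= now <= cert.not_after):
        return "certificate outside validity period"
    return None


def preboot_authenticate(record: EnrolmentRecord, token: Token,
                         crl: Set[int], now: datetime) -> bool:
    """Pre-boot side: enforce the one-to-one certificate/user mapping, refuse revoked
    or expired certificates, then ask the token to unwrap the key and verify it."""
    if token.cert.serial != record.cert_serial:
        return False
    if check_certificate(token.cert, crl, now) is not None:
        return False
    unwrapped = token.private_op(record.wrapped_key)   # private key stays on the token
    return secrets.compare_digest(_digest(unwrapped), record.key_digest)
```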


Requirement 9: The product's process for encryption and decryption of data is configurable to be transparent to the user.

Response: McAfee's integrated FDE/FES solutions exceed the requirement for end-user transparency. Both encryption modules (FDE/FES) within McAfee are completely transparent to the end user. McAfee's FDE module prompts the end user for authentication; once the user is successfully authenticated, the key is loaded into memory and all data read from or written to the hard drive is decrypted or encrypted. Further, both modules are centrally controlled and managed from the McAfee Management software. Within the FDE encryption module, at no time is an end user given the ability to remove or uninstall the encryption keys or associated software. Only authorized McAfee Administrators with access to the McAfee Database and to the machine information can decrypt the endpoint device. McAfee's FES module restricts access to protected files and/or folders: only authorized users or administrators can access protected files after proper authentication.

McAfee's FES solution eliminates the inherent security vulnerability of Root or Administrative users accessing or deleting data. McAfee policies become the trusted mechanism by which access to specific content is authorized. Further, the FES module allows Federal Agencies to set policies that enforce the encryption of a data file or folder as it moves throughout the enterprise. For example, the data can be encrypted as it is burned to a CD-ROM, copied to a USB stick or attached to an e-mail.

Requirement 10: Products shall provide an option to use only FIPS 180-2 compliant algorithms for hashing and signing.

Response: McAfee's FDE/FES algorithms are certified to FIPS 140-2. In FIPS mode, McAfee does not provide the means for users to choose non-FIPS 180-2 hashing and signing algorithms. McAfee holds SHA-1 certificate #254 (http://csrc.nist.gov/cryptval/shs/shaval.htm).

Requirement 11: Product uses an approved random number generator specified in FIPS 140-2 Annex C for key generation.

Response: McAfee's FDE/FES algorithms are certified to FIPS 140-2. In FIPS mode, McAfee does not provide the means for users to choose non-FIPS 180-2 hashing and signing algorithms. McAfee holds SHA-1 certificate #254 (http://csrc.nist.gov/cryptval/shs/shaval.htm).

Requirement 12: The product must allow data from an encrypted source to be decrypted to allow transfer of data unencrypted to another destination.

Response: McAfee's integrated FDE/FES exceeds the requirement, allowing users to send a file from an encrypted origin in unencrypted form when the policy set in the McAfee Management Center permits it. The policy defined by the administrator in the McAfee Management Center determines whether the user is able to send encrypted or decrypted files. The policy may be automated so that it requires no intervention from the user.

Requirement 13: The product supports distribution of encrypted data to trusted or business partners for data exchange using authenticated self extraction.

Response: McAfee's integrated FDE/FES exceeds the requirement to distribute encrypted data to trusted parties. McAfee's FES module provides Federal Agencies with flexible deployment options. One applicable deployment strategy is to create and implement specific policies that grant only specific users or groups access to encrypted files. Should Federal Agencies choose this option, McAfee's FES module provides a self-extraction tool that is embedded in the encrypted file. This file can be transported physically or electronically and remains persistently encrypted until it reaches its destination; the encrypted file or folder can only be accessed by successfully authenticating with a password. Further, McAfee's FDE module affords Federal Agencies the ability to create a virtual container within the FDE environment whereby users can encrypt files placed into the virtual container. McAfee is the sole vendor in the marketplace that delivers two (2) integrated approaches to address removable media.

Requirement 14: If product offers optional encryption algorithms to be used for encryption, the product allows encryption algorithm selection by an administrator.

Response: McAfee's integrated FDE/FES exceeds the requirement by allowing a McAfee administrator to select the encryption algorithm during installation. The chosen algorithm cannot be modified by lower-level administrators or end users. Further, in a McAfee environment, to change the encryption type (for example, from 128-bit to 256-bit) of an existing McAfee client, an authorized McAfee administrator must decrypt the endpoint device and then re-encrypt it.

Requirement 15: If product is an integrated FDE and FES solution, the product provides FDE and FES under a single product management console.

Response: McAfee's integrated FDE/FES exceeds the requirement for a fully integrated FDE/FES. McAfee's product portfolio is built upon one centralized console, namely the McAfee Management Center. The integrated components that comprise this solution are McAfee for Device Encryption, McAfee for Content Encryption and McAfee Port Control. From the McAfee Management Center, all McAfee product modules are configured, managed and maintained. McAfee offers an advanced centralized management system to enable efficient management of FDE/FES encryption for all users, user groups, and machine groups. The McAfee Management Center provides an administration console to manage and enforce all FDE/FES encryption policy for all users and machines and for user and machine groupings. The McAfee Management Center, through its connector technology, allows administrators to interface with existing directory structures (including Microsoft Active Directory, Novell, LDAP), further simplifying setup, deployment, hot user revocation, and ongoing administration.

The McAfee Management Center also provides a centrally managed Port Control technology that permits or denies users/groups the ability to use specific hardware devices and I/O on the machine. McAfee Port Control is user- and device-based, wherein granular permission policies can enforce device usage for users or groups based on specific hardware identifiers. McAfee's Management Center also provides an application control technology that creates "white" and "black" lists of applications that may be used or are disallowed. This allows administrators to enforce the use of standard or approved applications on endpoint devices. The McAfee Management Center additionally provides a central push/pull update engine for applying updates to the McAfee system or any other technologies residing on the client machine. Administrators can manage any aspect of the McAfee security environment from the McAfee Management Center.

Requirement 16: If the product offers optional encryption algorithms to be used for encryption, the product should have the capability for the administrator to deactivate or 'grey out' undesirable or unauthorized options.

Response: McAfee's integrated FDE/FES exceeds the requirement by allowing a McAfee administrator to select the encryption algorithm during installation. Once selected, the choice of encryption algorithm is locked and cannot be modified by lower-level administrators or end users.

Requirement 17: Product is capable of file compression and encryption in a single step by the user.

Response: McAfee's FES encryption module exceeds the requirement to encrypt existing compressed files. McAfee's FES solution works seamlessly with standard, third-party compression applications. This process is transparent to the end user and is enforced by a centralized policy.


AUTHENTICATION:
Requirement 18: Product provides boot authentication.

Response: McAfee's integrated FDE/FES meets this requirement by providing enhanced pre-boot authentication. McAfee FDE contains a complete pre-boot authentication engine that requires the user to authenticate with a strong password and/or token/smartcard before any of the disk is decrypted (that is, before the device's operating system is loaded). DoD CAC or PIV II compliant cards are a supported authentication method in the McAfee pre-boot environment. This McAfee pre-boot environment affords a Windows look and feel, with mouse support and on-screen keyboard support for tablets. Additionally, the pre-boot environment can be re-styled as administrators see fit, with changes to the text, language, and graphics required to provide transparency to end users.

Requirement 19: Product must support use of DoD CAC or PIV II compliant Smartcard for boot authentication with no modification of card required.

Response: McAfee's integrated FDE/FES meets this requirement by providing enhanced pre-boot authentication. McAfee FDE contains a complete pre-boot authentication engine that requires the user to authenticate with a strong password and/or token/smartcard before any of the disk is decrypted (that is, before the device's operating system is loaded). DoD CAC or PIV II compliant cards are a supported authentication method in the McAfee pre-boot environment. This McAfee pre-boot environment affords a Windows look and feel, with mouse support and on-screen keyboard support for tablets. Additionally, the pre-boot environment can be re-styled as administrators see fit, with changes to the text, language, and graphics required to provide transparency to end users.

Requirement 20: Product must support use of DoD CAC or PIV II compliant Smartcard on a Government approved token for boot authentication.

Response: McAfee's FDE/FES integrated solution meets this requirement. McAfee's pre-boot environment supports DoD CAC or PIV II compliant smartcards. When creating a client image within the McAfee environment, an authorized McAfee administrator simply selects two-factor authentication and then selects the appropriate card or token required for authentication. No modification to the card is required. McAfee's architecture and design afford authorized Federal Agency administrators the ability to maintain business continuity should an end user's DoD CAC or PIV II compliant smartcard be lost or stolen. In this event, the McAfee Management Center affords authorized McAfee administrators the ability to remotely change the pre-boot requirement from two-factor authentication to single-factor authentication. Once a new card is deployed to the remote user, the authorized McAfee administrator can re-enable two-factor pre-boot authentication.

Requirement 21: Product shall allow the administrators to set a configurable limit for pre-boot logon attempts and invokes lockout for failed logon attempts after exceeding the limit.

Response: McAfee's integrated FDE/FES meets the requirement to lock out users after a configurable limit of pre-boot logon attempts. The McAfee Management Center enforces a customizable policy that automatically locks out any user when the maximum number of logon attempts has been exceeded. Once locked out, the end user must follow the existing Agency challenge-and-response procedures for resetting a password (including contacting the help desk or using a secure, self-service password reset). McAfee also provides a configurable phone-home feature within any given client file. If it is enabled and an endpoint device does not communicate with an Agency McAfee database within a predetermined threshold (hours, days, weeks, months, etc.), the endpoint device locks and the current password becomes void, and the user must follow internal procedure to reset the password.
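The two lockout controls described in the response to Requirement 21 (a configurable failed-logon limit, and a phone-home deadline after which a client that has not synchronized with its database locks and voids the current password), written out as an added example that is not the product's code. The policy fields, state names and reset function are hypothetical; the administrator reset stands in for the agency's challenge-and-response procedure.

```python
"""Pre-boot lockout and phone-home policy model (added example, not product code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PBKDF2_ROUNDS = 50_000


@dataclass
class PrebootPolicy:
    max_failed_attempts: int = 5
    # None disables the phone-home check; otherwise the client must synchronize
    # with the management database at least this often or it locks.
    phone_home_interval: Optional[timedelta] = timedelta(days=30)


@dataclass
class ClientState:
    policy: PrebootPolicy
    salt: bytes
    password_hash: bytes          # empty once the password has been voided
    last_contact: datetime        # last successful synchronization with the database
    failed_attempts: int = 0
    locked: bool = False
    lock_reason: Optional[str] = None


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def new_client(policy: PrebootPolicy, password: str, now: datetime) -> ClientState:
    salt = os.urandom(16)
    return ClientState(policy, salt, _derive(password, salt), now)


def synchronize(state: ClientState, now: datetime) -> None:
    """Records a successful contact with the management database."""
    state.last_contact = now


def check_phone_home(state: ClientState, now: datetime) -> bool:
    """Locks the client (and voids its password) if the phone-home window has lapsed."""
    window = state.policy.phone_home_interval
    if window is not None and not state.locked and now - state.last_contact > window:
        state.locked = True
        state.lock_reason = "phone-home threshold exceeded"
        state.password_hash = b""                  # current password becomes void
    return state.locked


def preboot_logon(state: ClientState, password: str, now: datetime) -> str:
    """Returns 'ok', 'denied' or 'locked'; the lock persists until an administrator reset."""
    check_phone_home(state, now)
    if state.locked:
        return "locked"
    candidate = _derive(password, state.salt)
    if state.password_hash and hmac.compare_digest(candidate, state.password_hash):
        state.failed_attempts = 0                 # a good logon clears the counter
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= state.policy.max_failed_attempts:
        state.locked = True
        state.lock_reason = "failed logon limit exceeded"
        return "locked"
    return "denied"


def administrator_reset(state: ClientState, new_password: str, now: datetime) -> None:
    """Performed from the management side after the agency's challenge/response
    procedure: sets a new password, clears the lock and counts as a synchronization."""
    state.salt = os.urandom(16)
    state.password_hash = _derive(new_password, state.salt)
    state.failed_attempts = 0
    state.locked = False
    state.lock_reason = None
    state.last_contact = now
```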

Requirement 22: Product supports password based pre-boot authentication.

Response: McAfee meets the requirement for multiple users of the same laptop to authenticate, pre-boot, with their individual DoD CAC or PIV II compliant smartcards coupled with passwords. McAfee supports up to 16,700 individual users per machine and supports a one-to-many relationship between machines and users. Each user has their own unique profile that allows them to access the device using their own CAC or PIV II compliant smartcard and/or strong password for authentication at pre-boot. It is not possible for one user to authenticate with another user's card: McAfee maintains a one-to-one mapping between the certificate and the user.


ADMINISTRATION & CONFIGURATION:
Requirement 23: The product allows multiple users of the same laptop or device to use their individual DoD CAC or PIV II compliant Smartcard for boot authentication.

Response: McAfee meets the requirement for multiple users of the same laptop to authenticate, pre-boot, with their individual DoD CAC or PIV II compliant smartcards coupled with passwords. McAfee supports up to 16,700 individual users per machine and supports a one-to-many relationship between machines and users. Each user has their own unique profile that allows them to access the device using their own CAC or PIV II compliant smartcard and/or strong password for authentication at pre-boot. It is not possible for one user to authenticate with another user's card: McAfee maintains a one-to-one mapping between the certificate and the user.

Requirement 24: The product shall have the capability to allow administrators to update user's credentials when issued a new DoD CAC, PIV II compliant Smartcard, or token.

Response: McAfee's integrated FDE/FES meets this requirement. McAfee's pre-boot environment is F2-PBA-compliant and is capable of re-using existing tokens. Furthermore, updates made to the DoD CAC, PIV II compliant Smartcard, or token are synchronized automatically with the McAfee database, allowing the new credentials to be used at the next authentication. In addition, McAfee's Connector technology performs a CRL (Certificate Revocation List) check, providing a centralized mechanism for hot, immediate revocation of any user identity across the enterprise. Simply put, with the push of a button an authorized McAfee administrator can enroll or disallow a user across hundreds or thousands of machines.

Requirement 25: Product shall have the capability to allow administrators to provide remote assistance to users who are locked out.

Response: McAfee's integrated FDE/FES meets the requirement to permit McAfee administrators to efficiently provide remote assistance to users who are 'locked out' of a device, using three methods of online or offline recovery. Lost user passwords are reset using any of the supported methods, online or offline, and any or all of the methods can be enabled or disabled for specific administrator levels in accordance with your McAfee security policies. The following methods are available for recovering a user.

  1. If the user is connected to the network, the administrator resets the password (to a known value or to the default password provided by McAfee) from the McAfee Management Center and synchronizes the machine.
  2. WebHelpDesk
     a. User self-help reset via McAfee's WebHelpDesk: a dedicated Web server component that provides secure challenge/response authentication of users via a sequence of questions and answers, such as the user's employee number, birthplace, etc. (configurable). This is available for users to self-reset their passwords through a connected kiosk.
     b. Administrator-assisted Web recovery: a dedicated Web server component that allows an administrator to drive the password reset process on behalf of the user through a Web portal. This involves the exchange of short typed code sequences. In this case, the administrator authenticates as him/herself and then assists the user in resetting their password/smartcard.
  3. Administrator-assisted recovery using the McAfee Management Center, or the remote administrator console, to perform a challenge/response recovery with the user.


Requirement 26: Product shall have the capability to allow administrators to configure the product for decryption and uninstall of encryption product by a system administrator only.

Response: McAfee's integrated FDE/FES meets the requirement to allow only provisioned administrators the ability to decrypt data or uninstall the product. Only an authorized administrator with elevated privileges has the ability to change the policy to remove McAfee, decrypt the drive(s) and/or uninstall the product.

Requirement 27: Product shall prohibit vendor's ability to access, modify, or decrypt data.

Response: McAfee's integrated FDE/FES meets the requirement prohibiting McAfee Corp. from any ability to access, modify, or decrypt data contained on Government devices. Simply put, McAfee has no backdoors into any McAfee system. Each Federal Agency maintains its own independent McAfee database where unique keys are securely escrowed, and access to this escrow and database is governed solely by the individual Federal Agency. NOTE: McAfee has experience with private sector organizations that locked themselves out of the secure escrow. When this happened, there was and still is nothing that McAfee can do to resolve the situation. The keys to unlock the data rest with each individual customer, not McAfee.

Requirement 28: Product does not interfere with imaging of hard drive after encryption product is installed.

Response: McAfee's integrated FDE/FES meets the requirement to support hard drive or device drive imaging without interference after McAfee is installed. After authenticating, any standard imaging tool may be used to image a drive or device after it is encrypted with McAfee. Additionally, McAfee offers plug-ins for tools such as WinPE and BartPE which can be used to image the drive after authenticating.

Requirement 29: Product does not interfere with Restoration/Recovery of encrypted data from backup media.

Response: McAfee's integrated FDE/FES meets the requirement to allow the restoration and recovery of encrypted data from backup media, without interference, utilizing the McAfee diagnostic toolkit comprised of the McAfee Backup Tool, McAfee DR Toolkit, and boot methods. McAfee's Backup Tool provides business continuity by allowing a copy of the McAfee database to be made highly available. To this end, McAfee has two (2) levels of transparent high availability embedded in the FDE/FES solution. The McAfee client software allows administrators to define diverse paths for connecting to a primary and a secondary communication server and McAfee database; furthermore, the number of paths can be exponential depending on whether DHCP or static IP addressing is used. The McAfee Backup Tool Set allows Agencies to leverage their existing disaster recovery/operations continuity procedures by installing multiple databases and leveraging SAN, NAS and clusters for McAfee databases. McAfee databases can be installed in cold, warm or hot configurations.

McAfee provides information on how to add the McAfee drivers to these CD tools to enable access (again, by authorized users) to the affected machines. It is important to note that there will be no additional data loss with disk encryption beyond what would otherwise occur if disk encryption had not been used. McAfee maintains copies of all keys and essential information in the McAfee database, so keys are never stored only on the user machine. Essential keys are backed up and available to appropriate, authorized administrators.

Requirement 30: Product does not interfere with full disk data erasure tools.

Response: McAfee's integrated FDE/FES solutions meet the requirement for compatibility with disk/data erasure tools. McAfee does not interfere or interact in any way with disk/data erasure or clearing products; there is no interaction with, or prevention of, their normal operation.

Requirement 31: The product is capable of secure escrow and recovery of the symmetric encryption key.

Response: McAfee's integrated FDE/FES solutions meet the requirement for ensuring secure escrow and recovery of the McAfee symmetric encryption key. McAfee's architecture provides centralized and secure key management. In fact, in FIPS mode, McAfee mandates that all encryption keys are securely offloaded for recovery into a dedicated, encrypted policy store. At no time can a user perform any action that would render encrypted data inaccessible to an appropriately privileged administrator.

Requirement 32: The product shall implement NIST SP 800-53, Control IA-5.

Response: McAfee's integrated FDE/FES meets the requirement to implement NIST SP 800-53 Control IA-5 for password management. All McAfee passwords are encrypted and stored in the database, and the data remains encrypted when transmitted. McAfee passwords are NEVER displayed when they are entered; all characters entered at login prompts are masked with a generic placeholder. A centrally managed policy in the McAfee Management Center enforces password minimum and maximum lifetime restrictions and prohibits password reuse for a specified number of generations.

Requirement 33: If the product requires modification of the Master Boot Record, it shall be validated by the pre-boot environment.

Response: McAfee's integrated FDE/FES meets the requirement for validation of the Master Boot Record by the pre-boot environment. McAfee copies the original Master Boot Record to the McAfee Encrypted File System that is used to boot the machine. The McAfee File System contains all the properties and users associated with the machine. After authentication and validation occur at pre-boot using the McAfee Encrypted File System, the original MBR is loaded.

Requirement 34: The product's encryption/decryption process must occur without loss or corruption of data or content modification.

Response: McAfee's integrated FDE/FES meets the requirement ensuring that no data loss, content modification, or corruption will occur during the encryption/decryption process. McAfee encryption simply encrypts, sector by sector, the selected disk partitions or all sectors, so there is no data loss or modification during the encryption/decryption process.

Requirement 35: Product will be capable of encrypting swap, free, slack, temp, and Internet temp files.

Response: McAfee's integrated FDE/FES meets the requirement by providing administrators the ability to customize many aspects of the boot authentication screen, including displaying Federal Agency warning banners. Administrators not only have the ability to add Federal Agency warning banners to the boot authentication screen, but can also completely modify the look and background display, which could include an all-black background, Federal Agency logos/banners, and text incorporated in the background. McAfee allows customization of the pre-boot environment, including the logos and text displayed to your users at pre-boot. This option is set via the McAfee Management Center.

Requirement 36: Product allows modification of boot authentication screen by administrators to reflect Federal Agency warning banners.

Response: McAfee's integrated FDE/FES meets the requirement by providing administrators the ability to customize many aspects of the boot authentication screen, including displaying Federal Agency warning banners. Administrators not only have the ability to add Federal Agency warning banners to the boot authentication screen, but can also completely modify the look and background display, which could include an all-black background, Federal Agency logos/banners, and text incorporated in the background. McAfee allows customization of the pre-boot environment, including the logos and text displayed to your users at pre-boot. This option is set via the McAfee Management Center.

Requirement 37: When only password authentication is used for boot authentication, the product shall allow the administrator to enforce complex passwords to include a minimum of 9 characters in length, upper and lower case, alphanumeric, and special characters.

Response: McAfee's integrated FDE/FES solution supports password as a pre-boot authentication method, assigned and enforced by policy for a user or user group from the McAfee Management Center, either during the initial client build or at any later time.
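The complexity rule in Requirement 37 is the one concrete, testable policy on this page, so here is a small checker for it, added as an illustration for this copy; it is not code from McAfee or from the RFQ response. It takes the rule as stated (minimum 9 characters; upper case, lower case, digit and special character each present). Reading "alphanumeric" as requiring a digit, defining "special" as any printable character that is neither alphanumeric nor whitespace, and rejecting whitespace and non-printable characters are assumptions, as are the function names.

```python
"""Check a candidate pre-boot password against the complexity rule stated in
Requirement 37.  Added illustration for this editorial copy, not McAfee code."""

MIN_LENGTH = 9  # minimum length stated in Requirement 37


def check_password(password: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    # Assumption: "alphanumeric" in the requirement means at least one digit,
    # since letters are already covered by the case rules.
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    # Assumption: "special" means any printable character that is neither
    # alphanumeric nor whitespace; the requirement does not define the set.
    if not any(c.isprintable() and not c.isalnum() and not c.isspace() for c in password):
        failures.append("no special character")
    # Assumption: whitespace and control characters are rejected outright,
    # since they are unreliable to enter at a pre-boot prompt.
    if any(c.isspace() or not c.isprintable() for c in password):
        failures.append("contains whitespace or non-printable characters")
    return failures


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule in check_password()."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("Abcdefg1!", "short1A!", "alllowercase9!", "NoSpecial99x"):
        print(repr(candidate), check_password(candidate) or "ok")
```

One caveat worth testing in any pre-boot deployment: the pre-boot environment does not always load the same keyboard layout as the operating system, so a password whose special characters sit at different positions on the two layouts can be typed correctly in Windows and rejected at pre-boot. Enrolling users with the pre-boot layout in mind, or restricting the allowed special characters to positions common to both layouts, avoids that lockout.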

Requirement 38: Product supports ability for administrators to require / restrict which pre-boot authentication mechanism will be used (i.e. CAC, Smartcard, token or password only).

Response: McAfee's integrated FDE/FES exceeds the requirement, providing administrators the ability to select and enforce which pre-boot authentication process(es) may be used. McAfee administrators can choose and enforce logical (password), physical (DoD CAC or PIV II Smartcard), or combined authentication for users at pre-boot. McAfee supports multiple authentication methods simultaneously. The administrator may define and assign the authentication method to a user or user group during the initial client build or at any later time.

Requirement 39: Product has the ability to allow administrators to maintain administrator password for pre-boot authentication for each system.

Response: McAfee's integrated FDE/FES exceeds the requirement, allowing McAfee administrators to maintain an administrator password or smartcard for pre-boot authentication on each system they have the appropriate permissions to administer. Both the McAfee software architecture and the licensing model allow Federal Agency administrators to maintain administrative accounts for the endpoints they are responsible for supporting. This requires no customization or additional license fees.

Requirement 40: Product does not change the content of the GINA.dll file.

Response: McAfee's integrated FDE/FES meets the requirement by not changing the content of a system's GINA.dll file. The optional McAfee Single Sign On feature intercepts the Windows logon mechanism using a "pass-through GINA" on Windows NT, 2000 and XP, and the Unified Logon Architecture on Windows 95, 98 and ME. On all operating systems a custom .ini file (SBGINA.INI) helps McAfee analyze the logon screen and place the credentials in the correct fields on screen.

Requirement 41: Product should not conflict with the host based security solutions running simultaneously on a mobile computing device such as Host Intrusion or Prevention Systems (HIDS or HIPS), Firewalls, and Anti-virus.

Response: McAfee's integrated FDE/FES exceeds the requirement of not interfering with host-based security systems. McAfee is known not to interfere with the products of the major host intrusion, antivirus and firewall vendors, and works with those vendors to ensure mutual compatibility. Furthermore, through the password synchronization available in the McAfee solution, Federal Agencies may also synchronize VPN login credentials.

Requirement 42: Product is capable of silent and remote installation and updates of the product.

Response: McAfee's integrated FDE/FES solution exceeds the silent installation requirement. McAfee offers the option to install the product silently. Software installation can be achieved using tools such as Radia, SMS, LANDesk, Tivoli, Altiris, Zenworks and others. As soon as McAfee is installed, the McAfee Integrated Deployment Service can be used to install any software package. The McAfee Management Center has the capability to deploy patches and updates to protected workstations.

Requirement 43: During the product's encryption/decryption process, if the process is interrupted, the product is capable of resuming the process from point of disruption.

Response: McAfee's integrated FDE/FES solution exceeds the power interruption requirement. McAfee has its own built-in power-fail protection. If the device loses power during encryption, the encryption process simply resumes when power is restored.

Requirement 44: Product will support or have built-in auditing, monitoring, analysis, and reporting capabilities.

Response: McAfee's integrated FDE/FES solution exceeds the built-in auditing, monitoring, analysis, and reporting capability requirements. The McAfee client attempts to connect to its home server or directory every time the machine boots or establishes a new dial-up connection. During this process, any configuration changes made by the McAfee administrator are collected and implemented by the McAfee client. In addition, the McAfee Client uploads the latest audit information that may include encryption status, any user password changes and security breaches to the Object directory. The Report Tool provides a graphical representation of the user's activity. Reports may be customized to meet your business needs.

Requirement 45: Product shall allow logging of access events to the product and encrypted data (success and failure).

Response: McAfee's integrated FDE/FES solution meets the audit log requirements. The McAfee client connects to its home server or directory each time the machine boots or establishes a new dial-up connection. During this process, any configuration changes made by the McAfee administrator are collected and refreshed by the McAfee client. In addition, the McAfee client uploads the latest audit information including encryption status, any user password changes and security breaches to the object directory.

Requirement 46: Product allows export of encrypted file that contains system generated full volume encryption key.

Response: McAfee's integrated FDE/FES solution exceeds the encrypted file exportation requirement. The McAfee Management Center allows authorized McAfee administrators to export configuration information that is used for diagnostic or troubleshooting purposes. The keys are encrypted and centrally stored with the machine ID in the McAfee database. In addition, to eliminate backdoors, a machine that has been permanently deleted from the database cannot be recovered in case of a disaster if no backup of the database exists.

Requirement 47: Product allows authorized user to validate disk encryption has occurred and is maintained.

Response: McAfee's integrated FDE/FES solution exceeds the requirement for empirical proof that end-user disks are encrypted. There is no way for an end user to remove, delete or manipulate the encryption status. Once an end user has successfully authenticated, the encryption status is available from the McAfee icon in the Windows system tray. McAfee's Report Viewer provides graphical dashboard reports of the current and historical encryption state.

Requirement 48: Product can support pre-boot integrity.

Response: McAfee's integrated FDE/FES solution meets the requirement to support pre-boot integrity. McAfee performs validity checks on the boot loader and core load code to protect against corruption and unintentional damage.

Requirement 49: Product allows administrators the option to install and configure the product on systems and devices not requiring DoD CAC or PIV II compliant Smartcard for boot authentication and/or encryption.

Response: McAfee's integrated FDE/FES solution exceeds the requirement to support the use of the DoD CAC, PIV II compliant Smartcard, other token or password for boot authentication. McAfee's policy-driven configuration supports multiple combinations of authentication methods, including the DoD CAC, PIV II compliant Smartcard, other tokens and passwords. If a user loses a token, a privileged administrator can reset the end user's authentication method to single factor to provide immediate access to the data. Note: an additional option is to remotely configure a replacement token to maintain two-factor authentication.

Requirement 50: Product can be integrated into Federal Agency host-based security solutions as a module running on an endpoint computer.

Response: McAfee's integrated FDE/FES solution exceeds the requirement for integration with host-based security systems. McAfee is compatible with host-based security solutions and works with the major host intrusion, prevention, antivirus and firewall vendors to ensure mutual compatibility of the respective products. McAfee's password synchronization affords authorized McAfee administrators the ability to synchronize host-based security passwords.

Requirement 51: Product supports Trusted Platform Module (TPM) chip version 1.2 or higher.

Requirement 52: Product must be compatible with standard applications, protocols, and communications within the Federal Government.

Response: McAfee exceeds the requirement to comply with Federal Government standard applications, protocols, and communications. McAfee encrypts the drive at the sector level; therefore, operability of applications is not affected. Whereas many full-disk encryption vendors store their data on the user disk in areas marked as bad sectors, McAfee stores its information as standard data, which is unaffected by Checkdisk, Scandisk, Defrag, etc. McAfee is the only product whose data files are specifically handled by Defrag, which protects McAfee files from corruption. McAfee maintains a long-standing relationship with Microsoft and with the authors of the Microsoft Defrag tool (formerly Executive Software).

Requirement 53: Product supports boot into multiple operating systems on a single device.

Response: McAfee's integrated FDE/FES solution exceeds the dual-boot requirement. McAfee supports multiple operating systems on a single device. The user will authenticate in the pre-boot environment. After authenticating, the user is able to choose the desired operating system.

Requirement 54: Provides open APIs or an SDK to support application integration.

Response: McAfee exceeds the API requirement. McAfee is committed to its customers' need to extend its core product functionality to meet specific business or operational requirements, as documented by McAfee's support for over sixty (60) token vendors. The McAfee R&D team continuously enhances its APIs and SDKs.

Requirement 55: The product supports Single Sign-On (simultaneous pre-boot and O/S logon).

Response: McAfee's integrated FDE/FES solution exceeds the requirement to provide SSO with fully integrated, flexible, single sign-on (SSO) capability. Multiple users are supported at pre-boot, and their SSO credentials are stored and presented. McAfee utilizes standard GINAs to allow seamless login to the operating system while entering credentials in the secure, pre-boot authentication environment. In situations where a non-standard GINA is used, McAfee provides configuration options.

top

CENTRALIZED MANAGEMENT CONSOLE:
Requirement 56: The product's administrator management console allows for failover functionality (fault tolerance/redundancy).

Response: McAfee's integrated FDE/FES solution exceeds the failover functionality requirement. The McAfee Management Center provides failover through the McAfee Database Backup Utility, which creates a remote "hot backup" of the management console database. The McAfee client includes transparent, real-time failover: if the primary McAfee database is unavailable, the client automatically connects to the secondary database. If neither database is available, the client automatically retries the connection at the pre-determined frequency.

Requirement 57: The product's administrator management console supports capability to add/modify/delete admin users.

Response: McAfee's integrated FDE/FES solution meets the requirement to add/modify/delete administrators from the management console. The McAfee Management Center can enforce hot revocation of administrators. McAfee supports 32 levels of parent/child administration permissions, and administrator tiers are centrally managed.

Requirement 58: The product shall provide the capability to set a limit on the number of unsuccessful consecutive logon attempts to the administrator management console and invokes lockout for exceeding the limit.

Response: McAfee's integrated FDE/FES solution meets the requirement to configure a policy that locks out an administrator account after unsuccessful logon attempts. McAfee defends against brute-force attacks on McAfee administrator accounts through a policy in the McAfee Management Center that sets a pre-determined maximum number of failed logon attempts. McAfee requires that a locked administrator account be restored only by a "parent" administrator, not by a peer.

Requirement 59: The product's administrator management console supports retrieval of computer, user, and user-group information from Active Directory

Response: McAfee's integrated FDE/FES solution meets the requirement to retrieve computer, user and user-group information from Active Directory. McAfee's Connector software for LDAP, Active Directory and Novell monitors the parent directory (AD or Novell/LDAP) for policy changes, new users, disabled users, and other directory-hosted user attributes. The Connector manager pulls information from Active Directory and does not extend the schema. Authorized administrators can choose whether to manage user adds, changes, and deletes within the McAfee management console or from within the native directory (AD, NDS, LDAP, etc.).

Requirement 60: The product's administrator management console must support ability to secure the PK-enabled administrative interface by using the DoD CAC or PIV II compliant Smartcard for authentication.

Response: McAfee's integrated FDE/FES solution meets the requirement for DoD CAC or PIV II compliant Smartcard authentication for administrative access to the console. McAfee's FDE & FES solution supports DoD CAC and PIV II compliant Smartcards for administrator authentication to the McAfee administrative console. The McAfee Management Center supports soft or logical tokens (user name and password) and hard or physical tokens (DoD CAC and PIV II smartcards, etc.). The authentication method assigned to the user is replicated throughout the enterprise.

Requirement 61: Product will support or integrate with existing asset/license tracking and management tools.

Response: McAfee's integrated FDE/FES solution meets the requirement to support asset tracking and management tools. McAfee's FDE/FES modules are compatible with industry-standard asset tracking and management tools.

Requirement 62: Product shall support secure remote management of devices to support remote users.

Response: McAfee's integrated FDE/FES solution meets the requirement to support secure remote administration. McAfee's client/server architecture, coupled with McAfee's proprietary Web Certificates, provides secure remote access to authorized administrators from any web browser at any time.

Requirement 63: Product shall support secure remote access to the administrator management console for administrators.

Response: McAfee's integrated FDE/FES solution meets the secure remote access requirement. McAfee uses SSL-encrypted network links between its policy servers and administration consoles, ensuring the integrity of the data. The link uses AES-256 encryption, Diffie-Hellman key exchange, and 2048-bit DSA signatures.

Requirement 64: The product's administrator management console must be scalable to support large enterprise environments.

Response: McAfee's integrated FDE/FES solution meets the enterprise-class scalability requirement. McAfee's global customer base includes many environments of 75,000 to 140,000+ users. A single server easily supports 50,000 users.

Requirement 65: The product's administrator management console permits multiple administrator logins for simultaneous access.

Response: McAfee's integrated FDE/FES solution exceeds the requirement to support simultaneous administrator logons. The McAfee Management Center securely supports any number of administrators and users, and any number of simultaneous administrators. McAfee has customers running more than 1,000 administrators against a single server simultaneously (network and server hardware permitting).

Requirement 66: The product's administrator management console supports retrieval of computer, user, and user-group information from LDAP Servers.

Response: McAfee's integrated FDE/FES solution meets the requirement to retrieve computer, user and user-group information from LDAP servers. McAfee's Connector software for LDAP, Active Directory and Novell monitors the parent directory (AD or Novell/LDAP) for policy changes, new users, disabled users, and other directory-hosted user attributes. The Connector manager pulls information from the directory and does not extend the schema. Authorized administrators can choose whether to manage user adds, changes, and deletes within the McAfee management console or from within the native directory (AD, NDS, LDAP, etc.).

Requirement 67: The product or encryption system must be configurable to not interfere with remote distribution and full installation of applications, patches, and updates while connected to the network, and without user intervention.

Response: McAfee's integrated FDE/FES solution meets the requirement for compatibility with Federal Agency applications, patches and updates. McAfee ensures compatibility with the leading file and patch deployment vendors.

Requirement 68: The product or encryption system shall allow administrator to configure product to enforce zeroization, 'wipe' or key destruction to render the data unusable.

Response: McAfee's integrated FDE/FES solution meets the requirement to remotely remove the symmetric key from an endpoint device. From the McAfee Management Center, the administrator can push a policy and force a synchronization that removes the encryption key from the device and disables the account and the user on any associated machines.

top

SUPPORTED OPERATING SYSTEM, HARDWARE, FIRMWARE - NOTE: It is CRITICAL that product supports at least one of the following operating systems. It is IMPORTANT that product supports more than one of the following operating systems. It is DESIRABLE that product supports 3 or more operating systems. Of the list below, identify all operating systems supported to include version.:
Requirement 69: Microsoft Windows 2000.

Response: McAfee supports Windows NT through Server 2003 operating systems.

Requirement 70: Microsoft Windows 2003.

Response: McAfee supports Windows NT through Server 2003 operating systems.

Requirement 71: Microsoft Windows XP.

Response: McAfee supports Windows 9x through XP operating systems.

Requirement 72: Microsoft Windows Vista.

Response: McAfee supports Windows Vista operating systems.

Requirement 73: UNIX / Sun Solaris.

Response: McAfee does not currently have plans to support UNIX/ Sun Solaris.

Requirement 74: Mac OS X.

Response: McAfee has roadmap plans to support Mac OS X, no release date has been set.

Requirement 75: Windows Mobile 5.0.

Response: McAfee supports the Windows Mobile 5.0 operating system.

Requirement 76: Windows CE.

Response: McAfee supports Windows CE.

Requirement 77: RIM/Blackberry.

Response: McAfee will provide functionality to manage policies for the use of BlackBerry's native AES 256-bit FIPS 140-2 strong encryption. Future versions of the management environment are planned to support policy control over BlackBerry devices.

Requirement 78: Palm.

Response: McAfee supports the Palm operating system.

Requirement 79: Symbian.

Response: McAfee supports the Symbian operating system.

Requirement 80: Linux to include Red Hat, SuSE.

Response: McAfee for Linux will include support for Red Hat and SuSE.

top

GENERAL AND TECHNICAL SUPPORT:
Requirement 81: Under software maintenance agreement, vendors must notify the Government and deliver product within 10 working days of commercial release for new updates.

Response: McAfee's integrated FDE/FES solution meets the requirement for ten (10) working day notification of software releases. McAfee notifies customers and delivers (customer decides delivery option) new updates within 10 days of general availability commercial releases. All available patches are accessible for download as an authorized customer from the McAfee Website.

Requirement 82: For every product patch or upgrade release, vendor will provide verification that the product still meets all of the initial critical requirements .

Response: McAfee's integrated FDE/FES solution meets the patch and upgrade requirements. When McAfee patches or updates, McAfee will provide verification that McAfee still meets all critical requirements.

Requirement 83: Vendor will maintain disclosure-requirements to the DoD when any commercial acquisitions of or by their company affects foreign ownership or influences foreign controls of that company.

Response: McAfee's integrated FDE/FES solution meets the country of origin requirement. McAfee, as a US end product, is assembled in the US from components developed in the UK and US. In the case of any commercial acquisition or event that affects foreign ownership or influences foreign control of McAfee, a representative from McAfee's General Counsel will contact the Contracting Officer in writing within 10 business days.

Requirement 84: Vendor must provide several technical support delivery options, to include phone, online, onsite, etc.

Response: McAfee's integrated FDE/FES solution meets the minimum of technical support delivery systems. McAfee offers support via multiple delivery options including phone, online, on-site, etc.

Requirement 85: Provide one (1) administrator & one (1) user's guide in hard copy and in electronic formats (PDF) with unlimited reproduction privileges for internal purposes per order.

Response: McAfee's integrated FDE/FES solution meets the documentation requirements. McAfee's license and fulfillment process includes administrator guides in electronic (PDF) format or in hard copy.

Requirement 86: For every patch or upgrade release, new product releases will be backward compatible and be capable of using or decrypting previously encrypted data.

Response: McAfee's integrated FDE/FES solution meets the product and patch release requirements. McAfee patches and upgrades provide a seamless upgrade path and do not interfere with the database or with the recovery of previously encrypted data.

Requirement 87: Provide troubleshooting guidance for product.

Response: McAfee's integrated FDE/FES solutions meet the requirement for troubleshooting guides. McAfee's product documentation includes commonly identified troubleshooting techniques. In addition, McAfee encourages customers to enroll in a training and certification class; the number of customer enrollees varies with the user population.

Requirement 88: Product must provide user-friendly feedback messages when errors or warnings occur.

Response: McAfee's integrated FDE/FES solution meets the user notification requirements. McAfee provides simple user-friendly messages with specific error codes when errors or warnings occur.

Requirement 89: System installation documentation should include steps to verify proper operation upon completion of installation.

Response: McAfee's integrated FDE/FES solution meets the requirements for system installation documentation. McAfee provides customers with various options for knowledge transfer including but not limited to Administrative Guides, Quick Start Guides, Implementation Guides, Certifications and Trainings.

Requirement 90: Provide SIN (Special Item Number) 132-51 for professional services offered.

Response: McAfee's integrated solution meets the requirement for SIN 132-51 for professional services. McAfee offers remote and onsite implementation services including Assessments, Proof of Concept, Lab Evaluations, Client Analysis, Product Configuration, Product Validation and Product Implementation. McAfee is willing to discuss this request further to customize the appropriate services bundle to meet the business requirements.

top

LICENSING & COSTING:
Requirement 91: Licenses are transferable within each Federal Agency.

Response: McAfee's integrated FDE/FES solution meets the license transfer requirement. McAfee's licensing model affords the flexibility to accommodate the transferable request.

Requirement 92: Provide license pricing that is user based and includes secondary-use rights.

Response: McAfee's integrated FDE/FES solution meets the secondary-use software rights. McAfee's licensing model affords multiple users to utilize the same device.

Requirement 93: Product licenses are perpetual.

Response: McAfee's integrated FDE/FES solution meets the perpetual license requirement. McAfee licenses are perpetual. McAfee will provide all Federal Agencies holding perpetual licenses with access to updates and support under a valid maintenance contract.

Requirement 94: Price of product licenses.

Response: McAfee offers several categories of licensing models - User based, Device based and Enterprise based licensing. McAfee will discuss these options to customize a licensing model to afford the business requirements. Please see attachment #1 for requested pricing information.

Requirement 95: Price of annual software maintenance.

Response: McAfee's integrated FDE/FES solution provides annual maintenance options. McAfee offers several custom maintenance options. McAfee will discuss this item to customize the most effective maintenance program. (See pricing in Atch 1).

Requirement 96: Price of all tiered support options.

Response: McAfee's integrated FDE/FES solution meets the requirement for multiple support options. McAfee offers two (2) levels of support - Business Day & 7x24 support. (See Atch 1).

Requirement 97: Product training is available for system administrators as separate price.

Response: McAfee's integrated FDE/FES solution meets the requirement for separate administrator training. McAfee offers line item pricing for administrator training and certification. Please see Attachment #1.

Requirement 98: Provide license pricing that is device-based regardless of the number of users.

Response: McAfee's integrated FDE/FES solution meets the requirement for device-based licensing. McAfee's licensing models accommodate the addition of users to a specific device. Please see attachment #1.

Requirement 99: When maintenance is included with the purchase of a license, support begins at the time of installation phase.

Response: McAfee's integrated FDE/FES solution meets the requirement: first-year maintenance is included with the purchase of the license product.

Requirement 100: Licenses include home-use rights.

Response: McAfee's integrated FDE/FES solution meets the requirement for home use rights.

Requirement 101: Users should require minimal or no training to utilize the product.

Response: McAfee's integrated FDE/FES solution meets the no training requirement for end users. McAfee's product offerings do not require end-user training.

Requirement 102: Onsite product training is available.

Response: McAfee offers a comprehensive certification and training program that is typically hosted at Government customer locations.

Requirement 103: Vendor shall provide virtual web-based training for the product.

Response: McAfee's integrated FDE/FES meets the requirement for virtual web-based product training. McAfee offers custom Web-based certification and training.

top