Customer Trust Portal

Access to information and resources about Symantec’s information security policies, standards and assurance programs over the protection of customer data.

Security Program Summaries

Trust is Fundamental to Our Business

Committed to safeguarding privacy and personal data

Protecting your most valuable assets is at the heart of our business, and Symantec remains vigilant about safeguarding your data and the privacy of the individuals it represents.

  • Data and its protection are at the center of everything we do: Our business is built on security, compliance, and accountability, enabling us to protect our customers’ most valuable assets.
  • We support the European Union’s General Data Protection Regulation (GDPR) and the safeguarding of privacy rights.
  • Privacy is a fundamental human right and protecting personal data—whether our own, our customers’, or our partners’—is part of our commitment to corporate responsibility.
Global Certification Management

Customer Trust Office

The Customer Trust Office plays a key role in supporting Symantec's customer due diligence needs during the sales process, and thereafter ensuring customers are provided with sufficient insight into Symantec's information security policies, practices and product assurances. This team within the Global Security Office (GSO) coordinates with Sales, Legal and the Product teams to respond to customers’ information security assessment ("ISA") questionnaires or providing product assurance documentation (e.g., ISO 27001 certifications, SOC audit reports, evidence of penetration testing or vulnerability scanning results).

Learn More

Security Certifications

Privacy Statement

Symantec's Privacy Statement describes the types of information we collect via Symantec’s web sites, how we may use that information and with whom we may share it. Our Privacy Statement describes the measures we take to protect the security of the information. We also tell you how you may contact us to update your information, remove your name from our mailing lists or get answers to questions you may have about our privacy practices at Symantec.

Learn More

Information Security Policies and Standards

Symantec’s Information Security policies and standards are aligned to industry standards, e.g., ISO, CSA, NIST /IEC 27001, SOC 2 and PCI. These policies and standards are reviewed and updated (as necessary) on an annual basis. The following information security domains are covered by Symantec’s Information Security policies and standards:

  • Risk Management and Compliance
  • Security Training and Awareness
  • Personnel Security
  • Data Classification and Protection
  • Encryption and Key Management
  • Security Incident Management and Response
  • Supply Chain Risk Management
  • Logical Access Control
  • Workplace & Datacenter Security
  • Endpoint Security
  • Architecture & Cloud Security
  • Change Management
  • Asset Management
  • Product Development & Operations Security
  • Business Resiliency & Disaster Recovery
  • Data Backup & Recovery
  • Acceptable Use & Media Handling
  • Vulnerability & Patch Management
  • Security Monitoring


Symantec’s global staff of certification professionals actively promotes awareness of global certification best practices and provides overarching guidance and support to our product teams to walk them through the necessary business and technical channels to obtaining and maintaining Symantec product certifications.


Symantec Certifications

Common Criteria

The international Common Criteria Recognition Arrangement (CCRA) brings together 26 nations who agree to accept a unified approach to the evaluations of information technology products and protection profiles for information assurance and security. This arrangement benefits member nation governments and other customers of IT products by creating more clarity in procurement decisions, more precision in evaluations, a better balance of security and features, and more rapid access to products from industry.

As the basis for the international standards ISO/IEC15408 and ISO/IEC 18045, Common Criteria is a framework in which:

  • government, military and other users can specify their security functional and assurance requirements through the use of protection profiles,
  • vendors can then implement and/or make claims about the security attributes of their products,
  • and testing laboratories can evaluate the products to determine if they actually meet the claims.

Source: Common Criteria IT Security Evaluation & the National Information Assurance Partnership

Please also refer to National Information Assurance Policy and Common Criteria for additional information.

View More
View Less


Federal Identity, Credential and Access Management (FICAM)

The FICAM TFS is the federated identity framework for the U.S. Federal Government. It includes guidance, processes, and supporting infrastructure to enable secure and streamlined citizen and business facing online service delivery.

NSL IDEF certification Achieved. IDEF is the Identity Ecosystem Framework version 1.0. This is a valid and active certification and applicable for both public sector and commercial markets.

The following Norton Secure Login and certification packages are applicable to the FICAM program run by GSA.  Refer here for a list of approved identity providers.

For additional information, please contact Adam Madlin.

Federal Information Processing Standard Publication 140-2 (FIPS 140-2)

FIPS 140-2 Product Status

Federal Information Processing Standard 140-2 (FIPS 140-2) validation is important to any vendor selling cryptography to the Federal market space. If your IT product utilizes any form of encryption, it will likely require validation against the FIPS 140-2 criteria by the Cryptographic Module Validation Program (CMVP) run jointly by the National Institute of Standards and Technology (NIST), in the United States and Communications Security Establishment (CSE) in Canada before it can be sold and installed in a Federal agency or DoD facility.

FIPS 140-2 describes US Federal government requirements that IT products should meet for Sensitive, but Unclassified (SBU) use. The standard was published by the NIST, has been adopted by the CSE, and is jointly administered by these bodies under the umbrella of the CMVP.

The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security: from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.  Please refer here for additional information regarding FIPS 140-2 requirements, including NIST links.

Symantec Validated Products List

Listed below are the Symantec products with a status as to whether a listed product is:

  • FIPS 140-2 validated
    • Product uses an existing encryption module (Symantec or 3rd party) and has gone through a "private label" validation process
  • Compliant
    • Product uses an existing validated 3rd party module, but has not explicitly obtained a private validation from NIST
  • N/A
    • Product does not contain an encryption module
  • Not at this time
    • Product has an encryption module but is not FIPS 140-2 validated at this time

This snapshot in time below involves an in flux product line so there are no guarantees as to accuracy, but we try to keep this updated with the current status/FIPS 140-2 status per products. Symantec does not certify that all its software and hardware products, services or appliance solutions are compliant or validated per FIPS 140-2 requirements.

For questions regarding FIPS 140-2 statuses/content herein or to note an updated FIPS product status, please contact us.

FIPS Compliant Symantec Products

Symantec Product Name Status Has Encryption Module Encryption Module Type
Data Center Security 6.6 FIPS Compliant Yes OpenSSL with BSAFE (Certificate # 1058)
IT Management Suite 8.0 FIPS Compliant Yes  
Critical System Protection 7.x FIPS Compliant Yes  

View More
View Less


FIPS Validated Symantec Products

Symantec Product Name Status Has Encryption Module Encryption Module Type
Data Loss Prevention 12.5 FIPS Validated Yes Symantec Java Cryptographic Module (validation certificate #2138)
Symantec DLP Cryptographic Module (validation certificate #2318)
Data Loss Prevention 14.0 FIPS Validated Yes Symantec Java Cryptographic Module (validation certificate #2138)
Symantec DLP Cryptographic Module (validation certificate #2318)
Data Loss Prevention 15.0 FIPS Validated Yes Symantec Java Cryptographic Module (validation certificate #3082)
Symantec DLP Cryptograhic Module (validation certificate #2318)
Encryption - Desktop Email Encryption 10.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - Drive Encryption 10.3 FIPS Validated Yes Symantec PGP SDK 4.2.1(certificate #1684)  
Encryption - Endpoint Encryption 11.1.1 FIPS Validated Yes PGP Cryptographic Engine 4.3
Encryption - File Share Encryption 10.3 FIPS Validated Yes Symantec PGP SDK 4.2.1(certificate #1684)  
Encryption - Gateway Email Encryption 3.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - Management Server 3.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - Mobile Encryption FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - PGP Command Line 10.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - PGP Key Management Client Access 10.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Encryption - PGP Key Management Server 3.3 FIPS Validated Yes Symantec PGP SDK 4.2.1 (certificate #1684)
Endpoint Protection 12.1 FIPS Validated Yes Symantec Java Cryptographic Module Version 1.2 (Certificate # 2138) BSAFE
(Certificate # 1786)
Endpoint Protection Small Business Edition 12.1 FIPS Validated Yes Java cryptography module 1.3
Messaging Gateway 10.5 FIPS Validated Yes Symantec Scanner Cryptographic Module; Symantec Control Center Cryptographic Module
OpenSSL & RSA B-safe wrapper
Mobility Suite - Hosted FIPS Validated Yes OpenSSL
Mobility Suite - On Premise FIPS Validated Yes OpenSSL
Symantec Insight for Private Cloud FIPS Validated Yes Uses two OpenSSL

View More
View Less


Non-FIPS Symantec Products

Symantec Product Name Status Has Encryption Module Encryption Module Type
Control Compliance Suite - AM N/A No  
Cyber Security DeepSight Intelligence Datafeed N/A No  
Cyber Security DeepSight Intelligence Portal N/A No  
Endpoint Protection Small Business Edition 2013 N/A No Open SSL 0.98
Mail Security for Domino 8.1 N/A No  
Mail Security for MS Exchange 7.5 N/A No  
Norton Secure Login Not at this time Yes Java crypto
Protection Engine 7.5 N/A No  
Protection for Sharepoint Servers 6.0 N/A No  
Symantec Embedded Security: Critical System Protection 1.0 Not at this time Yes OpenSSL
Validation and ID Protection Service (VIP) Not at this time Yes FIPS-mode OpenSSL

View More
View Less

Federal Risk and Authorization Management Program (FedRAMP)

Symantec Product Status
Symantec VIP In Process
Email Security for Government: SMG Authorized


The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves an estimated 30-40% of government costs, as well as both time and staff required to conduct redundant agency security assessments. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.


  • Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
  • Increase confidence in security of cloud solutions achieve consistent security authorizations using a baseline set of agreed upon standards to be used for cloud product approval in or outside of FedRAMP
  • Ensure consistent application of existing security practice, increase confidence in security assessments
  • Increase automation and near real-time data for continuous monitoring


  • Increase re-use of existing security assessments across agencies
  • Save significant cost, time, and resources – “do once, use many times”
  • Improve real-time security visibility
  • Provide a uniform approach to risk-based management
  • Enhance transparency between government and Cloud Service Providers (CSPs)
  • Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process

Main Players

Main Players There are three main players in the FedRAMP process: Agencies, CSPs, and Third Party Assessment Organizations (3PAOs). Agencies are responsible for selecting a cloud service, leveraging the FedRAMP Process, and requiring CSPs to meet FedRAMP requirements. CSPs provide the actual cloud service to an Agency, and must meet all FedRAMP requirements before they implement their services. 3PAOs perform initial and periodic assessment of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an on-going role in ensuring CSPs meet requirements.  FedRAMP provisional authorizations (P-ATOs) must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

Key Processes

FedRAMP authorizes cloud systems in a three step process:

  1. Security Assessment: The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
  2. Leveraging and Authorization: Federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
  3. Ongoing Assessment & Authorization: Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.


FedRAMP is a government-wide program with input from numerous departments, agencies, and government groups. The program’s primary decision-making body is the Joint Authorization Board (JAB), comprised of the CIOs from DOD, DHS, and GSA.  In addition to the JAB, OMB, the Federal CIO Council, NIST, DHS, and the FedRAMP Program Management Office (PMO) play keys roles in effectively running FedRAMP.


Voluntary Product Accessibility Templates

Symantec is committed to developing technology solutions that are accessible to persons of all abilities. To that end, we utilize the Voluntary Product Accessibility Template (VPAT™),  developed by the Information Technology Industry Council, to assist government contracting officials and other buyers in making assessments of the accessibility features of our products and services.

Release of a VPAT, however, does not constitute a certification by Symantec that procurement of any electronic and information technology would comply with the requirements of Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. § 794 (d)).

For additional information regarding Symantec’s VPAT program, please contact us.