CERTIFICATION AND STANDARDS
Requirement 1: The cryptographic module used in the product offered must be NIST FIPS 140-2 compliant.
Response: SafeBoot's integrated FDE/FES Encryption meets the FIPS-140-2 requirement as the core cryptographic modules used within SafeBoot's product portfolio were awarded FIPS 140-2 (Certification #506) on July 27th 2005.
Requirement 2: Product shall be NIAP certified
Response: SafeBoot's integrated FDE/FES solution exceeds the requirement for the National Information Assurance Partnership (NIAP). In 2006, SafeBoot's product offering was awarded EAL 4 Common Criteria Certification (Certification #227).
Requirement 3: Product shall be compliant with American Disabilities Act Section 508.
Response: SafeBoot's integrated FDE/FES exceeds the Section 508 compliance requirement. Please refer to the attachment entitled “Section_508_SafeBoot Compliance_Checklist.pdf.”
Requirement 4: Product shall be in the NIAP certification process
Response: SafeBoot's integrated FDE/FES solution is EAL4 Common Criteria Certified (Certification #227). SafeBoot is the only encryption solution certified based on the new 2006 EAL 4 Certification criteria.
ENCRYPTION
Requirement 5: The product provides Full Disk Encryption (FDE), File/Folder Encryption System (FES), or Integrated FDE and FES.
Response: SafeBoot's integrated FDE/FES solutions meet the requirement for integrated FDE and FES by offering a true centralized and integrated FDE & FES product. SafeBoot uses strong access control and pre-boot authentication for both users and machines to prevent unauthorized access to PCs, laptops, Tablet PCs, and smart phones and/or PDA's. SafeBoot provides industry-leading encryption with FIPS 140-2 L2 certified, AES 256 algorithm and additionally RC5-1024. SafeBoot supports dual factor authentication in the pre-boot environment with CAC/ PKI certificates. SafeBoot's Management Center and associated components afford a unique ability to centrally monitor, manage and revoke user identities across the enterprise. The SafeBoot Management tools provide policy creation and enforcement for both FDE and FES encryption. This allows central deployment, remote upgrades, and creation and enforcement of mandatory security policies. SafeBoot's FDE module encrypts at a rate of approximately 10GB- 50GB per hour depending on the drive speed, CPU, RAM and other hardware factors.
The pre-boot footprint installs in sectors 0-60 on the endpoint device's hard drive where SafeBoot replaces the existing Microsoft Master Boot Record (MBR) as the trusted MBR. Further, SafeBoot's FDE module is compliant with industry standard GINAs to provide Single Sign On (SSO) or Password Synchronization transparently to the end user. Encryption is transparent to the end user as their existing network or local user ID and password is synchronized with SafeBoot. They will continue to authenticate as normal. Further, the initial impact of the encryption process is configurable to any endpoint via a centrally created and deployed policy. This SafeBoot advantage provides Federal Agencies the ability to select specific users to encrypt at specified frequencies; such as encrypt only when the pc or laptop is idle or use all available resources to encrypt. All users can continue working on their associated PC as they normally would during the one time initial drive encryption. SafeBoot's FDE component encrypts all sectors of the hard drive.
Requirement 6: The product provides a capability to automatically encrypt data that is transferred to removable storage media, for example, CD/DVD, USB pin-drives, tapes, external hard drives, etc., without user intervention or circumvention
Response: Although network administrators have rights and privileges in the overall Microsoft environment, SafeBoot's FES restricts access to specific files and folders that can be viewed ONLY by the SafeBoot "trusted" user (this is often used to keep Executive Level data non-viewable by help desk, network administrators, and/or third party contractors). Other solutions take an altogether different approach whereby the encryption model is static and refers only to a specific virtual container. Once the data is moved out of the container (even by an end user) the data is unencrypted. SafeBoot's FES module provides dynamic and persistent encryption that is centrally managed and enforced. Finally, SafeBoot's integrated FDE/FES solution includes additional tools sets that increase deployment speeds, efficiencies and the end user experience. SafeBoot's Scripting Tool, SafeBoot Connectors (AD, NDS, and LDAP), SafeBoot Web Help Desk Recovery, and SafeBoot's SafeTech Diagnostic Tool Set components are used by both of the integrated FDE/FES SafeBoot modules.
Requirement 7: Product must be capable of using the user's PKI encryption certificate within the DoD CAC or PIV II compliant Smartcard to protect the full volume encryption key
Response: SafeBoot's integrated FDE/FES meets the requirement to provide the capability to use a Federal Government user's PKI encryption certificate contained within their DoD CAC or PIV II compliant Smartcard protecting the full volume encryption key by integrating with a wide variety of PKI environments – examples include ActiveIdentity, Baltimore, Entrust, Novell, Microsoft, etc., and provides true PKI authentication using certificates stored on tokens such as smart cards and USB keys, including RSA SID800 and Aladdin eTokens. The SafeBoot connector provides a soft (electronic only) copy of the user by looking up the user certificate in the PKI, and using the public key to encrypt the user’s personal SafeBoot authentication key. When the user attempts to authenticate, SafeBoot sends this data to the token and ask it to decrypt it using the appropriate matching private key. This architecture enables SafeBoot to use the PKI certificates for authentication. SafeBoot can monitor the certificate validity periods, CRLs, Cert rollover, etc for appropriate changes and take corresponding actions.
This is a standard part of our product offering, and is currently in its 2nd Generation. Per our market research, SafeBoot is the ONLY product with true PKI interoperability in pre-boot. We have used this system to integrate other National PKI identity cards in other countries, such as Estonia and Singapore.
Requirement 8: Product must be capable of using the user's PKI encryption certificate contained in the DoD CAC or PIV II compliant Smartcard to encrypt the file that contains the system generated file/folder encryption key
Response: SafeBoot integrated FDE/FES meets the requirement to provide the capability to use a Federal Government user's PKI encryption certificate contained within their DoD CAC or PIV II compliant Smartcard protecting their authentication encryption key by integrating with a wide variety of PKI environments – examples include ActiveIdentity, Baltimore, Entrust, Novell, Microsoft, etc., and provides true PKI authentication using certificates stored on tokens such as smart cards and USB keys, including RSA SID800 and Aladdin eTokens. The SafeBoot connector provides a soft (electronic only) copy of the user by looking up the user certificate in the PKI, and using the public key to encrypt the user’s personal SafeBoot authentication key. When the user attempts to authenticate, SafeBoot sends this data to the token and ask it to decrypt it using the appropriate matching private key.
SafeBoot's integrated FDE/FES solutions exceed the requirement for end user transparency. Both encryption modules (FDE/FES) within SafeBoot are completely transparent to the end user. SafeBoot's FDE module prompts an end user for authentication. Once successfully authenticated, the key is loaded into memory and all data called or written is encrypted or decrypted on the hard drive. Further, both modules are centrally controlled and managed from the SafeBoot Management software. Within the FDE encryption module, at no time is an end user provided with the ability to remove or uninstall the encryption keys or associated software. Only authorized SafeBoot Administrators with access to the SafeBoot Database and access to the machine information can decrypt the endpoint device. SafeBoot's FES module restricts access to protect files and/or folders -- only authorized users or administrators can access protected files with proper authentication.
Requirement 9: The product's process for encryption and decryption of data is configurable to be transparent to user
Response: SafeBoot's integrated FDE/FES solutions exceed the requirement for end user transparency. Both encryption modules (FDE/FES) within SafeBoot are completely transparent to the end user. SafeBoot's FDE module prompts an end user for authentication. Once successfully authenticated, the key is loaded into memory and all data called or written is encrypted or decrypted on the hard drive. Further, both modules are centrally controlled and managed from the SafeBoot Management software. Within the FDE encryption module, at no time is an end user provided with the ability to remove or uninstall the encryption keys or associated software. Only authorized SafeBoot Administrators with access to the SafeBoot Database and access to the machine information can decrypt the endpoint device. SafeBoot's FES module restricts access to protect files and/or folders -- only authorized users or administrators can access protected files with proper authentication.
SafeBoot's FES solution eliminates the inherent security vulnerability of Root or Administrative users from accessing or deleting data. SafeBoot policies become the trusted mechanism by which access to specific content is authorized. Further, the FES module allows Federal Agencies to set policies to that enforce the encryption of the data file or folder as it moves throughout the enterprise. For example, the data can be encrypted as it is burned to a CD-ROM, USB stick or attached in an e-mail.
Requirement 10: Products shall provide an option to use only FIPS 180-2 compliant algorithms for hashing and signing
Response: SafeBoot's FDE/FES algorithms are certified to FIPS140-2. In FIPS mode, SafeBoot does not provide the means for users to choose non-FIPS 180-2 hashing and signing algorithms. SafeBoot has SHA1 certificate 254 http://csrc.nist.gov/cryptval/shs/shaval.htm
Requirement 11: Product uses an approved random number generator specified in FIPS 140-2 Annex C for key generation
Response: SafeBoot's FDE/FES algorithms are certified to FIPS140-2. In FIPS mode, SafeBoot does not provide the means for users to choose non-FIPS 180-2 hashing and signing algorithms. SafeBoot has SHA1 certificate 254 http://csrc.nist.gov/cryptval/shs/shaval.htm
Requirement 12: The product must allow data from an encrypted source to be decrypted to allow transfer of data unencrypted to another destination
Response: SafeBoot's integrated FDE/FES exceeds the requirement allowing users to send a file from an encrypted origin in an unencrypted fashion given the permitting policy to do so from the SafeBoot Management Center. The policy defined by the administrator in the SafeBoot Management Center determines if the user is able to send encrypted or decrypted files. The policy may be automated such that it does not require any intervention from the user.
Requirement 13: The product supports distribution of encrypted data to trusted or business partners for data exchange using authenticated self extraction
Response: SafeBoot's integrated FDE/FES exceeds the requirement to distribute encrypted data to trusted parties. SafeBoot's FES module provides Federal Agencies with flexible deployent options. One applicable deployment strategy is to create and implement specific policies that provide only specific users or groups access to encrypted files. Should Federal Agencies choose this option, SafeBoot's FES module provides a self-extraction tool that is embedded in the encrypted file. This file can be transported physically or electronically and will remain persistently encrypted until it reaches its destination. This encrypted file or folder can only be accessed by successfully authenticating with a password. Further, SafeBoot's FDE module affords Federal Agencies to ability to create a virtual container within the FDE environment whereby users can provide encryption to files placed into the virtual container. SafeBoot is the sole vender in the marketplace that delivers two (2) integrated approaches to address removable media.
Requirement 14: If product offers optional encryption algorithms to be used for encryption, the product allows encryption algorithm selection by an administrator
Response: SafeBoot integrated FDE/FES exceeds the requirement for a SafeBoot administrator to select the encryption algorithm during the installation. The chosen algorithm cannot be modified by lower-level administrators or end users. Further, in a SafeBoot environment, to change the encryption type (i.e. 128 to 256) of an existing SafeBoot client, an authorized SafeBoot administrator must decrypt the end-point device and then re-encrypt.
Requirement 15: If product is an integrated FDE and FES solution, the product provides FDE and FES under a single product management console
Response: SafeBoot's integrated FDE/FES exceeds the requirement for a fully integrated FDE/FES. SafeBoot's product portfolio is built upon one centralized console, namely the SafeBoot Management Center. The integrated components that comprise this solution are SafeBoot for Device Encryption, SafeBoot for Content Encryption and SafeBoot Port Control. From the SafeBoot Management Center, all SafeBoot product modules are configured, managed and maintained. SafeBoot offers advanced centralized management system to enable efficient management of FDE/FES encryption for all users, user groups, and machine groups. The SafeBoot Management center provides an administration console to manage and enforce all FDE/FES encryption policy for all users/ machines and user/ machine groupings. The SafeBoot Management Center, through its connector technology, allows administrators to interface with existing directory structures (including Microsoft Active Directory, Novell, LDAP) further simplifying setup, deployment, hot user revocation, and ongoing administration.
The SafeBoot Management Center also provides a centrally managed Port Control technology that permits or denies users/groups the ability to use specific hardware devices and I/O on the machine. SafeBoot Port control is user- and device-based, wherein granular permission policies can enforce device usage to users or groups based on specific hardware identifiers. SafeBoot's Management center also provides an application control technology that creates "white" and "black" lists of applications that may be used or disallowed. This allows administrators the ability to enforce standard or approved applications in use on endpoint devices. The SafeBoot Management Center additionally provides a central push/pull update engine for applying updates to the SafeBoot system or any other technologies residing on the client machine. Administrators can manage any aspect of the SafeBoot security environment from the SafeBoot Management Center.
Requirement 16: If the product offers optional encryption algorithms to be used for encryption, the product should have the capability for the administrator to deactivate or 'grey out' undesirable or unauthorized options.
Response: SafeBoot's integrated FDE/FES exceeds the requirement for a SafeBoot administrator to select the encryption algorithm during the installation. The selection for encryption algorithms is voided and cannot be modified by lower level administrators or end users. The encryption algorithm is selected by the administrator during installation. It cannot be modified by the end user.
Requirement 17: Product is capable of file compression and encryption in a single step by the user
Response: SafeBoot's FES encryption module exceeds the requirement to encrypt existing compressed files. SafeBoot's FES solution works seamlessly with standard, third-party compression applications. This process is transparent to the end user and is enforced by a centralized policy.
AUTHENTICATION
Requirement 18: Product provides boot authentication
Response: SafeBoot's integrated FDE/FES meets this requirement providing enhanced pre-boot authentication. SafeBoot FDE contains a complete pre-boot authentication engine, requiring the user authenticate with strong password and/or token/smartcard before any of the disk is decrypted (prior to the device operating system is loaded/booted). DoD-, CAC- or POV II- compliant cards are a supported form of the SafeBoot pre-boot environment. This SafeBoot pre-boot environment affords a Windows look and feel, with mouse support, on-screen keyboard support for tablets. Additionally, the pre-boot environment can be re-styled as administrators see fit, with changes to the text, language, and graphics required to provide transparency to end users.
Requirement 19: Product must support use of DoD CAC or PIV II compliant Smartcard for boot authentication with no modification of card required.
Response: SafeBoot's integrated FDE/FES meets this requirement providing enhanced pre-boot authentication. SafeBoot FDE contains a complete pre-boot authentication engine, requiring the user authenticate with strong password and/or token/smartcard before any of the disk is decrypted (prior to the device operating system is loaded/booted). DoD-, CAC- or POV II- compliant cards are a supported form of the SafeBoot pre-boot environment. This SafeBoot pre-boot environment affords a Windows look and feel, with mouse support, on-screen keyboard support for tablets. Additionally, the pre-boot environment can be re-styled as administrators see fit, with changes to the text, language, and graphics required to provide transparency to end users.
Requirement 20: Product must support use of DoD CAC or PIV II compliant Smartcard on a Government approved token for boot authentication
Response: SafeBoot's FDE/FES integrated solution meets this requirement. SafeBoot's pre-boot environment supports DoD-, CAC-, or PIV II- compliant smartcards. When creating a client image within the SafeBoot environment, an authorized SafeBoot administrator simply selects two-factor authentication and selects the appropriate card or token required for authentication. No modification to the card is required. SafeBoot's architecture and design affords authorized Federal Agency administrators with the ability to maintain business continuity should an end user lose or have a DoD-, CAC-, or PIV II- compliant smartcard lost or stolen. In this event, the SafeBoot Management Center will afford authorized SafeBoot administrators the ability to remotely change the two-factor, pre-boot requirement from a two-factor authentication to a single-factor authentication. Once a new card is deployed to the remote user, the authorized SafeBoot Administrator can re-enable the two-factor, pre-boot authentication.
Requirement 21: Product shall allow the administrators to set a configurable limit for pre-boot logon attempts and invokes lockout for failed logon attempts after exceeding the limit
Response: SafeBoot's integrated FDE/FES meets the requirement to lock out users after a configurable limit of pre-boot logon attempts. The SafeBoot Management Center enforces a customizable policy that will automatically lock out any user when maximum number of logon attempts has failed. Once locked out, the end user must follow the existing Agency challenge-and-response procedures for resetting a password (including contacting the helpdesk or leveraging a secure, self-service password reset). SafeBoot also provides a configurable phone-home feature within any given client file. Should it be enabled, if an end-point device does not communicate with an Agency SafeBoot database within a predetermined threshold (hours, days, weeks, months, etc.), the end-point device will lock and the current password becomes void -- and the user must follow internal procedure to reset the password.
Requirement 22: Product supports password based pre-boot authentication
Response:
SafeBoot meets the requirement for multiple users of the same laptop to authenticate, pre-boot, with their individual DoD-, CAC- and PIV II-compliant smartcards coupled with passwords. SafeBoot supports up to 16,700 individual users per machine. SafeBoot supports a one-to-many relationship with users and machine. Each user has their own unique profile that allows them to access the device using their own CAC- or PIV II-compliant smartcard and/or strong password for authentication at pre-boot. It is not possible for one user to authenticate with another user's card -- SafeBoot maintains a one-to-one mapping between the certificate and user.
ADMINISTRATION & CONFIGURATION
Requirement 23: The product allows multiple users of the same laptop or device to use their individual DoD CAC or PIV II compliant Smartcard for boot authentication
Response: SafeBoot meets the requirement for multiple users of the same laptop to authenticate, pre-boot, with their individual DoD-, CAC- and PIV II-compliant smartcards coupled with passwords. SafeBoot supports up to 16,700 individual users per machine. SafeBoot supports a one-to-many relationship with users and machine. Each user has their own unique profile that allows them to access the device using their own CAC- or PIV II-compliant smartcard and/or strong password for authentication at pre-boot. It is not possible for one user to authenticate with another user's card -- SafeBoot maintains a one-to-one mapping between the certificate and user.
Requirement 24: The product shall have the capability to allow administrators to update user's credentials when issued a new DoD CAC, PIV II compliant Smartcard, or token
Response: SafeBoot's integrated FDE/FES meets this requirement. SafeBoot's pre-boot environment is F2-PBA-compliant and is capable of re-using existing tokens. Furthermore, updates made to the DoD, CAC, PIV II or token is synchronized automatically with the SafeBoot database, allowing the new credentials to be used at the next authentication. Furthermore, SafeBoot's Connector technology also leverages a CRL (Certificate Revocation List) Check providing a centralized mechanism for hot or immediate revocation for any user identity across the enterprise. Simply put, with a push of a button, an authorized SafeBoot administrator can enroll or disallow a user across hundreds or thousands of machines.
Requirement 25: Product shall have the capability to allow administrators to provide remote assistance to users who are locked out
Response: SafeBoot's integrated FDE/FES meets the requirement to permit SafeBoot administrators the ability to efficiently provide remote assistance to users who are 'locked out' of a device using three methods of online or offline recovery. Lost user passwords are reset using various supported methods; both online or offline. Any or all of which can be enabled or disabled for specific administrator levels in accordance with your SafeBoot security policies. The following methods are available for recovering a user.
1. If the user is connected to the network, the administrator resets the password (to known value or use the default password provided by SafeBoot) from the SafeBoot Management Center and synchronizes the machine.
2. WebHelpDesk a. User self-help reset via SafeBoot’s WebHelpdesk – A dedicated Web server component that provides secure challenge/response authentication of users via a sequence of question/answer, such as user’s employee number, birthplace, etc (configurable). This is available for users to self-reset their passwords through a connected kiosk. b. Administrator-assisted Web recovery – A dedicated Web server component that allows an administrator to drive the password reset process on behalf of the user through a Web portal. This involves the exchange of short-typed code sequences. In this case, the administrator authenticates as him/herself, and then assists the user in resetting their password/smartcard. 3. Administrator-assisted recovery using the SafeBoot Management Center, or remote administrator console, to perform a challenge/response recovery with the user.
Requirement 26: Product shall have the capability to allow administrators to configure the product for decryption and uninstall of encryption product by a system administrator only
Response: SafeBoot integrated FDE/FES meets the requirement to allow only provisioned administrators the ability to decrypt data or uninstall the product. Only an authorized administrator, with elevated privileges, has the ability change the policy to remove SafeBoot and decrypt the drive(s) and/or uninstall the product.
Requirement 27: Product shall prohibit vendor's ability to access, modify, or decrypt data
Response: SafeBoot integrated FDE/FES meets the requirement prohibiting SafeBoot Corp. any ability to access, modify, or decrypt data contained on Government devices. Simply put, SafeBoot has no backdoors into any SafeBoot system. Each Federal Agency maintains its independent SafeBoot database where unique keys are securely escrowed. Further, access to this escrow and database are governed solely by the individual Federal Agencies. NOTE: SafeBoot has experience with private sector organizations where they had locked themselves out of the secure escrow. When this happened, there was and still is nothing that SafeBoot can do to resolve the situation. The keys to unlock the data rest with each individual customer, not SafeBoot.
Requirement 28: Product does not interfere with imaging of hard drive after encryption product is installed
Response: SafeBoot's integrated FDE/FES meets the requirement to support hard drive or device drive imaging without interference after SafeBoot is installed. After authenticating, any standard imaging tool may be used to image a drive or device after it is encrypted with SafeBoot. Additionally, SafeBoot offers plug-ins for tools such as WinPE and BartPE which can be used to image the drive after authenticating.
Requirement 29: Product does not interfere with Restoration/Recovery of encrypted data from backup media
Response: SafeBoot's integrated FDE/FES meets the requirement to allow the restoration and recovery of encrypted data from backup media, without interference, utilizing the SafeBoot diagnostic toolkit comprised of the SafeBoot Backup Tool, SafeBoot DR Toolkit, and boot methods. SafeBoot's Backup Tool provides business continuity by allowing a copy of the SafeBoot database to be made highly available. To this end, SafeBoot has two (2) levels of transparent, high-availability embedded in the FDE/FES solution. The SafeBoot client software affords administrators to define diverse paths for connecting to a primary and secondary communication server and SafeBoot database. Furthermore, the number of paths can be exponential based on DHCP versus static Internet protocol. The SafeBoot Backup Tool Set allows Agencies the ability to leverage their existing disaster recovery/operations continuity procedures by installing multiple databases, leveraging SAN, NAS and clusters for SafeBoot databases. SafeBoot databases can be installed as cold, warm or hot configurations.
SafeBoot provides information on how to add the SafeBoot drivers to these CD tools to enable access (again by authorized users) to the affected machines. It is important to note there will be no additional data loss with disk encryption than would otherwise occur if disk encryption had not been used. SafeBoot maintains copies of all keys and essential information in the SafeBoot database, as such there are never keys stored only on the user machine. Essential keys are backed up and available to appropriate, authorized administrators.
Requirement 30: Product does not interfere with full disk data erasure tools
Response: SafeBoot's integrated FDE/FES solutions meet the requirement for compliance with disk/data erasure tools. SafeBoot does not interfere or interact in any way with disk/data erasure or clearing products. There is no interaction, or prevention of their normal operation.
Requirement 31: The product is capable of secure escrow and recovery of the symmetric encryption key
Response: SafeBoot's integrated FDE/FES solutions meet the requirement for ensuring secure escrow and recovery of the SafeBoot symmetric encryption key. SafeBoot's architecture affords for the centralized and secure key management. In fact, in FIPS mode, SafeBoot mandates that all encryption keys are securely offloaded for recovery into a dedicated, encrypted policy store. At no time can a user perform any action that would prevent encrypted data being inaccessible to an appropriately privilege administrator.
Requirement 32: The product shall implement NIST SP 800-53, Control IA-5
Response: SafeBoot's integrated FDE/FES meets the requirement ensuring password implementing NIST SP 800-53, Control IA-5. All SafeBoot passwords are encrypted and stored in the database. The data remains encrypted when transmitted. SafeBoot passwords are NEVER displayed when they are entered; all characters entered at login prompts are blocked with a generic placeholder. A centrally managed policy in the SafeBoot Management Center enforces password minimum and maximum lifetime restrictions and prohibits password reuse for a specified number of generations.
Requirement 33: If the product requires modification of the Master Boot Record, it shall be validated by the pre-boot environment
Response: SafeBoot's integrated FDE/FES meets the requirement for validating the Master Boot Record by the pre-boot environment. SafeBoot copies the original Master Boot Record to the SafeBoot Encrypted File System that is used to boot the machine. The SafeBoot File System contains all the properties and users associated with the machine. After authenticating and validation occurs at pre-boot using the SafeBoot Encrypted File System, the original MBR is loaded.
Requirement 34: The product's encryption/decryption process must occur without loss or corruption of data or content modification
Response: SafeBoot integrated FDE/FES meets the requirement ensuring that no data loss, content modification, or corruption will occur during the encryption/decryption process. SafeBoot encryption simply encrypts, sector-by-sector, the selected disk partitions or all sectors providing no data loss and/or modification during the encryption/decryption process.
Requirement 35: Product will be capable of encrypting swap, free, slack, temp, and Internet temp files
Response: SafeBoot integrated FDE/FES meets the requirement providing the ability for administrators to customize many aspects of the boot authentication screen including displaying Federal Agency warning banners. Administrators not only have the ability to add Federal Agency warning banners on the boot authentications screen, but can also completely modify the look and background display that could include an all black background, display of Federal Agency logos/banners, and also include text incorporated in the background environment. SafeBoot allows customization in the pre-boot environment including the use of logos and text displayed to your users at pre-boot. This option is set via the SafeBoot Management Center.
Requirement 36: Product allows modification of boot authentication screen by administrators to reflect Federal Agency warning banners
Response: SafeBoot integrated FDE/FES meets the requirement providing the ability for administrators to customize many aspects of the boot authentication screen including displaying Federal Agency warning banners. Administrators not only have the ability to add Federal Agency warning banners on the boot authentications screen, but can also completely modify the look and background display that could include an all black background, display of Federal Agency logos/banners, and also include text incorporated in the background environment. SafeBoot allows customization in the pre-boot environment including the use of logos and text displayed to your users at pre-boot. This option is set via the SafeBoot Management Center.
Requirement 37: When only password authentication is used for boot authentication, the product shall allow the administrator to enforce complex passwords to include a minimum of 9 characters in length, upper and lower case, alphanumeric, and special characters
Response: SafeBoot's integrated FDE/FES exceeds the requirement providing administrators the ability to select and restrict the enforcement of which pre-boot authentication processes(es) are used. SafeBoot administrators can choose and enforce either logical (passwords), physical (DoD CAC or PIV II Smartcards), or a combination of authentication processes for users at pre-boot. SafeBoot supports multiple authentication methods simultaneously. The administrator may define and assign the method of authentication to the user or user group during the initial client build or at any point in time.
Requirement 38: Product supports ability for administrators to require / restrict which pre-boot authentication mechanism will be used (i.e. CAC, Smartcard, token or password only)
Response: SafeBoot's integrated FDE/FES exceeds the requirement providing administrators the ability to select and restrict the enforcement of which pre-boot authentication processes(es) are used. SafeBoot administrators can choose and enforce either logical (passwords), physical (DoD CAC or PIV II Smartcards), or a combination of authentication processes for users at pre-boot. SafeBoot supports multiple authentication methods simultaneously. The administrator may define and assign the method of authentication to the user or user group during the initial client build or at any point in time.
Requirement 39: Product has the ability to allow administrators to maintain administrator password for pre-boot authentication for each system
Response: SafeBoot's integrated FDE/FES exceeds the requirement to allow SafeBoot administrators to maintain administrator password or smartcard for pre-boot authentication for each system they have the appropriate permissions to administer. Both the SafeBoot software architecture and licensing models provide Federal Agencies administrators' to maintain administrative accounts for the endpoints they are responsible for supporting. This requires no customization or additional license fees.
Requirement 40: Product does not change the content of the GINA.dll file
Response: SafeBoot's integrated FDE/FES exceeds the requirement by not changing the content of a systems GINA.dll file.The selectable SafeBoot Single Sign On feature intercepts the Windows Logon mechanism, using a “Pass through Gina” on Windows NT, 2000 and XP, and the Unified Logon Architecture on Windows 95, 98 and ME. On all operating systems a custom .ini file (SBGINA.INI) is used to help SafeBoot analyze the logon screen and apply the credentials into the correct boxes on screen.
Requirement 41: Product should not conflict with the host based security solutions running simultaneously on a mobile computing device such as Host Intrusion or Prevention Systems (HIDS or HIPS), Firewalls, and Anti-virus.
Response: SafeBoot's integrated FDE/FES exceeds the requirement of not interfering with host based security systems. SafeBoot is known to not interfere with the major host intrusion, antivirus and firewall vendors ensuring mutual compatibility of our respective products. Furthermore, through the password synchronization available with the SafeBoot solution, Federal Agencies may also synchronize VPN login credentials.
Requirement 42: Product is capable of silent and remote installation and updates of the product
Response: SafeBoot's integrated FDE/FES solution exceeds the silent installation requirement. SafeBoot offers the option to install the product silently. Software installation can be achieved using tools such as Radia, SMS, LANDesk, Tivoli, Altiris, Zenworks and others. As soon as SafeBoot is installed, the SafeBoot Integrated Deployment Service can be used to install any software package. The SafeBoot Management Center has the capability to deploy patches and updates to protected workstations.
Requirement 43: During the product's encryption/decryption process, if the process is interrupted, the product is capable of resuming the process from point of disruption
Response: SafeBoot's integrated FDE/FES solution exceeds the power interuption requirement. SafeBoot has it own built in power fail protection. If the device loses power during encryption, the encryption process will simply resume when power is restored.
Requirement 44: Product will support or have built-in auditing, monitoring, analysis, and reporting capabilities
Response: SafeBoot's integrated FDE/FES solution exceeds the built-in auditing, monitoring, analysis, and reporting capability requirements. The SafeBoot client attempts to connect to its home server or directory every time the machine boots or establishes a new dial-up connection. During this process, any configuration changes made by the SafeBoot administrator are collected and implemented by the SafeBoot client. In addition, the SafeBoot Client uploads the latest audit information that may include encryption status, any user password changes and security breaches to the Object directory. The Report Tool provides a graphical representation of the user's activity. Reports may be customized to meet your business needs.
Requirement 45: Product shall allow logging of access events to the product and encrypted data (success and failure)
Response: SafeBoot's integrated FDE/FES solution meets the audit log requirements. The SafeBoot client connects to its home server or directory each time the machine boots or establishes a new dial-up connection. During this process, any configuration changes made by the SafeBoot administrator are collected and refreshed by the SafeBoot client. In addition, the SafeBoot client uploads the latest audit information including encryption status, any user password changes and security breaches to the object directory.
Requirement 46: Product allows export of encrypted file that contains system generated full volume encryption key
Response: SafeBoot's integrated FDE/FES solution exceeds the encrypted file exportation requirement. SafeBoot Management Center allows authorized SafeBoot administrators to export configuration information that is used for diagnostic or troubleshooting purposes. The keys are encrypted and centrally stored with the machine ID in the SafeBoot database. In addition, to eliminate backdoors, machines are permanently deleted from the database and there is no backup, the machine cannot be recovered in case of a disaster.
Requirement 47: Product allows authorized user to validate disk encryption has occurred and is maintained
Response: SafeBoot's integrated FDE/FES solution exceeds the requirement for empirical proof that end user disks are encrypted. There is no way for an end user to remove, delete or manipulate the encryption status. Once an end user has successfully authenticated, they locate the SafeBoot icon in the Windows system tray. SafeBoot's Report Viewer provides graphical dashboard reports of the current and historical encryption state.
Requirement 48: Product can support pre-boot integrity
Response: SafeBoot's integrated FDE/FES solution meets the requirement to support pre-boot integrity. Safeboot performs validity checks on the boot loader and core load code to prevent against corruption and unintentlonal damage.
Requirement 49: Product allows administrators the option to install and configure the product on systems and devices not requiring DoD CAC or PIV II compliant Smartcard for boot authentication and/or encryption
Response: SafeBoot's integrated FDE/FES solution exceeds the requirement to support the use of the DoD CAC, PIV II compliant Smartcard or token or password for boot authentication. SafeBoot policy driven configuration supports multiple combinations of authentication methods including the DoD CAC, PIV II compliant Smartcard, other tokens and passwords. In the case a user looses a token a privileged administrator reset the end user authentication method to single factor provide immediate access to the data. Note: An additional option is to remotely configure a replacement token to maintain two (2) factor authentication.
Requirement 50: Product can be integrated into Federal Agency host-based security solutions as a module running on an endpoint computer
Response: SafeBoot's integrated FDE/FES solution exceeds the requirement for integrated host-based security systems. SafeBoot is compliant with host- based security solutions. SafeBoot works with the major host intrusion, prevention, antivirus and firewall vendors to ensure mutual compatibility of our respective products. SafeBoot's password synchronization affords authorized SafeBoot Administrators the ability to synchronize host based security passwords.
Requirement 51: Product supports Trusted Platform Module (TPM) chip version 1.2 or higher
Response: SafeBoot exceeds the requirement to comply with Federal Government standard applications, protocols, and communications. SafeBoot encrypts the drive at the sector level; therefore, operability of applications is not affected. Whereas many full-disk encryption vendors store their data on the user disk in areas marked as bad sectors. SafeBoot stores information as standard data. Information is unaffected by Checkdisk, Scandisk, Defrag, etc. SafeBoot is the ONLY product with data files specifically handled by Defrag and correspondingly affords protection of SafeBoot files from corruption. SafeBoot maintains a long-standing relationship with Microsoft and relationship with the authors of the Microsoft DeFrag Tool (formerly Executive Software).
Requirement 52: Product must be compatible with standard applications, protocols, and communications within the Federal Government
Response: SafeBoot exceeds the requirement to comply with Federal Government standard applications, protocols, and communications. SafeBoot encrypts the drive at the sector level; therefore, operability of applications is not affected. Whereas many full-disk encryption vendors store their data on the user disk in areas marked as bad sectors. SafeBoot stores information as standard data. Information is unaffected by Checkdisk, Scandisk, Defrag, etc. SafeBoot is the ONLY product with data files specifically handled by Defrag and correspondingly affords protection of SafeBoot files from corruption. SafeBoot maintains a long-standing relationship with Microsoft and relationship with the authors of the Microsoft DeFrag Tool (formerly Executive Software).
Requirement 53: Product supports boot into multiple operating systems on a single device
Response: SafeBoot's integrated FDE/FES solution exceeds the dual-boot requirement. SafeBoot supports multiple operating systems on a single device. The user will authenticate in the pre-boot environment. After authenticating, the user is able to choose the desired operating system.
Requirement 54: Provides open APIs or an SDK to support application integration
Response: SafeBoot exceeds the API requirement. SafeBoot is committed to its customers needs to enhance it core product functionality to meet specific business or operation requirements. This is documented in SafeBoot's support of over sixty (60) token vendors. SafeBoot R&D team, is continuously enhancing its APIs and SDKs.
Requirement 55: The product supports Single Sign-On (simultaneous pre-boot and O/S logon)
Response: SafeBoot's integrated FDE/FES solution exceeds the requirement to provide SSO with fully integrated, flexible, single sign-on (SSO) capability. Multiple users are supported at pre-boot, and their SSO credentials are stored and presented. SafeBoot utilizes standard GINAs to allow seamless login to the operating system while entering credentials in the secure, pre-boot authentication environment. In situations where a non-standard GINA is used, SafeBoot provides configuration options.
CENTRALIZED MANAGEMENT CONSOLE
Requirement 56: The product's administrator management console allows for failover functionality (fault tolerance/redundancy)
Response: SafeBoot's integrated FDE/FES solution exceeds the failover functionality requirement. The SafeBoot Management Center provides failover functionality through the use of the SafeBoot Database Backup Utility that creates a remote "hot backup" of the management console. The SafeBoot client includes a transparent, realtime failover functionality. If the primary SafeBoot database is unavalable, it will automatically connect to the secondary database. In the event that neither database is available, the client will automatically re-connect at the pre-determined frequency.
Requirement 57: The product's administrator management console supports capability to add/modify/delete admin users
Response: SafeBoot's integrated FDE/FES solution meets the requirement to add/modify/delete administrators from the management console. The SafeBoot Management Center features the ability to enforce hot revocation for administrators. SafeBoot supports 32 levels of parent/child adminstration permissions. Administrator tiers are centrally managed.
Requirement 58: The product shall provide the capability to set a limit on the number of unsuccessful consecutive logon attempts to the administrator management console and invokes lockout for exceeding the limit
Response: SafeBoot's integrated FDE/FES solution meets the requirement to configure a policy to lock out an Administrator account based on unsuccessful logon attempts. SafeBoot defends again brute force attacks to the SafeBoot Administrator accounts by defining a policy in the SafeBoot Management Center allowing a pre-determined maximum number of failed logon attempts. SafeBoot requires that a "locked' admin account only be restored by a "parent" administrator not by a peer.
Requirement 59: The product's administrator management console supports retrieval of computer, user, and user-group information from Active Directory
Response: SafeBoot's integrates FDE/FES solution meets the requirement of the retrieval of computer, user and user-group information from Active Directory. SafeBoot's Connector software for LDAP, Active Directory and Novell monitors the parent directory (AD or Novell/LDAP) for policy changes, new users, disabled users, and other directory-hosted user denotations. The Connector manager pulls information from Active Directory and does not extend the schema. Authorized administrators have the option to choose if they will continue to manage user adds, changes, and deletes within the SafeBoot management console or from within the native directory (AD, NDS, LDAP, etc.)
Requirement 60: The product's administrator management console must support ability to secure the PK-enabled administrative interface by using the DoD CAC or PIV II compliant Smartcard for authentication
Response: SafeBoot's integrated FDE/FES solution, meets the requirement for DoD CAC or PIV II compliant Smartcard authentication for adminstrative access to the console. SafeBoot's FDE & FES solution supports DoD CAC & PIV II compliant Smartcards for adminstrator authentication to access the SafeBoot adminstrative console. The SafeBoot Management Center supports soft or logical tokens (user name and password) and hard or physical tokens (Dod CAC & PIV II smartcards, etc). The authentication method assigned to the user is replicated throughout the enterprise.
Requirement 61: Product will support or integrate with existing asset/license tracking and management tools
Response: SafeBoot's integrated FDE/FES solution meets the requirement to support asset tracking and management tools. SafeBoot's FDE/FES modules are compliant with industry standard assest tracking and managent tools.
Requirement 62: Product shall support secure remote management of devices to support remote users
Response: SafeBoot's integrated FDE/FES solution meets the requirement to support secure remote administration. SafeBoot's client/server architecture coupled with SafeBoot's proprietary Web Certificates provide secure remote access to authorized administrators from any web browser at anytime.
Requirement 63: Product shall support secure remote access to the administrator management console for administrators
Response: SafeBoot's integrates FDE/FES solutions meets the secure remote access requirement. SafeBoot uses SSL encrypted network links between its policy servers and administration consoles ensuring integrity of the data. The link uses AES-256 encryption, Diffie-hellman key exchange, and 2048bit DSA signatures.
Requirement 64: The product's administrator management console must be scalable to support large enterprise environments
Response: SafeBoot's integrated FDE/FES solution meets the enterprise class scalability requirement. SafeBoot's global customer base is made up of many 75,000 - 140,000+ user environments. A single server easily supports 50,000 users.
Requirement 65: The product's administrator management console permits multiple administrator logins for simultaneous access
Response: SafeBoot's integrated FDE/FES solution meets exceeds the requirement to support simultaneous administrator logons. The SafeBoot Management Center enables secure support of any number of administrators and users, and any number of simultaneous administrators. SafeBoot has customers running more than 1,000 administrators to a single server simultaneously (network and server hardware permitting).
Requirement 66: The product's administrator management console supports retrieval of computer, user, and user-group information from LDAP Servers
Response: SafeBoot's integrates FDE/FES solution meets the requirement of the retrieval of computer, user and user-group information from Active Directory. SafeBoot's Connector software for LDAP, Active Directory and Novell monitors the parent directory (AD or Novell/LDAP) for policy changes, new users, disabled users, and other directory-hosted user denotations. The Connector manager pulls information from Active Directory and does not extend the schema. Authorized administrators have the option to choose if they will continue to manage user adds, changes, and deletes within the SafeBoot management console or from within the native directory (AD, NDS, LDAP, etc.)
Requirement 67: The product or encryption system must be configurable to not interfere with remote distribution and full installation of applications, patches, and updates while connected to the network, and without user intervention
Response: SafeBoot's integrated FDE/FES solution meets the requirement for compliance with Federal Agency applications, patches and updates. SafeBoot ensures compatibility with leading file and patch employment vendors.
Requirement 68: The product or encryption system shall allow administrator to configure product to enforce zeroization, 'wipe' or key destruction to render the data unusable.
Response: SafeBoot's integrated FDE/FES solution meets the requirement to remotely remove the symmetrical key from an endpoint device. SafeBoot's Management Center, allows the administrator to push a policy and force a synchronization that removes the encryption key from the device and disabling this account and the user from any associated machines.
SUPPORTED OPERATING SYSTEM, HARDWARE, FIRMWARE - NOTE: It is CRITICAL that product supports at least one of the following operating systems. It is IMPORTANT that product supports more than one of the following operating systems. It is DESIRABLE that product supports 3 or more operating systems. Of the list below, identify all operating systems supported to include version.
Requirement 69: Microsoft Windows 2000
Response: SafeBoot supports Windows NT through Server 2003 operating systems.
Requirement 70: Microsoft Windows 2003
Response: SafeBoot supports Windows NT through Server 2003 operating systems.
Requirement 71: Microsoft Windows XP
Response: SafeBoot supports Windows 9x through XP operating systems.
Requirement 72: Microsoft Windows Vista
Response: SafeBoot supports Windows Vista operating systems.
Requirement 73: UNIX / Sun Solaris
Response: SafeBoot does not currently have plans to support UNIX/ Sun Solaris.
Requirement 74: Mac OS X
Response: SafeBoot has roadmap plans to support Mac OS X, no release date has been set.
Requirement 75: Windows Mobile 5.0
Response: SafeBoot supports the Windows Mobile 5.0 operating system.
Requirement 76: Windows CE
Response: SafeBoot supports Windows CE.
Requirement 77: RIM/Blackberry
Response: SafeBoot will provide functionality to manage policies for the use of Blackberry's native AES 256 bit FIPS 140-2 strong encryption. Future versions of our management environment are planned to support policy control over blackberry devices.
Requirement 78: Palm
Response: SafeBoot supports the Palm operating system.
Requirement 79: Symbian
Response: SafeBoot supports the Symbian operating system.
Requirement 80: Linux to include Red Hat, SuSE
Response: SafeBoot for Linux will include support for Red Hat and SuSE.
GENERAL AND TECHNICAL SUPPORT
Requirement 81: Under software maintenance agreement, vendors must notify the Government and deliver product within 10 working days of commercial release for new updates
Response: SafeBoot's integrated FDE/FES solution meets the requirement for ten (10) working day notification of software releases. SafeBoot notifies customers and delivers (customer decides delivery option) new updates within 10 days of general availability commercial releases. All available patches are accessible for download as an authorized customer from the SafeBoot Website.
Requirement 82: For every product patch or upgrade release, vendor will provide verification that the product still meets all of the initial critical requirements
Response: SafeBoot's integrated FDE/FES solution meets the patch and upgrade requirements. When SafeBoot patches or updates, SafeBoot will provide verification that SafeBoot still meets all critical requirements.
Requirement 83: Vendor will maintain disclosure-requirements to the DoD when any commercial acquisitions of or by their company affects foreign ownership or influences foreign controls of that company.
Response: SafeBoot's integrated FDE/FES solution meets the country of origin requirement. SafeBoot, as an US end product, is assembled in the US, made of components generated in the UK and US. In the case of any commercial acquisition or event that affects foreign ownership or influences foreign controls of SafeBoot, a representative from SafeBoot's General Council will contact the Contracting Officer in writing within 10 business days.
Requirement 84: Vendor must provide several technical support delivery options, to include phone, online, onsite, etc.
Response: SafeBoot's integrated FDE/FES solution meets the minimum of technical support delivery systems. SafeBoot offers support via multiple delivery options including phone, online, on-site, etc.
Requirement 85: Provide one (1) administrator & one (1) user's guide in hard copy and in electronic formats (PDF) with unlimited reproduction privileges for internal purposes per order
Response: SafeBoot's integrated FDE/FES solution meets the documentation requirements. SafeBoot's license and fulfillment process includes an electronic format (PDF) administrator guides, or hard copy administrator guides.
Requirement 86: For every patch or upgrade release, new product releases will be backward compatible and be capable of using or decrypting previously encrypted data
Response: SafeBoot's integrated FDE/FES solution meets the product and patch release schedule requirements. SafeBoot patches and upgrade provide a seamless upgrade path and do not interfere with the database or the recovery of encrypted data.
Requirement 87: Provide troubleshooting guidance for product
Response: SafeBoot's integrated FDE/FES solutions meet the requirement for troubleshooting guides. SafeBoot's product documentation includes commonly identified trouble shooting techniques. In addition, SafeBoot encourages customers to enroll in a training and certification class. The number of customer enrollees varies upon the user population.
Requirement 88: Product must provide user-friendly feedback messages when errors or warnings occur
Response: SafeBoot's integrated FDE/FES solution meets the user notification requirements. SafeBoot provides simple user-friendly messages with specific error codes when errors or warnings occur.
Requirement 89: System installation documentation should include steps to verify proper operation upon completion of installation.
Response: SafeBoot's integrated FDE/FES solution meets the requirements for system installation documentation. SafeBoot provides customers with various options for knowledge transfer including but not limited to Administrative Guides, Quick Start Guides, Implementation Guides, Certifications and Trainings.
Requirement 90: Provide SIN (Special Item Number) 132-51 for professional services offered
Response: SafeBoot's integrated solution meets the requirement for SIN 132-51 for professional services. SafeBoot offers remote and onsite implementation services including Assessments, Proof of Concept, Lab Evaluations, Client Analysis, Product Configuration, Product Validation and Product Implementation. SafeBoot is willing to discuss this request further to customize the appropriate services bundle to meet the business requirements.
LICENSING & COSTING
Requirement 91: Licenses are transferable within each Federal Agency
Response: SafeBoot's integrated FDE/FES solution meets the license transfer requirement. SafeBoot's licensing model affords the flexibility to accommodate the transferable request.
Requirement 92: Provide license pricing that is user based and includes secondary-use rights.
Response: SafeBoot's integrated FDE/FES solution meets the secondary-use software rights. SafeBoot's licensing model affords multiple users to utilize the same device.
Requirement 93: Product licenses are perpetual
Response: SafeBoot's integrated FDE/FES solution meets the perpetual license requirement. SafeBoot licenses are perpetual. SafeBoot will provide all Federal Agencies with perpetual licenses access to updates and support based on valid maintenance contracts.
Requirement 94: Price of product licenses
Response: SafeBoot offers several categories of licensing models - User based, Device based and Enterprise based licensing. SafeBoot will discuss these options to customize a licensing model to afford the business requirements. Please see attachment #1 for requested pricing information.
Requirement 95: Price of annual software maintenance
Response: SafeBoot's integrated FDE/FES solution provides annual maintenance options. SafeBoot offers several custom maintenance options. SafeBoot will discuss this item to customize the most effective maintenance program. See pricing in Atch 1.
Requirement 96: Price of all tiered support options
Response: SafeBoot's integrated FDE/FES solution meets the requirement for multiple support options. SafeBoot offers two (2) levels of support - Business Day & 7x24 support. (See Atch 1)
Requirement 97: Product training is available for system administrators as separate price
Response: SafeBoot's integrated FDE/FES solution meets the requirement for separate administrator training. SafeBoot offers line item pricing for administrator training and certification. Please see Attachment #1.
Requirement 98: Provide license pricing that is device-based regardless of the number of users
Response: SafeBoot's integrated FDE/FES solution meet the requirement for device based licensing. SafeBoot's Licensing models accommodates the need for additional users to a specific device. Please see attachment #1.
Requirement 99: When maintenance is included with the purchase of a license, support begins at the time of installation phase
Response: SafeBoot's integrated FDE/FES solution meets the requirement for inclusion of the requirements for 1st year maintenance with purchase of the license product.
Requirement 100: Licenses include home-use rights
Response: SafeBoot's integrated FDE/FES solution meets the requirement for home use rights.
Requirement 101: Users should require minimal or no training to utilize the product
Response: SafeBoot's integrated FDE/FES solution meets the no training requirement for end users. SafeBoot's product offerings do not require end-user training.
Requirement 102: Onsite product training is available
Response: SafeBoot offers a comprehensive certification and training program that are typically hosted at Government customer locations.
Requirement 103: Vendor shall provide virtual web-based training for the product
Response: SafeBoot's integrated FDE/FES meets the requirement for virtual web-based product training. SafeBoot offers custom Web-based certification and training.
|
