Dell invests significant resources in ensuring that our solutions and products comply with existing government certifications and mandates.
A Dell security and compliance architect assesses the security capabilities of all our products using a detailed checklist. The architect cross-references those capabilities to the categories specified by the National Institute of Standards and Technology (NIST) in publication 800-53. These internal assessments are available upon request to customers who wish to review the security capabilities of a product. Publication 800-53 serves as the basis for most FISMA controls, meaning Dell’s product capabilities also map to FISMA requirements.
Dell has a long history of working with federal agencies, and it is committed to meeting government security standards, including the requirements of FIPS Publications 140/201, FISMA, and other information assurance processes. Dell uses technologies that comply with FIPS 140-2 to protect data and limit system access. It provides documentation to help agencies determine if products meet their unique security requirements, and assists agency efforts to perform Certification & Accreditation (C&A) of Dell Software solutions.
Some of Dell’s products have received Federal Desktop Core Configuration (FDCC) certifications. Others are certified under the Cryptographic Algorithm Validation Program (CAVP). Additionally, Dell’s R&D organization uses NIST-certified Security Content Automation Protocol (SCAP) vulnerability scanning and certification technologies.
Compliance is an ongoing effort in a changing landscape. We commit to staying as current as possible with our certifications so that your organization can confidently leverage our solutions to save time and money across physical, virtual and cloud environments.
Section 508 & VPATs
In recognition and support of the “Electronic and Information Accessibility Standards” defined by Section 508 of the Rehabilitation Act, Dell publishes accessibility self-assessments of our products using Voluntary Product Accessibility Templates (VPATs). The VPAT criteria influence the product roadmaps, and Dell’s Research and Development teams update the VPATs for their products during each major release cycle to reflect accessibility improvements contained in the latest release.
If the VPAT you seek is not listed below, please contact Dell to request it.
Please contact Dell's Legal Department with questions about VPATs.
FIPS 140-2 & CAVP
Dell and FIPS 140-2
Dell is committed to product security and assurance. Dell plans on using FIPS 140-2-approved cryptographic modules in its products whenever possible. When this is not a possibility, we will ensure that any Dell product that uses cryptography has support for FIPS 140-2-approved algorithms. These areas of cryptography include symmetric and asymmetric encryption, hashing, keyed hashing, message authentication, and random number generation. We intend to continue our ongoing discussions with our Federal government customers to ensure that we understand the requirements and processes involved to meet the required cryptography standards.
Cryptographic Algorithm Validation Program
In July 1995, NIST and the Communications Security Establishment Canada (CSEC) established the Cryptographic Algorithm Validation Program (CAVP). This program focuses on validation testing for NIST-recommended and FIPS 140-2-approved cryptographic algorithms. Vendors interested in validating the cryptographic implementations used within their products may select an accredited laboratory to conduct testing of these implementations. Upon successful completion of the testing, vendors are listed on NIST's validation list(s) on its website.
USGCB & FDCC
Dell has established a testing environment within our R&D organization to aid with testing and certification of our software products against the USGCB (United States Government Configuration Baseline) and FDCC (Federal Desktop Core Configuration). We will continue to evaluate select product releases against the latest USGCB and FDCC baseline images (from NIST). We will consider development plans to address any noncompliant functionality discovered in our products. We will self-certify our products that successfully pass compliance tests for USGCB and/or FDCC.
Please note that this represents our plan as of September 2012, and our development plans and priorities are subject to change due to numerous factors, including availability of resources and other matters common to all independent software vendors.
HSPD-12 & OMB 11-11
Homeland Security Presidential Directive 12, or HSPD-12, was issued by President George W. Bush in August of 2004. HSPD-12 calls for common identification standards for federal employees and contractors.
"...it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees)."
HSPD-12 calls on executive branch departments and agencies to ensure that their organizations meet those standards. HSPD-12 requires agencies to follow specific technical standards and business processes for the issuance and routine use of Federal Personal Identity Verification (PIV) smartcard credentials including a standardized background investigation to verify employees’ and contractors’ identities. Specific benefits of the standardized credentials required by HSPD-12 include secure access to federal facilities and disaster response sites, as well as multi-factor authentication, digital signature and encryption capabilities.
In 2011, the Office of Management and Budget (OMB) issued OMB Memorandum 11-11, which calls on agencies to accelerate their adoption of PIV credentials, the enablement of applications to use those credentials, and the upgrading of existing physical and logical access control systems to use those credentials.
Certification & Accreditation (C&A) is a requirement for all federal IT systems. C&A applies to complete systems – hardware and software – in a specific environment, associated with specific policies and procedures. Certification is the technical evaluation of the system components as they relate to security, and accreditation is the formal acceptance of that system in its specific environment.
Since C&A is environment-specific, no software, including solutions from Dell, can be generically certified and accredited, but must go through that process for each environment in which it is installed. Dell will provide copies of our products and assist organizations as requested in their specific C&A efforts for Dell solutions.