Symantec Encryption by Broadcom
Covered: 7 controls
Partial: 2 controls
Gaps: 3 controls
Overview
Symantec Encryption by Broadcom is an encryption & key management solution that covers 7 NIST 800-171 controls (6% total coverage). It addresses key requirements in the encryption & key management domain for defense contractors pursuing CMMC compliance.
Implementation Notes
Deploy Symantec Encryption with FIPS-validated configurations. Integrate with your SIEM for centralized audit logging. Review partial controls quarterly to identify supplementary tooling needs.
Implementation Guidance for Symantec Encryption
Configure Symantec Encryption to address NIST 800-171 SC-28 (Protection of Information at Rest) by enabling full disk encryption with AES-256 algorithms and implementing automated key rotation policies every 90 days. For SC-13 (Cryptographic Protection), establish centralized key management through the Symantec Key Management Server, ensuring FIPS 140-2 Level 2 validated cryptographic modules are enabled in the encryption policy settings. Configure MP-5 (Media Protection) and MP-6 (Media Sanitization) controls by implementing secure media wiping policies that overwrite data seven times before disposal.

Generate assessment evidence through the Management Console's compliance reporting module, which produces audit trails showing encryption status, key rotation events, and policy enforcement across all endpoints. Export these reports monthly in PDF format for C3PAO assessors. Integrate with Active Directory for centralized user authentication and with SIEM solutions like Splunk through syslog forwarding for real-time monitoring.

Common misconfigurations include: failing to enforce pre-boot authentication (causes SC-28 findings), using default encryption algorithms instead of FIPS-approved ciphers (SC-13 violations), not configuring automatic key escrow for recovery scenarios, and inadequate logging levels that prevent proper audit trail generation. Ensure recovery keys are stored in a separate, secured location and that decryption capabilities are properly restricted to authorized personnel only.
Gap Analysis & Compensating Controls
Symantec Encryption does not cover AC-3 (Access Enforcement), leaving gaps in granular data access controls beyond basic encryption/decryption permissions. This requires implementing additional Data Loss Prevention (DLP) tools or Rights Management solutions to control data access patterns and usage restrictions. The solution also lacks coverage for SI-4 (Information System Monitoring), which necessitates deploying complementary SIEM platforms or endpoint detection and response (EDR) tools to monitor encrypted data access and detect anomalous decryption activities. Additionally, CM-8 (Information System Component Inventory) gaps mean organizations need separate asset management tools to maintain comprehensive inventories of encrypted devices and media.

Document these gaps in your System Security Plan (SSP) under the 'Control Implementation Summary' section, specifying compensating controls and timelines for gap closure. In your Plan of Action and Milestones (POA&M), prioritize the SI-4 gap first due to its high weight in CMMC assessments (monitoring is critical for Level 2), followed by AC-3 for data protection, and finally CM-8 for inventory management. Consider implementing Microsoft Purview for access enforcement, Splunk for monitoring, and ServiceNow for asset inventory to address these gaps comprehensively.
Compliance Cost Estimate
Symantec Encryption licensing ranges from $35-55 per endpoint annually, depending on volume and support tier. Implementation costs typically range $15,000-30,000 for organizations with 100-500 endpoints, including professional services for policy configuration, Active Directory integration, and staff training. Ongoing maintenance costs average $5,000-8,000 annually for monitoring, key management, and compliance reporting. Compared to competitors, Symantec falls in the mid-range pricing tier: more expensive than Microsoft BitLocker (included with Windows) but less costly than enterprise solutions like Vera or Virtru. Total three-year cost of ownership typically ranges $60,000-120,000 for mid-sized defense contractors. Factor in additional costs for gap-filling tools ($20,000-40,000 annually) and third-party assessment preparation ($10,000-15,000) to achieve full NIST 800-171 compliance.
Compliance Cross-References
Symantec Encryption directly satisfies DFARS 252.204-7012 requirements for protecting covered defense information through encryption both in transit and at rest, specifically addressing the cryptographic protection mandate. For CMMC Level 2, it covers assessment objectives in the System and Communications Protection (SC) domain, particularly SC.3.177 (employ FIPS-validated cryptography) and SC.3.191 (protect confidentiality of CUI at rest). The solution also supports Identification and Authentication (IA) domain objectives through its pre-boot authentication capabilities. However, additional tools are required for Access Control (AC), Audit and Accountability (AU), and System and Information Integrity (SI) domains to achieve comprehensive CMMC Level 2 compliance. For FedRAMP alignment, Symantec Encryption maps to SC-28, SC-13, and MP-5/MP-6 controls but requires supplementation with FedRAMP-authorized solutions for complete moderate baseline coverage. C3PAO assessors will verify encryption algorithm compliance, key management procedures, and audit trail completeness as primary assessment objectives when evaluating this tool's implementation.
Frequently Asked Questions
How many NIST 800-171 controls does Symantec Encryption cover?
Symantec Encryption covers 7 of 110 NIST 800-171 controls (6%), with 2 partially covered and 3 gaps.
Can Symantec Encryption alone satisfy CMMC Level 2?
No single tool covers all 110 NIST 800-171 controls. Symantec Encryption covers 6% and should be part of a layered security stack addressing the remaining controls.
What controls does Symantec Encryption not cover?
Symantec Encryption does not cover controls pe-3-10-1, ra-3-11-1, si-3-14-1. These require supplementary solutions such as physical security controls, additional access management, or media protection tools.