ThinkPad ® X1 Carbon And X1 Carbon Touch Product Compliance Brief


Product Summary

The world’s lightest 14" Ultrabook™, the ThinkPad X1 Carbon combines all day mobility with government-grade security and manageability as well as a durable reinforced carbon frame construction.

The ThinkPad X1 Carbon Touch adds a 14" touch-compatible screen.

About Lenovo

Lenovo, the world’s #1 PC company, provides transformational PC+ NIST and TAA-compliant solutions to defense, military, national security, civilian, and military/civilian healthcare agencies. We are also a trusted technology partner to global leaders in commerce, healthcare, finance, energy, and other industries. Headquartered in Morrisville, NC, Lenovo brought PC assembly back to America with the 2013 opening of their facility in nearby Whitsett.

Product Specifications

Processor: Intel® Core™ i5-3427U; Intel® Core™ i7-3667U

Operating System(s): Windows® 8 Professional 64; Windows® 8 Enterprise 64; Windows® 7 Ultimate 64; Windows® 7 Enterprise 64

Display: 14" HD+ (1600x900), 300 NITS, Wide Viewing

Fingerprint Reader: Yes

Graphics: Intel® HD Integrated

Webcam: 720p HD

Memory: Up to 8GB DDR3L

Navigation: TrackPoint® with trackpad

Optical Drive: N/A

Battery: 3-Cell Internal (45wh)

Battery Life: Up to 8.2 hours

Dimensions: 13.03" x 8.19" x 0.79"

Storage: 120GB SSD SATA3; 128GB SSD SATA3; 180GB SSD SATA3; 256GB SSD SATA3; 240GB FDE SSD SATA3

Keyboard: ThinkPad® Precision Backlit Keyboard

Weight: 3.4 lbs.

Ethernet: Via USB dongle

WWAN/Wi-Fi: Intel® Centrino™ 7260 (Wilkins Peak 2 AC) 2x2 AC + BT 4.0; Ericsson H5321gw Mobile Broadband Module

Bluetooth: 4.0 (optional)

Ports: 1 Mini DP; 1 Combo Audio; 1 USB 2.0; 1 USB 3.0; 1 4-in-1 card reader

Audio: Dolby™ Home Theater® v4


Product Compliance Summary

The ThinkPad X1 Carbon and X1 Carbon Touch meet FIPS, NIST, and other relevant standards across the following components and services.

Continuous Monitoring (Endpoint)

Lenovo recommends and can install Wave Endpoint Monitor and other Wave Embassy products for continuous endpoint monitoring. These applications meet NIST SP 800-155 (Draft) guidance on continuous monitoring for BIOS integrity measurements.

Trusted Platform Module

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch use fully FIPS 140-2-compliant TPM modules manufactured by STMicroelectronics.

BIOS Security

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch ship with a secure BIOS framework that meets NIST SP 800-147 guidance.

Wireless WLAN Security

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch ship with an Intel Centrino Advanced N 62055S module, validated for FIPS 140-2 compliance.

Wireless WWAN Security

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch are available with two WWAN chipsets, both NIST compliant:
• Ericsson H5321gw
• Sierra Wireless AirPrime

Operating System

The ThinkPad X1 Carbon and Carbon Touch ship with Windows® 8 (Professional or Enterprise) installed which includes licensing for a downgrade to Windows® 7 (Ultimate or Enterprise). All versions are validated for FIPS 140-1 and 140-2 compliance.

TAA Compliance

All Lenovo PCs sold to government customers come from a TAA-certified Lenovo assembly plant in Whitsett, NC, or Monterrey, Mexico.

Anti-theft/Asset Recovery

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch are available with NIST-compliant antitheft and recovery features:
• Remote device recover/disable with Absolute® Computrace
• Remote destroy data with Symantec® Whole Disk Encryption and Remote Disable and Destroy

Full Disk Encryption Security

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch ship with Windows® BitLocker for full disk encryption. The application is validated for FIPS 140-1 and 140-2 compliance on Windows® 8 Professional and Enterprise.

The ThinkPad X1 Carbon and X1 Carbon Touch can also ship with one of these TCG-compliant OPAL drives:
• HGST Travelstar Z7K30
• Intel Solid State Drive Pro 1500 Series (M.2)
• Samsung PM841

Data Encryption (At Rest)

Lenovo recommends and can install WinMagic SecureDoc for encryption of data at rest. The application uses the Secure Doc Cryptographic Engine 6.1, validated for FIPS 140-2 compliance.


Product Compliance Details

• Trusted Platform Module
• Operating System
• Full Disk Encryption Security
• Data Encryption (At Rest)
• BIOS Security
• Continuous Monitoring (Endpoint)
• Wireless WLAN Security
• Wireless WWAN Security
• Anti-theft/Asset Recovery
• TAA Compliance

Lenovo ThinkPad X1 Carbon and ThinkPad X1 Carbon Touch Product Compliance brief rev 1.0


Security and Federal Compliance

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch notebook security related components meet the Federal Information Processing Standards Publications (FIPS PUBS) issued by the National Institute of Standards and Technology (NIST) Category of Standard – Computer Security Standard, Security Requirements for Cryptographic Modules (FIPS PUB 140-2).

The following components within our ThinkPad end point devices – TPM Security Chip, Opal Drives, Microsoft Windows® 8 (Professional and Enterprise), Microsoft BitLocker, and wireless connectivity all carry Common Criteria, Trusted Computing Group, and/or FIPS 140-1 and/or 140-2 certifications.

Trusted Platform Module

The Trusted Platform Module (TPM) uses secure, on-chip cryptography to verify hardware and software configuration data. Third party applications and services access the TPM verification to confirm hardware and software are operating as expected and that no unauthorized changes have been made. Combined with a secure BIOS, which protects root-level hardware configuration, TPM is the foundation for the trusted computing and platform authentication.

Lenovo utilizes microchips from STMicroelectronics for Trusted Computing in compliance with Trusted Computing Group (TCG) requirements. The Trusted Platform Module (TPM) is a specific protected and encapsulated microcontroller security chip used to defend the internal data structures against attacks.

The STMicroelectronics Trusted Platform Module (TPM) product family offers the world’s broadest TPM product line conforming to TPM specifications defined by the Trusted Computing Group (TCG).

The latest ST33-based TPM relies on the advanced ARM 32-bit SC300™ SecurCore® microcontroller. Along with its embedded TPM firmware, it provides a TCG compliant toolbox for security-sensitive services like platform integrity checks and secure personal data storage.

STMicroelectronics TPM chips comply with TCG TPM Protection Profile specification, Certified Common Criteria EAL4+, and FIPS 140-2. The FIPS validated product security policy is provided below and at the NIST 140 certification site http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm under Certificate Number 1599.

More information

View the NIST Consolidated Validation Certificate: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0009.pdf

Refer to the following reference for further information on the STMicroelectronics TPM chip: http://www.st.com/web/catalog/mmc/FM143/CL1814/SC1522/PF252379

Refer to the following reference for further information – Common Criteria Portal – EAL4+: http://www.commoncriteriaportal.org/files/epfiles/ANSSI-CC_2012-84fr.pdf


TPM Module

Cert #: 1599

Cryptographic module: HardCache™-SL3/PC v2.1 (Hardware Version: STM7007), validated to FIPS 140-2

Vendor / CST Lab: STMicroelectronics, Inc., 750 Canton Drive, Suite 300, Coppell, TX 75019, USA; Gianfranco Scherini; TEL: 408-919-8426; FAX: 408-919-0250; CST Lab: NVLAP 200802-0

Module type: Hardware

Val. date: 09-20-2011

Level / description: Overall Level: 3. FIPS-approved algorithms: AES (Cert. #1068); SHS (Cert. #1219); HMAC (Cert. #781); Triple-DES (Cert. #798); ECDSA (Cert. #155); RSA (Cert. #623); RNG (Cert. #725)


TCG Certification of Lenovo TPM Chipset

The Lenovo TPM chipset is registered and certified by the Trusted Computing Group (TCG).

More information

Refer to the following reference for further information – TCG Vendor ID registry: http://www.trustedcomputinggroup.org/files/static_page_files/33FCF23D-1A4B-B294-D07ED1FE636CF4BE/Vendor_ID_Registry_0%207_clean.pdf

16 bit
Size: 16 Bit; Format: Integer; Assigned by: TCG
• Lenovo: 0x17AA
• STMicroelectronics: 0x104A

32 bit
Size: 32 Bit; Format: Byte Array; Assigned by: TCG
• Lenovo: ASCII: “LEN”; HEX: 0x4C 0x45 0x4E 0x00
• STMicroelectronics: ASCII: “STM”; HEX: 0x53 0x54 0x4D 0x20

Source: TCG Vendor ID Registry Version 1.00 Revision 0.7 11th June 2013


Operating System

The operating system manages most device security past the BIOS, with the help of other authentication, encryption, and access control technologies. It is updated as required to add new functionality and new protections against evolving threats. Federal regulation requires the certification of any cryptographic modules used by the OS to ensure secure operations when required.

Microsoft Windows®

The ThinkPad X1 Carbon and Carbon Touch ship with Windows® 8 (Professional or Enterprise) installed which includes licensing for a downgrade to Windows® 7 (Ultimate or Enterprise).

The Windows® 8 operating system contains cryptographic modules validated for FIPS 140-1 and FIPS 140-2. Under the NIST definition, a module may be either an embedded component of a product or application, or a complete product in and of itself.

Microsoft Windows® 8 Professional and Enterprise OS

Cert #: 1899

Cryptographic module: Microsoft Windows® 8, Microsoft Windows® Server 2012, Microsoft Windows® RT, Microsoft Surface Windows® RT, Microsoft Surface Windows® 8 Pro, and Microsoft Windows® Phone 8 BitLocker® Dump Filter (DUMPFVE.SYS) (Software Version: 6.2.9200), validated to FIPS 140-2

(When installed, initialized and configured as specified in the Security Policy Section 2 with modules Microsoft Windows® 8, Microsoft Windows® Server 2012, Microsoft Windows® RT, Microsoft Surface Windows® RT, Microsoft Surface Windows® 8 Pro, and Microsoft Windows® Phone 8 Boot Manager validated to FIPS 140-2 under Cert. #1895 operating in FIPS mode, Microsoft Windows® 8, Microsoft Windows® Server 2012, Microsoft Windows® RT, Microsoft Surface Windows® RT, Microsoft Surface Windows® 8 Pro, and Microsoft Windows® Phone 8 BitLocker® Windows® OS Loader (WINLOAD) validated to FIPS 140-2 under Cert. #1896 operating in FIPS mode, and Microsoft Windows® 8, Microsoft Windows® Server 2012, Microsoft Windows® RT, Microsoft Surface Windows® RT, Microsoft Surface Windows® 8 Pro, and Microsoft Windows® Phone 8 Code Integrity (CI.DLL) validated to FIPS 140-2 under Cert. #1897 operating in FIPS mode.)

Vendor / CST Lab: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Tim Myers; TEL: 800-MICROSOFT; CST Lab: NVLAP 200427-0

Module type: Software

Val. date: 09-13-2013

Level / description: Overall Level: 1
• Design Assurance: Level 2
• FIPS-approved algorithms: AES (Certs. #2196 and #2198)
• Operational Environment: Tested as meeting Level 1 with Microsoft Windows® 8 Enterprise (x86) running on a Dell Dimension C521; Microsoft Windows® 8 Enterprise (x64) running on a Dell PowerEdge SC430 without AES-NI; Microsoft Windows® 8 Enterprise (x64) running on Intel Core i7 with AES-NI running on an Intel Client Desktop; Microsoft Windows® Server 2012 (x64) running on a Dell PowerEdge SC430 without AES-NI; Microsoft Windows® Server 2012 (x64) running on Intel Core i7 with AES-NI running on an Intel Client Desktop; Microsoft Windows® RT (ARMv7 Thumb-2) running on an NVIDIA Tegra 3 Tablet; Microsoft Windows® RT (ARMv7 Thumb-2) running on a Qualcomm Tablet; Microsoft Windows® RT (ARMv7 Thumb-2) running on a Microsoft Surface Windows® RT; Microsoft Windows® 8 Pro (x64) running on an Intel x64 Processor with AES-NI running on a Microsoft Surface Windows® 8 Pro; Microsoft Windows® Phone 8 (ARMv7 Thumb-2) running on a Windows® Phone 8 (single-user mode)

More information

See NIST validation information at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#1899


Full Disk Encryption Security

Full-disk encryption locks the drive against unauthorized access, even when the OS is bypassed. Authorized access is managed by a small separate partition on the volume, allowing the rest of the drive data to be completely encrypted – boot included. Full disk encryption can be enforced at both the software level (BitLocker) as well as hardware-based encryption on the drive itself (the Opal drive protocol).

Microsoft BitLocker

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch ship from the factory with Windows® BitLocker software modules. Lenovo supports Microsoft recommendations that new system designs include support for BitLocker software-based drive encryption, which makes use of a Trusted Platform Module to provide stronger data protection.

Microsoft BitLocker uses cryptographic modules that have been validated for FIPS 140-1 and FIPS 140-2. Under the NIST definition, a module may be either an embedded component of a product or application, or a complete product in and of itself.

Microsoft BitLocker for Windows® 7 Ultimate and Enterprise

Cert #: 1332

Cryptographic module: Windows® 7 BitLocker™ Drive Encryption (Software Versions: 6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675), validated to FIPS 140-2

(When operated in FIPS mode with Windows® 7 Boot Manager (bootmgr) (Cert. #1319), Windows® 7 Winload OS Loader (winload.exe) (Cert. #1326), Windows® 7 Code Integrity (ci.dll) (Cert. #1327), Microsoft Windows® 7 Kernel Mode Cryptographic Primitives Library (cng.sys) (Cert. #1328) and Microsoft Windows® 7 Cryptographic Primitives Library (bcryptprimitives.dll) (Cert. #1329) all validated under FIPS 140-2 and all operating in FIPS mode)

Vendor / CST Lab: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Nils Dussart; TEL: 800-MICROSOFT; CST Lab: NVLAP 200427-0

Module type: Software

Val. date: 11-15-2010; 03-28-2011; 06-01-2011; 10-04-2011

Level / description: Overall Level: 1
• Operational Environment: Tested as meeting Level 1 with Windows® 7 Ultimate Edition (x86 Version); Windows® 7 Ultimate Edition (x64 version); Microsoft Windows® 7 Ultimate Edition SP1 (x86 version); Microsoft Windows® 7 Ultimate Edition SP1 (x64 version) (single-user mode)
• FIPS-approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)

More information

View the NIST Validation Certificate: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt1332.pdf


Microsoft BitLocker for Windows® 8 Professional or Enterprise

Cert #: 1898

Cryptographic module: Microsoft Windows® 8, Microsoft Windows® Server 2012, and Microsoft Surface Windows® 8 Pro BitLocker® Windows® Resume (WINRESUME) (Software Version: 6.2.9200), validated to FIPS 140-2

(When operated in FIPS mode with module Microsoft Windows® 8, Microsoft Windows® Server 2012, Microsoft Windows® RT, Microsoft Surface Windows® RT, Microsoft Surface Windows® 8 Pro, and Microsoft Windows® Phone 8 Boot Manager validated to FIPS 140-2 under Cert. #1895 operating in FIPS mode)

Vendor / CST Lab: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Tim Myers; TEL: 800-MICROSOFT; CST Lab: NVLAP 200427-0

Module type: Software

Val. date: 09-06-2013

Level / description: Overall Level: 1
• Operational Environment: Tested as meeting Level 1 with Windows® 7 Ultimate Edition (x86 Version); Windows® 7 Ultimate Edition (x64 version); Microsoft Windows® 7 Ultimate Edition SP1 (x86 version); Microsoft Windows® 7 Ultimate Edition SP1 (x64 version) (single-user mode)
• FIPS-approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)

More information

View the NIST Validation information: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#1898

Opal Drives

The Opal storage specification, written by the Trusted Computing Group, provides hardware-based encryption capabilities on the drive itself. The result is a self-encrypting drive (SED) that communicates as a trusted peripheral with a trusted host, for ultrasecure data and device protection.

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch use TCG-approved Opal drives from a variety of manufacturers.

HGST Opal Drive (formerly Hitachi Global Storage Technologies)

Travelstar Z7K320 is the fourth generation to feature optional Bulk Data Encryption (BDE) for hard-drive-level data security. With BDE, the data is scrambled using a key as it is written to the disk, then descrambled with the key as it is retrieved, giving users the highest level of data protection available.

More information

Refer to the following references for further information on HGST Travelstar Product Specs:
• HGST Travelstar Z7K320 Product Information: http://www.hgst.com/hard-drives/mobile-drives/7mm-thin-and-light-drives/travelstar-z7k320
• HGST Travelstar Z7K320 Technical Specifications Datasheet: http://www.hgst.com/tech/techlib.nsf/techdocs/5781663792A88E8B8625772F0082E860/$file/TS_Z7K320_DS_final.pdf
• HGST Trusted Computing Group Membership: http://www.trustedcomputinggroup.org/members/hgst_a_western_digital_company

Intel Solid State Opal Drive Pro 1500 Series (M.2)

The Intel® SSD Pro 1500 Series is a case-less, M.2, next generation storage solution designed for Ultrabook™. The new M.2 form factor allows ultracompact solutions which deliver leading performance for Serial Advanced Technology Attachment (SATA)-based computers in capacities ranging up to 360 GB.

More information

Refer to the following references for further information on Intel PRO 1500 Product Specs:
• Intel SSD Pro 1500 Product Information: http://www.intel.com/content/dam/www/public/us/en/documents/product-specifications/ssd-pro-1500-series-m2-specification.pdf
• Trusted Computing Group Intel Pro 1500 Series Headlines New Intel SSD Professional Family: http://www.trustedcomputinggroup.org/media_room/news/333


Data Encryption (At Rest)

Encryption of data at rest protects sensitive data in the event of unauthorized access. At rest data typically includes information stored in persistent memory, not data being processed by the CPU or held in RAM. As the government workforce becomes more mobile, protection of sensitive data at rest becomes even more important.

WinMagic SecureDoc

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch are available with SecureDoc by WinMagic for encryption of data at rest. At rest data typically includes information stored in persistent memory, not data being processed by the CPU or held in RAM.

The SecureDoc cryptographic module is FIPS 140-2 compliant.

WinMagic Software Corporation Encryption Engine

Cert #: 1880

Cryptographic module: SecureDoc® Disk Encryption Cryptographic Engine for Windows® (Software Version: 6.1), validated to FIPS 140-2

Vendor / CST Lab: WinMagic Inc., 200 Matheson Boulevard West, Suite 201, Mississauga, ON L5R 3L7, Canada; Alexander Mazuruc; TEL: 905-502-7000 ext. 225; FAX: 905-502-7001; CST Lab: NVLAP 200928-0

Module type: Software

Val. date: 02-04-2013

Level / description:
• Roles, Services, and Authentication: Level 2
• EMI/EMC: Level 3
• Design Assurance: Level 3
• Operational Environment: Tested as meeting Level 1 with Microsoft Windows® 7 32-bit running on an Acer Aspire 7745G Intel Core i7, Microsoft Windows® 7 32-bit running on a Lenovo ThinkPad T420 Intel Core i5 with AES-NI, Microsoft Windows® 7 64-bit running on an Acer Aspire 7745G Intel Core i7, Microsoft Windows® 7 64-bit running on a Lenovo ThinkPad T420 Intel Core i5 with AES-NI (single-user mode)
• FIPS Approved algorithms: AES (Certs. #1924 and #1925); SHS (Cert. #1690); RNG (Cert. #1012); HMAC (Cert. #1159)

More information

View the NIST Consolidated Validation Certificate: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0026.pdf


Samsung PM841 Opal Drive

Samsung’s Solid State Drives (SSDs) are light, rugged and reliable MLC NAND flash-based PC storage devices, available in a range of sizes and densities and feature hardware-based self encryption to protect confidential data from unauthorized access.

More information

Refer to the following references for further information on Intel PRO 1500 Product Specs:
• Samsung PM841 Product Information: http://www.samsung.com/global/business/semiconductor/file/media/ssd_datasheet_200906-1.pdf
• Samsung Demo: Solid-State Drives Supporting TCG Self-Encrypting Drive Technology: http://www.trustedcomputinggroup.org/resources/samsung_demo_solidstate_drives_supporting_tcg_selfencrypting_drive_technology


BIOS Security

Lenovo BIOS Security

The computer BIOS is responsible for initializing and testing system hardware components. A secure framework prevents the unauthorized modification of PC firmware – once the password is set, the BIOS remains secure and cannot be bypassed, even before or during boot.

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch meet the requirements identified in the NIST SP 800-147 document that provides guidelines for preventing the unauthorized modification of BIOS firmware on PC client systems. Additionally, Lenovo Unified Extensible Firmware Interface (UEFI) BIOS supports all 5 phases of management best practices that complement the security guidelines listed in NIST SP 800-147.

Compliance framework includes:
• Digital signatures to prevent the installation of inauthentic BIOS update images.
• BIOS Supervisor Password to provide a secure local update mechanism.
• Optional secure local update mechanism that would authorize BIOS update image installation
• No mechanisms that would allow the system processor or any other system component to bypass the authenticated update mechanism.

More information

Refer to the following reference for further information on NIST BIOS Protection standards: http://csrc.nist.gov/publications/nistpubs/800-147/NIST-SP800-147-April2011.pdf

Continuous Monitoring (Endpoint)

Continuous monitoring is critical for both networks and endpoints. Endpoint monitoring ensures malware and other threats can be quickly detected and mitigated. It also helps enforce security policy updates and provides logging and other reporting capabilities.

Wave Endpoint Monitor

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch are available with Wave Embassy Suite that includes Wave Endpoint Monitor.

Wave Endpoint Monitor meets NIST SP 800-155 (Draft) guideline on continuous monitoring for BIOS integrity measurements.

Other Trusted Computing Solutions

Wave’s Embassy Suite of software delivers enterprise deployment, management and control of Trusted Computing components and solutions, including TPM and OPAL and other SED drive management.

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch are shipped with the Embassy Suite for advanced Trusted Computing solutions. The suite has received the U.S. Army NETCOM Certificate of Networthiness.

Wave EMBASSY Trust Suite

Wave’s EMBASSY Trust Suite is a suite of security products that secure endpoints by providing strong authentication, data at rest protection, and endpoint health verification.

More information

Refer to the following reference for further information on protection against malware and other threats: http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-155


EMBASSY Remote Administration Server (ERAS)
• TPM management for strong device authentication, endpoint health, and BitLocker authentication
• Management of data at rest protection, including Opal Self-Encrypting Drive (SED) and BitLocker management

EMBASSY Security Center (installed on endpoints)
• Client communications between the endpoint and ERAS and WEM
• Local management of TPM and SED for non-enterprise connected machines

Wave Endpoint Monitor (WEM)
• Management and monitoring of BIOS integrity measurements

Wave for BitLocker Management
• Automated TPM administration

Wireless WLAN Security

Wireless services provide local area network services via 802.11b or other Wi-Fi protocol. Governing IEEE 802.11i and Wi-Fi Alliance WPA-2 protocols, both FIPS 140-2 compliant, enable maximum security and interoperability with most WLAN infrastructures. They prevent cryptographic attacks as defined in FIPS 140-2 and can be used in non-FIPS environments, such as hot spots and home networks.

Intel Centrino Wireless

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch use the Intel Centrino® Advanced-N 6205S wireless module.

The Intel Centrino Advanced N 62055S module is FIPS 140-2 compliant.

The Intel 6205S supports IEEE 802.11i, IEEE 802.1x, EAP-TLS, AES-CCMP, WPA2 with 128-bit AES Security, Public Key Infrastructure (PKI), X.509 Certificates, VPN compatibility and Common Criteria EAL4+ and Augmented Certified Discrete TPM 1.2 compliance.

More information

Refer to the following references for further information:
• http://www.intel.com/support/wireless/wlan/sb/CS-023250.htm
• http://www.intel.com/content/dam/www/public/us/en/documents/solution-briefs/wireless-products-fips-compliant-infrastructure.pdf

Wireless WWAN Security

Wireless wide area network services provide wide area network connectivity via 3G, 4G, and other protocols. This provides mobile connectivity away from traditional WLAN networks.

Ericsson H5321gw

The Ericsson H5321gw (with GPS) offers 3G capabilities.

Sierra Wireless AirPrime

The Sierra Wireless AirPrime EM7700 module, powered by Qualcomm’s Gobi 4G LTE modem, offers more advanced 4G LTE capabilities.


Anti-theft/Asset Recovery

Anti-theft and remote device and data management can help protect against exposure to risk should an asset be lost or stolen. Administrators can remotely locate the device as well as secure or destroy the device hard drive, keeping information safe and secure.

Lenovo ThinkPad laptops with an Intel® Core™ processor with Intel® Anti-Theft Technology (Intel® AT) provide IT administrators with intelligent protection of lost or stolen assets. Once assets are lost, administrators can:
• Enable recovery or remotely disable the device with Absolute Computrace
• Remotely destroy/delete data with Symantec Whole Disk Encryption and Remote Disable and Destroy
• Manage at rest data encryption with Secure Doc and WinMagic

All Intel Anti-Theft solutions use cryptographic modules validated against FIPS 140-2.

Computrace by Absolute Software

Computrace Absolute provides anti-theft software at the BIOS level that can be used to remotely:
• Disable a notebook that doesn’t call into the Absolute Monitoring Center within a predefined period of time
• Send a “poison pill” to lock down a device and prevent the OS from booting
• Trigger an Intel® Anti-Theft lock using real-time technology within the Absolute Customer Center, sending an SMS message to the computer and invoking the Intel® Anti-Theft lock almost immediately

Absolute Software Corporation Encryption Engine

Cert #: 1680

Cryptographic module: Absolute Encryption Engine (Software Version: 1.2.0.46) (When operated in FIPS mode), validated to FIPS 140-2

Vendor / CST Lab: Absolute Software Corporation, Suite 1600, Four Bentall Centre, 1055 Dunsmuir Street, PO Box 49211, Vancouver, BC V7X 1K8, Canada; Tim Parker; TEL: 604-730-9851 ext. 194; FAX: 604-730-2621; CST Lab: NVLAP 200556-0

Module type: Software

Val. date: 02-14-2012

Level / description: Overall Level: 1
• Operational Environment: Tested as meeting Level 1 with Microsoft Windows® Server 2008 64-bit; Windows® 7 32-bit; Windows® XP 32-bit; Windows® Vista 32-bit; Windows® Vista 64-bit; Red Hat Enterprise Linux (RHEL) 6 32-bit; Mac OS X v10.6.7 32-bit (single-user mode)
• FIPS-approved algorithms: AES (Cert. #1610); RNG (Cert. #864)

More information

View the NIST Consolidated Validation Certificate: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0015.pdf

SecureDoc by WinMagic

SecureDoc by WinMagic delivers console-based management of WinMagic encrypted drives. SecureDoc offers one server management console that handles data at rest encryption in a heterogeneous fashion including notebooks embedded with Intel AT.

SecureDoc is FIPS 140-2 certified as well as Common Criteria EAL-4 certified to meet the requirements of most government organizations and agencies.


WinMagic Inc. encryption engine (validated to FIPS 140-2)

Cert #: 1880
Cryptographic module: SecureDoc® Disk Encryption Cryptographic Engine for Windows® (Software Version: 6.1)
Vendor / CST Lab: WinMagic Inc., 200 Matheson Boulevard West, Suite 201, Mississauga, ON L5R 3L7, Canada
- Alexander Mazuruc, TEL: 905-502-7000 ext. 225, FAX: 905-502-7001
CST Lab: NVLAP 200928-0
Module type: Software
Val. date: 02-04-2013
Level / description: Overall Level: 1
- Roles, Services, and Authentication: Level 2
- EMI/EMC: Level 3
- Design Assurance: Level 3
- Operational Environment: Tested as meeting Level 1 with Microsoft Windows® 7 32-bit running on an Acer Aspire 7745G Intel Core i7, Microsoft Windows® 7 32-bit running on a Lenovo ThinkPad T420 Intel Core i5 with AES-NI, Microsoft Windows® 7 64-bit running on an Acer Aspire 7745G Intel Core i7, Microsoft Windows® 7 64-bit running on a Lenovo ThinkPad T420 Intel Core i5 with AES-NI (single-user mode)
- FIPS-approved algorithms: AES (Certs. #1924 and #1925); SHS (Cert. #1690); RNG (Cert. #1012); HMAC (Cert. #1159)

More information: View the NIST Consolidated Validation Certificate: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0026.pdf

Symantec PGP Cryptographic Module (validated to FIPS 140-2)

Cert #: 1681
Cryptographic module: PGP Software Developer’s Kit (SDK) Cryptographic Module (Software Version: 4.2.1) (When operated in FIPS mode)
Vendor / CST Lab: Symantec Corporation, 350 Ellis St., Mountain View, CA 94043, USA
- Vinnie Moscaritolo, TEL: 650-527-8000
CST Lab: NVLAP 200802-0
Module type: Software
Val. date: 02-28-2012
Level / description: Overall Level: 1
- Design Assurance: Level 3
- Operational Environment: Tested as meeting Level 1 with Windows® XP Professional SP3; Mac OS X 10.7; Linux, 32-bit: CentOS 5.5; iOS 5 (single-user mode)
- FIPS-approved algorithms: Triple-DES (Cert. #1150); AES (Cert. #1777); RSA (Cert. #888); DSA (Cert. #558); SHS (Cert. #1558); HMAC (Cert. #1042); DRBG (Cert. #124)

Symantec PGP with Whole Disk Encryption and Remote Disable & Destroy

Lenovo supports PGP Remote Disable & Destroy from Symantec which combines disk-based data protection (PGP Whole Disk Encryption) with hardware protection (Intel® Anti-Theft) to deliver superior asset protection.

Symantec PGP is FIPS 140-2 certified.

More information: View the NIST Consolidated Validation Certificate: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0014.pdf


TAA Compliance

The Trade Agreements Act (TAA) restricts procurement of some items to eligible participating nations. This means only products manufactured in TAA-compliant facilities can be purchased for use by federal agencies.

Lenovo and TAA Compliance

Lenovo is dedicated to a secure, compliant, and responsive supply chain. Our manufacturing facility in Whitsett, North Carolina, opened in 2013, assembles TAA-compliant ThinkPad and other Lenovo products, and is fully 9001:2013 certified for superior product quality.

This capability, paired with our existing TAA-compliant facility in Monterrey, Mexico, is another step forward in Lenovo’s innovative hybrid Global Supply Chain strategy. Two strong production nodes bring Lenovo even closer to our North American customers and business partners and strengthen our ability to deliver better products and services.

The Lenovo ThinkPad X1 Carbon and X1 Carbon Touch are manufactured and shipped from our TAA-compliant Whitsett, North Carolina, facility.

More on the Lenovo Commitment to Comprehensive Security

Lenovo is committed to securing our supply chain through best practices and processes.
• Component suppliers are vetted, trained, and audited by Lenovo Quality Engineers.
• Supplier performance is reviewed regularly as part of our Lenovo Supplier Quality Management.
• Preloaded software and images received are scanned before they are provided to production facility servers through a secured process.
• The production facilities are access-controlled and use redundant security systems with all Lenovo employees subject to background investigations.
• Employees are prohibited from bringing any kind of data processing or storage devices into the manufacturing area.

Lenovo is committed to federal and international standards including National Institute of Standards and Technology (NIST), Trusted Computing Group (TCG), and International Organization for Standardization (ISO). Lenovo holds an ISO 9001:2013 certificate for design, development, manufacturing fulfillment, marketing, sales, and service of Lenovo computer products and devices.

We are also committed to a Quality Management System (QMS) that:
• accentuates the competence of our personnel, suppliers and partners.
• identifies the infrastructure and work environment to meet the unique requirements of our federal consumers.
• establishes control of our purchase/supply chain process.
• maintains stringent security measures while ensuring faster logistics to meet the high expectations of the North America market.


More information: Read more about Lenovo TAA-compliant manufacturing: http://www.lenovo.com/government/us/en/federal/taa-compliance.html


For more information visit: www.lenovo.com/government

© 2014 Lenovo. All rights reserved. Lenovo is not responsible for photographic or typographic errors. Lenovo, the Lenovo logo, and ThinkPad are trademarks or registered trademarks of Lenovo. Intel, the Intel logo, Intel Core and Core Inside are registered trademarks of Intel Corporation in the U.S. and other countries. All other trademarks are the property of their respective owners. Version 1.00, April 2014