PGP INSIGHT

PGP Universal and 21 CFR 11
PGP Universal is a comprehensive solution for any organization required to comply with Part 11 of Title 21 Code of Federal Regulations (21 CFR 11), which describes the Food and Drug Administration's guidance on Electronic Records and Electronic Signatures.
PGP Universal provides policy-based encryption and/or digital signatures for email. Encryption provides confidentiality by securing data against unauthorized access; digital signatures provide both assurance of a message's integrity as well as its authenticity. Organizations in regulated industries throughout the world are using PGP Universal as part of their risk mitigation and compliance strategies. With its wide range of encryption, digital signatures, and related security features, PGP Universal offers organizations a broad set of capabilities to assist them in complying with 21 CFR 11.
PGP Universal is designed to provide transparent, comprehensive, standards-compliant, and flexible messaging security to organizations. It supports both message formats, the Internet Engineering Task Force's RFC 2440 (OpenPGP) and S/MIME, and both key formats, RFC 2440 (OpenPGP) keys and X.509 certificates.
More detailed information about PGP Universal can be found in the Products section of this site.
The FDA recently updated the scope and application of 21 CFR 11 to focus on the following issues:
Validation
FIPS 140-2
The PGP Software Development Kit (SDK), which is the core cryptographic technology underlying PGP Universal and other PGP products, has been validated to the National Institute of Standards and Technology's (NIST's) Federal Information Processing Standard 140-2. The validation process includes the submission of a detailed security policy. FIPS 140-2 validation provides independent assurance that the standard cryptographic algorithms used within the PGP SDK are implemented correctly, and that other security-critical functions throughout the PGP SDK, such as key handling, are implemented correctly as well.
Common Criteria
PGP Corporation is currently in the process of having PGP Universal evaluated under the Common Criteria for IT Security. As a result of a Mutual Recognition Agreement, Common Criteria evaluations are recognized in Australia, Canada, Finland, France, Germany, Greece, Israel, Italy, the Netherlands, New Zealand, Norway, Spain, the United Kingdom, and the United States.
Source Code Published for Peer Review
PGP Corporation is unique among commercial security software developers in that it has a strict corporate policy of publishing product source code for peer review. This unparalleled level of insight into PGP products allows customers as well as experts in the security community to review PGP implementations and provide valuable technical feedback to the company.
No Weak Key-Lengths
PGP products have never used, and will never use, ciphers with known weaknesses, weak key lengths, or weak keys, nor any non-standard ciphers. PGP Universal's minimum key length for symmetric ciphers is 128 bits. Likewise, the PGP S/MIME implementation will never generate 40-bit RC2 messages, which S/MIME v2 requires and S/MIME v3 recommends. Furthermore, the minimum certificate key size PGP Universal generates is 1024 bits, which is well above the 512-bit minimum mandated, and the 768-bit minimum recommended, by S/MIME v3.
Audit Trail
To provide after-the-fact assurance that email security policy was followed, PGP Universal maintains timestamped logs detailing its operation. If desired, this log data can additionally be transferred over the network to an external system.
Legacy Systems
PGP Universal is standards-based, thus enabling interoperability with other standards-based products, whether they are part of legacy or current systems. For example, PGP Corporation provides one of the two reference implementations required for IETF RFC 2440, one of the two standards recommended by NIST for secure messaging. The second standard, S/MIME, is also supported by PGP Universal.
Copies of Records and Record Retention
Although PGP Universal does not itself provide message archiving capability, it interoperates seamlessly with standard archiving systems used in most regulated industries. In addition, by using PGP Universal's Additional Decryption Key (ADK) facility, organizations can store archived data encrypted without forfeiting guaranteed access to the encrypted data.