OS X: Security certifications and validations
This article contains references for key product certifications, cryptographic validations, and security guidance for OS X platforms.
Click a topic for more information:
Government organizations and their supporting contractors who are required to provide a Volatility Statement from the product manufacturer can obtain one by sending an email request to AppleFederal@apple.com and providing the Requesting Government Agency, Apple Product Name, Product Serial Number, and Government Technical Contact for the request.
Common Criteria Certification
Common Criteria, an internationally approved set of security standards, provides a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product's ability to meet security standards, Common Criteria Certification gives customers more confidence in the security of Information Technology products and leads to more informed decisions.
Through a Common Criteria Recognition Arrangement (CCRA), twenty-six member countries have agreed to recognize the certification of Information Technology products with the same level of confidence.
|OS X Mountain Lion v10.8||OS X Lion v10.7|
|Configuration & Administration Guide|
|About Common Criteria Audit Tools|
|Audit Tools Download|
- Command line interface (CLI) Security Audit Tools are built-in to Mac OS X v10.6 and later. See the Admin Guide.
- This Mac OS X version was not submitted for Common Criteria Certification.
FIPS 140 Conformance Validation
The National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 and other cryptography based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment of the Government of Canada (CSEC).
FIPS 140-2 refers specifically to the security requirements for cryptographic modules. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. A complete description of each level can be found within the FIPS 140-2 publication found on the NIST website (FIPS PUB 140-2).
Cryptographic Modules validated as conforming to FIPS 140-2 are accepted by the Federal Agencies of both countries for the protection of sensitive information.
The CMVP web portal contains complete details on the program, all the related standards and documents, as well as the official lists of FIPS 140-1 and FIPS 140-2 validated cryptographic modules.
Cryptographic Module Validations
All Apple FIPS 140-2 Conformance Validation Certificates can be found on the CMVP Vendor page http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.
OS X Mavericks v10.9
- Certificate #2015 – Apple OS X CoreCrypto Module v4.0
- Certificate #1956 – Apple OS X CoreCrypto Kernel Module v4.0
OS X Mountain Lion v10.8
- Certificate #1964 – Apple OS X CoreCrypto Module v3.0
- Certificate #1956 – Apple OS X CoreCrypto Kernel Module v3.0
- OS X Mountain Lion: Apple OS X FIPS Cryptographic Modules 3.0
- OS X Mountain Lion: How to set up and maintain a FIPS-enabled system
- Crypto Officer Role Guide for 10.8
OS X Lion v10.7
- Certificate #1701 – Apple FIPS Cryptographic Module v1.1
- Apple FIPS Cryptographic Modules 1.1
- How to set up and maintain a FIPS-enabled OS X Lion system
- FIPS Administration Tools Crypto Officer Role Guide v1.2
Mac OS X Snow Leopard v10.6
- Certificate #1514 – Apple FIPS Cryptographic Module v1.0
- Apple FIPS Cryptographic Modules 1.0
- How to set up and maintain a FIPS-enabled Mac OS X v10.6 Snow Leopard system
- FIPS Administration Tools Crypto Officer Role Guide
|Organization||OS X 10.9||OS X 10.8|
|UK (GCHQ)||Device Guidance|
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information.