Product security certifications, validations, and guidance for macOS

This article contains references for key product certifications, cryptographic validations, and security guidance for macOS platforms. Contact us at if you have any questions.

Cryptographic module validations

All Apple FIPS 140-2 Conformance Validation Certificates can be found on the CMVP vendor page.

FIPS 140 conformance validation

The National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP), which validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 and other cryptography-based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment of the Government of Canada (CSEC).

FIPS 140-2 refers specifically to the security requirements for cryptographic modules. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. A complete description of each level is given in the FIPS 140-2 publication on the NIST website (FIPS PUB 140-2).

Cryptographic Modules validated as conforming to FIPS 140-2 are accepted by the Federal Agencies of both countries for the protection of sensitive information.

The CMVP web portal contains complete details on the program, all the related standards and documents, as well as the official lists of FIPS 140-1 and FIPS 140-2 validated cryptographic modules.

Apple actively engages in the validation of the CoreCrypto and CoreCrypto Kernel modules for each major release of macOS. Validation can only be performed against a final module release version and formally submitted upon OS public release. 

CMVP now maintains validation status of cryptographic modules under two separate lists depending on their current status.

macOS Sierra

OS X El Capitan

Previous versions

These previous OS X versions had cryptographic module validations and are now archived:

  • OS X Yosemite v10.10
  • OS X Mavericks v10.9
  • OS X Mountain Lion v10.8
  • OS X Lion v10.7
  • OS X Snow Leopard v10.6

Security configuration guides

Security-focused organizations provide well-defined and vetted guidance for how to configure various platforms for accepted use. Security Configuration Guides provide an overview of features in OS X and iOS that you can use to enhance protection; this is known as "hardening your device." Governments worldwide have collaborated with Apple and developed guides designed to give instructions and recommendations for maintaining a more secure environment.

To use these guides, you should be an experienced user or system administrator. You should be familiar with the user interface and have some working knowledge of management tools for the target platform. It's beneficial to be familiar with basic networking concepts. Certain instructions in the guides are complex, and deviation could result in adverse effects or reduced protection. Thoroughly test any changes made to your device's settings before deployment.

  macOS Sierra 10.12 OS X El Capitan v10.11 OS X Mavericks v10.10

  SCAP-on-Apple SCAP-on-Apple

End User Devices Security Guidance End User Devices Security Guidance

End User Devices Security Guidance

OS X 10.11 provisioning script
End User Devices Security Guidance

  Apple OS X 10.11 Workstation STIG


NIST: Guide to Securing Apple OS X 10.10 (PDF)

OS X 10.10 (Memo, IAVM, STIG)


Security certifications

A list of Apple's publicly identified, active, and completed certifications.

ISO 27001 Certification

Apple has received ISO 27001 certification for the Information Security Management System for the infrastructure, development, and operations supporting the products and services: Apple School Manager, iCloud, iMessage, FaceTime, Managed Apple IDs, and iTunes U, in accordance with the Statement of Applicability v1.0, dated February 26, 2016. Apple’s compliance with the ISO standard was certified by the British Standards Institution. This certificate is available on the BSI website.

Common Criteria certification

The goal, as stated by the Common Criteria community, is for an internationally approved set of security standards to provide a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product's ability to meet security standards, Common Criteria Certification gives customers more confidence in the security of Information Technology products and leads to more informed decisions.

Through a Common Criteria Recognition Arrangement (CCRA), twenty-six member countries have agreed to recognize the certification of Information Technology products with the same level of confidence. Membership along with the depth and breadth of Protection Profiles continues to grow on a yearly basis to address emerging technology. This agreement permits a product developer to pursue a single certification under any one of the Authorizing Schemes.

Those unfamiliar with the relatively recent restructuring of the certification approach under the new Common Criteria should note that there is no longer any reference to Evaluated Assurance Levels (EAL#). Previous Protection Profiles (PP) were archived and have begun to be replaced by targeted Protection Profiles focusing on specific solutions and environments. In a concerted effort to ensure continued mutual recognition across all CCRA members, the International Technical Community (iTC) continues to drive all future PP development and updates towards Collaborative Protection Profiles (cPP), which are developed from the start with involvement from multiple schemes.

Apple began pursuing certifications under this new Common Criteria restructure with selected PPs starting in early 2015. Apple’s publicly identified, active, and completed certifications are listed below. 

  OS X Mountain Lion v10.8 OS X Lion v10.7
Configuration & Administration Guide

Admin Guide v2.1

Admin Guide v2.1

About Common Criteria Audit Tools

Audit Tools Download

Test Cases

Security Target

Validation Report

Validation Certificate

Conformance Claims


  1. Command line interface (CLI) Security Audit Tools are built in to Mac OS X v10.6 and later. See the Admin Guide.
  2. This Mac OS X version was not submitted for Common Criteria Certification.

Volatility Statements

Government organizations and their supporting contractors who are required to provide a Volatility Statement from the product manufacturer can obtain one by sending an email request to and providing the Requesting Government Agency, Apple Product Name, Product Serial Number, and Government Technical Contact for the request.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.
