Cryptographic module validations
All Apple FIPS 140-2 Conformance Validation Certificates are on the CMVP vendor page. Apple actively engages in the validation of the CoreCrypto and CoreCrypto Kernel modules for each major release of iOS. Validation can only be performed against a final module release version and formally submitted upon OS public release. CMVP now maintains validation status of cryptographic modules under two separate lists depending on their current status at http://csrc.nist.gov/groups/STM/cmvp/inprocess.html. The modules begin in the Implementation Under Test List and then proceed to the Modules in Process List.
Apple is actively engaged in the validation of the CoreCrypto v8.0 modules and the Secure Enclave Processor Secure Key Store Cryptographic Module v1.0 used by iOS 11.
These previous iOS versions had cryptographic module validations and are now archived:
- iOS 8
- iOS 7
Security configuration guides
Security-focused organizations provide well defined and vetted guidance for how to configure various platforms for accepted use. Security Configuration Guides provide an overview of features in macOS and iOS that you can use to enhance protection; this is known as "hardening your device." Worldwide governments have collaborated with Apple and developed guides designed to give instructions and recommendations for maintaining a more secure environment.
To use these guides, you should be an experienced user or system administrator, be familiar with the user interface, and have some working knowledge of management tools for the target platform. It's beneficial to be familiar with basic networking concepts. Certain instructions in the guides are complex, and deviation could result in adverse effects or reduced protection. Thoroughly test any changes made to your device's settings before deployment.
Learn more in the iOS Security Guide (PDF).
A list of Apple's publicly identified, active, and completed certifications.
ISO 27001 and 27018 Certification
Apple has received ISO 27001 and ISO 27018 certification for the Information Security Management System for the infrastructure, development, and operations supporting these products and services: Apple School Manager, iCloud, iMessage, FaceTime, Managed Apple IDs, and iTunes U, in accordance with the Statement of Applicability v2.1 dated July 11, 2017. Apple's compliance with the ISO standard was certified by the British Standards Institution. The BSI website has certificates of compliance for ISO 27001 and ISO 27018.
Common Criteria Certification
The goal, as stated by the Common Criteria community, is for an internationally approved set of security standards to provide a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product's ability to meet security standards, Common Criteria Certification gives customers more confidence in the security of Information Technology products and leads to more informed decisions.
Through a Common Criteria Recognition Arrangement (CCRA), member countries have agreed to recognize the certification of Information Technology products with the same level of confidence. Membership along with the depth and breadth of Protection Profiles continues to grow on a yearly basis to address emerging technology. This agreement permits a product developer to pursue a single certification under any one of the Authorizing Schemes.
Previous Protection Profiles (PP) were archived and have begun to be replaced with the development of targeted Protection Profiles focusing on specific solutions and environments. In a concerted effort to ensure continued mutual recognition across all CCRA members, the International Technical Community (iTC) continues to drive all future PP development and updates towards Collaborative Protection Profiles (cPP) which are developed from the start with involvement from multiple schemes.
Apple began pursuing certifications under this new Common Criteria restructure with selected PPs starting in early 2015. Apple’s publicly identified, active, and completed certifications are listed below.
Additional evaluations for VPN IPSec Client, Application Software, Email Client, Web Browser, and more in iOS 11 are underway and will be listed when they are formally submitted to the Scheme.
|Mobile Device||MDFPP3.0||VID: 10782 (2017.07.27)|
|VPN IPSec Client||VPNIPSecPP1.4||VID: 10792 (2017.07.27)|
|MDM Agent||MDMAgentEP3.0||VID: 10782 (2017.07.27)|
|WLAN Agent||WLANClientEP1.0||VID: 10782 (2017.07.27)|
|Mobile Device||MDFPP2.0||VID: 10695 (2016.01.28)|
|VPN IPSec Client||VPNIPSecPP1.4||VID: 10714 (2016.03.10)|
|MDM Agent||MDMAgentPP2.0||VID: 10725 (2016.07.18)|
Published major version updates to Protection Profiles by the Common Criteria community are generally expected to follow a 12-18 month cadence with additional or updated Security Functional Requirements (SFRs).
Under the Common Criteria Portal, you can find a complete list of Protection Profiles (PPs), Collaborative Protection Profiles (cPPs) along with their validity dates. You can also locate them under your Scheme of choice such as the National Information Assurance Partnership (NIAP) which is the US scheme.
Approved for government use
Information from select countries that have approved devices for government use.
As summarized from the EPL - Evaluated Products List page:
The Australian Signals Directorate (ASD) maintains the Evaluated Products List (EPL) of ICT security products evaluated by ASD for use in Australian and New Zealand government agencies.
- Products on the EPL are certified for specific purposes.
- Products on the EPL may be used to build secure systems and networks as described in the Australian Government Information Security Manual (ISM).
- Products are certified against the internationally-recognised ISO 15408 Common Criteria (CC). The CC Portal lists other products with mutually-recognised certification that may also be used.
- ASD’s certification office, the Australasian Certification Authority, oversees the Australasian Information Security Evaluation Program (AISEP) that administers product testing by licensed commercial evaluation facilities.
- The EPL also lists ASD’s Cryptographic Evaluations.
Product: iOS 9
Product type: Mobile Products
Product Status: Completed
Assurance Level: Assessed by ASD
Version: 9.3.5 or higher
As summarized from NCSC’s Commercial Product Assurance - products at foundation grade page:
CPA evaluates commercial off-the-shelf products and their developers against published security and development standards. A security product that is successfully assessed is awarded Foundation Grade certification. This means the product has been proved to demonstrate good commercial security practice and is suitable for lower threat environments.
- CPA certification is valid for 2 years and allows products to be updated during the lifetime of certification as vulnerabilities and updates are required.
- CPA certification is accepted by the NATO catalogue and recognized as one of the evaluations needed for the EU catalogue.
- Foundation Grade is further explained by NCSC.
As stated on the Commercial Solutions for Classified page:
U.S. Government customers increasingly require immediate use of the market's most modern commercial hardware and software technologies within National Security Systems (NSS) in order to achieve mission objectives. Consequently, the National Security Agency/Central Security Service's (NSA/CSS) Information Assurance Directorate (IAD) is developing new ways to leverage emerging technologies to deliver more timely IA solutions for rapidly evolving customer requirements.
NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data. This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years.
An ever-increasing number of classified environments want to deploy Apple solutions, but have been held back for product certification reasons. Apple’s pursuit of Common Criteria Certifications against the Protection Profiles noted above has enabled Apple products to be listed and available on the CSfC Components List.
Once additional Common Criteria Certifications of Apple products have begun against each of the related protection profiles, the corresponding Apple components will be submitted for acceptance on the CSfC Components List and added below.
Running on devices using A7–A10 Fusion:
Running on devices using A7–A9X:
Add Apple products to your Products List
An increasing number of government environments have requested that Apple products be submitted to their programs similar to CPA, EPL, and CSfC. If you're an authorized agent of your government's solutions program and are interested in getting Apple products on your equivalent Products List, please contact us at email@example.com.