Cryptographic module validations
All Apple FIPS 140-2 Conformance Validation Certificates are on the CMVP vendor page. Apple actively engages in the validation of the CoreCrypto and CoreCrypto Kernel modules for each major release of macOS. Validation can only be performed against a final module release version and formally submitted upon OS public release. CMVP now maintains validation status of cryptographic modules under two separate lists depending on their current status. The modules begin in the Implementation Under Test List and then proceed to the Modules in Process List.
macOS Mojave
Apple is actively engaged in the validation of the CoreCrypto v9.0 modules used in macOS Mojave coming later this year.
macOS High Sierra
Related validation
macOS Sierra
- Apple macOS FIPS Cryptographic Modules v7.0
- Compliant devices
- Crypto Officer Role Guide for FIPS 140-2 Compliance macOS Sierra 10.12 (PDF)
- CoreCrypto #2832: Module certificate and security policy (PDF)
- CoreCrypto Kernel #2830: Module certificate and security policy (PDF)
OS X El Capitan
- Apple OS X FIPS Cryptographic Modules v6.0
- Compliant devices
- Crypto Officer Role Guide for FIPS 140-2 Compliance OS X El Capitan 10.11 (PDF)
- CoreCrypto #2610: Module certificate and security policy (PDF)
- CoreCrypto Kernel #2597: Module certificate and security policy (PDF)
Previous versions
These previous OS X versions had cryptographic module validations and are now archived:
- OS X Yosemite 10.10
- OS X Mavericks 10.9
- OS X Mountain Lion 10.8
- OS X Lion 10.7
- OS X Snow Leopard 10.6
Security configuration guides
Security-focused organizations provide well defined and vetted guidance for how to configure various platforms for accepted use. Security Configuration Guides provide an overview of features in OS X and iOS that you can use to enhance protection; this is known as "hardening your device." Worldwide governments have collaborated with Apple and developed guides designed to give instructions and recommendations for maintaining a more secure environment.
To use these guides, you should be an experienced user or system administrator. You shold be familiar with the user interface, and have some working knowledge of management tools for the target platform. It's beneficial to be familiar with basic networking concepts. Certain instructions in the guides are complex, and deviation could result in adverse effects or reduced protection. Thoroughly test any changes made to your device's settings before deployment.
Learn more in the macOS Security Guide (PDF).
| macOS High Sierra 10.13 | macOS Sierra 10.12 | OS X El Capitan 10.11 | |
 Apple |
SCAP-On-Apple | SCAP-On-Apple | SCAP-on-Apple |
 UK (NCSC) |
EUD Security Guidance: macOS 10.13 High Sierra | End User Devices Security Guidance | End User Devices Security Guidance End User Devices Security Guidance (PDF) OS X 10.11 provisioning script |
 US (DISA, NIST, NSA) |
macOS STIGs | Apple OS X 10.11 Workstation STIG |
Security certifications
A list of Apple's publicly identified, active, and completed certifications.
ISO 27001 and 27018 Certification
Apple has received ISO 27001 and ISO 27018 certifications for the Information Security Management System for the infrastructure, development, and operations supporting these products and services: Apple School Manager, iTunes U, iCloud, iMessage, FaceTime, Managed Apple IDs, Siri, and Schoolwork in accordance with the Statement of Applicability v2.1 dated 7/11/2017. Apple’s compliance with the ISO standards was certified by the British Standards Institution. The BSI website has certificates of compliance for ISO 27001 and ISO 27018.
Common Criteria certification
The goal, as stated by the Common Criteria community, is for an internationally approved set of security standards to provide a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product's ability to meet security standards, Common Criteria Certification gives customers more confidence in the security of Information Technology products and leads to more informed decisions.
Through a Common Criteria Recognition Arrangement (CCRA), member countries and regions have agreed to recognize the certification of Information Technology products with the same level of confidence. Membership along with the depth and breadth of Protection Profiles continues to grow on a yearly basis to address emerging technology. This agreement permits a product developer to pursue a single certification under any one of the Authorizing Schemes.
Those unfamiliar with the relatively recent restructuring of the certification approach under the new Common Criteria, should take notice that there is no longer any reference to Evaluated Assurance Levels (EAL#). Previous Protection Profiles (PP) were archived and have begun to be replaced with the development of targeted Protection Profiles focusing on specific solutions and environments. In a concerted effort to ensure continued mutual recognition across all CCRA members, the International Technical Community (iTC) continues to drive all future PP development and updates towards Collaborative Protection Profiles (cPP) which are developed from the start with involvement from multiple schemes.
Apple began pursuing certifications under this new Common Criteria restructure with selected PPs starting in early 2015. Apple’s publicly identified, active, and completed certifications are listed below.
macOS
Apple is actively engaged in the validation of macOS against the General Purpose Operating System Protection Profile.
Volatility Statements
Government organizations and their supporting contractors who are required to provide a Volatility Statement from the product manufacturer can obtain one by sending an email request to AppleFederal@apple.com and providing the Requesting Government Agency, Apple Product Name, Product Serial Number, and Government Technical Contact for the request.
Other operating systems
Learn more about product security, validations, and guidance for: