[Fed-Talk] [Announce] Common Criteria Certification!
- Subject: [Fed-Talk] [Announce] Common Criteria Certification!
- From: Shawn Geddis <email@hidden>
- Date: Thu, 17 Feb 2005 13:10:40 -0500
[ .. sorry in advance for the length of this message ... ]
Folks,
Apple Computer's Federal Team is proud to announce:
Common Criteria Certification for Mac OS X 10.3.6 & Mac OS X Server 10.3.6
Many of you may already have begun to see postings on familiar websites referencing Apple's Common Criteria Certification for Mac OS X 10.3.6 & Mac OS X Server 10.3.6 - "Panther". I just wanted to provide some initial key information here to help begin to explain to everyone what this means and how it might impact your environment. Please keep in mind that this is initial information and much more will be shared on the Fed-Talk mailing list, the Apple Federal website [ http://www.apple.com/federal/ ] as well as the Apple Security pages [ http://www.apple.com/support/security/commoncriteria/ ] in the coming days and weeks.
Things I want to cover in this message (since this will be a long message):
* Common Criteria Certification (CAPP/EAL3)
* Auditing on Mac OS X (Classified Networks / NISPOM-Ch.8)
* Related Resources (Where to go to get more info)
Common Criteria Certification (CAPP/EAL3)
Protection Profile: CAPP - Controlled Access Protection Profile
Assurance Level: EAL3 - Evaluation Assurance Level 3
Product Name(s): Mac OS X 10.3.6 with Common Criteria Tools Package
Mac OS X Server 10.3.6 with Common Criteria Tools Package
Evaluation Platforms:
Mac OS X 10.3.6:
- eMac, iBook, iMac
- PowerBook, or Power Mac with single or dual G3, G4, or G5 processor
Mac OS X Server 10.3.6:
- eMac, iBook, iMac
- PowerBook, Power Mac, or Xserve with single or dual G3, G4, or G5 processor
Certifying Lab: SAIC
** All Common Criteria functionality has been incorporated into Mac OS X starting with Mac OS X version 10.3.6 and Mac OS X Server version 10.3.6.
** The range of hardware systems certified is extensive and should allow everyone to move immediately with their current systems in place, as well as with those they are still purchasing to date.
Brief Background on Common Criteria
Common Criteria, an internationally approved set of security standards, provides a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product's ability to meet security standards, Common Criteria gives customers more confidence in the security of Information Technology products and leads to more informed decisions. Security-conscious customers, such as the U.S. Federal Government, are requiring Common Criteria certification as a determining factor in purchasing decisions. Since the requirements for certification are clearly established, vendors can target very specific security needs while providing broad product offerings.
US Federal Government Requirements
US Federal Agencies have long needed independent evaluations of the applications and operating systems they use to ensure the products follow good security best practices, but most of all that the vendor's claims for these security services have been validated. Specific to the US Federal Government, NIAP - National Information Assurance Partnership [ http://niap.nist.gov/ ] oversees the certification process.
The National Information Assurance Partnership (NIAP) is a U.S. Government initiative originated to meet the security testing needs of both information technology (IT) consumers and producers. NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under PL 100-235 (Computer Security Act of 1987). The partnership combines the extensive IT security experience of both agencies to promote the development of technically sound security requirements for IT products and systems and appropriate measures for evaluating those products and systems.
Common Criteria certification is then recognized internationally by the countries involved in the Arrangement on the Mutual Recognition of Common Criteria Certificates in the Field of IT Security [ http://niap.nist.gov/cc-scheme/ccra-participants.html ]. The complete PDF document covering this arrangement can be found on the NIAP website as well [ http://niap.nist.gov/cc-scheme/cc-recarrange.pdf ].
Products are evaluated and, if appropriate, given a certification stating that the vendor's claims have been validated by a US Federally Certified Lab. In the case of Mac OS X / Mac OS X Server, SAIC was the Certifying Lab.
Validated Products List (including Mac OS X & Mac OS X Server)
<http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#operatingsystem>
-----------------------------------------------------------------------------------------------------------
Auditing on Mac OS X (Classified Networks / NISPOM-Ch.8)
As part of the work done for Common Criteria, Apple delivered the required 'Security Auditing' capabilities. These auditing services provide the capturing, reviewing, filtering and validating of relevant security events that have taken place on the associated system. One of the most notable requirements for Auditing applies to those wanting and needing to place systems on Classified Networks (i.e. SIPRNET). The corresponding requirements are driven by DSS [ http://www.dss.mil/ ] and relate to the NISPOM - National Industrial Security Program Operating Manual [ http://www.dss.mil/search-dir/infoas/index.htm ]. The requirements that these auditing services exist, are documented and are properly enforced are laid out in Chapter 8 of the NISPOM [ http://www.dss.mil/isec/change_ch8.htm ].
The Audit support in Mac OS X 10.3.6 & Mac OS X Server 10.3.6 with the Common Criteria Tools installed meets the requirements as mandated in Chapter 8.
Several individuals who worked with the Auditing Tools and documentation prior to the announcement of Common Criteria Certification have successfully achieved acceptance of their Mac OS X & Mac OS X Server based systems on their Classified Networks. We would like to gather appropriate information from these folks which could be posted to aid future efforts by others to receive DSS Approval. Until that is available, if you need information to assist in your documentation for NISPOM, please contact Shawn Geddis <email@hidden>, Security Consulting Engineer, Apple - Federal, offline for follow up.
-----------------------------------------------------------------------------------------------------------
Related Resources
As I indicated earlier, this message should serve as the initial notification of the Certification as well as some of the background information, but more information will soon be posted to the Apple Federal Security Website [ http://www.apple.com/federal/security ] to provide more in-depth information on Common Criteria, Auditing and related services in Mac OS X relative to the security needs of the US Federal Government.
The following are references to the content specifically posted in support of the Common Criteria Certification. Those individuals looking for and needing the Auditing information only still need to install the Common Criteria Tools as well as download and follow the guidance in the Common Criteria Administration Guide.
Common Criteria Tools & Admin Guide
▪ Common Criteria Tools
<http://www.apple.com/support/downloads/commoncriteriatools.html>
▪ Common Criteria Administration Guide
<http://images.apple.com/support/security/commoncriteria/CC_AdminGuide.pdf>
▪ Common Criteria White Paper
<http://images.apple.com/support/security/commoncriteria/CC_Whitepaper.pdf>
▪ National Information Assurance Partnership (NIAP) Home Page
<http://niap.nist.gov/>
▪ NIAP Evaluation Report
<http://images.apple.com/support/security/commoncriteria/CC_NIAP.pdf>
▪ Common Criteria Test Cases
<http://download.info.apple.com/Mac_OS_X/061-1665.20050216.CCCTsCs/CCTestCases.dmg>
-----------------------------------------------------------------------------------------------------------
This message by no means can provide the perfect amount of information on CCC and Auditing for everyone on this list, but I hope it helps to begin to enlighten folks on what is available and where to begin. I wish to remind everyone to keep their browser bookmarked on the Federal Website & Security Pages to stay up to date on what is available and where.
Those who provide the System Administration for the Mac OS X & Mac OS X Server systems in their agency are encouraged to share their successes, challenges and general feedback to both the list at large and to me personally for possible inclusion in a live "FAQ" page on this topic.
-Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Computer - US Federal Government