That's good news and will
help Apple gain access to some new things.
I know Apple just received their EAL3
certification but in my experiences we can't do much with it until EAL4 so I
wanted to ask what the plans are to push for an EAL4 certification? The fact
that MS has an EAL4 for Windows 2000 gives a lot of people ammunition to throw
back when trying to push for OSX or Linux. I've run into it myself when pushing
for Linux, thankfully EAL4 is currently being worked for both Redhat's
enterprise Linux and Suse.
For people who wonder how MS would have
received a certification to EAL4 read up on what the CAPP profile is and what it
means and you can see how.
- Brian
[ .. sorry in advance for the length of this message ... ]
Folks,
Apple Computer's Federal Team is proud to announce:
Common Criteria Certification for Mac OS X 10.3.6 & Mac OS X Server
10.3.6
Many of you may already have begun to see postings on familiar websites
referencing Apple's Common Criteria Certification for Mac OS X 10.3.6 & Mac
OS X Server 10.3.6 - "Panther". I just wanted to provide some initial key
information here to help begin to explain to everyone what this means and how it
might impact your environment. Please keep in mind that this is initial
information and much more will be shared on the Fed-Talk mailing list, the Apple
Federal website [ http://www.apple.com/federal/ ] as well as the Apple Security
pages [ http://www.apple.com/support/security/commoncriteria/ ] in the coming
days and weeks.
Things I want to cover in this message (since this will be a long message):
* Common Criteria Certification (CAPP/EAL3)
* Auditing on Mac OS X (Classified Networks /
NISPOM-Ch.8)
* Related Resources (Where to go to get more
info)
Common Criteria Certification (CAPP/EAL3)
Protection Profile: CAPP - Controlled Access
Protection Profile
Assurance Level: EAL3 - Evaluated Assurance Level 3
Product Name(s): Mac OS X 10.3.6 with Common Criteria
Tools Package
Mac OS X Server 10.3.6 with Common Criteria Tools Package
Evaluation Platforms:
Mac OS X 10.3.6:
- eMac, iBook, iMac
- PowerBook, or Power Mac with single or dual G3, G4, or G5 processor
Mac OS X Server 10.3.6:
- eMac, iBook, iMac
- PowerBook, Power Mac, or Xserve with single or dual G3, G4, or G5
processor
Certifying Lab: SAIC
** All Common Criteria functionality has been incorporated into Mac
OS X starting with Mac OS X version 10.3.6 and Mac OS X Server version 10.3.6.
** The depth of hardware systems certified is extensive and should
provide everyone to move immediately with their current systems in place as well
as those they are still purchasing to-date.
Brief Background on Common Criteria
Common Criteria, an internationally approved set of security
standards, provides a clear and reliable evaluation of the security capabilities
of Information Technology products. By providing an independent assessment of a
product's ability to meet security standards, Common Criteria gives customers
more confidence in the security of Information Technology products and leads to
more informed decisions. Security-conscious customers, such as the U.S. Federal
Government, are requiring Common Criteria certification as a determining factor
in purchasing decisions. Since the requirements for certification are clearly
established, vendors can target very specific security needs while providing
broad product offerings.
US Federal Government Requirements
US Federal Agencies have long needed independent evaluations of
applications and operating systems it uses to ensure the products are following
good security best practices, but most of all that the vendor's claims for
these security services have been validated. Specific to the US Federal
Government, NIAP - National Information Assurance Partnership [
http://niap.nist.gov/ ] oversees the certification process.
The National Information Assurance Partnership (NIAP) is a U.S.
Government initiative originated to meet the security testing needs of both
information technology (IT) consumers and producers. NIAP is a collaboration
between the National Institute of Standards and Technology (NIST) and the
National Security Agency (NSA) in fulfilling their respective responsibilities
under PL 100-235 (Computer Security Act of 1987). The partnership combines the
extensive IT security experience of both agencies to promote the development
of technically sound security requirements for IT products and systems and
appropriate measures for evaluating those products and systems.
Common Criteria certification is then recognized Internationally by the
countries involved in the arrangement on the Mutual Recognition of Common
Criteria Certificates in the Field of IT Security [
http://niap.nist.gov/cc-scheme/ccra-participants.html ] The complete
PDF document covering this arrangement can be found on the NIAP website as well
[ http://niap.nist.gov/cc-scheme/cc-recarrange.pdf ].
Products are evaluated and if appropriate, given a certification
stating that the vendor's claims have been validated by a US Federally Certified
Lab. In the case of Mac OS X / OS X Server, SAIC was the Certifying Lab.
Validated Products List (including Mac OS X & Mac OS X Server)
<http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#operatingsystem>
-----------------------------------------------------------------------------------------------------------
Auditing on Mac OS X (Classified Networks /
NISPOM-Ch.8)
As part of the work done for Common Criteria, Apple delivered the required
'Security Auditing' capabilities. These auditing services providing the the
capturing, reviewing, filtering and validating relevant security events that
have taken place on the associated system. One of the most notable requirements
for Auditing is for those wanting and needing to place systems on Classified
Networks (i.e. SIPRNET). The corresponding requirements are driven by DSS [
http://www.dss.mil/ ] and relate to NISPOM - National Industrial Security
Program Operating Manual [ http://www.dss.mil/search-dir/infoas/index.htm ]. The
one area that requires these auditing services exist, are document and properly
enforced are referenced in Chapter 8 of the NISPOM [
http://www.dss.mil/isec/change_ch8.htm ].
The Audit support in Mac OS X 10.3.6 & Mac OS X Server 10.3.6
with the Common Criteria Tools installed meet the requirements as mandated in
Chapter 8.
There have been several specific individuals working with the Auditing
Tools and documentation prior to the announcement of Common Criteria
Certification who have successfully achieved acceptance of their Mac OS X &
Mac OS X Server based systems on their Classified Networks. We would like to
gather appropriate information from these folks which could be posted to aid
future efforts by others to receive DSS Approval. Until that is available, if
you need information to assist in your documentation for NISPOM, please contact
Shawn Geddis <email@hidden>, Security Consulting Engineer, Apple -
Federal, offline for follow up.
-----------------------------------------------------------------------------------------------------------
Related Resources
As I indicated earlier, this message should serve as the initial
notification of the Certification as well as some of the background
information, but more information will soon be posted to the Apple Federal
Security Website [ http://www.apple.com/federal/security ] to provide more
in-depth information on Common Criteria, Auditing and related services in Mac OS
X relative to the security needs of the US Federal Government.
The following are references to the content specifically posted in support
of the Common Criteria Certification. Those individuals looking for and needing
the Auditing information only still need to install the Common Criteria Tools as
well as download and follow the guidance in the Common Criteria Administration
Guide.
Common Criteria Tools & Admin Guide
▪ Common Criteria Tools
<http://www.apple.com/support/downloads/commoncriteriatools.html>
▪ Common Criteria Administration Guide
<http://images.apple.com/support/security/commoncriteria/CC_AdminGuide.pdf>
▪ Common Criteria White Paper
<http://images.apple.com/support/security/commoncriteria/CC_Whitepaper.pdf>
▪ National Information Assurance Partnership
(NIAP) Home Page
<http://niap.nist.gov/>
▪ NIAP Evaluation Report
<http://images.apple.com/support/security/commoncriteria/CC_NIAP.pdf>
▪ Common Criteria Test Cases
<http://download.info.apple.com/Mac_OS_X/061-1665.20050216CCCTsCs/CCTestCases.dmg>
-----------------------------------------------------------------------------------------------------------
This message by no means can provide the perfect amount of information on
CCC and Auditing for everyone on this list, but I hope it helps to begin to
enlighten folks on what is available and where to begin. I wish to remind
everyone to keep their browser bookmarked on the Federal Website & Security
Pages to stay up-to-date on what is available and where.
Those who provide the System Administration for the Mac OS X & Mac OS X
Server systems in their agency are encouraged to share their successes,
challenges and general feedback to both the list at large and to me personally
for possible inclusion in a live "FAQ" page on this topic.
-Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Computer - US Federal Government