Apple Government Customers,
All of you have contacted Apple regarding the status of FIPS 140-2 Conformance Validation on Mac OS X either by way of the
email@hidden email address (via Federal Website) or by sending a message directly to me, Shawn Geddis, Security Consulting Engineer, Apple Enterprise (Public & Private Sectors) Division. Many of you have been waiting for quite sometime and for that I wanted to extend my apologies for the significant delay in responding to your request for information.
I am sorry for the somewhat impersonal method of responding to all of you at once, but there are so many asking the same questions that I was hoping to catch up by sending the same message to all of you at once. Some of you may have recently received a separate message from me, so please accept this as an update.
FIPS 140-2
Apple, Inc. has been under contract with CygnaCom (CEAL), a certified Cryptographic Modules Testing (CMT) Laboratory for the testing and validation of, the cryptography provided and used by Mac OS X for services like FileVault™ & Encrypted Storage, Key Management, S/MIME, etc. The FIPS 140-2 Level 1 (Software) Conformance Validation process takes a fair amount of time especially with the size and complexity of Apple's integrated Security Framework.
When will it be done ?
Many have asked when Mac OS X's cryptographic algorithms and Cryptography (and of course the related services like FileVault) Validation will be complete. Apple is unable to provide you with a specific timeframe as to when the FIPS 140-2 Conformance Validation will be complete due to the extensiveness of the process as well as the > 6 month backlog experienced by NIST once products are formally submitted by the testing laboratories. Apple will make every effort to post status updates on the Federal website [ http://www.apple.com/federal/ ] as well as occasional updates posted to the Fed-Talk Mailing list [ http://lists.apple.com/mailman/listinfo/fed-talk ].
The FIPS 140-2 Validation Process
For those who are not familiar with the process and requirements, they can be found on the NIST website
- Implementation Under Test (IUT)
- Validation Review Pending
- Validation Review
- Validation Coordination (this process may be iterative)
- Validation Finalization
Meeting the Technical Needs
Apple's Enterprise Division (Public & Private Sector) is intimately aware of the urgency and pressures that many of you are working under to identify and deploy FIPS 140-2 Validated solutions to protect Personally Identifiable Information (PII) on portable devices. Many agencies have rushed to purchase products and some have experienced significant challenges in integrating those products into the agency's default system configurations and usage scenarios on various platforms. Different agencies are meeting the OMB Guidelines with significant variance of interpretation. It is understood that Apple's cryptography has not yet achieved the desired FIPS 140-2 Validation, however the "services" to meet the OMB Guidelines have been built into the Mac OS X Operating System for years.
To assist Federal Agency IT Staff in understanding how Apple's Mac OS X Operating System can help them meet those guidelines, the Apple Enterprise Team had developed and presented the "Meeting OMB Encryption Guidelines with Mac OS X Today" briefing to a large Federal IT Staff on August 17, 2006. Many additional Federal Staff had indicated that they were unable to attend the all day briefing and technical discussion due to scheduling conflicts, but said they were extremely interested in getting access to the presentation.
Public iDisk: geddis
folder: security
file: "Meeting OMB Encryption Guidelines-Apple.pdf
Direct Web Link:
Full Disk Encryption
Some agencies have gone as far as to require/mandate full disk encryption on all their systems with PII. To be clear, FileVault™ (AES-128) is full encryption of the User's Home Directory where the user has full, direct access to read and write their data. The underlying Encrypted Disk architecture does provide services to encrypt data across a whole NON-Boot disk for strong AES-128. This would include external volumes such as Thumb drives, CDs/DVDs, USB/FireWire HDs and even the storage of files on Network accessible Volumes.
Since Apple's Mac OS X Security Architecture is significantly different than that of Microsoft's Windows OS, the need for full disk encryption is significantly less. However, Apple realizes that several agencies and IT Staff are still requiring full disk encryption solutions to protect the data, so the Apple Enterprise division engaged with well-known vendors to assist in accelerating their product offerings as well. As soon as there is adequate information to share on those offerings, the Apple Enterprise Division and those vendors will jointly make known the availability of those solutions. We also have plans for a national tour to effective communicate those available solutions to Apple's Enterprise Customers. The dates and logistics of those events will be communicated to the Fed-Talk Mailing List, among others, so it is best to subscribe if you have not already.
Background on Apple's Cryptographic Architecture
The Cryptography and PKI Services within Mac OS X and Mac OS X Server are provided through the CDSA - Common Data Security Architecture . The CDSA architecture is the core part of Apple's Security framework which is available from The Open Group and available as open source for review, use and modification.
For those who need to implement a FIPS 140-2 validated HSM (Hardware Security Module) on Apple Hardware (Xserve or MacPro) for SSL/TLS based services, there is a platform independent product which was submitted for FIPS 140-2 submission.
Many have asked why they cannot yet find Mac OS X on the Pre-Validation List posted (PDF) on the NIST CMVP website. Short answer is that Mac OS X's validation process has not yet reached that phase and hence has not yet been posted. When it has, it will be posted along with the other products for your reference.
If any of you have any additional questions at this time relating to FIPS 140-2 Level 1 Conformance Validation of Mac OS X , please contact me directly via email at: