Apple seeks to better iPad, iPhone security via FIPS 140-2 compliance

Apple Inc.'s decision to seek FIPS 140-2 validation for its iPad and iPhone devices signals its intent to enter the world of government IT.

Federal IT managers concerned about security for expanding numbers of iPhone and iPad users may get some relief soon. Apple Computer Inc. recently submitted cryptographic modules to enhance iPhone security and iPad security to National Institute of Standards and Technology-accredited testing laboratories as part of the validation and certification process required under the Federal Information Security Management Act of 2002. Those standards are laid out in NIST's Federal Information Processing Standard Publication (FIPS) 140-2 (.pdf), which proscribes a minimum set of security requirements for cryptographic modules that include both hardware and software components.

People ask why Apple doesn't seem to be in the [government] game; now it looks like they're in the game.


Randall Easter
director of cryptographic module validation programNIST

"People ask why Apple doesn't seem to be in the [government] game; now it looks like they're in the game," said Randall Easter, director of NIST's cryptographic module validation program.

As more agencies contemplate deploying Apple mobile devices and start up pilot programs to test their suitability for enterprise-wide use, managers have to make sure those devices are compliant with the cryptographic standards established under FISMA.

Under FISMA, "any agency that procures a product that has crypto in it and they're going to use those cryptographic functions to protect sensitive, unclassified information, that cryptology has to be tested and validated by us for conformance with 140-2," Easter said. Companies that want to sell their products to federal agencies have to submit them to a NIST-accredited laboratory. At the lab, the modules undergo cryptographic module validation and a comprehensive, five-step testing and review process to ensure they meet FIPS 140-2 requirements. The NIST website gives an overview of the FIPS 140-2 validation process, as well as the status of modules in process.

Aiming to break into the government market on an enterprise level, Apple has submitted three cryptographic modules that are in the modules in process queue for FIPS 140-2 compliance, according to Easter. Two of the modules in the testing process are specifically designed for iPhone and iPad security, and the third is a more generic module, he said.

"The information we have from the laboratory is that [the iPhone and iPad modules] are still undergoing the conformance testing," he said, adding that he didn't know when they would be released to his team for validation since the modules were still in the early stages of the validation procedure. "We review [a report] provided by the laboratories and validate it," Easter explained. "Once it's validated -- when agencies procure a product that is either a crypto module or uses the crypto module embedded in it -- they have traceability to the validation certificate when they're audited for conformance to FISMA."

Easter offered this tip for managers looking at using Apple mobile devices: Once FIPS 140-2 certification is available, if you're going to use crypto on the device, be sure it has traceability to a FIPS 140-2 validation certificate because that's mandatory under FISMA.

"It's fine to do pilot projects [without certification] but to actually go operational before the functions are validated is not meeting the FISMA requirement," Easter said.

David Smith, chief technology officer of Citrix Systems Inc., which is providing application-delivery support to the U.S. Marshals Service on its iPad pilot program, suggested that agencies should fully incorporate security as part of their overall strategy for using mobile devices to deliver applications across the enterprise.

Smith advised managers to:

  • Look carefully at the security ramifications of using Apple devices. "You can take your iPhone and go to the App Store and download a nice app, but I don't know if I want somebody just to download an arbitrary app onto a device that [the agency owns] and that may have sensitive information," he said.
  • Use the device as a method of access, but not for data storage.
  • Develop an overall device management strategy. "There are a lot of default capabilities that exist on an iPad or an iPhone that you may not want the users to be able to use," he said. For example, managers may want to restrict the ability of users to access the App Store or iTunes from the device or to install their own apps.

About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.

Dig Deeper on Apple iOS in the enterprise