<Past |
Future> |
10.7.x (Lion) |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
10.8.x (Mntn Lion) |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
10.9.x (Mavericks) |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
10.10.x (Yosemite) |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
10.11.x (El Capitan) |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
10.12.x (Sierra) |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
10.13.x (HighSierra) |
Approved w/Constraints [4, 10, 11, 12, 13] |
Approved w/Constraints [4, 10, 11, 12, 13] |
Approved w/Constraints [3, 4, 11, 12, 13] |
Approved w/Constraints [3, 4, 11, 12, 13] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
10.14.x (Mojave) |
Approved w/Constraints [4, 10, 11, 12, 13] |
Approved w/Constraints [4, 10, 11, 12, 13] |
Approved w/Constraints [3, 4, 11, 12, 13] |
Approved w/Constraints [3, 4, 11, 12, 13] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
10.15.x (Catalina) |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
Unapproved |
11.x (Big Sur) |
Approved w/Constraints [4, 10, 11, 12, 13] |
Approved w/Constraints [4, 10, 11, 12, 13] |
Approved w/Constraints [3, 4, 11, 12, 13] |
Approved w/Constraints [3, 4, 11, 12, 13] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
12.x (Monterey) |
Unapproved |
Unapproved |
Approved w/Constraints [3, 4, 11, 12, 13] |
Approved w/Constraints [3, 4, 11, 12, 13] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
Approved w/Constraints [3, 12, 13, 14, 15] |
| | [1] | This Technology is currently being evaluated, reviewed, and tested in controlled environments. Use of this technology is strictly controlled and not available for use within the general population. | | [2] | Use of this technology is only permitted when deployed using the organization`s gold image and managed by the Mac standardization project. Due to a high number of NIST security vulnerabilities, extra vigilance should be applied to ensure supported versions of the product remain properly patched to mitigate known and future vulnerabilities. | | [3] | Use of this technology is only permitted when deployed using the organization`s gold image and managed by the Mac standardization project. | | [4] | Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISO can provide assistance in reviewing the NIST vulnerabilities. | | [5] | Use of this technology is only permitted when deployed using the organization`s gold image and managed by the Mac standardization project.
Version 10.12 currently being evaluated, reviewed, and tested in controlled environments. Use of this technology is strictly controlled and not available for use within the general population. Contact your local CIO office if more information is needed in regards to the use of this technology. | | [6] | Use of this technology is only permitted when deployed using the organization`s gold image and managed by the Mac standardization project.
Version 10.12 currently being evaluated, reviewed, and tested in controlled environments. Use of this technology is strictly controlled and not available for use within the general population. Contact your local CIO office if more information is needed in regards to the use of this technology.
When establishing a password for the FileVault 2, ensure that all of the VA password requirements are met with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least 8 non-blank characters. They must contain characters from three (3) of the following (4) categories:
English upper case characters
English lower case characters
Base-10 digits
Non-alphanumeric special characters
Six of the characters must not occur more than once in the password.
The lack of support for MFA and the reuse of OS authentication is a concern in FileVault 2. It is essential at VA to use two-factor authentication (2FA) and not duplicate OS credentials when authenticating users before system boot. Commercial add-on products must be investigated and tested for coupling with FileVault 2 to achieve MFA/2FA.
Since recovery keys are essentially passwords that the system generates for the user, the user will need to find a way to secure the recovery key for later retrieval if necessary. Successful implementation of FileVault 2 relies on impeccable password protection. VA must consistently conduct awareness programs emphasizing techniques to store/escrow passwords and recovery keys.
Thoroughly test centralized management and configuration third-party add-on pairings that must be used to scale FileVault 2 implementation from its intended personal use to an enterprise solution.
Care must be exercised to use the latest version of FileVault 2 and not to inadvertently implement Legacy FileVault by mistake. FileVault 2 must remain patched and operated in accordance with Federal and Department security and privacy policies and guidelines. | | [7] | Use of this technology is only permitted when deployed using the organization`s gold image and managed by the Mac standardization project.
Version 10.13 currently being evaluated, reviewed, and tested in controlled environments. Use of this technology is strictly controlled and not available for use within the general population. Contact your local CIO office if more information is needed in regards to the use of this technology.
When establishing a password for the FileVault 2, ensure that all of the VA password requirements are met with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least 8 non-blank characters. They must contain characters from three (3) of the following (4) categories: English upper case characters English lower case characters Base-10 digits Non-alphanumeric special characters Six of the characters must not occur more than once in the password.
The lack of support for MFA and the reuse of OS authentication is a concern in FileVault 2. It is essential at VA to use two-factor authentication (2FA) and not duplicate OS credentials when authenticating users before system boot. Commercial add-on products must be investigated and tested for coupling with FileVault 2 to achieve MFA/2FA.
Since recovery keys are essentially passwords that the system generates for the user, the user will need to find a way to secure the recovery key for later retrieval if necessary. Successful implementation of FileVault 2 relies on impeccable password protection. VA must consistently conduct awareness programs emphasizing techniques to store/escrow passwords and recovery keys.
Thoroughly test centralized management and configuration third-party add-on pairings that must be used to scale FileVault 2 implementation from its intended personal use to an enterprise solution.
Care must be exercised to use the latest version of FileVault 2 and not to inadvertently implement Legacy FileVault by mistake. FileVault 2 must remain patched and operated in accordance with Federal and Department security and privacy policies and guidelines. | | [8] | Use of this technology is only permitted when deployed using the organization`s gold image and managed by the Mac standardization project.
macOS 10.14.X Mojave is in evaluation while the baseline is developed and is only available for use as part of a pilot or production test as approved by Solution Delivery Endpoint Engineering.
Per the Initial Product Review, users must abide by the following constraints:
- When establishing a password for the FileVault 2, ensure that all of the VA password requirements are met with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least 8 non-blank characters. They must contain characters from three (3) of the following (4) categories:
o English upper case characters
o English lower case characters
o Base-10 digits
o Non-alphanumeric special characters
- The lack of support for MFA and the reuse of OS authentication is a concern in FileVault 2. It is essential at VA to use two-factor authentication (2FA) and not duplicate OS credentials when authenticating users before system boot. Commercial add-on products must be investigated and tested for coupling with FileVault 2 to achieve MFA/2FA.
- Since recovery keys are essentially passwords that the system generates for the user, the user will need to find a way to secure the recovery key for later retrieval if necessary. Successful implementation of FileVault 2 relies on impeccable password protection. VA must consistently conduct awareness programs emphasizing techniques to store/escrow passwords and recovery keys.
- Thoroughly test centralized management and configuration third-party add-on pairings that must be used to scale FileVault 2 implementation from its intended personal use to an enterprise solution.
- Care must be exercised to use the latest version of FileVault 2 and not to inadvertently implement Legacy FileVault by mistake. FileVault 2 must remain patched and operated in accordance with Federal and Department security and privacy policies and guidelines.
| | [9] | Use of this technology is only permitted when deployed using the organization`s gold image and managed by the Mac standardization project.
Per the Initial Product Review, users must abide by the following constraints:
- When establishing a password for the FileVault 2, ensure that all of the VA password requirements are met with regard to length and complexity. VA Handbook 6500 Control IA-5: Authenticator Management sets a standard of at least 8 non-blank characters. They must contain characters from three (3) of the following (4) categories:
o English upper case characters
o English lower case characters
o Base-10 digits
o Non-alphanumeric special characters
- The lack of support for MFA and the reuse of OS authentication is a concern in FileVault 2. It is essential at VA to use two-factor authentication (2FA) and not duplicate OS credentials when authenticating users before system boot. Commercial add-on products must be investigated and tested for coupling with FileVault 2 to achieve MFA/2FA.
- Since recovery keys are essentially passwords that the system generates for the user, the user will need to find a way to secure the recovery key for later retrieval if necessary. Successful implementation of FileVault 2 relies on impeccable password protection. VA must consistently conduct awareness programs emphasizing techniques to store/escrow passwords and recovery keys.
- Thoroughly test centralized management and configuration third-party add-on pairings that must be used to scale FileVault 2 implementation from its intended personal use to an enterprise solution.
- Care must be exercised to use the latest version of FileVault 2 and not to inadvertently implement Legacy FileVault by mistake. FileVault 2 must remain patched and operated in accordance with Federal and Department security and privacy policies and guidelines.
| | [10] | Use of this technology is only permitted when deployed using the organization`s gold image and managed by the Mac standardization project.
| | [11] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500. | | [12] | Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities. | | [13] | This technology has received one or more VA security bulletins that provide specific guidance on vulnerability patching and mitigation. It is the responsibility of VA system owners to ensure that the appropriate mitigations are taken to address all known and future discovered vulnerabilities with this product. See the Reference tab for more information on security bulletins related to this product. | | [14] | Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information System Security Officer) to ensure compliance with VA Handbook 6500. | | [15] | Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISSO (Information System Security Officer) can provide assistance in reviewing the NIST vulnerabilities. |
|
Note: |
At the time of writing, version 12.5.1 is the most current version and was released 08/17/2022. Additionally, at the time of writing, version 12.x is the latest baselined version and was released 10/25/2021. The current baselined versions are 11.x, 10.13.x, 10.14.x, and 12.x. |