Apple Inc.

Apple FIPS Cryptographic Module, v1.0
FIPS 140-2 Non-Proprietary Security Policy

Document Control Number APPLEFIPS_SECPOL_002.7
Version 2.7
February, 2011

Prepared by:
Shawn Geddis
Apple Inc.
11921 Freedom Drive, Suite 600
Reston, VA 20190
Phone: (703) 264-5103
Fax: (703) 264-5157
www.apple.com

APPLEFIPS_SECPOL_002.7 © Copyright 2011 Page 1

Table of Contents

Section 1  FIPS Security Level Overview ................ 3
Section 2  Executive Summary ........................... 3
  2.1  Overview ........................................ 3
  2.2  Introduction .................................... 4
Section 3  Apple FIPS Cryptographic Module ............. 5
  3.1  Overview ........................................ 5
  3.2  Cryptographic Module Specification .............. 9
  3.3  Modes of Operation .............................. 10
  3.4  Cryptographic Module Ports and Interfaces ....... 11
  3.5  Roles, Services, and Authentication ............. 12
       3.5.1  Roles .................................... 12
       3.5.2  Services ................................. 12
       3.5.3  Authentication ........................... 13
  3.6  Physical Security ............................... 13
  3.7  Operational Environment ......................... 13
  3.8  Cryptographic Key Management .................... 13
       3.8.1  Key Generation ........................... 14
       3.8.2  Key Establishment ........................ 14
       3.8.3  Key Entry and Output ..................... 14
       3.8.4  Key Storage .............................. 14
       3.8.5  Key Zeroization .......................... 14
       3.8.6  List of Keys and CSP ..................... 15
  3.9  EMI/EMC ......................................... 15
  3.10 Self-Tests ...................................... 16
  3.11 Design Assurance ................................ 17
  3.12 Mitigation of Other Attacks ..................... 17
Section 4  Secure Operation ............................ 18
  4.1  Security Functions .............................. 18
  4.2  Crypto Officer Guidance ......................... 20
  4.3  User Guidance ................................... 20
Section 5  Glossary and References ..................... 21
  5.1  Glossary ........................................ 21
  5.2  References ...................................... 22

Section 1  FIPS Security Level Overview

FIPS Section                              | Level
------------------------------------------|------
Cryptographic Module Specification        | 1
Cryptographic Module Ports and Interfaces | 1
Roles, Services, and Authentication       | 1
Finite State Model                        | 1
Physical Security                         | N/A
Operational Environment                   | 1
Cryptographic Key Management              | 1
EMI/EMC                                   | 1
Self-Tests                                | 1
Design Assurance                          | 1
Mitigation of Other Attacks               | N/A

Table 1  FIPS Security Level Overview

Section 2  Executive Summary

Section 2.1  Overview

This document is the non-proprietary security policy supporting the Apple FIPS Cryptographic Module, v1.0. This document may be reproduced only in its original entirety, without revision.

This security policy describes the module and how it meets the security requirements of FIPS 140-2. It also provides a specification of the FIPS 140-2 security rules under which the module operates. This document was prepared as part of the FIPS 140-2 Level 1 validation of the module.

With the exception of this non-proprietary security policy and the Role Guide: Crypto Officer and Role Guide: User documentation, all other FIPS 140-2 Validation Submission Documentation is proprietary to Apple Inc. and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Apple Inc.

Section 2.2  Introduction

The Level 1 Apple FIPS Cryptographic Module, v1.0 is used within Apple Mac OS X v10.6. It consists of the Apple Cryptographic Service Provider (AppleCSP), the module’s PRNG, and the FIPSPerformSelfTest helper application.
The module provides cryptographic services for Apple Mac OS X.

Section 3  Apple FIPS Cryptographic Module

Section 3.1  Overview

Mac OS X security services are built on two open-source standards: BSD (Berkeley Software Distribution) and CDSA (Common Data Security Architecture). BSD is a form of the UNIX operating system and provides fundamental services, such as the basis for the Mac OS X file system, including file access permissions. CDSA provides a much wider array of security services, including finer-grained access permissions, authentication of users’ identities, encryption, and secure data storage.

Although CDSA has its own standard application programming interface (API), it is complex and does not follow standard Macintosh programming conventions. Therefore, Mac OS X includes its own security APIs that call the CDSA API. The Mac OS X security architecture is layered, with BSD on the bottom, CDSA in the middle, Mac OS X security APIs above that, and applications[1] that call the security services at the top. Figure 1 below illustrates this architecture.

[Figure 1  Mac OS X Security Architecture Overview]

[1] Apple applications include Keychain Access, FileVault, Finder, and Safari.

CDSA is an Open Source security architecture adopted as a technical standard by the Open Group. Apple has developed its own Open Source implementation of CDSA. The core of CDSA is CSSM (Common Security Services Manager), a set of Open Source code modules that implement a public API called the CSSM API. CSSM provides APIs for cryptographic services (such as creation of cryptographic keys, encryption and decryption of data), certificate services (such as creation of digital certificates, reading and evaluation of digital certificates), secure storage of data, and other security services. CSSM also defines an interface for plug-ins that implement security services for a particular operating system and hardware environment. The implementation on a given platform can optionally supply a middleware layer that provides an operating-system-specific API for applications. Whether such a layer is present or not, applications can call the CSSM API directly.

Mac OS X implements nearly all the standard features of CSSM, plus a set of middleware security services to provide a Mac OS X-standard interface for application programmers. In addition, to enhance the security of the most sensitive operations, the Mac OS X implementation runs a Security Server daemon as a separate process. The Security Server daemon launches another process, the Security Agent, which serves as the user interface for the Security Server.

The CDSA standard defines a four-layer architecture, with the top layer being the applications that use the CDSA security features. Figure 2 below illustrates the Mac OS X implementation of CDSA and shows the first three layers: the CDSA plug-ins, CSSM, and the Mac OS X APIs, which constitute the middleware layer. The Authorization Services, the Security Server daemon, and the Security Agent shown in the figure are technically outside of CDSA, but they are shown here for completeness because they constitute an integral part of the Mac OS X security architecture.

[Figure 2  Mac OS X Implementation of CDSA; the AppleCSP is one of the CDSA plug-ins shown]

Security contexts in Figure 2 are data structures used by CSSM to assist applications in managing the many parameters used in security operations. The CSSM managers implement the standard CSSM API. The CDSA plug-ins shown in Figure 2 are those provided as part of Mac OS X. The CDSA specification allows any number of plug-ins. As long as a plug-in follows the rules for interfacing with the CSSM managers, it can implement any portion of the CDSA feature set, including a combination of features associated with two or more of the CSSM managers. The CDSA specification even allows for the expansion of CDSA by the addition of elective module managers and associated plug-ins. Plug-ins can call each other as well as being called by the CSSM managers and, in fact, it is common for them to do so.

All secure communications and authentication protocols are based on keys and encryption provided by the AppleCSP.

Section 3.2  Cryptographic Module Specification

The logical cryptographic boundary of Apple FIPS Cryptographic Module, v1.0 (“Module library”) is the shared object library itself. The logical cryptographic boundary consists of the Apple Cryptographic Service Provider (AppleCSP), the module’s PRNG, and the FIPSPerformSelfTest helper application. The AppleCSP is a basic plug-in module that works together with the helper application. The PRNG is used in generating the module’s keys. The FIPSPerformSelfTest file performs the FIPS-required power-on self-tests for the AppleCSP. The physical cryptographic boundary of the Module library is the enclosure of the computer system on which the module is running.

Figure 3 below shows the cryptographic boundary of the module. The logical boundary is indicated by the red dotted line while the physical boundary is indicated by the black dotted line. The Power On Self Test block within the diagram represents the FIPSPerformSelfTest file, the PRNG block represents the module’s PRNG, and the CSP Module block within the diagram represents the AppleCSP.

[Figure 3  Cryptographic Module Boundary]

Section 3.3  Modes of Operation

The module has two modes of operation: Approved mode and Non-approved mode. The module runs in the Approved mode by default. When the module uses an internally generated RSA key pair for signature generation and verification or for RSA key wrapping, or uses any of the non-allowed algorithms listed in Table 6, the module is considered to be running in the Non-approved mode.

The installation of the Apple FIPS Cryptographic Module by the Crypto Officer involves four steps; more information about these steps can be found in the “Role Guide: Crypto Officer” document:

1. Obtaining the FIPS Administration Tools installer
2. Installing the FIPS Administration Tools
3. Verifying the FIPS Administration Tools were successfully installed
4. Verifying the integrity of the FIPS Administration Tools

The User can also verify the Apple FIPS Cryptographic Module status by running the FIPSPerformSelfTest status command in the Terminal application. More information on the User verification of the Apple FIPS Cryptographic Module can be found in the “Role Guide: User” documentation.

Section 3.4  Cryptographic Module Ports and Interfaces

The cryptographic module is a software module. This module was tested on the 15-inch MacBook Pro laptop computer platform. The platform for the module provides a number of physical ports and logical interfaces. The platform’s physical ports correspond to the ports of the laptop computer that executes the module. They include a 15.4 inch display, power button, power adaptor port, rechargeable battery pack, two USB 2.0 ports, audio line in/optical digital audio input, headphone/optical digital audio output, two AirPort Extreme/Bluetooth wireless antennas, ExpressCard/34 slot, FireWire 400 port, FireWire 800 port, Gigabit Ethernet, DVI port, SuperDrive optical drive, keyboard, trackpad, speaker, microphone, iSight video camera and LEDs.

The module implements the required FIPS 140-2 logical interfaces through application programming interface (API) calls as shown in the following table.

FIPS 140-2 Logical Interface | Module Physical Ports | Module Logical Interfaces
-----------------------------|-----------------------|--------------------------
Data Input    | USB, audio line in/optical digital audio input, wireless antennas, ExpressCard/34, FireWire, Ethernet, SuperDrive, microphone, iSight video camera | Data passed to the API calls to be used by the Module
Data Output   | Display, USB, headphone/optical digital audio output, wireless antennas, ExpressCard/34, FireWire, Ethernet, DVI, SuperDrive, speaker | Data returned from API calls, generated by the Module
Control Input | USB, wireless antennas, ExpressCard/34, FireWire, Ethernet, SuperDrive, trackpad, keyboard | Exported API calls
Status Output | Display, USB, wireless antennas, ExpressCard/34, FireWire, Ethernet, SuperDrive, DVI, LEDs | Returned status information and return codes provided by API function calls after execution
Power         | Power button, power adaptor port, battery pack | N/A

Table 2  Mapping of Ports and Interfaces

Section 3.5  Roles, Services, and Authentication

Section 3.5.1  Roles

The Apple cryptographic module supports two authorized roles: User and Crypto Officer. The User can request access to the module in order to use its cryptographic services. The Crypto Officer can request access to install or remove the module as well as perform power-on self-tests and check the status of the module.

Section 3.5.2  Services

Role           | Service                                                    | Critical Security Parameter (CSP) Access
---------------|------------------------------------------------------------|-----------------------------------------
User           | Show FIPS Enabled Status                                   | Read
User           | Show FIPSPerformSelfTest Version                           | Read
User           | AES secret key data encryption/decryption                  | Write, Execute
User           | Triple-DES secret key data encryption/decryption           | Write, Execute
User           | RSA/DSA/ECDSA Signature generation and verification        | Write, Execute
User           | Diffie-Hellman public/private key agreement                | Write, Execute
User           | Elliptic Curve Diffie-Hellman public/private key agreement | Write, Execute
User           | Pseudo Random Number Generation (PRNG)                     | Write, Execute
User           | SHS Hashing                                                | Write, Execute
User           | HMAC SHA-1 Keyed Hashing                                   | Write, Execute
Crypto Officer | Installation                                               | Execute
Crypto Officer | Show FIPS Enabled Status                                   | Read
Crypto Officer | Show FIPSPerformSelfTest Version                           | Read
Crypto Officer | Perform Full FIPS Self Test                                | Execute
Crypto Officer | AES secret key data encryption/decryption                  | Write, Execute
Crypto Officer | Triple-DES secret key data encryption/decryption           | Write, Execute
Crypto Officer | RSA/DSA/ECDSA Signature generation and verification        | Write, Execute
Crypto Officer | Diffie-Hellman public/private key agreement                | Write, Execute
Crypto Officer | Elliptic Curve Diffie-Hellman public/private key agreement | Write, Execute
Crypto Officer | Pseudo Random Number Generation (PRNG)                     | Write, Execute
Crypto Officer | SHS Hashing                                                | Write, Execute
Crypto Officer | HMAC SHA-1 Keyed Hashing                                   | Write, Execute

Table 3  Roles and Services

Section 3.5.3  Authentication

Within the constraints of FIPS 140-2 Level 1, the module does not implement an authentication mechanism for operator authentication. The module relies upon the operating system, which lies outside the logical boundary, for operator authentication.

Section 3.6  Physical Security

Physical Security is not required for the software module. The FIPS software was tested on a 15-inch MacBook Pro laptop computer with an Intel microprocessor running at a clock speed of 2.33 GHz. The computer is made from production grade components and includes a lightweight aluminum alloy production grade enclosure.

Section 3.7  Operational Environment

The software module runs on Apple Mac OS X 10.6 in single operator mode of operation. When the Mac operating system loads the module into memory, the FIPSPerformSelfTest runs code signing (RSA Signature) validations on all components of the module, with the exception of the PRNG, which is validated with HMAC-SHA1; together these checks ensure a full cryptographic verification of the module. Loading will only continue if the module passes these checks. A number of other self-tests are also run at this time. The complete list of self-tests is given in Section 3.10.

Section 3.8  Cryptographic Key Management

The module provides the capability to use cryptographic keys with several algorithms. The implemented FIPS-approved algorithms include AES, Triple-DES, RSA/DSA/ECDSA, SHA-1/224/256/384/512, HMAC SHA-1, and the FIPS 186-2 PRNG.

Section 3.8.1  Key Generation

This module implements the FIPS Approved FIPS 186-2 PRNG to generate keys.

Section 3.8.2  Key Establishment

The module uses Diffie-Hellman and Elliptic Curve Diffie-Hellman key agreement for key establishment. Methodologies providing a minimum of 80 bits of encryption strength are allowed in the FIPS mode of operation. Encryption strength is determined in accordance with FIPS 140-2 Implementation Guidance 7.5 and NIST Special Publication 800-57 (Part 1).

Section 3.8.3  Key Entry and Output

All keys are imported from, or output to, the invoking program running on the same computer. All keys entered into the module are electronically entered in plaintext form. Keys are output from the module in plaintext form.
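As an added worked example for the key-establishment rule of Section 3.8.2 and the Approved-mode conditions of Section 3.3 (this is not code from Apple’s module), the following Python encodes the decision of whether a requested key-agreement or RSA operation keeps the module in the Approved mode. The SP 800-57 Part 1 strength table and the rule of rounding in-between key sizes down to the nearest tabulated size are this example’s assumptions; the service names are labels chosen here, not the module’s API.

```python
"""Approved-mode gate for key establishment and RSA use (Sections 3.3, 3.8.2, 4.3).
Added example, not Apple's module or AppleCSP code. Strength figures follow
NIST SP 800-57 Part 1 Table 2, the reference this policy names; the rules for
which requests leave the Approved mode are the ones stated in this document."""
from typing import Tuple

# SP 800-57 Part 1: comparable security strength by key size.
# FFC (Diffie-Hellman modulus p) and IFC (RSA modulus n) share one column.
FFC_IFC_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
# ECC, by curve order in bits (P-192 -> 192, P-521 -> 521).
ECC_STRENGTH = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]
# Table 6 functions that never run in the Approved mode, whatever the parameters.
NON_APPROVED = {"DES", "Blowfish", "CAST", "ASC", "RC2", "RC4", "RC5",
                "FEE", "MD2", "MD5", "HMAC MD5"}


def security_strength(family: str, key_bits: int) -> int:
    """Strength in bits for a key size. Sizes between table rows are rated at the
    largest row not exceeding them (assumption: round down, never up); 0 means
    the size is below the smallest tabulated row."""
    table = ECC_STRENGTH if family == "ECC" else FFC_IFC_STRENGTH
    strength = 0
    for size, bits in table:
        if key_bits >= size:
            strength = bits
    return strength


def approved_mode_decision(service: str, key_bits: int = 0,
                           internally_generated_rsa: bool = False) -> Tuple[bool, str]:
    """Return (stays_in_approved_mode, reason) for one requested operation.

    - DH / EC DH key agreement needs at least 80 bits of strength (Section 3.8.2).
    - RSA signature or key wrapping with an internally generated RSA key pair puts
      the module in the Non-approved mode (Section 3.3, Table 4 Note 1).
    - RSA with an externally supplied key pair needs at least 80 bits of strength.
    - Table 6 functions are Non-approved; unknown services are refused (fail closed).
    """
    if service in NON_APPROVED:
        return False, f"{service} is a Table 6 non-approved function"
    if service in ("Diffie-Hellman", "EC Diffie-Hellman"):
        family = "ECC" if service.startswith("EC") else "FFC"
        bits = security_strength(family, key_bits)
        if bits < 80:
            return False, (f"{service} with a {key_bits}-bit key gives {bits} bits "
                           "of strength; below the 80-bit minimum")
        return True, f"{service} provides {bits} bits of encryption strength"
    if service in ("RSA signature", "RSA key wrapping"):
        if internally_generated_rsa:
            return False, (f"internally generated RSA key pair used for {service}: "
                           "the module is in the Non-approved mode")
        bits = security_strength("IFC", key_bits)
        if bits < 80:
            return False, f"{service} with a {key_bits}-bit modulus gives {bits} bits; non-compliant"
        return True, f"{service} with a {key_bits}-bit modulus provides {bits} bits of strength"
    return False, f"{service} is not covered by this policy; refused"


if __name__ == "__main__":
    for request in [("Diffie-Hellman", 2048), ("Diffie-Hellman", 512),
                    ("EC Diffie-Hellman", 192), ("RSA key wrapping", 4096),
                    ("RSA key wrapping", 2048, True), ("MD5",)]:
        allowed, reason = approved_mode_decision(*request)
        print("APPROVED    " if allowed else "NON-APPROVED", reason)
```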
Section 3.8.4  Key Storage

Keys stored in memory are stored in plaintext.

Section 3.8.5  Key Zeroization

All keys can be zeroized by overwriting them, deleting them, or by rebooting the computer.

Section 3.8.6  List of Keys and CSP

CSPs | CSP type | Generation | Storage | Use
-----|----------|------------|---------|----
AES keys | Symmetric secret keys | Internal via FIPS 186-2 PRNG | Plaintext (Note 2) | Data encryption/decryption
Triple-DES keys | Symmetric secret keys | Internal via FIPS 186-2 PRNG | Plaintext (Note 2) | Data encryption/decryption
RSA/DSA/ECDSA Key Pairs | Asymmetric private and public key pairs | Internal via FIPS 186-2 PRNG | Plaintext (Note 2) | Signing and Verification
Diffie-Hellman and Elliptic Curve Diffie-Hellman key pairs | Diffie-Hellman and Elliptic Curve Diffie-Hellman private and public key pairs | Internal via FIPS 186-2 PRNG | Plaintext (Note 2) | Key agreement
RSA Key Pair (Note 1) | Key wrapping key | Internal via FIPS 186-2 PRNG | Plaintext (Note 2) | Key wrapping
HMAC key | Triple-DES key | Internal via FIPS 186-2 PRNG | Plaintext (Note 2) | Message authentication
FIPS 186-2 PRNG seed keys | Secret key values | Internal, by gathering entropy | Plaintext (Note 2) | Pseudo-random number generator for keys

Note 1: Internally generated RSA keys must never be used in a FIPS Approved mode of operation for signature generation and verification and for RSA key wrapping.
Note 2: Keys stored in memory are stored in plaintext.

Table 4  List of Keys and CSP

Section 3.9  EMI/EMC

The module is designed to meet security level 1 requirements for EMI/EMC. The module was tested and found compliant with requirements for a Class B digital device.

Section 3.10  Self-Tests

The module performs a set of self-tests to ensure proper operation in compliance with FIPS 140-2. These self-tests are run during power-on (power-on self-tests) or when certain conditions are met (conditional self-tests). Self-tests are performed for the approved security functions and algorithms as required.

Power-On Self-Tests
- Software Integrity Test (RSA and HMAC-SHA1)
- RNG KAT
- AES KAT
- Triple-DES KAT
- RSA SHA-1 KAT
- RSA SHA-224 KAT
- RSA SHA-256 KAT
- RSA SHA-384 KAT
- RSA SHA-512 KAT
- DSA Pairwise Consistency Test (DSA Key GEN/DSA SIG GEN/DSA SIG VER)
- ECDSA Pairwise Consistency Test (ECDSA KEYGEN/ECDSA SIG GEN/ECDSA SIG VER)
- SHA-1 KAT
- SHA-224 KAT
- SHA-256 KAT
- SHA-384 KAT
- SHA-512 KAT
- HMAC SHA-1 KAT

Conditional Self-Tests
- CRNG Tests

Section 3.11  Design Assurance

Apple manages and records source code and associated documentation files. Apple implements a system for document and source code management compliant with FIPS 140-2 Level 1 security. The Apple module hardware data, which includes descriptions, parts data, part types, bills of materials, manufacturers, changes, history, and hardware documentation, is managed and recorded. Additionally, configuration management is provided for the module’s FIPS documentation. Document management utilities provide access control, versioning, and logging.

Section 3.12  Mitigation of Other Attacks

The module does not use other security mechanisms to mitigate specific attacks.

Section 4  Secure Operation

Section 4.1  Security Functions

The module meets Level 1 requirements for FIPS 140-2. The Apple cryptographic module supports the following approved and non-approved security functions.

Service | Algorithm | Standard | Mode/Key Size/Description | Certificate Number
--------|-----------|----------|---------------------------|-------------------
Asymmetric Key | RSA | PKCS#1 v1.5 | PKCS#1 v1.5: SigGen; SigVer; 1024, 1536, 2048, 3072, 4096; SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 | 681
Asymmetric Key | ECDSA | ANSI X9.62 | KeyGen; SigGen; SigVer: Curves (P-192 P-256 P-384 P-521) | 176
Asymmetric Key | DSA | FIPS 186-2 | FIPS186-2: KeyGen Mod(1024); SigGen Mod(1024); SigVer Mod(1024) | 453
Symmetric Key | AES | FIPS 197 | ECB(e/d; 128,192,256); CBC(e/d; 128,192,256) | 1400
Symmetric Key | Triple-DES | FIPS 46-3, SP 800-67 | TECB(e/d; KO 1,2); TCBC(e/d; KO 1,2) | 955
PRNGs | FIPS186-2 PRNG | FIPS 186-2 | FIPS 186-2: x-Original; SHA-1 | 767
Hashes | SHA-1 | FIPS 180-2 | Byte-oriented hashing | 1271
Hashes | SHA-224 | FIPS 180-2 | Byte-oriented hashing | 1271
Hashes | SHA-256 | FIPS 180-2 | Byte-oriented hashing | 1271
Hashes | SHA-384 | FIPS 180-2 | Byte-oriented hashing | 1271
Hashes | SHA-512 | FIPS 180-2 | Byte-oriented hashing | 1271
Keyed-Hashes | HMAC SHA-1 | FIPS 198 | | 823

Table 5  Approved FIPS 140-2 Security Functions

Service | Algorithm | Standard | Mode of Operation
--------|-----------|----------|------------------
Ciphers | DES | | ECB, CBC
Ciphers | Blowfish | | ECB, CBC
Ciphers | CAST | | ECB, CBC
Ciphers | ASC | |
Ciphers | RC2 | | ECB, CBC
Ciphers | RC4 | | ECB, CBC
Ciphers | RC5 | | ECB, CBC
Asymmetric Key | RSA Encrypt/Decrypt | | RSA (key wrapping; key establishment methodology provides between 80 and 128 bits of encryption strength; non-compliant less than 80 bits of encryption strength)
Asymmetric Key | RSA Key Generation | PKCS#1 | RSA (key generation)
Asymmetric Key | Diffie-Hellman | ANSI X9.42 | Diffie-Hellman (key agreement; key establishment methodology provides 80 or 112 bits of encryption strength; non-compliant less than 80 bits of encryption strength)
Asymmetric Key | Elliptic Curve Diffie-Hellman | ANSI X9.63 | EC Diffie-Hellman (key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength)
Asymmetric Key | FEE | |
Hashes | MD2 | |
Hashes | MD5 | |
Keyed-Hashes | HMAC MD5 | |

Table 6  Non-Approved FIPS 140-2 Security Functions

Section 4.2  Crypto Officer Guidance

The Crypto Officer must operate the module in a manner consistent with the guidance provided within the “Role Guide: Crypto Officer” document. The secure operation procedures include the initial setup, configuring the module in a FIPS compliant manner, and keeping the module in a FIPS-approved mode of operation.

Section 4.3  User Guidance

The User must operate the module in a manner consistent with the guidance provided within the “Role Guide: User” document to make sure that only approved security functions are allowed in the FIPS approved mode of operation. Only the services listed in Table 3 should be used if a FIPS approved mode of operation is to be maintained. All security functions listed in Table 5 can be used in the FIPS approved mode of operation. Although outside the boundary of the module, the User should be careful not to provide cryptographic keys or other critical security parameters (CSPs) to unauthorized parties.

In addition to the security functions listed in Table 5, both Diffie-Hellman and Elliptic Curve Diffie-Hellman for key agreement, listed in Table 6, are also allowed in the FIPS approved mode of operation. No other non-approved security function should be used. Key establishment methodologies provide a minimum of 80 bits of encryption strength. Encryption strength is determined in accordance with FIPS 140-2 Implementation Guidance 7.5 and NIST Special Publication 800-57 (Part 1).

The User can verify the Apple FIPS Cryptographic Module status by running the FIPSPerformSelfTest status command in the Terminal application. The User can verify the Apple FIPS Cryptographic Module version by running the FIPSPerformSelfTest version command in the Terminal application. More information can be found in the “Role Guide: User” documentation.

Section 5  Glossary and References

Section 5.1  Glossary

API   Application Programming Interface
BSD   Berkeley Software Distribution
CBC   Cipher Block Chaining
CDSA  Common Data Security Architecture
CMVP  Cryptographic Module Validation Program
CRC   Cyclical Redundancy Check
CSP   Critical Security Parameter
CSSM  Common Security Services Manager
EDC   Error Detection Code
EMC   Electromagnetic Compatibility
EMI   Electromagnetic Interference
FCC   Federal Communications Commission
FIPS  Federal Information Processing Standard
KAT   Known Answer Test
LED   Light Emitting Diode
MAC   Message Authentication Code
NIST  National Institute of Standards and Technology
PRNG  Pseudo Random Number Generator
RAM   Random Access Memory
SHA   Secure Hash Algorithm

Section 5.2  References

This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available about the module and Apple Mac OS X on the Apple Web site at http://www.apple.com/macosx/security/. To get the latest updates on Apple’s security services and for pointers to other Apple security resources, go to the ADC technology page for security at http://developer.apple.com/security/.

CDSA, implemented as part of the Mac OS X security architecture, is an Open Source standard by the Open Group (http://www.opengroup.org/security/cdsa.htm). For an introduction to CDSA, see CDSA Explained, second edition, from the Open Group. The CDSA/CSSM technical standard is Common Security: CDSA and CSSM, version 2 (with corrigenda), also from the Open Group.

Information on the full line of products from Apple can be found at http://www.apple.com/mac.

Information on FIPS 140-2 validations and the Cryptographic Module Validation Program can be found at http://csrc.nist.gov/groups/STM/cmvp/. The website also contains contact information for answers to technical or sales-related questions regarding the Cryptographic Module Validation Program.
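The power-on and conditional self-tests listed in Section 3.10 are illustrated by the following added Python harness, which is not Apple’s FIPSPerformSelfTest code: it runs SHA and HMAC known-answer tests against public vectors, the HMAC-SHA1 software integrity test over a module image, and the FIPS 140-2 continuous RNG test, and shows the module falling into an error state that refuses output once any test fails. The module image, integrity key and RNG sources are constructed for the demonstration; the RSA, AES and Triple-DES tests of Section 3.10 are left out because they need libraries outside the Python standard library.

```python
"""Self-test harness in the shape of Section 3.10: power-on KATs, the HMAC-SHA1
software integrity test, and the conditional continuous RNG (CRNG) test.
Added example, not Apple's FIPSPerformSelfTest code. The image, key and RNG
sources are constructed; the KATs use public FIPS 180-2 and RFC 2202 vectors."""
import hashlib
import hmac
import itertools
from typing import Callable, List, Optional


class SelfTestError(Exception):
    """A self-test failed; the module enters the error state and stops output."""


# Known-answer tests: name -> (digest function, message, expected hex digest).
HASH_KATS = {
    "SHA-1 KAT": (hashlib.sha1, b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "SHA-256 KAT": (hashlib.sha256, b"abc",
                    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
}
# HMAC SHA-1 KAT, RFC 2202 test case 1: the key is 20 bytes of 0x0b.
HMAC_KAT = (b"\x0b" * 20, b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00")

# Constructed stand-ins for the HMAC-protected component (the PRNG here) and the
# HMAC key of Table 4; the reference tag is computed at build time and shipped.
MODULE_IMAGE = b"constructed stand-in for the module's PRNG component bytes"
INTEGRITY_KEY = b"constructed-hmac-key-not-a-real-secret"
REFERENCE_TAG = hmac.new(INTEGRITY_KEY, MODULE_IMAGE, hashlib.sha1).hexdigest()


def software_integrity_test(image: bytes, key: bytes, reference_tag: str) -> None:
    """Recompute HMAC-SHA1 over the loaded image and compare in constant time."""
    tag = hmac.new(key, image, hashlib.sha1).hexdigest()
    if not hmac.compare_digest(tag, reference_tag):
        raise SelfTestError("Software Integrity Test (HMAC-SHA1) failed")


def run_known_answer_tests() -> List[str]:
    """Run every KAT in order; return the names passed, raise on the first mismatch."""
    passed = []
    for name, (digest, message, expected) in HASH_KATS.items():
        if digest(message).hexdigest() != expected:
            raise SelfTestError(f"{name} failed")
        passed.append(name)
    key, message, expected = HMAC_KAT
    if hmac.new(key, message, hashlib.sha1).hexdigest() != expected:
        raise SelfTestError("HMAC SHA-1 KAT failed")
    passed.append("HMAC SHA-1 KAT")
    return passed


class ContinuousRngTest:
    """FIPS 140-2 4.9.2 CRNG test: the first block after power-up is held back and
    never output; every later block must differ from the one before it."""

    def __init__(self, source: Callable[[], bytes]):
        self._source = source
        self._previous = source()

    def next_block(self) -> bytes:
        block = self._source()
        if block == self._previous:
            raise SelfTestError("CRNG Test failed: two identical output blocks")
        self._previous = block
        return block


class Module:
    """POWER_ON -> APPROVED when all power-on self-tests pass; -> ERROR on any
    failure, at power-on or later, after which no service returns output."""

    def __init__(self, image: bytes, key: bytes, reference_tag: str,
                 rng_source: Callable[[], bytes]):
        self.state, self.failure, self.passed = "POWER_ON", "", []
        try:
            software_integrity_test(image, key, reference_tag)
            self.passed.append("Software Integrity Test")
            self.passed += run_known_answer_tests()
            self._crng = ContinuousRngTest(rng_source)
            self.state = "APPROVED"
        except SelfTestError as err:
            self.failure, self.state = str(err), "ERROR"

    def random_block(self) -> Optional[bytes]:
        """PRNG service: output only in the APPROVED state and only past the CRNG test."""
        if self.state != "APPROVED":
            return None
        try:
            return self._crng.next_block()
        except SelfTestError as err:
            self.failure, self.state = str(err), "ERROR"
            return None


def counter_source() -> Callable[[], bytes]:
    """Constructed, deliberately non-random source whose 8-byte blocks never repeat."""
    counter = itertools.count()
    return lambda: next(counter).to_bytes(8, "big")


# Constructed faulty source that returns the same 8-byte block every time.
stuck_source = lambda: b"\x00" * 8  # noqa: E731
```

Instantiate `Module(MODULE_IMAGE, INTEGRITY_KEY, REFERENCE_TAG, counter_source())` to see the APPROVED state and the list of passed tests, and pass `stuck_source` instead to watch the first `random_block()` call move the module to ERROR.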