CISO2CISO.COM & CYBER SECURITY GROUP

Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP) – NIST Special Publication – NIST SP 800-219

Executive Summary
The National Institute of Standards and Technology (NIST) has traditionally published secure configuration guides for Apple desktop/laptop operating system versions as prose-based Special Publications (SPs), such as NIST SP 800-179, Revision 1, Guide to Securing Apple macOS 10.12 Systems for IT Professionals: A NIST Security Configuration Checklist. In order to provide security configuration guidance to organizations more quickly and in a machine-consumable format, NIST has established the open-source macOS Security Compliance Project (mSCP).
Instead of NIST producing a prose SP guidance document for each macOS release, the mSCP will continuously curate and update machine-consumable macOS guidance.
The mSCP seeks to simplify the macOS security development cycle by reducing the amount of effort required to implement security baselines. Security baselines are groups of settings used to configure a system to meet a target level or set of requirements or to verify that a system complies with requirements. The mSCP, a collaboration among federal agencies, minimizes duplicate effort that would otherwise be needed for these agencies to administer individual security baselines. Additionally, the secure baseline content provided is easily extensible by other parties to implement their own security requirements.

This document provides a high-level overview of the mSCP, its components, and some common use cases. Readers seeking more detailed information on mSCP content or the content itself should visit the mSCP GitHub page (https://github.com/usnistgov/macos_security) and wiki (https://github.com/usnistgov/macos_security/wiki).
Organizations using mSCP content, particularly security baseline examples, should take a risk-based approach for selecting the appropriate settings and defining values that consider the context under which the baseline will be utilized.
