The National Institute of Standards and Technology (NIST) has published the final version of its guidance on securing macOS endpoints and assessing their security.
The guidance is derived from the macOS Security Compliance Project (mSCP), an open source effort aimed at creating customized security baselines to meet the cybersecurity needs of various organizations.
A collaboration between NIST, NASA, the Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL), the mSCP eliminates the need to issue new cybersecurity guidance for each macOS release, and instead curates the macOS guidance and keeps it up to date.
The newly released guidance, NIST says, is also meant to introduce the mSCP to broader audiences by offering an overview of the project and its components, and by providing details on common use cases.
“This document and the mSCP GitHub site are intended for system administrators, security professionals, policy authors, privacy officers, and auditors who have responsibilities involving macOS security. Additionally, vendors of device management, security, configuration assessment, and compliance tools that support macOS may find this document and the GitHub site to be helpful,” NIST says.
The project’s GitHub page provides secure baselines and associated rules that can be used as practical, actionable recommendations for properly configuring and managing macOS endpoint device security.
With Apple releasing new macOS versions each year, the mSCP is intended to be independent of new versions, but will be updated when substantial changes occur. Thus, organizations will be provided with consistency of content, as well as with accelerated guidance, courtesy of standardized macOS baseline efforts.
According to NIST, agencies and organizations typically “wait for guidance or accept risk before deploying the new macOS version” each year, and many create their own internal security configuration, which delays deployments. With mSCP at hand, organizations will be able to update sooner.
“Generally, the technical security settings in macOS do not drastically change from release to release, with only a handful of new settings being introduced. By pursuing a rules-based approach, mSCP rules that remain applicable can be reused and incorporated into guidance for the latest macOS version. This enables quicker adoption of new security features that are not offered in prior versions of macOS,” NIST says.
The mSCP content is meant to be used by government agencies and private organizations alike, with the provided security baselines either mapped to existing guidance or controls, or customized to meet specific needs. Furthermore, the content can be used for automated security compliance scans.