No operating system is immune to threats, and a thorough endpoint security strategy accommodates the requirements for each one. Toward that end, the National Institute of Standards and Technology (NIST) has published the final version of its guidance on securing macOS endpoints.
NIST SP 800-219 provides system administrators, security professionals, security policy authors, information security officers, and auditors with resources to secure and assess macOS desktop and laptop system security in an automated way. NIST derived the guidance from the open source macOS Security Compliance Project (mSCP), born out of a collaboration between NIST, NASA, the Defense Information Systems Agency, and Los Alamos National Laboratory.
The goal of the mSCP is to simplify the macOS security development cycle by reducing the amount of effort required to implement security baselines, NIST says. The term "security baselines" refers to "groups of settings used to configure a system to meet a target level or set of requirements or to verify that a system complies with requirements." The project is intended to help IT and security staff create customized security baselines of technical security controls by leveraging a library of rules, with each rule mapped to requirements from security standards, regulations, or frameworks, according to the guidance document.
The mSCP provides scripts that can be used with baselines to create scripts and profiles for configuring macOS; generate a mapping between security standards, regulations, and frameworks; produce human-readable documentation in a variety of formats; customize existing baselines; and generate Security Content Automation Protocol (SCAP) content for use in automated security compliance scans.
Security baselines and associated rules for configuring and managing macOS endpoint devices can be found on mSCP’s GitHub page. Organizations should take a risk-based approach for selecting the appropriate settings and defining values that consider the context under which the baseline will be used, NIST says.
Make It Easier to Upgrade
Agencies and organizations typically delay deploying a new macOS release because they are waiting for guidance. The mSCP is intended to provide guidance on the security features in new operating system releases at the earliest availability. Instead of having to produce a new guidance document for each macOS release, NIST will focus on continually curating and updating the information in mSCP, giving organizations one consistent reference point.
"Generally, the technical security settings in macOS do not drastically change from release to release, with only a handful of new settings being introduced. By pursuing a rules-based approach, mSCP rules that remain applicable can be reused and incorporated into guidance for the latest macOS version. This enables quicker adoption of new security features that are not offered in prior versions of macOS," NIST says.