Rule File Layout

A rule file defines a single security control. Each rule is written in YAML and must follow the structure below.

Required Fields

mSCP 2.0 (Beta)
mSCP 1.0

Field	Description
`id`	Unique identifier matching the filename (without `.yaml`)
`title`	Human-readable title for the rule
`discussion`	Description of the rule’s intent and context
`references`	Nested mappings to frameworks organized by source (`nist`, `disa`, `cis`)
`platforms`	Per-OS, per-version enforcement info (check, fix, result, benchmarks)
`tags`	Keywords for categorizing and filtering rules

Field	Description
`id`	Unique identifier matching the filename (without `.yaml`)
`title`	Human-readable title for the rule
`discussion`	Description of the rule’s intent and context
`check`	Shell command or script to validate compliance
`result`	Expected result from the check
`fix`	Remediation steps or configuration to enforce the rule
`tags`	Keywords for categorizing and filtering rules

Field	Description
`odv`	Organization Defined Values with hint and defaults
`severity`	Severity level (low, medium, high)
`mobileconfig`	Set to `true` if enforceable via configuration profile
`mobileconfig_info`	Configuration profile payload (required if `mobileconfig` is true)
`ddm_info`	DDM configuration declaration

Field	Description
`references`	Mappings to CCEs, security frameworks, and controls
`macOS`	macOS versions this rule is validated for
`odv`	Organization Defined Values with hint and defaults
`severity`	Severity level (low, medium, high)
`mobileconfig`	Set to `true` if enforceable via configuration profile
`mobileconfig_info`	Configuration profile payload (required if `mobileconfig` is true)
`ddm_info`	DDM configuration declaration

References Structure

mSCP 2.0 (Beta)
mSCP 1.0

References are nested by source organization:

references:
  nist:
    cce:
      macos_26: [CCE-95164-0]
      macos_15: [CCE-94164-1]
    800-53r5: [AC-3, CM-5, SI-7]
    800-171r3: [03.01.02, 03.04.05]
  disa:
    disa_stig:
      macos_26: [APPL-26-002064]
      macos_15: [APPL-15-002064]
    srg: [SRG-OS-000480-GPOS-00227]
  cis:
    cis: {benchmark: [N/A], controls_v8: [N/A]}

References are flat key-value pairs:

Key	Framework
`cce`	Common Configuration Enumeration
`cci`	Control Correlation Identifier
`800-53r5`	NIST SP 800-53 Rev 5
`800-171r3`	NIST SP 800-171 Rev 3
`srg`	Security Requirements Guide
`disa_stig`	DISA STIG identifiers
`cis`	CIS Benchmarks and Controls
`cmmc`	CMMC level mappings

Example Rule File

mSCP 2.0 (Beta)
mSCP 1.0

id: os_authenticated_root_enable
title: Enable Authenticated Root
discussion: |
  Authenticated Root _MUST_ be enabled.

  When Authenticated Root is enabled the macOS is booted from a
  signed volume that is cryptographically protected to prevent
  tampering with the system volume.
references:
  nist:
    cce:
      macos_26: [CCE-95164-0]
      macos_15: [CCE-94164-1]
      macos_14: [CCE-92764-0]
    800-53r5: [AC-3, CM-5, SC-34, SI-7]
    800-171r3: [03.01.02, 03.04.05]
  disa:
    disa_stig:
      macos_26: [APPL-26-002064]
      macos_15: [APPL-15-002064]
      macos_14: [APPL-14-002064]
tags:
  - 800-53r5_moderate
  - 800-53r5_high
  - cisv8
  - cnssi-1253_moderate
platforms:
  macOS:
    '26.0':
      benchmarks:
        - name: cis_lvl1
        - name: cis_lvl2
        - name: disa_stig
          severity: medium
      enforcement_info:
        check:
          shell: >
            /usr/libexec/mdmclient QuerySecurityInfo 2>/dev/null |
            /usr/bin/grep -c "AuthenticatedRootVolumeEnabled = 1;"
          result:
            integer: 1
    '15.0':
      benchmarks:
        - name: cis_lvl1
        - name: cis_lvl2
        - name: disa_stig
          severity: medium
      enforcement_info:
        check:
          shell: >
            /usr/bin/csrutil authenticated-root |
            /usr/bin/grep -c 'enabled'
          result:
            integer: 1
mobileconfig: false

id: system_settings_bluetooth_disable
title: Disable Bluetooth When no Approved Device is Connected
discussion: |
  The macOS system _MUST_ be configured to disable Bluetooth unless
  there is an approved device connected.
check: |
  /usr/bin/osascript -l JavaScript << EOS
  $.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCXBluetooth')\
  .objectForKey('DisableBluetooth').js
  EOS
result:
  string: 'true'
fix: |
  This is implemented by a Configuration Profile.
references:
  cce:
    - CCE-94352-2
  800-53r5:
    - AC-18
    - SC-8
  disa_stig:
    - APPL-15-002062
macOS:
  - '15.0'
tags:
  - 800-53r5_moderate
  - 800-53r5_high
  - stig
severity: high
mobileconfig: true
mobileconfig_info:
  com.apple.ManagedClient.preferences:
    com.apple.MCXBluetooth:
      DisableBluetooth: true

Next Steps

Sections File Layout — Understand section YAML structure
Customize Rules — Create custom rules