Introduction
The macOS Security Compliance Project is an open source initiative providing a programmatic approach to generating security guidance for macOS. This project enables the creation of customized security baselines by leveraging a comprehensive library of rules mapped to compliance requirements from established security guides, or for developing custom guidance.
By mapping security-enhancing rules to existing guides and policies, the project supports multiple security frameworks and regulated-industry policies from a single rule library. Documentation and QA are managed in one place, which simplifies and accelerates the annual update process.
Why This Project?
- Accelerate Adoption: Ensure guidance is available for new OS/hardware releases.
- Reduce Global Effort: Unify and consolidate compliance work into a single project.
- Foster Collaboration: Develop methodologies to reduce overhead and redundancy among baseline authors.
- Standardize Controls: Unify the approach to setting security controls.
- Inform Vendors: Provide MDM/EMM/security/audit vendors and Apple with insight into customer hardening needs.
Supported Publications
The project includes guidance from the following sources:
Government Publications
- NIST 800-53
  - FISMA High
  - FISMA Moderate
  - FISMA Low
- NIST 800-171
- DISA STIG
- CMMC 2.0
- CNSSI-1253
- indigo
  - indigo Base (iOS Only)
  - indigo High (iOS Only)
Non-Governmental Standards
Development Team
This project is a collaboration between federal IT Security staff and macOS Administrators, published by:
- National Institute of Standards and Technology (NIST)
- National Aeronautics and Space Administration (NASA)
- Defense Information Systems Agency (DISA)
- Los Alamos National Lab (LANL)
Objective
To develop an extensible, modern approach to security guidance usable by any organization (Government, Enterprise, Education) needing to adhere to security compliance frameworks and policy. Project outputs include scripts, documentation, and configuration profile payloads for use with modern management tools.
Audience
- System Administrators: Generate baseline documentation, configuration profile payloads, and scripts.
- Security Professionals: Review reporting of applied controls against guidance.
- Policy Authors: Map policy metadata to a library of verified controls to create or update baselines.
- MDM/EMM/Security/Compliance Tool Vendors: Support configuration, verification, and reporting of security guidance and controls in products using trusted source material.
- Privacy Officers: Verify that adequate privacy controls are enabled for their institution.
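The workflow this page describes (a library of rules carrying references to framework controls, selection of those rules into a baseline, and emission of a configuration profile payload that a management tool can deploy) is small enough to model end to end. The following Python is an added example written for this page; it is not the project's own generator, and its rule field names, sample rules, baseline names and identifier scheme are assumptions chosen for illustration. The preference domains and keys (com.apple.screensaver, com.apple.mobiledevice.passwordpolicy, com.apple.security.firewall, com.apple.SoftwareUpdate) and the NIST 800-53 and 800-171 control IDs are real; which rules a real baseline contains is not something this toy library claims.

```python
"""Toy model of rule library -> baseline -> configuration profile.
Added example for this page, not the macOS Security Compliance Project's code.
Rule field names, sample rules and the identifier scheme are assumptions."""
import plistlib
import uuid

# Constructed sample rule library. Each rule ties one macOS setting to the
# control IDs it satisfies in every framework it is mapped to.
RULES = [
    {
        "id": "os_screensaver_ask_for_password",
        "title": "Require a password to wake from the screen saver",
        "references": {"800-53r5": ["AC-11"], "800-171": ["3.1.10"]},
        "payload_type": "com.apple.screensaver",
        "settings": {"askForPassword": True, "askForPasswordDelay": 0},
    },
    {
        "id": "os_screensaver_idle_time",
        "title": "Start the screen saver after 15 minutes idle",
        "references": {"800-53r5": ["AC-11"], "800-171": ["3.1.10"]},
        "payload_type": "com.apple.screensaver",
        "settings": {"idleTime": 900},
    },
    {
        "id": "pwpolicy_minimum_length",
        "title": "Enforce a minimum passcode length of 15",
        "references": {"800-53r5": ["IA-5"], "800-171": ["3.5.7"]},
        "payload_type": "com.apple.mobiledevice.passwordpolicy",
        "settings": {"minLength": 15},
    },
    {
        "id": "os_firewall_enable",
        "title": "Enable the application firewall",
        "references": {"800-53r5": ["SC-7"], "800-171": ["3.13.1"]},
        "payload_type": "com.apple.security.firewall",
        "settings": {"EnableFirewall": True},
    },
    {   # Mapped only to 800-53 in this sample, so an 800-171 baseline omits it.
        "id": "os_software_update_check",
        "title": "Check for software updates automatically",
        "references": {"800-53r5": ["SI-2"]},
        "payload_type": "com.apple.SoftwareUpdate",
        "settings": {"AutomaticCheckEnabled": True},
    },
]


def select_rules(rules, framework, controls=None):
    """Pick the rules mapped to `framework`. With `controls`, keep only rules
    that satisfy at least one of the listed control IDs (a tailored baseline)."""
    selected = []
    for rule in rules:
        refs = rule["references"].get(framework, [])
        if not refs:
            continue
        if controls is not None and not set(refs) & set(controls):
            continue
        selected.append(rule)
    return selected


def coverage(rules, framework):
    """Map each control ID cited under `framework` to the rule IDs implementing
    it: the view a policy author or auditor uses to see what a baseline covers."""
    table = {}
    for rule in rules:
        for control in rule["references"].get(framework, []):
            table.setdefault(control, []).append(rule["id"])
    return table


def build_profile(rules, baseline, org="org.example"):
    """Render selected rules as one configuration profile dict. Rules that share
    a preference domain are merged into a single payload so the profile never
    carries duplicate or conflicting payloads for one domain. UUIDs are derived
    from the identifiers (uuid5) so regenerating a baseline gives identical
    output; that determinism is a choice of this example, not of the format."""
    by_domain = {}
    for rule in rules:
        domain = rule["payload_type"]
        payload = by_domain.setdefault(domain, {
            "PayloadType": domain,
            "PayloadIdentifier": f"{org}.{baseline}.{domain}",
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_URL, f"{org}/{baseline}/{domain}")).upper(),
            "PayloadVersion": 1,
            "PayloadDisplayName": f"{baseline}: {domain}",
        })
        payload.update(rule["settings"])
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{org}.{baseline}",
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_URL, f"{org}/{baseline}")).upper(),
        "PayloadDisplayName": f"{baseline} baseline",
        "PayloadContent": list(by_domain.values()),
    }


def to_mobileconfig(profile):
    """Serialize the profile as XML plist bytes, the .mobileconfig form MDMs consume."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def from_mobileconfig(data):
    """Parse .mobileconfig bytes back into a dict (used to verify a round trip)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    chosen = select_rules(RULES, "800-171")
    print(coverage(chosen, "800-171"))
    print(to_mobileconfig(build_profile(chosen, "800-171")).decode())
```

Running the block as a script prints the 800-171 coverage table and the generated profile. The same three functions give the other outputs the page lists: `coverage` is the reporting a security professional reviews, `select_rules` with a control list is how a policy author tailors a baseline, and `to_mobileconfig` is the payload a system administrator hands to an MDM.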