NIST publishes essential macOS security guide for enterprise pros

Image c/o: Photo by GotCredit

The National Institute of Standards and Technology (NIST) has published what will likely be essential reading for enterprise, security, and device management professionals. It’s a high-end guide to Mac security and compliance.

An essential security source

As noted by Security Week, the guide offers pros a window into joint work on Mac security transacted by NIST, NASA, the Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL) under the macOS Security Compliance Project.

The guidance aims to be a one stop shop for security guidance for every Mac release, which is why it is valuable to pros.

The open-source macOS Security Compliance Project (mSCP) provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. It should be the kind of document Jamf and any other MDM vendor explores.

The project seeks to simplify the macOS security development cycle by reducing the amount of effort required to implement security baselines.

Security baselines are groups of settings used to configure a system to meet a target level or set of requirements or to verify that a system complies with requirements.

Why it may be useful

Apple releases a new macOS version every year. When it does some agencies and organizations must await risk assessment before the new OS is deployed, which can delay updates. Delays may generate additional risk.

The mSCP aims to reduce that risk and accelerate updating by reflecting that in most cases the security settings put in place in Macs don’t change a huge deal between releases, though some elements may change. The mSCP aims to reflect any such changes rapidly, making tis work a source for enterprise security professionals.

[Also read: WWDC: What is Rapid Security Response and how to enable it?]

The publication states that organizations using any baseline example should,

“Take a risk-based approach for selecting the appropriate settings and organizationally defined values depending on the context under which the baseline will be applied. Organizations can tailor any of the baselines to include controls specific to their needs and to produce evidence of control enforcement.”

More information and the document itself

• The mSCP’s GitHub site.
• Project documentation Wiki
• You can download the document here.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.