No operating system is immune to threats and a thorough endpoint security strategy accommodates the requirements for each one. Towards that end, the National Institute of Standards and Technology (NIST) has published the final version of its guidance on securing macOS endpoints.
NIST SP 800-219 provides system administrators, security professionals, security policy authors, information security officers, and auditors with resources to secure and assess macOS desktop and laptop system security in an automated way. Instead of having to produce a new guidance document for each macOS release, NIST will focus on continuously curating and updating the information in one format as part of the open source macOS Security Compliance Project (mSCP).
Based on a collaboration between NIST, NASA, the Defense Information Systems Agency, and Los Alamos National Laboratory, the goal of the mSCP is to simplify the macOS security development cycle by reducing the amount of effort required to implement security baselines, NIST says.
NIST uses security baselines to refer to “groups of settings used to configure a system to meet a target level or set of requirements or to verify that a system complies with requirements.” The project is intended to help IT and security staff create customized security baselines of technical security controls by leveraging a library of rules, with each rule mapped to requirements from security standards, regulations, or frameworks, NIST says in the guidance document.
The mSCP provides scripts that can be used with baselines for creating scripts and profiles for configuring macOS; generating a mapping between security standards, regulations, and frameworks; producing human-readable documentation in a variety of formats; customizing existing baselines; and generating Security Content Automation Protocol (SCAP) content for use in automated security compliance scans.
Security baselines and associated rules for configuring and managing macOS endpoint devices can be found on mSCP’s GitHub page. Organizations should take a risk-based approach for selecting the appropriate settings and defining values that consider the context under which the baseline will be utilized, NIST says.
Make it Easier to Upgrade
Agencies and organizations typically delay deploying a new macOS release because they are waiting for guidance. The mSCP is intended to provide guidance on the security features in new operating system releases at the earliest availability.
Generally, the technical security settings in macOS do not drastically change from release to release, with only a handful of new settings being introduced. By pursuing a rules-based approach, mSCP rules that remain applicable can be reused and incorporated into guidance for the latest macOS version. This enables quicker adoption of new security features that are not offered in prior versions of macOS, NIST says.