National Institute of Standards and Technology releases guidance on Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)

June 26, 2022 |

The National Institute of Standards and Technology (“NIST”) has released the guidance Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP).

The abstract provides:

The macOS Security Compliance Project (mSCP) provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. This publication introduces the mSCP and gives an overview of the resources available from the project’s GitHub site, which is continuously curated and updated to support each new release of macOS. The GitHub site provides practical, actionable recommendations in the form of secure baselines and associated rules. This publication also describes use cases for leveraging the mSCP content.

Interesting matters raisedin this guideline:

  • The mSCP seeks to reduce the amount of effort required to implement security baselines.
  • Security baselines are groups of settings used to configure a system to meet a target level or set of requirements or to verify that a system complies with requirements.  The secure baseline content provided is easily extensible by other parties to implement their own security requirements.

  • The mSCP is an open-source project that provides a programmatic approach to generating and using macOS security configuration baselines. The project’s content can be used to create customized security baselines of technical security controls by leveraging a library of rules, with each rule mapped to requirements in one or more existing security standards, regulations, or frameworks. This approach provides versioning and consistency of the content.

  • the goals of mSCP are:
    • develop recommended security baselines using a risk-based approach based on the impact of the data.
    • normalize and accelerate annual adoption of the new operating system and hardware by providing guidance to meet the security needs of new operating systems at the earliest
    • reduce worldwide efforts in creating annual guidance by unifying and consolidating compliance efforts into a single project.
    • develop a methodology to foster collaboration between baseline authors, reducing overhead and redundancy.
    • establish a unified approach for the configuration and assessment of controls across multiple sources and tools.
    • enable the customization of existing content and the creation of new content, including creating custom baselines in order to meet organization-specific security requirements.
    • provide device management and security tool vendors, auditors, and Apple insight into customer security configuration needs.

 

Leave a Reply





Verified by MonsterInsights