NIST Releases New macOS Security Guidance for Organizations

The National Institute of Standards and Technology (NIST) has published the final version of its guidance on securing macOS endpoints and assessing their security.

The guidance is derived from the macOS Security Compliance Project (mSCP), an open source effort aimed at creating customized security baselines to meet the cybersecurity needs of various organizations.

A collaboration between NIST, NASA, the Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL), the mSCP eliminates the need to issue new cybersecurity guidance for each macOS release, and instead curates the macOS guidance and keeps it up to date.

The newly released guidance, NIST says, is also meant to introduce the mSCP to broader audiences by offering an overview of the project and its components, and by providing details on common use cases.

“This document and the mSCP GitHub site are intended for system administrators, security professionals, policy authors, privacy officers, and auditors who have responsibilities involving macOS security. Additionally, vendors of device management, security, configuration assessment, and compliance tools that support macOS may find this document and the GitHub site to be helpful,” NIST says.

The project’s GitHub page provides secure baselines and associated rules that can be used as practical, actionable recommendations for properly configuring and managing macOS endpoint device security.

With Apple releasing new macOS versions each year, the mSCP is intended to be independent of new versions, but will be updated when substantial changes occur. Thus, organizations will be provided with consistency of content, as well as with accelerated guidance, courtesy of standardized macOS baseline efforts.

According to NIST, agencies and organizations typically “wait for guidance or accept risk before deploying the new macOS version” each year, and many create their own internal security configuration, which delays deployments. With mSCP at hand, organizations will be able to update sooner.

“Generally, the technical security settings in macOS do not drastically change from release to release, with only a handful of new settings being introduced. By pursuing a rules-based approach, mSCP rules that remain applicable can be reused and incorporated into guidance for the latest macOS version. This enables quicker adoption of new security features that are not offered in prior versions of macOS,” NIST says.

The mSCP content is meant to be used by government agencies and private organizations alike, with the provided security baselines either mapped to existing guidance or controls, or customized to meet specific needs. Furthermore, the content can be used for automated security compliance scans.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
