macOS Security Compliance Project

Introduction

Mac admins are, no doubt, already aware of the macOS Security Compliance Project (mSCP). It’s an open-source collaboration between some pretty heavy-weight federal organizations in the United States, including the National Aeronautics and Space Administration (NASA), the National Institute of Standards and Technology (NIST), Defense Information Systems Agency (DISA) and the Los Alamos National Laboratory (LANL). The project aims to provide a simple way for any organization using Mac in any industry to create a security baseline that exactly suits their own unique requirements. By approaching this in a uniform and logical way, the project pulls in guidelines from numerous established security standards, providing consistent output in the form of scripts to enforce settings, documentation and configuration profiles that can be used within any modern Apple Enterprise Management (AEM) solution.

Why’s this so important?

And what’s new and newsworthy about this? Security benchmarks for endpoints have been around for a long time. They may vary in name and how they are structured, and indeed they are adopted differently in different countries and industries. What is different about this particular project is that, within a relatively small space of time, it has made it into the Apple Security Certifications and Compliance Center. This is a major step forward for all macOS Enterprise customers. The built-in protections within macOS are extremely good, but the IT security industry has long advocated a more detailed approach to technology security, part of which is OS hardening which reduces the attack surface of endpoint devices - further minimizing threat vectors. Not only is Apple now openly advocating this approach for macOS, but the project provides a concise, yet simplified way for all organizations to adopt these security practices. The cost? Merely investing the time to integrate the benchmarks into their existing workflows.

Global reach?

One of the challenges many organizations outside of the United States may perceive is that the industry baselines currently referenced are:

• NIST 800-53 (High, Moderate and Low)
• NIST 800-171
• DISA STIG
• CNSSI 1253

The one thing you notice straight away is that these standards are commonly used in the US, but less so in other geographies. So is mSCP of any value outside the US? Well, the good news is that yes it is. Not only is the project open-source (so baselines more common in other geographies can and probably will be added) but the reality of all of the baselines which exist is that they largely comprise the same information, simply structured differently. For example, the NIST controls relating to vulnerability assessment and remediation map to identical requirements in:

• CIS Controls
• PCI DSS
• ISO 27002
• DHS CDM Program
• Australian Top 35
• GCHQ 10 Steps
• UK Cyber Essentials
• UK ICO Guidelines

As you can see, regardless of which baseline you officially align to or model from, mSCP can still help you achieve your target security maturity relatively quickly.

What does the future look like?

Something really cool about the mSCP is that not only can it be used by Mac admins and their security colleagues, but it’s also an invaluable tool for security vendors. This is a superb example of modern organizations working together to improve the overall security posture of an entire technology.

You may be aware that Jamf recently acquired the technical assets of a company called cmdSecurity, including a suite of security tools for macOS, one of which is cmdReporter. You can read all about this.

The really exciting news is that cmdReporter had already made an integration allowing the tool to reference the mSCP, extending both mSCP’s scope and functionality. Not only can we look forward to the mSCP scaling in its reach to include more global standards, but we can also expect to see Jamf further extending the security capabilities of its expansive AEM Platform.