macOS Security Compliance Project
The macOS Security Compliance Project (mSCP) is an open source effort to provide a programmatic approach to generating security guidance. The project can be used to output customized documentation, scripts (logging and remediation), configuration profiles, and an audit checklist based on the baseline used. It is authoritative through NIST Special Publication 800-219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP).
This is a joint project of federal operational IT Security staff and volunteers from the National Institute of Standards and Technology (NIST), National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), Los Alamos National Laboratory (LANL), Idaho National Laboratory, Lawrence Livermore National Laboratory, the United States State Department, Leidos, and the Center for Internet Security (CIS). The project uses a set of tested and validated controls for macOS and maps these controls against any security guide supported by the project. Additionally, this project can be used as a resource to easily create customized security baselines of technical security controls by leveraging a library of tested and validated atomic actions (configuration settings). These mSCP baselines can produce output content used in conjunction with management and security tools to achieve compliance. Configuration settings in this project support the following guidance baselines:
Organization | Supported baselines |
|---|---|
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 5 | |
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations Rev.2 | |
Defense Information Systems Agency (DISA) macOS 14 STIG: Apple macOS 14 Security Technical Implementation Guide | |
Committee on National Security Systems Instruction (CNSSI) 1253, Security Categorization and Control Selection for National Security Systems | |
Center for Internet Security CIS Benchmark, Level 1 and Level 2 | |
Center for Internet Security CIS Critical Security Controls version 8 | |
Cybersecurity Maturity Model Certification (CMMC) 2.0 |
Additional information:
A baseline to review all rules in the project is available here.
To generate SCAP 1.3 content from the project, review the instructions provided here.
To learn more about the project and usage, see the macOS Security Compliance Project wiki.
To set up the project for use, see: Getting to Know the macOS Security Compliance Project, Part 1 and Getting to Know the macOS Security Compliance Project, Part 2.
A list of products and services that leverage the project is maintained here.
If you’re interested in supporting the development of the project, see the contributor guidance.
For questions about Apple Security and Privacy Certifications, contact security-certifications@apple.com.