update and resync rules

2026-02-03 14:03:24 +00:00 · 2025-12-19 11:28:47 -05:00
parent 640a03de81
commit 3cdd879d52
244 changed files with 1825 additions and 250 deletions
--- a/config/default/rules/audit/audit_acls_files_configure.yaml
+++ b/config/default/rules/audit/audit_acls_files_configure.yaml
@@ -89,3 +89,5 @@ tags:
  - cmmc_lvl2
  - cnssi-1253_moderate
  - cnssi-1253_high
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_acls_folders_configure.yaml
+++ b/config/default/rules/audit/audit_acls_folders_configure.yaml
@@ -89,3 +89,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_auditd_enabled.yaml
+++ b/config/default/rules/audit/audit_auditd_enabled.yaml
@@ -182,3 +182,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_control_acls_configure.yaml
+++ b/config/default/rules/audit/audit_control_acls_configure.yaml
@@ -84,3 +84,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_control_group_configure.yaml
+++ b/config/default/rules/audit/audit_control_group_configure.yaml
@@ -84,3 +84,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_control_mode_configure.yaml
+++ b/config/default/rules/audit/audit_control_mode_configure.yaml
@@ -84,3 +84,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_control_owner_configure.yaml
+++ b/config/default/rules/audit/audit_control_owner_configure.yaml
@@ -84,3 +84,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_failure_halt.yaml
+++ b/config/default/rules/audit/audit_failure_halt.yaml
@@ -23,8 +23,6 @@ references:
    srg:
      - SRG-OS-000047-GPOS-00023
    disa_stig:
-      macos_26:
-        - APPL-26-001010
      macos_15:
        - APPL-15-001010
      macos_14:
@@ -33,10 +31,7 @@ references:
      - AU.L2-3.3.4
 platforms:
  macOS:
-    '26.0':
-      benchmarks:
-        - name: disa_stig
-          severity: medium
+    '26.0': {}
    '15.0':
      benchmarks:
        - name: disa_stig
--- a/config/default/rules/audit/audit_files_group_configure.yaml
+++ b/config/default/rules/audit/audit_files_group_configure.yaml
@@ -90,3 +90,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_files_mode_configure.yaml
+++ b/config/default/rules/audit/audit_files_mode_configure.yaml
@@ -86,3 +86,5 @@ tags:
  - cnssi-1253_low
  - cnssi-1253_high
  - cmmc_lvl2
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_files_owner_configure.yaml
+++ b/config/default/rules/audit/audit_files_owner_configure.yaml
@@ -90,3 +90,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_flags_ad_configure.yaml
+++ b/config/default/rules/audit/audit_flags_ad_configure.yaml
@@ -119,3 +119,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_folder_group_configure.yaml
+++ b/config/default/rules/audit/audit_folder_group_configure.yaml
@@ -90,3 +90,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_folder_owner_configure.yaml
+++ b/config/default/rules/audit/audit_folder_owner_configure.yaml
@@ -90,3 +90,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_folders_mode_configure.yaml
+++ b/config/default/rules/audit/audit_folders_mode_configure.yaml
@@ -88,3 +88,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_off_load_records.yaml
+++ b/config/default/rules/audit/audit_off_load_records.yaml
@@ -37,3 +37,5 @@ tags:
  - cnssi-1253_low
  - cnssi-1253_high
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/audit/audit_retention_configure.yaml
+++ b/config/default/rules/audit/audit_retention_configure.yaml
@@ -80,6 +80,8 @@ odv:
  cis_lvl1: 60d OR 5G
  cis_lvl2: 60d OR 5G
  stig: 7d
+  nlmapgov_base: 180d
+  nlmapgov_plus: 180d
 tags:
  - 800-171
  - 800-53r5_privacy
@@ -91,3 +93,5 @@ tags:
  - cnssi-1253_high
  - cmmc_lvl2
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/icloud/icloud_backup_disabled.yaml
+++ b/config/default/rules/icloud/icloud_backup_disabled.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95422-2
+        - CCE-95631-8
      ios_18:
        - CCE-94415-7
      ios_17:
@@ -24,10 +24,14 @@ references:
    cci:
      - CCI-001090
    disa_stig:
+      ios_26:
+        - AIOS-26-003000
      ios_18:
        - AIOS-18-003000
      ios_17:
        - AIOS-17-003000
+      visionos_26:
+        - AVOS-02-003000
    sfr:
      - 'FMT_MOF_EXT.1.2 #40'
  cis:
@@ -45,6 +49,9 @@ references:
      ios_17:
        - ANNEX D (Section 5.4 - iCloud restrictions)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.4 - iCloud restrictions)
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
@@ -52,6 +59,12 @@ platforms:
      benchmarks:
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/icloud/icloud_drive_disable.yaml
+++ b/config/default/rules/icloud/icloud_drive_disable.yaml
@@ -14,7 +14,7 @@ references:
      macos_14:
        - CCE-92745-9
      ios_26:
-        - CCE-95423-0
+        - CCE-95632-6
      ios_18:
        - CCE-94421-5
      ios_17:
@@ -43,10 +43,14 @@ references:
        - APPL-15-002041
      macos_14:
        - APPL-14-002041
+      ios_26:
+        - AIOS-26-003200
      ios_18:
        - AIOS-18-003200
      ios_17:
        - AIOS-17-003200
+      visionos_26:
+        - AVOS-02-003200
    cmmc:
      - AC.L1-3.1.20
      - CM.L2-3.4.6
@@ -71,6 +75,9 @@ references:
      ios_17:
        - ANNEX D (Section 5.4 - iCloud restrictions)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.4 - iCloud restrictions)
+        - ANNEX K
 platforms:
  macOS:
    '26.0':
@@ -101,6 +108,10 @@ platforms:
      benchmarks:
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: true
      benchmarks:
@@ -135,6 +146,7 @@ tags:
  - cmmc_lvl2
  - cmmc_lvl1
  - cnssi-1253_moderate
+  - nlmapgov_plus
 mobileconfig_info:
  - PayloadType: com.apple.applicationaccess
    PayloadContent:
--- a/config/default/rules/icloud/icloud_enterprisebook_metadata_sync_disable.yaml
+++ b/config/default/rules/icloud/icloud_enterprisebook_metadata_sync_disable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95424-8
+        - CCE-95633-4
      ios_18:
        - CCE-94566-7
    800-53r5:
@@ -17,9 +17,15 @@ references:
      - CM-7
      - CM-7(1)
      - SC-7(10)
+  bsi:
+    indigo:
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
-    '26.0': {}
+    '26.0':
+      benchmarks:
+        - name: indigo_high
    '18.0':
      benchmarks:
        - name: indigo_high
--- a/config/default/rules/icloud/icloud_keychain_disable.yaml
+++ b/config/default/rules/icloud/icloud_keychain_disable.yaml
@@ -43,10 +43,14 @@ references:
        - APPL-15-002040
      macos_14:
        - APPL-14-002040
+      ios_26:
+        - AIOS-26-003300
      ios_18:
        - AIOS-18-003300
      ios_17:
        - AIOS-17-003300
+      visionos_26:
+        - AVOS-02-003300
    cmmc:
      - AC.L1-3.1.20
      - CM.L2-3.4.6
@@ -71,6 +75,9 @@ references:
      ios_17:
        - ANNEX D (Section 5.4 - iCloud restrictions)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.4 - iCloud restrictions)
+        - ANNEX K
 platforms:
  macOS:
    '26.0':
@@ -101,6 +108,12 @@ platforms:
      benchmarks:
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
@@ -136,6 +149,7 @@ tags:
  - cmmc_lvl2
  - cmmc_lvl1
  - cnssi-1253_moderate
+  - nlmapgov_plus
 mobileconfig_info:
  - PayloadType: com.apple.applicationaccess
    PayloadContent:
--- a/config/default/rules/icloud/icloud_managed_apps_store_data_disabled.yaml
+++ b/config/default/rules/icloud/icloud_managed_apps_store_data_disabled.yaml
@@ -25,11 +25,15 @@ references:
      - CCI-000366
      - CCI-000370
    disa_stig:
+      ios_26:
+        - AIOS-26-003600
      ios_18:
        - AIOS-18-003600
      ios_17:
        - AIOS-17-003600
        - AIOS-17-703600
+      visionos_26:
+        - AVOS-02-003600
    sfr:
      - 'FMT_MOF_EXT.1.2 #40'
  cis:
@@ -50,6 +54,9 @@ references:
      ios_17:
        - ANNEX D (Section 5.4 - iCloud restrictions)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.4 - iCloud restrictions)
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
@@ -59,6 +66,12 @@ platforms:
        - name: cis_lvl2_byod
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/icloud/icloud_photo_stream_disable.yaml
+++ b/config/default/rules/icloud/icloud_photo_stream_disable.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95427-1
+        - CCE-95634-2
      ios_18:
        - CCE-94418-1
      ios_17:
@@ -29,10 +29,16 @@ references:
      ios_17:
        - ANNEX D (Section 5.4 - iCloud restrictions)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.4 - iCloud restrictions)
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/icloud/icloud_photos_disable.yaml
+++ b/config/default/rules/icloud/icloud_photos_disable.yaml
@@ -14,7 +14,7 @@ references:
      macos_14:
        - CCE-92751-7
      ios_26:
-        - CCE-95428-9
+        - CCE-95635-9
      ios_18:
        - CCE-94419-9
      ios_17:
@@ -43,10 +43,14 @@ references:
        - APPL-15-002043
      macos_14:
        - APPL-14-002043
+      ios_26:
+        - AIOS-26-003450
      ios_18:
        - AIOS-18-003450
      ios_17:
        - AIOS-17-003450
+      visionos_26:
+        - AVOS-02-003450
    cmmc:
      - AC.L1-3.1.20
      - CM.L2-3.4.6
@@ -67,6 +71,9 @@ references:
      ios_17:
        - ANNEX D (Section 5.4 - iCloud restrictions)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.4 - iCloud restrictions)
+        - ANNEX K
 platforms:
  macOS:
    '26.0':
@@ -94,6 +101,11 @@ platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/icloud/icloud_shared_photo_stream_disable.yaml
+++ b/config/default/rules/icloud/icloud_shared_photo_stream_disable.yaml
@@ -5,7 +5,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95429-7
+        - CCE-95636-7
      ios_18:
        - CCE-94420-7
      ios_17:
@@ -22,6 +22,8 @@ references:
      - CCI-000366
      - CCI-000370
    disa_stig:
+      ios_26:
+        - AIOS-26-003500
      ios_18:
        - AIOS-18-003500
      ios_17:
@@ -33,10 +35,18 @@ references:
      ios_17:
        - ANNEX D (Section 5.4 - iCloud restrictions)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.4 - iCloud restrictions)
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/icloud/icloud_sync_disable.yaml
+++ b/config/default/rules/icloud/icloud_sync_disable.yaml
@@ -88,6 +88,7 @@ tags:
  - cmmc_lvl2
  - cmmc_lvl1
  - cnssi-1253_moderate
+  - nlmapgov_plus
 mobileconfig_info:
  - PayloadType: com.apple.applicationaccess
    PayloadContent:
--- a/config/default/rules/os/os_account_modification_disable.yaml
+++ b/config/default/rules/os/os_account_modification_disable.yaml
@@ -62,6 +62,8 @@ references:
        - ANNEX K
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  macOS:
    '26.0':
@@ -89,6 +91,8 @@ platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: indigo_high
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_airdrop_disable.yaml
+++ b/config/default/rules/os/os_airdrop_disable.yaml
@@ -13,7 +13,7 @@ references:
      macos_14:
        - CCE-92756-6
      ios_26:
-        - CCE-95431-3
+        - CCE-95637-5
      ios_18:
        - CCE-94422-3
      ios_17:
@@ -45,12 +45,18 @@ references:
        - APPL-15-002009
      macos_14:
        - APPL-14-002009
+      ios_26:
+        - AIOS-26-010200
+        - AIOS-26-012500
      ios_18:
        - AIOS-18-010200
        - AIOS-18-012500
      ios_17:
        - AIOS-17-010200
        - AIOS-17-012500
+      visionos_26:
+        - AVOS-02-012500
+        - AVOS-02-010200
    cmmc:
      - AC.L1-3.1.1
      - AC.L1-3.1.20
@@ -74,6 +80,8 @@ references:
        - ANNEX K
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  macOS:
    '26.0':
@@ -107,6 +115,13 @@ platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_airdrop_unmanaged_destination_enable.yaml
+++ b/config/default/rules/os/os_airdrop_unmanaged_destination_enable.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95432-1
+        - CCE-95638-3
      ios_18:
        - CCE-94423-1
      ios_17:
@@ -25,11 +25,15 @@ references:
      - CCI-000366
      - CCI-002008
    disa_stig:
+      ios_26:
+        - AIOS-26-011500
      ios_18:
        - AIOS-18-011500
      ios_17:
        - AIOS-17-011500
        - AIOS-17-711500
+      visionos_26:
+        - AVOS-02-011500
    sfr:
      - 'FMT_SMF_EXT.1.1 #47'
  cis:
@@ -50,6 +54,9 @@ references:
      ios_17:
        - ANNEX D (Section 5.5.5 - AirDrop)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.7.5 - AirDrop)
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
@@ -59,6 +66,12 @@ platforms:
        - name: cis_lvl2_byod
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_airplay_incoming_password_require.yaml
+++ b/config/default/rules/os/os_airplay_incoming_password_require.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95433-9
+        - CCE-95639-1
      ios_18:
        - CCE-94514-7
    800-53r5:
@@ -15,15 +15,29 @@ references:
    cci:
      - CCI-000063
    disa_stig:
+      ios_26:
+        - AIOS-26-010900
+        - AIOS-26-010950
      ios_18:
        - AIOS-18-010900
        - AIOS-18-010950
    sfr:
      - 'FMT_SMF_EXT.1.1 #40'
+  bsi:
+    indigo:
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: low
+        - name: indigo_base
+          severity: low
+        - name: indigo_high
+          severity: low
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_airplay_outgoing_password_require.yaml
+++ b/config/default/rules/os/os_airplay_outgoing_password_require.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95434-7
+        - CCE-95640-9
      ios_18:
        - CCE-94424-9
    800-53r5:
@@ -15,15 +15,29 @@ references:
    cci:
      - CCI-000063
    disa_stig:
+      ios_26:
+        - AIOS-26-010900
+        - AIOS-26-010950
      ios_18:
        - AIOS-18-010900
        - AIOS-18-010950
    sfr:
      - 'FMT_SMF_EXT.1.1 #40'
+  bsi:
+    indigo:
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: low
+        - name: indigo_base
+          severity: low
+        - name: indigo_high
+          severity: low
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_airprint_credential_storage_disable.yaml
+++ b/config/default/rules/os/os_airprint_credential_storage_disable.yaml
@@ -4,18 +4,27 @@ discussion: |
  Storage of AirPrint credentials _MUST_ be disabled.
 references:
  nist:
+    cce:
+      ios_26:
+        - CCE-95641-7
    800-53r5:
      - CM-6
  disa:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-016800
      ios_18:
        - AIOS-18-016800
    sfr:
      - 'FMT_MOF_EXT.1.2 #47'
 platforms:
  iOS:
+    '26.0':
+      supervised: false
+      benchmarks:
+        - name: ios_stig
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_airprint_disable.yaml
+++ b/config/default/rules/os/os_airprint_disable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95435-4
+        - CCE-95642-5
      ios_18:
        - CCE-94515-4
      ios_17:
@@ -19,6 +19,8 @@ references:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-016600
      ios_18:
        - AIOS-18-016600
    sfr:
@@ -27,10 +29,15 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+        - name: indigo_high
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_airprint_force_trusted_TLS.yaml
+++ b/config/default/rules/os/os_airprint_force_trusted_TLS.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95436-2
+        - CCE-95643-3
      ios_18:
        - CCE-94516-2
      ios_17:
@@ -17,6 +17,8 @@ references:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-016900
      ios_18:
        - AIOS-18-016900
    sfr:
@@ -25,10 +27,15 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+        - name: indigo_high
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_allow_contacts_read_managed_sources_unmanaged_destinations_disable.yaml
+++ b/config/default/rules/os/os_allow_contacts_read_managed_sources_unmanaged_destinations_disable.yaml
@@ -5,7 +5,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95437-0
+        - CCE-95644-1
      ios_18:
        - CCE-94425-6
      ios_17:
@@ -23,11 +23,15 @@ references:
      - CCI-000051
      - CCI-000370
    disa_stig:
+      ios_26:
+        - AIOS-26-012400
      ios_18:
        - AIOS-18-012400
      ios_17:
        - AIOS-17-012400
        - AIOS-17-712400
+      visionos_26:
+        - AVOS-02-012400
    sfr:
      - 'FMT_SMF_EXT.1.1 #42'
      - FDP_ACF_EXT.1.2
@@ -36,10 +40,20 @@ references:
      ios_17:
        - ANNEX D (Section 5.6.3 - Contacts)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.6.3 - Contacts)
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: low
+        - name: indigo_base
+          severity: low
+        - name: indigo_high
+          severity: low
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_allow_contacts_write_managed_sources_unmanaged_destinations_disable.yaml
+++ b/config/default/rules/os/os_allow_contacts_write_managed_sources_unmanaged_destinations_disable.yaml
@@ -5,7 +5,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95438-8
+        - CCE-95645-8
      ios_18:
        - CCE-94426-4
      ios_17:
@@ -23,11 +23,15 @@ references:
      - CCI-000051
      - CCI-000370
    disa_stig:
+      ios_26:
+        - AIOS-26-012300
      ios_18:
        - AIOS-18-012300
      ios_17:
        - AIOS-17-012300
        - AIOS-17-712300
+      visionos_26:
+        - AVOS-02-012300
    sfr:
      - 'FMT_SMF_EXT.1.1 #42'
      - FDP_ACF_EXT.1.2
@@ -39,10 +43,20 @@ references:
      ios_17:
        - ANNEX D (Section 5.6.3 - Contacts)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.6.3 - Contacts)
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: low
+        - name: indigo_base
+          severity: low
+        - name: indigo_high
+          severity: low
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml
+++ b/config/default/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95439-6
+        - CCE-95646-6
      ios_18:
        - CCE-94427-2
      ios_17:
@@ -23,11 +23,15 @@ references:
      - CCI-002233
      - CCI-002530
    disa_stig:
+      ios_26:
+        - AIOS-26-009700
      ios_18:
        - AIOS-18-009700
      ios_17:
        - AIOS-17-009700
        - AIOS-17-709700
+      visionos_26:
+        - AVOS-02-009700
    sfr:
      - 'FMT_SMF_EXT.1.1 #42'
      - FDP_ACF_EXT.1.2
@@ -49,6 +53,9 @@ references:
      ios_17:
        - ANNEX D (Section 5.6.3 - Contacts)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.6.3 - Contacts)
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
@@ -58,6 +65,12 @@ platforms:
        - name: cis_lvl2_byod
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_allow_documents_unmanaged_sources_managed_destinations_disable.yaml
+++ b/config/default/rules/os/os_allow_documents_unmanaged_sources_managed_destinations_disable.yaml
@@ -40,6 +40,9 @@ references:
      ios_17:
        - ANNEX D (section 5.8.3 - Institutional procurement)
        - ANNEX K
+      ios_26:
+        - ANNEX D (section 5.8.3 - Institutional procurement)
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
@@ -49,6 +52,8 @@ platforms:
        - name: cis_lvl2_byod
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: indigo_base
+        - name: indigo_high
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_allow_enterprise_trust_disabled.yaml
+++ b/config/default/rules/os/os_allow_enterprise_trust_disabled.yaml
@@ -0,0 +1,36 @@
+id: os_allow_enterprise_trust_disabled
+title: Disable Allow Trusting Enterprise Apps
+discussion: |
+  Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices.
+
+  Allowing such installations and executions could cause a compromise of data accessible by these unauthorized/malicious applications.
+references:
+  nist:
+    cce:
+      visionos_26:
+        - CCE-96708-3
+    800-53r5:
+      - AC-19
+      - SI-7(5)
+  disa:
+    cci:
+      - CCI-000366
+    disa_stig:
+      visionos_26:
+        - AVOS-02-007000
+    sfr:
+      - 'FMT_SMF.1.1 #8'
+platforms:
+  visionOS:
+    '26.0':
+      supervised: false
+    introduced: '2.0'
+tags:
+  - visionos_stig
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+mobileconfig_info:
+  - PayloadType: com.apple.applicationaccess
+    PayloadContent:
+      - allowEnterpriseAppTrust: false
--- a/config/default/rules/os/os_allow_prerelease_disable.yaml
+++ b/config/default/rules/os/os_allow_prerelease_disable.yaml
@@ -0,0 +1,37 @@
+id: os_allow_prerelease_disable
+title: Disable the Ability to Install PreRelease Software
+discussion: |
+  Beta software may contain features that could lead to the compromise of sensitive information or provide a vector for the attack on a network.
+references:
+  nist:
+    cce:
+      visionos_26:
+        - CCE-96711-7
+    800-53r5:
+      - CM-6
+      - CM-7
+  disa:
+    cci:
+      - CCI-000366
+    disa_stig:
+      visionos_26:
+        - AVOS-02-015500
+    sfr:
+      - 'FMT_MOF_EXT.1.2 #47'
+platforms:
+  visionOS:
+    '26.0':
+      supervised: true
+    introduced: '-1'
+tags:
+  - visionos_stig
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - cnssi-1253_moderate
+  - cnssi-1253_low
+  - cnssi-1253_high
+mobileconfig_info:
+  - PayloadType: com.apple.softwareupdate
+    PayloadContent:
+      - AllowPreReleaseInstallation: false
--- a/config/default/rules/os/os_anti_virus_installed.yaml
+++ b/config/default/rules/os/os_anti_virus_installed.yaml
@@ -59,3 +59,5 @@ platforms:
        additional_info: 'NOTE: These services cannot be unloaded or loaded while System Integrity Protection (SIP) is enabled.'
 tags:
  - cisv8
+  - nlmapgov_base
+  - nlmapgov_plus
--- a/config/default/rules/os/os_apple_watch_pairing_disable.yaml
+++ b/config/default/rules/os/os_apple_watch_pairing_disable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95441-2
+        - CCE-95647-4
      ios_18:
        - CCE-94429-8
      ios_17:
@@ -22,6 +22,8 @@ references:
      - CCI-000097
      - CCI-000370
    disa_stig:
+      ios_26:
+        - AIOS-26-012600
      ios_18:
        - AIOS-18-012600
      ios_17:
@@ -32,10 +34,19 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_apple_watch_wrist_detection_enable.yaml
+++ b/config/default/rules/os/os_apple_watch_wrist_detection_enable.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95442-0
+        - CCE-95648-2
      ios_18:
        - CCE-94430-6
      ios_17:
@@ -19,6 +19,8 @@ references:
    cci:
      - CCI-000381
    disa_stig:
+      ios_26:
+        - AIOS-26-011800
      ios_18:
        - AIOS-18-011800
      ios_17:
@@ -48,6 +50,8 @@ platforms:
        - name: cis_lvl2_byod
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: low
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_application_allow_list.yaml
+++ b/config/default/rules/os/os_application_allow_list.yaml
@@ -14,7 +14,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95443-8
+        - CCE-95649-0
      ios_18:
        - CCE-94431-4
      ios_17:
@@ -37,10 +37,17 @@ references:
    indigo:
      ios_17:
        - ANNEX D (Section 5.8 - App-Installation)
+      ios_26:
+        - ANNEX D (Section 5.8 - App-Installation)
 platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_application_deny_list.yaml
+++ b/config/default/rules/os/os_application_deny_list.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95444-6
+        - CCE-95650-8
      ios_18:
        - CCE-94517-0
      ios_17:
@@ -16,10 +16,16 @@ references:
      ios_17:
        - ANNEX D (Section 5.8 - App-Installation)
        - ANNEX N
+      ios_26:
+        - ANNEX D (Section 5.8 - App-Installation)
+        - ANNEX N
 platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: indigo_base
+        - name: indigo_high
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_authenticated_root_enable.yaml
+++ b/config/default/rules/os/os_authenticated_root_enable.yaml
@@ -98,3 +98,4 @@ tags:
  - cmmc_lvl2
  - cmmc_lvl1
  - cnssi-1253_moderate
+  - nlmapgov_plus
--- a/config/default/rules/os/os_authentication_password_autofill_enable.yaml
+++ b/config/default/rules/os/os_authentication_password_autofill_enable.yaml
@@ -30,6 +30,8 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
@@ -37,6 +39,7 @@ platforms:
      benchmarks:
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: indigo_high
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_auto_correction_disable.yaml
+++ b/config/default/rules/os/os_auto_correction_disable.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95446-1
+        - CCE-95651-6
      ios_18:
        - CCE-94518-8
      ios_17:
@@ -15,10 +15,14 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: indigo_high
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_auto_dim_allow.yaml
+++ b/config/default/rules/os/os_auto_dim_allow.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95447-9
+        - CCE-95652-4
      ios_18:
        - CCE-94519-6
 platforms:
--- a/config/default/rules/os/os_auto_unlock_disable.yaml
+++ b/config/default/rules/os/os_auto_unlock_disable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95448-7
+        - CCE-95653-2
      ios_18:
        - CCE-94433-0
      ios_17:
@@ -20,6 +20,8 @@ references:
      - CCI-000767
      - CCI-002235
    disa_stig:
+      ios_26:
+        - AIOS-26-014800
      ios_18:
        - AIOS-18-014800
      ios_17:
@@ -30,10 +32,19 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_automatic_app_download_disable.yaml
+++ b/config/default/rules/os/os_automatic_app_download_disable.yaml
@@ -4,6 +4,9 @@ discussion: |
  The automatic download of apps to a mobile device could cause the exposure of sensitive  information when an unauthorized app is installed.
 references:
  nist:
+    cce:
+      ios_26:
+        - CCE-95654-0
    800-53r5:
      - CM-7
      - CM-7(1)
@@ -11,12 +14,18 @@ references:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-016400
      ios_18:
        - AIOS-18-016200
    sfr:
      - 'FMT_MOF_EXT.1.2 #47'
 platforms:
  iOS:
+    '26.0':
+      supervised: true
+      benchmarks:
+        - name: ios_stig
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_bluetooth_modification_disable.yaml
+++ b/config/default/rules/os/os_bluetooth_modification_disable.yaml
@@ -0,0 +1,35 @@
+id: os_bluetooth_modification_disable
+title: Bluetooth Status Modification Disabled
+discussion: |
+  The ability to enable or disable Bluetooth _MUST_ be disabled.
+references:
+  nist:
+    cce:
+      ios_26:
+        - CCE-95655-7
+    800-53r5:
+      - CM-7
+      - CM-7(1)
+      - SC-07(10)
+  disa:
+    cci:
+      - CCI-000366
+    disa_stig:
+      ios_26:
+        - AIOS-26-018200
+    sfr:
+      - 'FMT_SMF.1.1 #47'
+platforms: {}
+tags:
+  - ios
+  - ios_stig
+  - 800-53r5_low
+  - 800-53r5_moderate
+  - 800-53r5_high
+  - cnssi-1253_moderate
+  - cnssi-1253_low
+  - cnssi-1253_high
+mobileconfig_info:
+  - PayloadType: com.apple.applicationaccess
+    PayloadContent:
+      - allowBluetoothModification: false
--- a/config/default/rules/os/os_call_recording_disable.yaml
+++ b/config/default/rules/os/os_call_recording_disable.yaml
@@ -17,14 +17,24 @@ references:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-015700
      ios_18:
        - AIOS-18-015700
    sfr:
      - 'FMT_MOF_EXT.1.2 #47'
+  bsi:
+    indigo:
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+        - name: indigo_base
+        - name: indigo_high
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_camera_disable.yaml
+++ b/config/default/rules/os/os_camera_disable.yaml
@@ -23,6 +23,8 @@ references:
        - CCE-94172-4
      macos_14:
        - CCE-92772-3
+      ios_26:
+        - CCE-95605-2
      visionos_26:
        - CCE-95568-2
  disa:
@@ -38,6 +40,8 @@ references:
        - APPL-15-002017
      macos_14:
        - APPL-14-002017
+      ios_26:
+        - AIOS-26-018100
 platforms:
  macOS:
    '26.0':
@@ -62,6 +66,13 @@ platforms:
        result:
          string: 'false'
    introduced: '10.11'
+  iOS:
+    '26.0':
+      supervised: true
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+    introduced: '4.0'
  visionOS:
    '26.0':
      supervised: true
--- a/config/default/rules/os/os_chat_disable.yaml
+++ b/config/default/rules/os/os_chat_disable.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95450-3
+        - CCE-95606-0
      ios_18:
        - CCE-94520-4
      ios_17:
@@ -19,10 +19,14 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: indigo_high
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_config_data_install_enforce.yaml
+++ b/config/default/rules/os/os_config_data_install_enforce.yaml
@@ -90,6 +90,8 @@ tags:
  - cmmc_lvl2
  - cmmc_lvl1
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
 mobileconfig_info:
  - PayloadType: com.apple.SoftwareUpdate
    PayloadContent:
--- a/config/default/rules/os/os_definition_lookup_disable.yaml
+++ b/config/default/rules/os/os_definition_lookup_disable.yaml
@@ -20,10 +20,14 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: indigo_high
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_device_name_change_disable.yaml
+++ b/config/default/rules/os/os_device_name_change_disable.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95455-2
+        - CCE-95608-6
      ios_18:
        - CCE-94522-0
      ios_17:
@@ -15,10 +15,15 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: indigo_base
+        - name: indigo_high
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_diagnostics_reports_disable.yaml
+++ b/config/default/rules/os/os_diagnostics_reports_disable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95456-0
+        - CCE-95607-8
      ios_18:
        - CCE-94434-8
      ios_17:
@@ -23,11 +23,15 @@ references:
    cci:
      - CCI-001199
    disa_stig:
+      ios_26:
+        - AIOS-26-013400
      ios_18:
        - AIOS-18-013400
      ios_17:
        - AIOS-17-013400
        - AIOS-17-713400
+      visionos_26:
+        - AVOS-02-013400
    sfr:
      - 'FMT_SMF_EXT.1.1 #47a'
  cis:
@@ -47,6 +51,8 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
@@ -56,6 +62,12 @@ platforms:
        - name: cis_lvl2_byod
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_diagnostics_reports_modification_disable.yaml
+++ b/config/default/rules/os/os_diagnostics_reports_modification_disable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95457-8
+        - CCE-95609-4
      ios_18:
        - CCE-94523-8
      ios_17:
@@ -21,10 +21,17 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: indigo_base
+          severity: high
+        - name: indigo_high
+          severity: high
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_disallow_enterprise_app_trust.yaml
+++ b/config/default/rules/os/os_disallow_enterprise_app_trust.yaml
@@ -5,7 +5,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95458-6
+        - CCE-95610-2
      ios_18:
        - CCE-94435-5
      ios_17:
@@ -18,6 +18,8 @@ references:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-007000
      ios_18:
        - AIOS-18-007000
      ios_17:
@@ -29,10 +31,19 @@ references:
    indigo:
      ios_17:
        - ANNEX D - (Section 5.8.5)
+      ios_26:
+        - ANNEX D - (Section 5.8.5)
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: low
+        - name: indigo_base
+          severity: low
+        - name: indigo_high
+          severity: low
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_enterprise_books_disable.yaml
+++ b/config/default/rules/os/os_enterprise_books_disable.yaml
@@ -5,7 +5,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95459-4
+        - CCE-95611-0
      ios_18:
        - CCE-94436-3
      ios_17:
@@ -17,6 +17,8 @@ references:
      - CCI-000366
      - CCI-002110
    disa_stig:
+      ios_26:
+        - AIOS-26-003700
      ios_18:
        - AIOS-18-003700
      ios_17:
@@ -28,10 +30,17 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_erase_contents_and_settings_disable.yaml
+++ b/config/default/rules/os/os_erase_contents_and_settings_disable.yaml
@@ -21,8 +21,12 @@ references:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-016000
      ios_18:
        - AIOS-18-016000
+      visionos_26:
+        - AVOS-02-016000
    sfr:
      - 'FMT_SMF.1.1 #47'
  cis:
@@ -42,6 +46,7 @@ platforms:
      benchmarks:
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: ios_stig
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_esim_delete.yaml
+++ b/config/default/rules/os/os_esim_delete.yaml
@@ -15,6 +15,8 @@ references:
    cci:
      - CCI-001033
    disa_stig:
+      ios_26:
+        - AIOS-26-015100
      ios_18:
        - AIOS-18-015100
    sfr:
@@ -23,6 +25,9 @@ platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: ios_stig
+          severity: medium
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_esim_transfers_disable.yaml
+++ b/config/default/rules/os/os_esim_transfers_disable.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95462-8
+        - CCE-95612-8
      ios_18:
        - CCE-94524-6
    800-53r5:
@@ -15,6 +15,8 @@ references:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-017900
      ios_18:
        - AIOS-18-017900
    sfr:
@@ -23,6 +25,8 @@ platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_exchange_SMIME_encryption_certificate_overwirte_disable.yaml
+++ b/config/default/rules/os/os_exchange_SMIME_encryption_certificate_overwirte_disable.yaml
@@ -7,8 +7,6 @@ discussion: |
 references:
  nist:
    cce:
-      ios_26:
-        - CCE-95463-6
      ios_18:
        - CCE-94525-3
      ios_17:
@@ -19,8 +17,6 @@ references:
        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
-    '26.0':
-      supervised: false
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_exchange_SMIME_encryption_certificate_overwrite_disable.yaml
+++ b/config/default/rules/os/os_exchange_SMIME_encryption_certificate_overwrite_disable.yaml
@@ -0,0 +1,23 @@
+id: os_exchange_SMIME_encryption_certificate_overwrite_disable
+title: Disable changing the S/MIME encryption settings.
+discussion: |
+  The iOS device needs some specific configurations for the Exchange setup to meet the minimum requirements.
+
+  The usage of S/MIME encryption _MUST_ be configured to set mail signing as the default.
+references:
+  nist:
+    cce:
+      ios_26:
+        - CCE-95619-3
+  bsi:
+    indigo:
+      ios_26:
+        - ANNEX D (Section 5.6.1 - Mail)
+platforms: {}
+tags:
+  - ios
+  - indigo_high
+mobileconfig_info:
+  - PayloadType: com.apple.mail.managed
+    PayloadContent:
+      - SMIMEEncryptionCertificateUUIDUserOverrideable: false
--- a/config/default/rules/os/os_exchange_SMIME_encryption_default_certificate_overwrite_enable.yaml
+++ b/config/default/rules/os/os_exchange_SMIME_encryption_default_certificate_overwrite_enable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95464-4
+        - CCE-95620-1
      ios_18:
        - CCE-94526-1
      ios_17:
@@ -17,9 +17,13 @@ references:
    indigo:
      ios_17:
        - ANNEX D (Section 5.6.1 - Mail)
+      ios_26:
+        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
-    '26.0': {}
+    '26.0':
+      benchmarks:
+        - name: indigo_high
    '18.0':
      benchmarks:
        - name: indigo_high
--- a/config/default/rules/os/os_exchange_SMIME_encryption_enforce.yaml
+++ b/config/default/rules/os/os_exchange_SMIME_encryption_enforce.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95465-1
+        - CCE-95621-9
      ios_18:
        - CCE-94527-9
      ios_17:
@@ -17,9 +17,13 @@ references:
    indigo:
      ios_17:
        - ANNEX D (Section 5.6.1 - Mail)
+      ios_26:
+        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
-    '26.0': {}
+    '26.0':
+      benchmarks:
+        - name: indigo_high
    '18.0':
      benchmarks:
        - name: indigo_high
--- a/config/default/rules/os/os_exchange_SMIME_encryption_per_message_disable.yaml
+++ b/config/default/rules/os/os_exchange_SMIME_encryption_per_message_disable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95466-9
+        - CCE-95623-5
      ios_18:
        - CCE-94528-7
      ios_17:
@@ -17,9 +17,14 @@ references:
    indigo:
      ios_17:
        - ANNEX D (Section 5.6.1 - Mail)
+      ios_26:
+        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
-    '26.0': {}
+    '26.0':
+      benchmarks:
+        - name: indigo_high
+          severity: medium
    '18.0':
      benchmarks:
        - name: indigo_high
--- a/config/default/rules/os/os_exchange_SMIME_signing_certificate_overwirte_disable.yaml
+++ b/config/default/rules/os/os_exchange_SMIME_signing_certificate_overwirte_disable.yaml
@@ -7,8 +7,6 @@ discussion: |
 references:
  nist:
    cce:
-      ios_26:
-        - CCE-95467-7
      ios_18:
        - CCE-94529-5
      ios_17:
@@ -19,7 +17,6 @@ references:
        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
-    '26.0': {}
    '18.0':
      benchmarks:
        - name: indigo_high
--- a/config/default/rules/os/os_exchange_SMIME_signing_certificate_overwrite_disable.yaml
+++ b/config/default/rules/os/os_exchange_SMIME_signing_certificate_overwrite_disable.yaml
@@ -0,0 +1,23 @@
+id: os_exchange_SMIME_signing_certificate_overwrite_disable
+title: Disable changing the S/MIME signing settings
+discussion: |
+  The iOS device needs some specific configurations for the Exchange setup to meet the minimum requirements.
+
+  The option for a user to overwrite the of S/MIME configuration _MUST_ prevented.
+references:
+  nist:
+    cce:
+      ios_26:
+        - CCE-95624-3
+  bsi:
+    indigo:
+      ios_26:
+        - ANNEX D (Section 5.6.1 - Mail)
+platforms: {}
+tags:
+  - ios
+  - indigo_high
+mobileconfig_info:
+  - PayloadType: com.apple.mail.managed
+    PayloadContent:
+      - SMIMESigningCertificateUUIDUserOverrideable: false
--- a/config/default/rules/os/os_exchange_SMIME_signing_enabled.yaml
+++ b/config/default/rules/os/os_exchange_SMIME_signing_enabled.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95468-5
+        - CCE-95625-0
      ios_18:
        - CCE-94530-3
      ios_17:
@@ -17,9 +17,13 @@ references:
    indigo:
      ios_17:
        - ANNEX D (Section 5.6.1 - Mail)
+      ios_26:
+        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
-    '26.0': {}
+    '26.0':
+      benchmarks:
+        - name: indigo_high
    '18.0':
      benchmarks:
        - name: indigo_high
--- a/config/default/rules/os/os_exchange_SMIME_signing_overwrite_disable.yaml
+++ b/config/default/rules/os/os_exchange_SMIME_signing_overwrite_disable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95469-3
+        - CCE-95626-8
      ios_18:
        - CCE-94531-1
      ios_17:
@@ -17,9 +17,13 @@ references:
    indigo:
      ios_17:
        - ANNEX D (Section 5.6.1 - Mail)
+      ios_26:
+        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
-    '26.0': {}
+    '26.0':
+      benchmarks:
+        - name: indigo_high
    '18.0':
      benchmarks:
        - name: indigo_high
--- a/config/default/rules/os/os_exchange_mail_recents_sync_disable.yaml
+++ b/config/default/rules/os/os_exchange_mail_recents_sync_disable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95470-1
+        - CCE-95613-6
      ios_18:
        - CCE-94532-9
      ios_17:
@@ -17,10 +17,14 @@ references:
    indigo:
      ios_17:
        - ANNEX D (Section 5.6.1 - Mail)
+      ios_26:
+        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: indigo_high
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_exchange_notes_disable.yaml
+++ b/config/default/rules/os/os_exchange_notes_disable.yaml
@@ -4,22 +4,35 @@ discussion: 'Exchange ActiveSync Notes service can be disabled for an account. N
 references:
  nist:
    cce:
+      ios_26:
+        - CCE-95614-4
      ios_18:
        - CCE-94468-6
  disa:
    cci:
      - CCI-000764
    disa_stig:
+      ios_26:
+        - AIOS-26-011300
      ios_18:
        - AIOS-18-011300
    sfr:
      - 'FMT_SMF_EXT.1.1 #47'
  bsi:
    indigo:
-      ios_18:
+      ios_26:
        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
+    '26.0':
+      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_exchange_notes_user_override_disable.yaml
+++ b/config/default/rules/os/os_exchange_notes_user_override_disable.yaml
@@ -4,22 +4,35 @@ discussion: Exchange ActiveSync Notes service can be disabled for a user. Settin
 references:
  nist:
    cce:
+      ios_26:
+        - CCE-95615-1
      ios_18:
        - CCE-94468-6
  disa:
    cci:
      - CCI-000764
    disa_stig:
+      ios_26:
+        - AIOS-26-011300
      ios_18:
        - AIOS-18-011300
    sfr:
      - 'FMT_SMF_EXT.1.1 #47'
  bsi:
    indigo:
-      ios_18:
+      ios_26:
        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
+    '26.0':
+      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_exchange_peraccountVPN.yaml
+++ b/config/default/rules/os/os_exchange_peraccountVPN.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95471-9
+        - CCE-95616-9
      ios_18:
        - CCE-94533-7
      ios_17:
@@ -17,10 +17,15 @@ references:
    indigo:
      ios_17:
        - ANNEX D (Section 5.6.1 - Mail)
+      ios_26:
+        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: indigo_base
+        - name: indigo_high
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_exchange_prevent_move_enforce.yaml
+++ b/config/default/rules/os/os_exchange_prevent_move_enforce.yaml
@@ -7,8 +7,6 @@ discussion: |
 references:
  nist:
    cce:
-      ios_26:
-        - CCE-95472-7
      ios_18:
        - CCE-94534-5
      ios_17:
@@ -19,8 +17,6 @@ references:
        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
-    '26.0':
-      supervised: false
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_exchange_reminders_disable.yaml
+++ b/config/default/rules/os/os_exchange_reminders_disable.yaml
@@ -4,22 +4,35 @@ discussion: 'Exchange ActiveSync system can disable the Reminders service for an
 references:
  nist:
    cce:
+      ios_26:
+        - CCE-95617-7
      ios_18:
        - CCE-94468-6
  disa:
    cci:
      - CCI-000764
    disa_stig:
+      ios_26:
+        - AIOS-26-011300
      ios_18:
        - AIOS-18-011300
    sfr:
      - 'FMT_SMF_EXT.1.1 #47'
  bsi:
    indigo:
-      ios_18:
+      ios_26:
        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
+    '26.0':
+      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_exchange_reminders_user_override_disable.yaml
+++ b/config/default/rules/os/os_exchange_reminders_user_override_disable.yaml
@@ -4,22 +4,35 @@ discussion: Exchange ActiveSync system can disable the Reminders service for an
 references:
  nist:
    cce:
+      ios_26:
+        - CCE-95618-5
      ios_18:
        - CCE-94468-6
  disa:
    cci:
      - CCI-000764
    disa_stig:
+      ios_26:
+        - AIOS-26-011300
      ios_18:
        - AIOS-18-011300
    sfr:
      - 'FMT_SMF_EXT.1.1 #47'
  bsi:
    indigo:
-      ios_18:
+      ios_26:
        - ANNEX D (Section 5.6.1 - Mail)
 platforms:
  iOS:
+    '26.0':
+      supervised: false
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_external_intelligence_integration_disable.yaml
+++ b/config/default/rules/os/os_external_intelligence_integration_disable.yaml
@@ -19,14 +19,29 @@ references:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-015400
      ios_18:
        - AIOS-18-015400
+      visionos_26:
+        - AVOS-02-015400
    sfr:
      - 'FMT_MOF_EXT.1.2 #47'
+  bsi:
+    indigo:
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_external_intelligence_integration_sign_in_disable.yaml
+++ b/config/default/rules/os/os_external_intelligence_integration_sign_in_disable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95474-3
+        - CCE-95627-6
      ios_18:
        - CCE-94518-8
      visionos_26:
@@ -21,10 +21,18 @@ references:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-015400
      ios_18:
        - AIOS-18-015400
+      visionos_26:
+        - AVOS-02-015400
    sfr:
      - 'FMT_MOF_EXT.1.2 #47'
+  bsi:
+    indigo:
+      ios_26:
+        - ANNEX K
  cis:
    benchmark:
      ios_26:
@@ -39,6 +47,12 @@ platforms:
        - name: cis_lvl2_byod
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_external_storage_access_defined.yaml
+++ b/config/default/rules/os/os_external_storage_access_defined.yaml
@@ -3,7 +3,7 @@ title: Access to External Storage Must Be Defined
 discussion: |-
  Access to external storage _MUST_ be managed.

-  NOTE: Apple's built in method using declative device management method only allows you to set external storage manament to Allowed, ReadOnly, and Disallowed.
+  NOTE: Apple's built in method using declarative device management method only allows you to set external storage management to Allowed, ReadOnly, and Disallowed.
 references:
  nist:
    cce:
@@ -40,6 +40,7 @@ odv:
        - ReadOnly
        - Disallowed
  recommended: Allowed
+  nlmapgov_plus: ReadOnly
 tags:
  - cmmc_lvl2
  - 800-53r5_low
@@ -48,6 +49,7 @@ tags:
  - cnssi-1253_moderate
  - cnssi-1253_low
  - cnssi-1253_high
+  - nlmapgov_plus
 ddm_info:
  declarationtype: com.apple.configuration.diskmanagement.settings
  ddm_key: ExternalStorage
--- a/config/default/rules/os/os_facetime_disable.yaml
+++ b/config/default/rules/os/os_facetime_disable.yaml
@@ -4,6 +4,9 @@ discussion: |
  FaceTime _MUST_ be disabled.
 references:
  nist:
+    cce:
+      ios_26:
+        - CCE-95627-6
    800-53r5:
      - CM-6
      - CM-7
@@ -11,12 +14,19 @@ references:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-017800
      ios_18:
        - AIOS-18-017800
    sfr:
      - 'FMT_MOF_EXT.1.2 #47'
 platforms:
  iOS:
+    '26.0':
+      supervised: true
+      benchmarks:
+        - name: ios_stig
+          severity: high
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_files_network_drive_access_disable.yaml
+++ b/config/default/rules/os/os_files_network_drive_access_disable.yaml
@@ -6,13 +6,13 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95475-0
+        - CCE-95629-2
      ios_18:
        - CCE-94438-9
      ios_17:
        - CCE-93423-2
      visionos_26:
-        - CCE-95575-7
+        - CCE-96709-1
    800-53r5:
      - AC-20(2)
  disa:
@@ -21,10 +21,14 @@ references:
      - CCI-000097
      - CCI-000370
    disa_stig:
+      ios_26:
+        - AIOS-26-014300
      ios_18:
        - AIOS-18-014300
      ios_17:
        - AIOS-17-014300
+      visionos_26:
+        - AVOS-02-014300
    sfr:
      - 'FMT_SMF_EXT.1.1 #47'
  cis:
@@ -41,12 +45,20 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: true
      benchmarks:
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_files_usb_drive_access_disable.yaml
+++ b/config/default/rules/os/os_files_usb_drive_access_disable.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95476-8
+        - CCE-95630-0
      ios_18:
        - CCE-94439-7
      ios_17:
@@ -19,6 +19,8 @@ references:
      - CCI-000097
      - CCI-000370
    disa_stig:
+      ios_26:
+        - AIOS-26-013300
      ios_18:
        - AIOS-18-013300
      ios_17:
@@ -39,12 +41,20 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: true
      benchmarks:
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_find_my_friends_disable.yaml
+++ b/config/default/rules/os/os_find_my_friends_disable.yaml
@@ -8,7 +8,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95477-6
+        - CCE-95631-8
      ios_18:
        - CCE-94440-5
      ios_17:
@@ -23,6 +23,8 @@ references:
      - CCI-000097
      - CCI-000370
    disa_stig:
+      ios_26:
+        - AIOS-26-013100
      ios_18:
        - AIOS-18-013100
      ios_17:
@@ -33,10 +35,17 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
      supervised: true
+      benchmarks:
+        - name: ios_stig
+          severity: low
+        - name: indigo_high
+          severity: low
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_firmware_password_require.yaml
+++ b/config/default/rules/os/os_firmware_password_require.yaml
@@ -34,8 +34,6 @@ references:
    srg:
      - SRG-OS-000480-GPOS-00227
    disa_stig:
-      macos_26:
-        - APPL-26-003013
      macos_15:
        - APPL-15-003013
      macos_14:
@@ -46,9 +44,9 @@ references:
 platforms:
  macOS:
    '26.0':
-      benchmarks:
-        - name: disa_stig
-          severity: medium
+      enforcement_info:
+        fix:
+          additional_info: 'NOTE: See discussion on how to enable firmware password.'
    '15.0':
      benchmarks:
        - name: disa_stig
--- a/config/default/rules/os/os_force_date_and_time_enable.yaml
+++ b/config/default/rules/os/os_force_date_and_time_enable.yaml
@@ -33,6 +33,8 @@ references:
    indigo:
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
@@ -42,6 +44,8 @@ platforms:
        - name: cis_lvl2_byod
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: indigo_base
+        - name: indigo_high
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_force_encrypted_backups_enable.yaml
+++ b/config/default/rules/os/os_force_encrypted_backups_enable.yaml
@@ -6,7 +6,7 @@ references:
  nist:
    cce:
      ios_26:
-        - CCE-95479-2
+        - CCE-95658-1
      ios_18:
        - CCE-94442-1
      ios_17:
@@ -22,6 +22,8 @@ references:
      - CCI-000370
      - CCI-000381
    disa_stig:
+      ios_26:
+        - AIOS-26-010700
      ios_18:
        - AIOS-18-010700
      ios_17:
@@ -47,6 +49,9 @@ references:
      ios_17:
        - ANNEX D (Section 5.3 - Description of security/key management)
        - ANNEX K
+      ios_26:
+        - ANNEX D (Section 5.3 - Description of security/key management)
+        - ANNEX K
 platforms:
  iOS:
    '26.0':
@@ -56,6 +61,12 @@ platforms:
        - name: cis_lvl2_byod
        - name: cis_lvl1_enterprise
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: medium
+        - name: indigo_base
+          severity: medium
+        - name: indigo_high
+          severity: medium
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_gatekeeper_enable.yaml
+++ b/config/default/rules/os/os_gatekeeper_enable.yaml
@@ -106,6 +106,8 @@ tags:
  - cmmc_lvl2
  - cmmc_lvl1
  - cnssi-1253_moderate
+  - nlmapgov_base
+  - nlmapgov_plus
 mobileconfig_info:
  - PayloadType: com.apple.systempolicy.control
    PayloadContent:
--- a/config/default/rules/os/os_genmoji_disable.yaml
+++ b/config/default/rules/os/os_genmoji_disable.yaml
@@ -31,8 +31,12 @@ references:
        - APPL-26-005140
      macos_15:
        - APPL-15-005140
+      ios_26:
+        - AIOS-26-017400
      ios_18:
        - AIOS-18-017400
+      visionos_26:
+        - AVOS-02-017400
    cmmc:
      - CM.L2-3.4.6
      - CM.L2-3.4.7
@@ -57,6 +61,8 @@ platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_handoff_disable.yaml
+++ b/config/default/rules/os/os_handoff_disable.yaml
@@ -14,7 +14,7 @@ references:
      macos_14:
        - CCE-92799-6
      ios_26:
-        - CCE-95481-8
+        - CCE-95659-9
      ios_18:
        - CCE-94443-9
      ios_17:
@@ -46,10 +46,14 @@ references:
        - APPL-15-005058
      macos_14:
        - APPL-14-005058
+      ios_26:
+        - AIOS-26-010800
      ios_18:
        - AIOS-18-010800
      ios_17:
        - AIOS-17-010800
+      visionos_26:
+        - AVOS-02-010800
    cmmc:
      - AC.L1-3.1.1
      - AC.L1-3.1.20
@@ -75,6 +79,8 @@ references:
        - ANNEX K
      ios_17:
        - ANNEX K
+      ios_26:
+        - ANNEX K
 platforms:
  macOS:
    '26.0':
@@ -105,6 +111,12 @@ platforms:
      benchmarks:
        - name: cis_lvl2_byod
        - name: cis_lvl2_enterprise
+        - name: ios_stig
+          severity: low
+        - name: indigo_base
+          severity: low
+        - name: indigo_high
+          severity: low
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_hide_apps_disable.yaml
+++ b/config/default/rules/os/os_hide_apps_disable.yaml
@@ -0,0 +1,29 @@
+id: os_hide_apps_disable
+title: Disable Ability to Hide Apps
+discussion: |
+  Hidden apps cannot be seen by enterprise management applications (e.g., MDM server), and therefore, unauthorized apps or apps with embedded malware could be installed and hidden from the MDM or mobile threat detection (MTD) apps. Hidden apps may lead to the compromise of sensitive data.
+references:
+  nist:
+    cce:
+      ios_26:
+        - CCE-95660-7
+    800-53r5:
+      - CM-7
+      - CM-7(1)
+      - SC-07(10)
+  disa:
+    cci:
+      - CCI-000366
+    disa_stig:
+      ios_26:
+        - AIOS-26-015600
+    sfr:
+      - 'FMT_SMF.1.1 #47'
+platforms: {}
+tags:
+  - ios
+  - ios_stig
+mobileconfig_info:
+  - PayloadType: com.apple.applicationaccess
+    PayloadContent:
+      - allowAppsToBeHidden: false
--- a/config/default/rules/os/os_home_folders_secure.yaml
+++ b/config/default/rules/os/os_home_folders_secure.yaml
@@ -87,3 +87,4 @@ tags:
  - cmmc_lvl2
  - cmmc_lvl1
  - cnssi-1253_moderate
+  - nlmapgov_plus
--- a/config/default/rules/os/os_httpd_disable.yaml
+++ b/config/default/rules/os/os_httpd_disable.yaml
@@ -109,3 +109,4 @@ tags:
  - cmmc_lvl2
  - cmmc_lvl1
  - cnssi-1253_moderate
+  - nlmapgov_plus
--- a/config/default/rules/os/os_ibeacon_airprint_disable.yaml
+++ b/config/default/rules/os/os_ibeacon_airprint_disable.yaml
@@ -4,18 +4,27 @@ discussion: |
  iBeacon discovery _MUST_ be disabled to prevent AirPrint Bluebooth beacons from being potentially exploited for network phishing.
 references:
  nist:
+    cce:
+      ios_26:
+        - CCE-95661-5
    800-53r5:
      - CM-6
  disa:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-016700
      ios_18:
        - AIOS-18-016700
    sfr:
      - 'FMT_MOF_EXT.1.2 #47'
 platforms:
  iOS:
+    '26.0':
+      supervised: true
+      benchmarks:
+        - name: ios_stig
    '18.0':
      supervised: true
      benchmarks:
--- a/config/default/rules/os/os_image_playground_disable.yaml
+++ b/config/default/rules/os/os_image_playground_disable.yaml
@@ -26,8 +26,12 @@ references:
    disa_stig:
      macos_26:
        - APPL-26-005150
+      ios_26:
+        - AIOS-26-017300
      ios_18:
        - AIOS-18-017300
+      visionos_26:
+        - AVOS-02-017300
    cmmc:
      - CM.L2-3.4.6
      - CM.L2-3.4.7
@@ -49,6 +53,8 @@ platforms:
  iOS:
    '26.0':
      supervised: false
+      benchmarks:
+        - name: ios_stig
    '18.0':
      supervised: false
      benchmarks:
--- a/config/default/rules/os/os_image_wand_disable.yaml
+++ b/config/default/rules/os/os_image_wand_disable.yaml
@@ -16,13 +16,22 @@ references:
    cci:
      - CCI-000366
    disa_stig:
+      ios_26:
+        - AIOS-26-017200
      ios_18:
        - AIOS-18-017200
    sfr:
      - 'FMT_MOF_EXT.1.2 #47'
+  bsi:
+    indigo:
+      ios_26:
+        - ANNEX K
 platforms:
  iOS:
-    '26.0': {}
+    '26.0':
+      benchmarks:
+        - name: ios_stig
+        - name: indigo_high
    '18.0':
      benchmarks:
        - name: ios_stig
--- a/Show More
+++ b/Show More