From 703a421fd9c7b81a796026ac3bd02c530361cce0 Mon Sep 17 00:00:00 2001
From: Bob Gendler <robert.gendler@nist.gov>
Date: Mon, 25 Mar 2024 11:39:24 -0400
Subject: [PATCH 1/2] refactor[rules] touchid and unlock with watch

Changed 800-53 reference to IA-5
Added note about 800-63
---
 .../system_settings_apple_watch_unlock_disable.yaml         | 6 ++++--
 .../system_settings_touchid_unlock_disable.yaml             | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
index e9a856a6..7928b895 100644
--- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
+++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
@@ -4,6 +4,8 @@ discussion: |
   Apple Watches are not an approved authenticator and their use _MUST_ be disabled.
 
   Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
+
+  Unlocking the system with an Apple Watch is not an approved authenticator for US Federal Government usage as it has not been verified to meet the strength requirements outlined in NIST SP 800-63.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
@@ -19,9 +21,9 @@ references:
   cci:
     - CCI-000056
   800-53r5:
-    - AC-11
+    - IA-5
   800-53r4:
-    - AC-11
+    - IA-5
   srg:
     - SRG-OS-000028-GPOS-00009
   disa_stig:
diff --git a/rules/system_settings/system_settings_touchid_unlock_disable.yaml b/rules/system_settings/system_settings_touchid_unlock_disable.yaml
index 448caced..e3ef45e5 100644
--- a/rules/system_settings/system_settings_touchid_unlock_disable.yaml
+++ b/rules/system_settings/system_settings_touchid_unlock_disable.yaml
@@ -6,6 +6,8 @@ discussion: |
   TouchID _MUST_ be disabled for "Unlocking your Mac" on all macOS devices that are capable of using Touch ID.
 
   The system _MUST_ remain locked until the user establishes access using an authorized identification and authentication method.
+
+  TouchID is not an approved biometric authenticator for US Federal Government usage as it has not been verified to meet the strength requirements outlined in NIST SP 800-63.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
@@ -21,9 +23,9 @@ references:
   cci:
     - CCI-000056
   800-53r5:
-    - AC-11
+    - IA-5
   800-53r4:
-    - AC-11
+    - IA-5
   srg:
     - SRG-OS-000028-GPOS-00009
   disa_stig:

From bd5afc10c9d8c57c1e30b28d644e03c145e8fb70 Mon Sep 17 00:00:00 2001
From: Bob Gendler <robert.gendler@nist.gov>
Date: Tue, 2 Apr 2024 09:44:58 -0400
Subject: [PATCH 2/2] Added NOTE:

---
 .../system_settings_apple_watch_unlock_disable.yaml             | 2 +-
 .../system_settings/system_settings_touchid_unlock_disable.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
index 7928b895..0cfbe032 100644
--- a/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
+++ b/rules/system_settings/system_settings_apple_watch_unlock_disable.yaml
@@ -5,7 +5,7 @@ discussion: |
 
   Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
 
-  Unlocking the system with an Apple Watch is not an approved authenticator for US Federal Government usage as it has not been verified to meet the strength requirements outlined in NIST SP 800-63.
+  NOTE: Unlocking the system with an Apple Watch is not an approved authenticator for US Federal Government usage as it has not been verified to meet the strength requirements outlined in NIST SP 800-63.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\
diff --git a/rules/system_settings/system_settings_touchid_unlock_disable.yaml b/rules/system_settings/system_settings_touchid_unlock_disable.yaml
index e3ef45e5..9cda7a32 100644
--- a/rules/system_settings/system_settings_touchid_unlock_disable.yaml
+++ b/rules/system_settings/system_settings_touchid_unlock_disable.yaml
@@ -7,7 +7,7 @@ discussion: |
 
   The system _MUST_ remain locked until the user establishes access using an authorized identification and authentication method.
 
-  TouchID is not an approved biometric authenticator for US Federal Government usage as it has not been verified to meet the strength requirements outlined in NIST SP 800-63.
+  NOTE: TouchID is not an approved biometric authenticator for US Federal Government usage as it has not been verified to meet the strength requirements outlined in NIST SP 800-63.
 check: |
   /usr/bin/osascript -l JavaScript << EOS
   $.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\