firmware password requirement not applicable to Apple silicon according to STIG #171

New Issue

michael · 2026-01-19T18:29:29Z

michael commented

2026-01-19 18:29:29 +00:00

Originally created by @bernstei on GitHub.

Is there any way to automatically handle the fact that the firmware password does not exist for Apple silicon, and the STIG (not sure about other security guidelines), at least as of macOS 12, says that rule is not applicable?

2b025e09a2/rules/os/os_firmware_password_require.yaml (L1)

Originally created by @bernstei on GitHub. Is there any way to automatically handle the fact that the firmware password does not exist for Apple silicon, and the STIG (not sure about other security guidelines), at least as of macOS 12, says that rule is not applicable? https://github.com/usnistgov/macos_security/blob/2b025e09a2e2458602fdee001bc9122decef4a0c/rules/os/os_firmware_password_require.yaml#L1

michael closed this issue

2026-01-19 18:29:29 +00:00

michael commented

2026-01-19 18:29:29 +00:00

@robertgendler commented on GitHub:

10705d9597/rules/os/os_firmware_password_require.yaml (L49)

Somehow it got dumped along the way. Here it is on main with i386

@robertgendler commented on GitHub: https://github.com/usnistgov/macos_security/blob/10705d95975fedf195d73ca1f0200ecc1b5c6158/rules/os/os_firmware_password_require.yaml#L49 Somehow it got dumped along the way. Here it is on main with `i386`

michael commented

2026-01-19 18:29:29 +00:00

@robertgendler commented on GitHub:

Also it appears to be on the dev_ventura_stig branch. I'm going to close this out. But I'll make sure it shows up when we merge it all together.

@robertgendler commented on GitHub: Also it appears to be on the `dev_ventura_stig` branch. I'm going to close this out. But I'll make sure it shows up when we merge it all together.

michael commented

2026-01-19 18:29:29 +00:00

@bernstei commented on GitHub:

You're right, but I noticed this on much later versions too. Big Sur and/or Monterey, e.g., I'm pretty sure.

@bernstei commented on GitHub: You're right, but I noticed this on much later versions too. Big Sur and/or Monterey, e.g., I'm pretty sure.

michael commented

2026-01-19 18:29:29 +00:00

@robertgendler commented on GitHub:

OH! I just realized you're on the Catalina branch.

2 things, Catalina doesn't support Apple Silicon devices. And Catalina is EOL so no updates will be made to it.

@robertgendler commented on GitHub: OH! I just realized you're on the `Catalina` branch. 2 things, Catalina doesn't support Apple Silicon devices. And Catalina is EOL so no updates will be made to it.

michael commented

2026-01-19 18:29:29 +00:00

@robertgendler commented on GitHub:

Weird. I swear that used to have an i386 tag. Anyway that would do the trick. It'll skip checking and remediating on Apple Silicon once we add that

@robertgendler commented on GitHub: Weird. I swear that used to have an `i386` tag. Anyway that would do the trick. It'll skip checking and remediating on Apple Silicon once we add that

michael commented

2026-01-19 18:29:29 +00:00

@bernstei commented on GitHub:

It's working now - weird.

@bernstei commented on GitHub: It's working now - weird.

michael commented

2026-01-19 18:29:29 +00:00

@bernstei commented on GitHub:

Hmm - the i386 tag is there on Big Sur and Monterey, but I'm sure I've gotten this showing up as a rule failure on M1 macs, because I had to track it down and disable it. Let me see what's going on. I'll reopen if needed.

@bernstei commented on GitHub: Hmm - the `i386` tag is there on Big Sur and Monterey, but I'm sure I've gotten this showing up as a rule failure on M1 macs, because I had to track it down and disable it. Let me see what's going on. I'll reopen if needed.

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: usnistgov/macos_security#171