macOS Security Compliance

Apple macOS 26.0

Supported platforms: macOS, iOS/iPadOS, and visionOS.

The macOS Security Compliance Project (mSCP) is an open-source project that helps organizations secure their Apple devices. You choose the security rules to enforce, and mSCP generates everything you need:

  • Configuration profiles to apply the rules
  • Declarative Device Management (DDM) assets for device management solutions that support declarative delivery
  • Documentation to explain the setup
  • Compliance scripts to verify and enforce rules that profiles cannot

Beyond the built-in frameworks, organizations can build customized baselines to meet their specific cybersecurity needs. Vendors can also use mSCP as a source to build manifests, datapoints, and other compliance content for their products.

The security rules are derived from NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5. mSCP is a joint project of federal IT security staff from the National Institute of Standards and Technology (NIST), the National Aeronautics and Space Administration (NASA), the Defense Information Systems Agency (DISA), and Los Alamos National Laboratory (LANL), along with a community of contributors who test the project and provide feedback to keep it on the cutting edge of Apple platform security.

mSCP is the technical implementation of NIST SP 800-219 (Rev. 2), Automated Secure Configuration Guidance from the macOS Security Compliance Project — the official NIST guidance for automated secure configuration of macOS. Apple also acknowledges the project on its Platform Certifications page.

To learn more, visit the project website. If you would like to contribute, see the contributor guidance.

Supported Frameworks

  • NIST SP 800-53: macOS, iOS & iPadOS, visionOS
  • NIST SP 800-171r3: macOS, iOS & iPadOS, visionOS
  • NIST SP 800-171r2 (CMMC): macOS, iOS & iPadOS, visionOS
  • CIS Benchmarks (Level 1 & 2): macOS, iOS & iPadOS, visionOS
  • CIS Controls (v8): macOS, iOS & iPadOS, visionOS
  • CNSSI 1253: macOS, iOS & iPadOS, visionOS
  • DISA STIG: macOS, iOS & iPadOS, visionOS
  • BSI Indigo: iOS & iPadOS, visionOS
  • NLMAPGOV (Base and Plus): macOS, iOS & iPadOS
  • HICP — Health Industry Cybersecurity Practices (Large Organizations): macOS

Don't see your framework listed? Reach out through the contributor guidance or the project website to find out how we can get it included.

Usage

Civilian agencies are to use the National Checklist Program as required by NIST 800-70.

Note

Part 39 of the Federal Acquisition Regulations, section 39.101 paragraph (c) states, “In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology's website at https://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.”

Authors

Name | Organization
Bob Gendler | NIST
Allen Golbig | Jamf
Dan Brodjieski | NASA
John Mahlman IV | Leidos
Aaron Kegerreis | DISA
Cody Keats | Coursera
Henry Stamerjohann | Declarative IT GmbH
Marco A Piñeyro II | State Department
Jason Blake | NIST
Blair Heiserman | NIST
Joshua Glemza | NASA
Elyse Anderson | NASA
Gary Gapinski | NASA

Changelog

Refer to the CHANGELOG for a complete list of changes.

NIST Disclaimer

Any identification of commercial or open-source software in this document is done so purely in order to specify the methodology adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the software identified are necessarily the best available for the purpose.
