A Snapshot of CIS’s Work to Strengthen macOS Security

Every day, the Center for Internet Security (CIS) facilitates the development of hardening guidelines that teams can use to secure their organization’s systems. These CIS Benchmarks wouldn’t be possible without the participation of volunteer subject matter experts around the world. The same goes for the technology vendors themselves.

In this blog, we’ll review what we’ve accomplished in partnership with Apple.

Three Updated CIS Apple macOS Benchmarks

In a recent CIS Benchmarks Update, we announced the release of the following three CIS Apple macOS Benchmarks:

  • CIS Apple macOS 10.15 Catalina Benchmark v2.1.0
  • CIS Apple macOS 11.0 Big Sur Benchmark v2.1.0
  • CIS Apple macOS 12.0 Monterey Benchmark v1.1.0

The Apple macOS Benchmarks have received significant improvements over the past two years. Specifically, the CIS Community, including Apple, modified the three CIS Apple macOS Benchmarks in the following ways:

  • Added Mobile Configuration Profiles for every applicable recommendation.
  • Reformatted the audit and remediation sections to denote the three methodologies used for the Benchmark: Graphical, Command Line, and Profile. (Apple has noted that configuration profiles are their preferred method of configuration.)
  • Added new recommendations (or fleshed out previous ones), removed deprecated recommendations, and moved recommendations to a more appropriate section/sub-section based on the changes made to the macOS operating system.
  • Designed the Benchmarks to give proper guidance to Macs using both Intel and Apple Silicon processors as Apple makes that transition.
  • Created the first CIS Build Kits for macOS that allow the user to use Mobile Configuration Profiles to configure their machine for every recommendation that can be configured with a profile.

According to Mia LaVada, Product Owner of CIS Benchmarks and Cloud, these changes trace back to an important purpose.

"Just like all of the CIS Benchmarks Communities, the strength of CIS Apple macOS Benchmarks derives from the strength of the expertise of the community members and helps Apple users improve the security of their operating systems," she explained.

Users can download PDF versions of these CIS Benchmarks to protect their on-premises systems. If they're looking to secure cloud-based resources, they can launch our CIS Hardened Images. These virtual machine (VM) images are pre-configured to the security recommendations of the CIS Benchmarks.

Currently, we have CIS Hardened Images available for Apple macOS 10.15, 11.0, and 12.0 in the AWS Marketplace. Here's a full list of our CIS Hardened Images.

Collaboration in the macOS Security Compliance Project

In addition to developing the three CIS Apple macOS Benchmarks mentioned above, CIS worked to incorporate the CIS macOS Benchmarks and CIS Critical Security Controls (CIS Controls) v8 settings into the macOS Security Compliance Project.

The macOS Security Compliance Project (mSCP) is a joint open-source effort between multiple government agencies such as NIST, NASA, and Los Alamos National Laboratory as well as industry leaders such as Jamf and CIS. The project provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS system security in an automated way.

Implementers can use this project to create customized security baselines of technical security controls from a library of rules. Each rule is mapped to the compliance requirements in existing security guides, or can be used to develop customized guidance. Because every rule is mapped back to the guides and policies it satisfies, a single rule can support multiple security guides and regulated-industry policies, and its documentation and QA can be managed once through a single effort. This unification and standardization simplifies and radically accelerates the work of updating security guidance each year.

The project also aims to normalize and accelerate annual adoption of new operating systems and hardware by making guidance available on release. Collaborating with different agencies and groups reduces the worldwide effort of creating annual guidance by unifying and consolidating compliance efforts into a single project, and it creates a unified approach to setting controls. Overall, this gives Apple and other vendors insight into their customers' hardening needs.

The project currently supports the CIS Benchmarks and the CIS Controls v8 along with NIST 800-53, NIST 800-171, DISA STIGs, and CNSSI 1253.
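To make two ideas from this page concrete (the Profile methodology and CIS Build Kits described in the Benchmark changes above, and the mSCP rule-library approach in which one rule is mapped back to several guides), here is an added example. It is my own illustration, not mSCP's code, a CIS Build Kit, or any CIS Benchmark content. A small constructed rule library gives each rule one configuration-profile payload plus the guides it maps to; build_baseline selects rules by guide tag and emits one .mobileconfig, and audit checks an exported profile against the same rules, so a single rule serves both generation and assessment. The rule ids, tags, reverse-DNS identifiers and thresholds are assumptions. The com.apple.screensaver and com.apple.security.firewall payload types and their keys are as I recall them from Apple's profile documentation; verify them against the current reference before deploying anything built this way.

```python
import plistlib
import uuid

# Constructed rule library in the spirit of mSCP (illustrative only; these are
# not mSCP's rules, and the tags and ids are hypothetical). Each rule carries
# the settings a configuration profile would push, the Apple payload type that
# receives them, and the guides ("tags") the rule maps back to.
RULES = {
    "screensaver_idle_time": {
        "tags": ["cis_lvl1", "800-53r5"],
        "payload_type": "com.apple.screensaver",
        "settings": {"idleTime": 1200},  # seconds; profile pushes 20 minutes
        # Audit accepts any positive value at or below the threshold;
        # 0 means "never", which must fail.
        "check": {"idleTime": lambda v: isinstance(v, int) and 0 < v <= 1200},
    },
    "screensaver_password": {
        "tags": ["cis_lvl1", "800-53r5"],
        "payload_type": "com.apple.screensaver",
        "settings": {"askForPassword": True, "askForPasswordDelay": 0},
    },
    "firewall_enable": {
        "tags": ["cis_lvl1"],
        "payload_type": "com.apple.security.firewall",
        "settings": {"EnableFirewall": True},
    },
}


def _payload(ptype, identifier, extra):
    """Build one payload dictionary with the keys every payload must carry."""
    payload = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)),
        "PayloadDisplayName": ptype,
    }
    payload.update(extra)
    return payload


def build_baseline(tag):
    """Select every rule tagged `tag` and merge them into one profile.

    Rules sharing a payload type (both screen-saver rules) are merged into a
    single payload, as a real profile would carry them."""
    merged = {}
    for rule in (r for _, r in sorted(RULES.items()) if tag in r["tags"]):
        merged.setdefault(rule["payload_type"], {}).update(rule["settings"])
    base = f"org.example.baseline.{tag}"  # hypothetical reverse-DNS prefix
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": base,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, base)),
        "PayloadDisplayName": f"Baseline {tag}",
        "PayloadContent": [
            _payload(ptype, f"{base}.{ptype}", settings)
            for ptype, settings in sorted(merged.items())
        ],
    }


def write_mobileconfig(profile):
    """Serialize a profile to XML plist bytes, the body of a .mobileconfig."""
    return plistlib.dumps(profile)


def audit(profile_bytes, tag):
    """Return the ids of rules tagged `tag` that `profile_bytes` fails to meet.

    An empty list means the profile satisfies every selected rule. The input
    is the same plist shape a profile has when built or exported."""
    applied = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        settings = {k: v for k, v in payload.items() if not k.startswith("Payload")}
        applied.setdefault(payload["PayloadType"], {}).update(settings)
    failing = []
    for rule_id, rule in sorted(RULES.items()):
        if tag not in rule["tags"]:
            continue
        actual = applied.get(rule["payload_type"], {})
        for key, expected in rule["settings"].items():
            predicate = rule.get("check", {}).get(key, lambda v, e=expected: v == e)
            if key not in actual or not predicate(actual[key]):
                failing.append(rule_id)
                break
    return failing


# Constructed "before" profile: the screen saver never activates, does not ask
# for a password, and no firewall payload is present at all.
WEAK_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "org.example.weak",
    "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, "org.example.weak")),
    "PayloadContent": [
        _payload("com.apple.screensaver", "org.example.weak.screensaver",
                 {"idleTime": 0, "askForPassword": False}),
    ],
})

if __name__ == "__main__":
    print(write_mobileconfig(build_baseline("cis_lvl1")).decode())
    print("weak profile fails:", audit(WEAK_PROFILE, "cis_lvl1"))
```

The XML that write_mobileconfig produces is what a .mobileconfig file contains; on current macOS a system-scope profile like this one is delivered through MDM rather than installed by hand. Because the rules tagged "800-53r5" are a subset of those tagged "cis_lvl1", the same two screen-saver rules back both baselines without being written twice, which is the point of mapping rules to guides instead of writing one guide at a time.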

Our Work on Apple Continues!

Looking ahead, we have some exciting projects planned for Apple systems. We’re particularly looking forward to releasing a CIS Apple macOS 13 Benchmark by the end of 2022. This CIS Benchmark will support teams to secure their organization’s Mac devices as they upgrade to macOS 13 Ventura.

In the meantime, we invite you to use our existing CIS Apple macOS Benchmarks.