DISA STIGs for Apple Platforms

DISA STIGs (Defense Information Systems Agency Security Technical Implementation Guides) are the U.S. Department of Defense standard for securing information systems. If your organization handles DoD data, operates on DoD networks, or supports government contracts that reference NIST 800-171 or FedRAMP, you will likely need to implement STIGs on your Mac and iOS fleet. Even outside of government, STIGs represent a rigorous hardening standard that any security-conscious organization can adopt.

What Are STIGs?

STIGs are configuration standards published by DISA (part of the DoD) that define how operating systems, applications, and network devices must be configured to meet Department of Defense security requirements. Each STIG contains individual “rules” (also called “findings” or “checks”) that specify a required configuration, a method to verify it, and a remediation procedure.

STIGs are updated regularly – typically with each major OS release and periodically throughout the year as new vulnerabilities and requirements emerge.

Where to Find Apple STIGs

All STIGs are publicly available at no cost:

• DISA STIG Library: public.cyber.mil/stigs/
• Search for “Apple macOS” or “Apple iOS” to find the current platform STIGs
• Download the STIG ZIP file, which contains the XCCDF (machine-readable) and viewer-ready content

STIG Severity Categories

Every STIG rule is assigned a Category (CAT) rating that indicates the severity of non-compliance:

Tip: Prioritize CAT I findings first – these represent the highest risk. In DoD environments, any open CAT I finding can block a system’s Authorization to Operate (ATO).

macOS STIG Overview

The Apple macOS STIG covers the following key areas:

Password and Authentication Policy

• Minimum password length (15 characters)
• Password complexity requirements (uppercase, lowercase, numeric, special character)
• Account lockout after failed attempts
• Session lock after inactivity (screensaver timeout of 15 minutes or less)
• Smart Card authentication enforcement (CAC/PIV for DoD networks)

# Check password policy settings
pwpolicy -getaccountpolicies 2>/dev/null

# Check screen lock timeout
sysadminctl -screenLock status 2>&1

Audit Configuration

• OpenBSM auditing must be enabled and configured
• Audit logs must capture authentication events, privilege escalation, file access, and administrative actions
• Audit log retention must meet minimum requirements
• Audit logs must be stored on a separate partition or forwarded to a SIEM

# Verify auditing is running
sudo launchctl list com.apple.auditd

# Check audit control configuration
sudo cat /etc/security/audit_control

System Integrity and Security Features

• System Integrity Protection (SIP) must be enabled
• Gatekeeper must be enabled and enforcing
• FileVault full-disk encryption must be active
• Signed System Volume (SSV) must not be tampered with
• Firmware password (Intel) or Activation Lock (Apple Silicon) must be configured

# Verify SIP
csrutil status

# Verify Gatekeeper
spctl --status

# Verify FileVault
fdesetup status

Network Configuration

• macOS firewall must be enabled
• Bluetooth must be disabled when not required
• Internet Sharing must be disabled
• AirDrop must be restricted
• Remote access services (SSH, Screen Sharing, ARD) must be disabled unless explicitly required and documented

Software and Update Policy

• Only authorized software may be installed (Gatekeeper enforcement)
• macOS must be kept at a supported version with current security patches
• Automatic update checks must be enabled

iOS/iPadOS STIG Overview

The Apple iOS/iPadOS STIG focuses on mobile device management requirements:

MDM Requirements

• All iOS devices must be enrolled in an approved MDM solution
• MDM must be able to enforce all STIG-required settings remotely
• MDM must support remote lock and remote wipe

Passcode and Authentication

• Minimum 6-digit alphanumeric passcode (DoD standard)
• Auto-lock after 5 minutes of inactivity
• Maximum 10 failed passcode attempts before wipe
• Biometric authentication may supplement but not replace passcode

Data Protection

• Device encryption (enabled by default when a passcode is set)
• Managed Open In to prevent data leakage between managed and personal apps
• Prevent backup to unapproved cloud services
• Restrict screenshots and screen recording in managed apps

Network and Communication

• VPN required for all connections to DoD networks
• Per-app VPN for managed applications
• Wi-Fi configurations deployed via MDM only
• Disable personal hotspot

Using STIG Viewer

DISA provides the STIG Viewer tool for reviewing and tracking STIG compliance:

1. Download STIG Viewer from public.cyber.mil/stigs/srg-stig-tools/
2. Import the macOS STIG XCCDF file
3. Review each finding, marking it as Not a Finding, Open, or Not Applicable
4. Document your justification for each status
5. Export the checklist (.ckl) for submission to your authorizing official

Note: STIG Viewer is a Java application that runs on macOS. For large environments, consider automating compliance checks rather than manually reviewing each finding in the viewer.

Automating STIG Compliance with mSCP

The NIST macOS Security Compliance Project (mSCP) includes a DISA STIG baseline. This is the most efficient way to automate STIG implementation on your Mac fleet.

# Clone the mSCP repository
git clone https://github.com/usnistgov/macos_security.git
cd macos_security

# Generate the STIG baseline
sudo ./scripts/generate_baseline.py -k stig

# Generate compliance artifacts (profiles, scripts, documentation)
sudo ./scripts/generate_guidance.py baselines/stig.yaml

This produces:

• Configuration profiles (.mobileconfig) that enforce STIG-required settings
• A compliance check script that audits every STIG rule and reports pass/fail
• A fix script that remediates non-compliant settings
• Documentation mapping each rule to its STIG ID

Jamf-Based STIG Deployment

For organizations using Jamf Pro, the STIG deployment workflow is:

1. Upload mSCP-generated profiles to Jamf Pro as Configuration Profiles
2. Scope profiles to appropriate Smart Groups (all managed Macs, or specific departments)
3. Deploy the compliance check script as a recurring Jamf Pro Policy
4. Capture results in an Extension Attribute for dashboard reporting
5. Create Smart Groups for non-compliant devices
6. Deploy remediation policies scoped to non-compliant groups

Example: Extension Attribute for STIG Compliance

#!/bin/bash
# Count open STIG findings
FAILURES=$(/path/to/stig_compliance.sh 2>/dev/null | grep -c "FAIL")
if [ "$FAILURES" -eq 0 ]; then
    echo "<result>Compliant</result>"
else
    echo "<result>$FAILURES findings open</result>"
fi

SCAP Scanning

The Security Content Automation Protocol (SCAP) provides a standardized way to assess STIG compliance. DISA publishes SCAP benchmarks alongside STIGs.

• SCAP Compliance Checker (SCC) – DISA’s official scanning tool. Runs on macOS and produces automated compliance reports in XCCDF and ARF formats.
• Download SCC from public.cyber.mil/stigs/scap/
• SCAP results can be imported into DISA’s eMASS (Enterprise Mission Assurance Support Service) or other GRC platforms

# Run SCC from the command line (after installation)
sudo /Applications/SCC/scc -u /path/to/macOS_STIG_SCAP_Benchmark.zip

When STIGs Are Required

STIGs are mandatory or strongly recommended in the following contexts:

Even if your organization is not required to implement STIGs, the macOS STIG serves as an excellent hardening reference that goes beyond CIS Benchmarks in certain areas (particularly audit configuration and Smart Card authentication).

Next Steps

• Automate compliance with the mSCP: NIST macOS Security Compliance Project (mSCP)
• Start with CIS if STIGs are too prescriptive for your environment: CIS Benchmarks for macOS
• Understand the strategic framework: The CIS Controls: A Mac Admin’s Guide