NIST macOS Security Compliance Project (mSCP)

The macOS Security Compliance Project (mSCP) is an open-source initiative maintained by NIST, NASA, DISA, and Los Alamos National Laboratory. It provides a programmatic approach to generating security baselines, compliance scripts, configuration profiles, and human-readable documentation for macOS – all from a single set of YAML rule definitions. For Mac administrators who need to comply with NIST 800-53, CIS Benchmarks, DISA STIGs, or CMMC, the mSCP is the most efficient path from framework requirement to deployed configuration.

What the mSCP Is

The project lives at github.com/usnistgov/macos_security and consists of:

• YAML rule files – Each rule defines a single security setting with its description, check command, fix command, and mappings to multiple compliance frameworks.
• Baseline definitions – YAML files that select which rules to include for a given compliance target (e.g., NIST 800-53 Moderate, CIS Level 1, DISA STIG).
• Generation scripts – Python scripts that consume rules and baselines to produce configuration profiles (.mobileconfig), compliance check scripts (Bash/zsh), and documentation (AsciiDoc/PDF).

The key insight is that one rule can map to multiple frameworks simultaneously. A rule like “enable FileVault” satisfies NIST 800-53 SC-28, CIS Benchmark 2.6.1, and DISA STIG requirements all at once. The mSCP captures these mappings so you write the rule once and generate artifacts for any framework.

Supported Baselines

The mSCP ships with baselines for the following compliance frameworks:

Each baseline is a YAML file that references the rules to include and any baseline-specific parameter overrides (e.g., different password lengths for different baselines).

How It Works

The workflow follows three steps:

YAML Rules + Baseline Definition
        ↓ (generate_baseline.py)
Tailored Baseline (selected rules + parameters)
        ↓ (generate_guidance.py)
Output Artifacts:
  ├── Configuration Profiles (.mobileconfig)
  ├── Compliance Check Script (Bash)
  ├── Compliance Fix Script (Bash)
  └── Documentation (AsciiDoc / PDF)

Getting Started

Prerequisites

• macOS (the generation scripts run on macOS)
• Python 3.9+
• Git
• Ruby (for AsciiDoc documentation generation, optional)

Clone the Repository

git clone https://github.com/usnistgov/macos_security.git
cd macos_security

Install Dependencies

# Install Python dependencies
pip3 install -r requirements.txt

# Optional: Install Ruby gems for documentation generation
sudo gem install asciidoctor asciidoctor-pdf

Explore the Rule Structure

Each rule lives in the rules/ directory, organized by category. Here is a simplified example of a rule YAML file:

id: os_filevault_enable
title: "Enable FileVault"
discussion: |
  FileVault provides full-disk encryption to protect data at rest.
  All Mac systems must have FileVault enabled.
check: |
  /usr/bin/fdesetup status | /usr/bin/grep -c "FileVault is On."
result:
  integer: 1
fix: |
  /usr/bin/sudo /usr/bin/fdesetup enable
references:
  cis:
    benchmark: ["2.6.1"]
    controls v8: ["3.6"]
  800-53r5: ["SC-28", "SC-28(1)"]
  disa_stig: ["APPL-14-000005"]
  cmmc: ["RE.L2-3.8.6"]
severity: "high"
mobileconfig: true
mobileconfig_info:
  com.apple.MCX.FileVault2:
    Enable: "On"
    Defer: true

This single file generates a check command, a fix command, a configuration profile payload, and documentation – mapped to CIS, NIST, DISA, and CMMC simultaneously.

Generating a Baseline

To produce a tailored baseline for a specific framework:

# Generate the NIST 800-53 Moderate baseline for macOS 15 (Sequoia)
sudo ./scripts/generate_baseline.py -k 800-53r5_moderate

# Generate the CIS Level 1 baseline
sudo ./scripts/generate_baseline.py -k cis_lvl1

# Generate the DISA STIG baseline
sudo ./scripts/generate_baseline.py -k stig

This produces a baseline YAML file in the build/ directory containing the selected rules and their parameters.

Generating Compliance Artifacts

Once you have a baseline, generate the deployable outputs:

# Generate guidance (profiles, scripts, and documentation)
sudo ./scripts/generate_guidance.py baselines/800-53r5_moderate.yaml

# Outputs are placed in the build/ directory:
#   build/800-53r5_moderate/
#   ├── mobileconfigs/       # Configuration profiles
#   ├── 800-53r5_moderate_compliance.sh  # Check script
#   └── 800-53r5_moderate.adoc           # Documentation

Configuration Profiles

The generated .mobileconfig files can be uploaded directly to your MDM for deployment. Each profile corresponds to a payload domain (e.g., com.apple.MCX.FileVault2, com.apple.security.firewall).

Compliance Check Script

The generated Bash script checks every rule in the baseline and reports pass/fail:

# Run the compliance check on a target Mac
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance.sh

# Example output:
# os_filevault_enable: PASS
# os_firewall_enable: PASS
# os_gatekeeper_enable: PASS
# os_password_minimum_length: FAIL (current: 8, expected: 15)

Compliance Fix Script

The generated fix script remediates all failing checks:

# Fix all non-compliant settings (use with caution -- test first)
sudo ./build/800-53r5_moderate/800-53r5_moderate_compliance_fix.sh

Important: Always run the fix script on a test device first. Some remediations (e.g., enabling FileVault, changing password policy) have significant user-facing impact.

Customizing Rules

You can tailor the mSCP to your organization’s needs:

Override Parameters

Create an organizational override file to change default values without modifying the upstream rules:

# custom/org_overrides.yaml
os_password_minimum_length:
  result:
    integer: 20  # Override default 15-character minimum to 20

Add Custom Rules

Write your own YAML rules following the mSCP schema and place them in the custom/rules/ directory. They will be picked up by the generation scripts when referenced in your baseline.

Exclude Rules

If a rule does not apply to your environment, exclude it from your baseline YAML by adding it to the exclude list. Document the justification for each exclusion – auditors will ask.

Integrating with Jamf Pro

The mSCP outputs integrate directly with Jamf Pro:

1. Upload configuration profiles – Upload the generated .mobileconfig files as Configuration Profiles in Jamf Pro. Scope them to the appropriate device groups.
2. Deploy the compliance script – Upload the compliance check script as a Jamf Pro Script. Create a Policy that runs it on a recurring schedule (e.g., weekly) and logs the output to an Extension Attribute.
3. Create Smart Groups – Use the Extension Attribute values to build Smart Groups that identify non-compliant devices.
4. Automate remediation – Scope a remediation Policy (deploying the fix script or updated profiles) to the non-compliant Smart Group.

# Example Jamf Pro Extension Attribute script snippet
#!/bin/bash
RESULT=$(/path/to/800-53r5_moderate_compliance.sh 2>/dev/null | grep "FAIL" | wc -l | tr -d ' ')
echo "<result>$RESULT</result>"

Continuous Compliance

The mSCP enables a continuous compliance cycle:

1. Generate baseline artifacts from the latest mSCP release
2. Deploy configuration profiles via MDM
3. Assess compliance with the generated check script on a schedule
4. Remediate failures via the fix script or updated profiles
5. Report compliance posture to stakeholders
6. Update when macOS versions change or framework requirements are revised

When Apple releases a new macOS version, the mSCP project updates its rules to reflect new settings and deprecated controls. Pull the latest repository and regenerate your artifacts.

Contributing to the Project

The mSCP is open-source and welcomes contributions:

• Report issues for rules that produce incorrect results on new macOS versions
• Submit pull requests for new rules, framework mappings, or bug fixes
• Participate in discussions on the project’s GitHub Issues page
• Follow the contribution guidelines

Next Steps

• Apply CIS Benchmarks to your fleet: CIS Benchmarks for macOS
• Understand DoD requirements: DISA STIGs for Apple Platforms
• Learn the strategic framework: The CIS Controls: A Mac Admin’s Guide