
Apple macOS 15 (Sequoia) STIG Compliance Checklist

Medium 21 items · 4 hours
testuser Published 2 months ago

This checklist helps administrators implement the Apple macOS 15 (Sequoia) STIG (Ver 1, Rel 6) guidance for managed environments. It’s intended for system administrators, security engineers, and compliance teams preparing macOS 15 systems for DoD or similar regulated use.

Source: https://ncp.nist.gov/checklist/1257

  1. Download the Apple macOS 15 STIG and XCCDF/SCC automated content — Get official STIG PDF and XCCDF/SCC content from DISA or NIST for authoritative controls.
  2. Review the STIG summary and Smart Card guidance — Read sections on Smart Card policy and remote access to avoid lockouts.
  3. Test STIG settings in a lab or non-production environment — Validate changes and rollback procedures before production deployment.
  4. Backup system and critical data before applying STIG changes — Create full backups or snapshots to restore if changes cause issues.
  5. Patch macOS to the latest 15.x release — Install all macOS security updates to meet baseline requirements.
  6. Configure authentication policies
  7. Enforce password complexity and expiration — Set complexity, minimum length, and rotation to DoD or organizational policy.
  8. Enable smart card authentication per STIG guidance — Follow the STIG supplemental guidance to avoid loss of OS access.
  9. Disable automatic login and Guest account — Ensure no account allows bypassing authentication on boot.
  10. Harden macOS security settings
  11. Enable FileVault full-disk encryption — Encrypt system volumes to protect data at rest.
  12. Enable System Integrity Protection (SIP) — Keep SIP enabled to limit kernel and system file changes.
  13. Enable Gatekeeper and restrict app installation — Require notarized apps and limit sources to reduce malware risk.
  14. Configure network and remote access controls
  15. Disable unnecessary network services and close unused ports — Stop and disable services not required for system function.
  16. Restrict remote access and enforce VPN and MFA — Allow remote access only via approved VPNs and multifactor auth.
  17. Configure logging and auditing; forward logs to a central system — Enable unified audit logging and ship events to SIEM or log server.
  18. Apply configuration management and baseline with XCCDF/SCC content — Use the downloaded automated content to enforce baselines across hosts.
  19. Validate compliance and generate STIG reports — Run scans, review findings, and produce artifacts for A&A and auditors.
  20. Document configuration changes and record STIG exceptions — Keep change records, rationale, and any accepted deviations.
  21. Submit comments or change requests to DISA when appropriate — Send proposed revisions or feedback to the DISA contact if needed.
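As an added example (not part of this checklist, and not DISA or NIST content), the following POSIX shell script spot-audits the settings named in items 9 and 11 through 13. Each check function takes captured command output, so the pass/fail logic can be exercised offline with constructed strings; the command output formats and the loginwindow preference keys are assumptions based on typical macOS behaviour and should be verified against the STIG check text.

```shell
#!/bin/sh
# Added example, not from the checklist or the STIG itself: spot-audit
# checklist items 9, 11, 12 and 13 on a macOS 15 host. Each *_ok function
# takes captured tool output so the logic is testable offline. Output
# formats and defaults keys are assumptions drawn from typical macOS
# behaviour; confirm them against the STIG check text before relying on them.

# Item 11: `fdesetup status` prints "FileVault is On." when enabled.
filevault_ok() { printf '%s\n' "$1" | grep -q '^FileVault is On'; }

# Item 12: `csrutil status` reports "System Integrity Protection status: enabled."
sip_ok() { printf '%s\n' "$1" | grep -q 'System Integrity Protection status: enabled'; }

# Item 13: `spctl --status` prints "assessments enabled" when Gatekeeper is on.
gatekeeper_ok() { printf '%s\n' "$1" | grep -q '^assessments enabled'; }

# Item 9: `defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser`
# prints a user name only when automatic login is configured (empty = disabled).
autologin_ok() { [ -z "$1" ]; }

# Item 9: `defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled`
# prints 1 when the Guest account is allowed; 0 or a missing key means disabled.
guest_ok() { [ -z "$1" ] || [ "$1" = "0" ]; }

# Print one PASS/FAIL line for a check and return that check's status.
report() {  # $1 label, $2 check function, $3 captured output
    if "$2" "$3"; then printf 'PASS  %s\n' "$1"; return 0; fi
    printf 'FAIL  %s\n' "$1"; return 1
}

# Capture live output on the host and run every check; returns the fail count.
audit_host() {
    fails=0
    report "FileVault on (item 11)"     filevault_ok  "$(fdesetup status 2>/dev/null)" || fails=$((fails + 1))
    report "SIP enabled (item 12)"      sip_ok        "$(csrutil status 2>/dev/null)"  || fails=$((fails + 1))
    report "Gatekeeper on (item 13)"    gatekeeper_ok "$(spctl --status 2>/dev/null)"  || fails=$((fails + 1))
    report "Auto-login off (item 9)"    autologin_ok  "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)" || fails=$((fails + 1))
    report "Guest account off (item 9)" guest_ok      "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)"  || fails=$((fails + 1))
    return "$fails"
}

# Run the live audit only when executed on macOS; elsewhere the functions
# can still be called with captured output.
if [ "$(uname)" = "Darwin" ]; then
    audit_host && echo "all audited items pass" || echo "failing items: $?"
fi
```

Extend `audit_host` with further checklist items (for example the audit logging settings in item 17) by adding a check function and one `report` line per item.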