Apple macOS 26 (Tahoe) STIG Implementation Checklist

Hard 20 items · 1 day
testuser Published 2 months ago

This checklist helps administrators and users implement the Apple macOS 26 (Tahoe) STIG on Apple Silicon devices. It covers obtaining STIG artifacts, enrolling devices, enforcing smart card and crypto policies, enabling encryption and logging, and running automated scans. Suitable for IT staff and security-conscious users preparing systems for DoD compliance.

Source: https://ncp.nist.gov/checklist/1308

  1. Download Apple macOS 26 STIG documents — Obtain STIG PDF from cyber.mil or public.cyber.mil for authoritative guidance.
  2. Download XCCDF and automated SCC content for macOS ARM64 — Get XCCDF 1.1.4 and SCC automated content for Apple Silicon from DISA.
  3. Verify device is Apple Silicon running macOS 26.0.0 — Confirm cpe:/o:apple:macos:26.0.0 target matches the system before applying guidance.
  4. Enroll the device in a managed MDM solution — Required for centralized policy, updates, and compliance enforcement.
  5. Configure automatic system and security updates via MDM — Ensure security updates are applied promptly and centrally managed.
  6. Enable FileVault full-disk encryption — Activate FileVault and securely store recovery key per policy.
  7. Configure and enforce smart card / CAC authentication — Follow STIG supplemental guidance; misconfiguration can lock out access.
  8. Install smart card middleware and trusted CAC certificates — Add required middleware and system certificates for CAC authentication.
  9. Test smart card login and fallback administrative accounts — Validate CAC login works and emergency admin access is available.
  10. Confirm System Integrity Protection (SIP) and secure-boot settings meet the STIG — Verify that SIP is enabled and that secure-boot policies align with DISA guidance.
  11. Disable guest and other unused user accounts — Remove or disable accounts that are not required to reduce attack surface.
  12. Configure firewall and limit incoming connections — Enable macOS firewall; allow only required services and ports.
  13. Harden Gatekeeper and app execution policies — Require notarized apps and enforce execution restrictions per STIG.
  14. Disable Remote Login (SSH) if not required — Turn off remote access services or restrict them to authorized hosts.
  15. Configure audit logging and forward logs to a central server — Send logs to SIEM or central collector per DoDI 8500.01 and STIG requirements.
  16. Run STIG/XCCDF scan and remediate findings — Use SCAP/XCCDF tools to scan, then apply remediations for each finding.
  17. Verify FIPS-compliant cryptography where required — Ensure crypto modules and settings meet FIPS requirements where applicable.
  18. Backup system configuration and document baseline settings — Capture configuration, keys, and a system image for recovery and audit.
  19. Submit comments or change requests to DISA if needed — Email proposed revisions to [email protected] per STIG maintenance process.
  20. Schedule regular STIG reviews and re-evaluations — Plan periodic rescans after OS updates or configuration changes.
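Items 6, 10, 12, 13 and 14 can be spot-checked with the built-in macOS tools before the full XCCDF scan in item 16. The script below is an added example, not part of this checklist or of DISA's SCC content; the expected output strings it matches (such as `FileVault is On.`) are assumptions about current tool output, and the function names are hypothetical.

```shell
#!/bin/sh
# Added spot-check helper for checklist items 6, 10, 12, 13 and 14. This is not
# DISA's SCC content; the expected output strings are assumptions about what the
# macOS tools print and should be re-verified against the STIG check text.

# Evaluators take raw command output in $1; return 0 = compliant, 1 = finding.
filevault_on()     { case "$1" in *"FileVault is On"*) return 0;; *) return 1;; esac; }
sip_enabled()      { case "$1" in *"Protection status: enabled"*) return 0;; *) return 1;; esac; }
firewall_enabled() { case "$1" in *"Firewall is enabled"*) return 0;; *) return 1;; esac; }
remote_login_off() { case "$1" in *"Remote Login: Off"*) return 0;; *) return 1;; esac; }
gatekeeper_on()    { case "$1" in *"assessments enabled"*) return 0;; *) return 1;; esac; }

# check LABEL EVALUATOR CMD... : runs CMD, feeds its output to EVALUATOR and
# prints one PASS/FAIL line. A command error (e.g. missing sudo) is a FAIL too.
check() {
  _label=$1; _eval=$2; shift 2
  _out=$("$@" 2>&1)
  if "$_eval" "$_out"; then
    printf 'PASS  %s\n' "$_label"; return 0
  fi
  printf 'FAIL  %s: %s\n' "$_label" "$_out"; return 1
}

# findings_from_outputs FV SIP FW RL GK : evaluates already-captured outputs
# without touching the system and prints the number of findings (0 = all pass).
findings_from_outputs() {
  _n=0
  filevault_on "$1"     || _n=$((_n + 1))
  sip_enabled "$2"      || _n=$((_n + 1))
  firewall_enabled "$3" || _n=$((_n + 1))
  remote_login_off "$4" || _n=$((_n + 1))
  gatekeeper_on "$5"    || _n=$((_n + 1))
  echo "$_n"
}

# Live run, macOS only (systemsetup needs root, so invoke the script with sudo).
if [ "$(uname -s)" = Darwin ]; then
  findings=0
  check "Item 6  FileVault on"      filevault_on     fdesetup status            || findings=$((findings + 1))
  check "Item 10 SIP enabled"       sip_enabled      csrutil status             || findings=$((findings + 1))
  check "Item 12 Firewall enabled"  firewall_enabled \
        /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate        || findings=$((findings + 1))
  check "Item 13 Gatekeeper on"     gatekeeper_on    spctl --status             || findings=$((findings + 1))
  check "Item 14 Remote Login off"  remote_login_off systemsetup -getremotelogin || findings=$((findings + 1))
  printf '%d finding(s) to remediate before the XCCDF scan (item 16)\n' "$findings"
fi
```

A FAIL line for item 14 that quotes an "administrator access" message means the script was not run with sudo, not that Remote Login is on.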