January 5, 2019

Compliance for Macs: CIS, HIPAA, NIST, FedRAMP

What does it mean to make the Macs in your organization 'compliant'? Well, oftentimes that depends on your vertical, customers, product, and even people.

While some organizations must comply with only internal standards developed by IT and/or Security departments, many organizations struggle to meet additional standards or frameworks, such as CIS, NIST, HIPAA, and FedRAMP.

The sad truth is that knowing how to become (and stay) compliant isn't easy. Let's take a look at some of the most common standards as they relate to macOS.



CIS - Center for Internet Security

The Center for Internet Security Apple OS Benchmark is viewed as the gold standard for how all companies should secure their Macs, at a minimum. Even companies that do not have to adhere to a governing body should look to CIS for their Macs. The comprehensive set of rules covers all aspects of macOS with recommended configurations. It is continuously updated via open forums that can be accessed by anyone.

NIST - National Institute of Standards and Technology

Developed for the Department of Defense, the STIG (Security Technical Implementation Guide) for macOS is very extensive, but quite outdated. The most recent version was published in 2018, yet it targets a macOS release that was several years older than its publication date. We recommend using CIS alongside the criteria listed in NIST to ensure the latest features are addressed.

HIPAA - Health Insurance Portability and Accountability Act

The guidelines for becoming HIPAA compliant are incredibly complex, yet poorly defined in relation to macOS (formerly OS X). We identified the specific Mac requirements when building the parameter library inside Kandji. However, HIPAA primarily focuses on best practices surrounding the safety of PHI (protected health information).

FedRAMP - The Federal Risk and Authorization Management Program

The scope of devices needing FedRAMP is vast, including large-scale, elastic cloud computing in multi-tenant data centers. Ensuring your Mac endpoints are FedRAMP compliant requires you to adopt the latest CIS Benchmark (see above). Luckily, CIS is the most frequently updated and most active (community-driven) guideline published for macOS to date.

Beyond Standards

Internal leadership may decide they need to enforce even more policies for one reason or another. Mac compliance is only part of the story. There are additional settings for networks and non-Mac devices, and even staff training, that must be put in place to ensure organization-wide participation. Luckily, we take the guesswork out of macOS endpoint compliance, so you can focus on other areas.

Kandji Makes it Easy

Regardless of what you need to enforce on your Mac fleet, Kandji makes it easy. Kandji offers a library of configurations based on the standards listed above and more. Just enable the parameters you need, and sit back as your Macs are configured and automatically remediated (to prevent compliance drift) – all without having to write any code.

Give Kandji a try today for free to ensure Mac security & compliance with ease.
