The National Institute of Standards and Technology, or NIST, is an organization in the U.S. Department of Commerce that deals with many aspects of technology—from communications systems, to quantum science, to health & bioscience. However, one of the things that NIST is best known for is its publications and standards regarding cybersecurity (such as the NIST cybersecurity framework and NIST 800-171).
Maintaining compliance with the NIST cybersecurity framework is a major goal for many organizations because it helps to protect them against cyber threats. How does NIST compliance work for macOS, and how can you achieve it? Here is a guide to NIST standards that should help your organization achieve compliance.
What is NIST Compliance for its Cybersecurity Framework?
As stated on the NIST website, the NIST cybersecurity framework is a voluntary solution that “consists of standards, guidelines, and best practices to manage cybersecurity-related risk.” The NIST cybersecurity framework’s core consists of five different framework functions:
- Identify. “Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.” In other words, this is about learning your organization’s cybersecurity risks so you can identify ways to increase security.
- Protect. “Develop and implement appropriate safeguards to ensure delivery of critical services.” Based on the data gathered for the Identify portion of the framework, you should adopt or create cybersecurity measures that help you ensure business continuity in the face of an attack.
- Detect. “Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.” Your organization should have detection measures in place that allow it to detect a cybersecurity event either as it happens or shortly after it has started.
- Respond. “Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.” Basically, this function consists of creating an incident response plan (IRP) and assigning roles and responsibilities for employees throughout the organization in case of a cybersecurity breach.
- Recover. “Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.” This can be interpreted almost as an extension of the Respond function, but it requires the organization to go a step further to ensure recovery from different types of security incidents. This may mean implementing a disaster recovery (DR) solution such as remote backups of mission-critical data or even queuing up additional computing resources to take over in case of a shutdown.
These core functions can then be broken down into categories and subcategories.
At the time of this writing, the latest version of the framework is Version 1.1, which was published in April 2018. Compliance with NIST standards can be graded on a range of tiers going from “Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed.”
For example, if an organization has a Tier 1 “Partial” level of NIST compliance, then it most likely does not have any sort of incident response plan (IRP) in place to handle a security breach, nor the tools necessary to detect one in a timely fashion. So, when hit with a cyberattack, this organization will have to improvise a manually directed response and may struggle to recover from the breach.
NIST Compliance for New macOS Versions
Apple frequently reworks its operating system (macOS) to provide more convenience and security for its users. The National Institute of Standards and Technology (NIST) must likewise update its compliance benchmarks for each new version of macOS. However, it takes time for NIST security configuration checklists to be updated to match new versions of macOS.
For example, the NIST macOS 10.13 benchmark document was released in August of 2018—but, at the time of this writing, Apple’s OS is on version 10.14.3 (Mojave).
Why You Should Go Beyond NIST’s Apple OS X 10.13 Benchmarks
As mentioned above, the latest macOS NIST computer security benchmark document is for macOS 10.13 (High Sierra). This document was released in August of 2018, while Mojave was released September 24, 2018 (according to TechRadar). In other words, the NIST compliance standards for macOS 10.13 were already out of date roughly a month after the document was released.
Because it takes so long for NIST compliance standards (as well as other cybersecurity guidance documents) to catch up to the ever-changing platforms they are meant to help you protect, it is often necessary to go above and beyond the bare minimum needed for compliance with current NIST macOS hardening measures. Proactively using security settings, tools, and policies that exceed NIST compliance requirements helps improve security and future-proof the company against potential changes to NIST benchmarks.
How Can I Achieve and Maintain Tier 4 NIST Compliance?
Ideally, the goal of following the NIST cybersecurity framework is to achieve Tier 4 compliance, which provides the most robust level of protection against cyber threats. However, achieving this level of NIST compliance is often easier said than done.
The trick to achieving and then maintaining Tier 4 “Adaptive” compliance with the NIST cybersecurity framework is to work at it constantly—analyzing your current cybersecurity architecture, measures, policies, and procedures on a regular basis and making adjustments based on the threats you’ve faced and the weaknesses you’ve identified.
Some examples of ways you can work to meet the “Adaptive Tier” of compliance with the NIST cybersecurity framework include:
- Running Penetration Tests. Stress testing your cybersecurity measures and business software for potential vulnerabilities can help uncover weaknesses before they’re exploited.
- Studying Threat Intelligence Feeds. Threat intelligence feeds help cybersecurity professionals remain aware of new and emergent cyber threats so they can start implementing countermeasures. Studying these feeds can help your organization prepare for upcoming threats.
- Periodically Reevaluating Cybersecurity Measures and Policies. Leveraging the information from pen tests, threat intelligence feeds, and past attacks, the organization should review its current cybersecurity measures and determine if they are sufficient for mitigating cybersecurity risks. Budget for cybersecurity measures and activities should be based on an objective assessment of the organization’s overall level of risk based on what it needs to protect and the threats it can reasonably expect to face.
- Creating a Formal Cybersecurity Education Program. A key aspect of achieving adaptive-tier NIST certification is having a thorough understanding of roles, dependencies, and risks throughout the organization. Establishing a security education, training, and awareness program (SETA) that makes cybersecurity part of the onboarding process as well as the ongoing education of employees helps improve employee knowledge and the organization’s ability to effectively respond to cybersecurity incidents.
- Employing Security Information and Event Management (SIEM) Solutions. SIEM systems can provide a wealth of real-time information about cybersecurity events on the network—as well as forensic data after the fact. This helps keep the organization aware of developments in its network security. Intrusion detection and intrusion prevention systems (IDS and IPS) can also help organizations stay abreast of attacks and, in the case of an IPS, partially automate the incident response.
It also helps to create a “target profile” of the cybersecurity state your organization is attempting to achieve, though NIST standards outlined in their cybersecurity framework document do “not prescribe Profile templates, allowing for flexibility in implementation.”
Securing macOS NIST Compliance for Every New Benchmark
How can you future-proof compliance with NIST benchmarks? A good starting point is to take a look at the current benchmarks from organizations such as the Center for Internet Security (CIS)—especially since NIST’s compliance benchmarks are based on CIS standards.
When checking the current benchmarks, be sure to go beyond what the NIST security configuration checklist scores to check the benchmarks that are listed, but not scored. These optional security configurations may help your organization improve its cybersecurity while future-proofing its NIST compliance.
How can following optional extra security configuration benchmarks improve compliance with future NIST computer security requirements? If a requirement that is currently labelled as “optional” or “not scored” today is changed to being a necessary security setting/control, an organization that was following the optional control won’t need to change a thing because they were already compliant.
Another strategy for achieving NIST compliance with security benchmarks is to regularly check for security vulnerabilities in the business’ network and to proactively apply fixes to them. This will often mean securing more than just the macOS devices in the network—for example, the organization may need to start running penetration tests to identify potential issues.
One benefit of regularly pen testing a network to verify NIST macOS hardening against attacks is that it can help identify major opportunities to improve cybersecurity even outside of NIST compliance measures.
Achieving NIST compliance for macOS security benchmarks is most often a matter of being persistent and proactive about applying strong cybersecurity measures and macOS security settings.
Want to learn more about macOS security and compliance with regulatory measures such as NIST’s macOS 10.13 benchmarks? Subscribe to the Kandji blog for more information about macOS security and compliance.