October 2025 Benchmark Revisions
This release focuses on expanding coverage of granular privacy, credential, and device management controls across iOS 18 and macOS Sequoia and Sonoma, especially in the DISA STIG and CMMC benchmarks, and on refining the password and access control policies shared across frameworks.
iOS 18
DISA STIG (remediation)
-
New Rules:
Disabling AirPrint credential storage
Disabling automatic app downloads
Disabling Exchange syncing for Notes and Reminders (includes blocking user overrides)
Disabling FaceTime
Disabling AirPrint iBeacon discovery
Enforcing specific content restrictions for movies and TV
Disabling Siri Assistant
Disabling AirPrint entirely and enforcing trusted TLS for AirPrint
Disabling "Erase All Contents and Settings"
Preventing eSIM transfers, Genmoji, Image Playground, and Image Wand features
Preventing host pairing with anything other than an Apple Configurator host
macOS Sequoia
CIS Level 1 (remediation)
-
New Rule:
Enforce the Location Services menu in System Settings.
-
Modified Rules:
Changes to authenticated root enforcement, account lockout after failed attempts, and the password policy (lockout timeout, history, minimum length, maximum lifetime, and complexity).
Adjustments to the remote management control and the Time Machine encryption configuration.
CMMC Level 1 (remediation)
-
New Rules:
Disable external intelligence features and sign-in.
-
Modified Rules:
Updates to authenticated root enforcement, requiring Recovery Lock to be enabled, and disabling unlocking of the active user session.
CMMC Level 2 (remediation)
-
New Rules:
Enforce high-trust smart card certificates.
Disable external intelligence features and sign-in.
-
Modified Rules:
More extensive updates spanning authenticated root, Recovery Lock, external storage access, and unlock restrictions; comprehensive password policy changes (lockout enforcement, history, maximum lifetime, minimum length, and required special characters); and the remote management policy.
DISA STIG (remediation)
-
New Rule:
Disable iPhone Mirroring.
-
Modified Rules:
The same password policy and system access rule changes as above, plus secure boot verification.
-
Rules Removed:
os_ess_installed (Endpoint Security Solution installation)
pwpolicy_history_enforce
NIST (monitor only)
-
Modified Rules:
Widespread modifications covering authenticated root, external storage policies, recovery lock, secure boot, session unlocking, full password complexity enforcement, and remote management policies.
macOS Sonoma
CIS Level 1 (remediation)
-
New Rule:
Disable Siri in System Settings.
-
Modified Rules:
Updates to password policy rules and Time Machine encryption settings.
-
Rules Removed:
The Siri "Listen for" disable setting.
CMMC Level 1 (remediation)
No policy changes reported for this cycle.
DISA STIG (remediation)
-
Modified Rules:
Password policy lockouts, maximum and minimum length, maximum lifetime, and special character enforcement.
-
Rules Removed:
pwpolicy_history_enforce.
NIST (monitor only)
-
Modified Rules:
Same comprehensive password policy modifications as in other frameworks, including lockout enforcement and character/length requirements.
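The password policy changes listed across the frameworks above (lockout, history, lifetime, minimum length, special characters) all end up in the account policy a Mac applies, so a practitioner verifying a device wants to read that policy back rather than trust the profile was delivered. The following Python script does that; it is an added example, not code from the vendor page or from the macOS Security Compliance Project. It parses the plist that `pwpolicy getaccountpolicies` prints (with its first, non-XML line dropped), flattens every policyParameters block, and compares the values against a baseline. The embedded plist is a constructed sample, and the BASELINE thresholds are assumptions chosen for illustration, not the benchmarks' actual numbers. The sample deliberately has no history policy, which is what a device built from a baseline that dropped pwpolicy_history_enforce looks like, and the check reports that parameter as MISSING rather than silently passing.

```python
"""Audit the password policy a Mac applies against a benchmark baseline.

Added example; not the vendor's or the macOS Security Compliance Project's code.
On a real Mac the XML comes from:  pwpolicy getaccountpolicies | tail -n +2
(the first output line is a non-XML banner). A constructed plist is embedded
here so the script runs offline; BASELINE holds assumed, illustrative values.
"""
import plistlib

# Constructed sample in the shape a pwpolicy profile produces. Lockout,
# expiration, minimum length and special characters are set; password
# history is deliberately absent (baseline without pwpolicy_history_enforce).
SAMPLE_POLICY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>policyCategoryAuthentication</key>
  <array><dict>
    <key>policyContent</key>
    <string>(policyAttributeFailedAuthentications &lt; policyAttributeMaximumFailedAuthentications) OR (policyAttributeCurrentTime &gt; (policyAttributeLastFailedAuthenticationTime + autoEnableInSeconds))</string>
    <key>policyIdentifier</key><string>Authentication Lockout</string>
    <key>policyParameters</key><dict>
      <key>autoEnableInSeconds</key><integer>900</integer>
      <key>policyAttributeMaximumFailedAuthentications</key><integer>3</integer>
    </dict>
  </dict></array>
  <key>policyCategoryPasswordChange</key>
  <array><dict>
    <key>policyContent</key>
    <string>policyAttributeCurrentTime &gt; policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
    <key>policyIdentifier</key><string>Password Expiration</string>
    <key>policyParameters</key><dict>
      <key>policyAttributeExpiresEveryNDays</key><integer>60</integer>
    </dict>
  </dict></array>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key><string>policyAttributePassword matches '^.{15,}$'</string>
      <key>policyIdentifier</key><string>Minimum Length</string>
      <key>policyParameters</key><dict>
        <key>minimumLength</key><integer>15</integer>
      </dict>
    </dict>
    <dict>
      <key>policyContent</key><string>policyAttributePassword matches '(.*[^a-zA-Z0-9].*){1,}+'</string>
      <key>policyIdentifier</key><string>Special Characters</string>
      <key>policyParameters</key><dict>
        <key>minimumSymbols</key><integer>1</integer>
      </dict>
    </dict>
  </array>
</dict></plist>
"""

# Assumed baseline: parameter -> (comparison, required value). Illustrative only.
BASELINE = {
    "policyAttributeMaximumFailedAuthentications": ("<=", 3),  # lock after N failures
    "autoEnableInSeconds": (">=", 900),                        # lockout duration
    "policyAttributeExpiresEveryNDays": ("<=", 60),            # maximum lifetime
    "minimumLength": (">=", 15),
    "minimumSymbols": (">=", 1),                               # special characters
    "policyAttributePasswordHistoryDepth": (">=", 5),          # history depth
}


def collect_parameters(policy: dict) -> dict:
    """Flatten every policyParameters dict across all policyCategory* arrays."""
    found = {}
    for category, entries in policy.items():
        if not category.startswith("policyCategory"):
            continue
        for entry in entries:
            found.update(entry.get("policyParameters", {}))
    return found


def evaluate(found: dict, baseline: dict) -> dict:
    """Return {parameter: (status, actual, required)}; status is PASS, FAIL or MISSING."""
    results = {}
    for name, (op, required) in baseline.items():
        actual = found.get(name)
        if actual is None:  # policy not applied at all, e.g. history dropped
            results[name] = ("MISSING", None, required)
            continue
        ok = actual <= required if op == "<=" else actual >= required
        results[name] = ("PASS" if ok else "FAIL", actual, required)
    return results


def check_policy(xml_bytes: bytes, baseline: dict = BASELINE) -> dict:
    """Parse pwpolicy plist output and evaluate it against the baseline."""
    return evaluate(collect_parameters(plistlib.loads(xml_bytes)), baseline)


if __name__ == "__main__":
    for name, (status, actual, required) in check_policy(SAMPLE_POLICY_XML).items():
        print(f"{status:8} {name}: actual={actual} required={required}")
```

Run it on a managed Mac by replacing SAMPLE_POLICY_XML with the bytes of `pwpolicy getaccountpolicies | tail -n +2`, and set BASELINE to the values of the benchmark the device is enrolled against; a MISSING result on a parameter the benchmark still requires means the profile was not delivered or was superseded, and a MISSING result on history after this release is expected for the STIG baselines.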
These changes keep the benchmarks aligned with evolving federal standards and current device management requirements.
Sources
GitHub - usnistgov/macos_security: macOS Security Compliance Project (https://github.com/usnistgov/macos_security)