Skip to main content
  1. Addigy
  2. Security Suite
  3. Compliance

Compliance Benchmark Revision Updates — June 2026

Updated:

This release strengthens data-at-rest encryption, browser hardening, screen-lock enforcement, audit logging, password history, and core system services across macOS Tahoe (26). It also removes the two Rapid Security Response rules.

Note

These changes apply only to default Benchmarks and cloned Benchmarks that already contain these rules. If a rule is not currently included in your Benchmark, you'll need to add it manually.

Several of these changes may affect the end-user experience. Review the updated configurations before deploying them broadly.

What's New

New Rules

os_internal_apfs_volumes_encrypted

Benchmark: CIS Level 1

Requires internal APFS volumes to be encrypted, protecting data at rest on the Mac's built-in storage.

os_external_apfs_hfs_volumes_encrypted

Benchmark: CIS Level 1

Requires external APFS and HFS volumes to be encrypted, protecting data stored on removable and external drives.

system_settings_hot_corners_secure

Benchmark: CIS Level 1

Prevents screen hot corners from being configured to disable the screen saver, helping ensure users cannot bypass automatic screen locking.

os_safari_allow_javascript_disable

Benchmark: NIST 800-53 R5 (High)

Disables JavaScript in Safari to reduce the browser's attack surface.

Updated Rules

os_root_disable

Benchmarks:

  • NIST 800-53 R5 (High)
  • CIS Level 1
  • CMMC Level 1
  • CMMC Level 2
  • Cyber Essentials
  • DISA STIG

Disables the root account to prevent direct root login.

Important: The remediation for this rule has been significantly strengthened in this release. Review the changes before broad deployment.

os_authenticated_root_enable

Benchmarks:

  • NIST 800-53 R5 (High)
  • CIS Level 1
  • CMMC Level 1
  • CMMC Level 2
  • DISA STIG

Ensures the signed system volume (Authenticated Root) is enabled so macOS verifies system integrity during startup.

os_firewall_default_deny_require

Benchmarks:

  • NIST 800-53 R5 (High)
  • CMMC Level 2

Requires the firewall to deny inbound connections by default.

os_nfsd_disable

Benchmarks:

  • NIST 800-53 R5 (High)
  • CIS Level 1
  • CMMC Level 1
  • CMMC Level 2
  • DISA STIG

Disables the NFS file-sharing service to reduce the system's attack surface.

os_tftpd_disable

Benchmarks:

  • NIST 800-53 R5 (High)
  • CMMC Level 1
  • CMMC Level 2
  • Cyber Essentials
  • DISA STIG

Disables the TFTP service to reduce the system's attack surface.

os_uucp_disable

Benchmarks:

  • NIST 800-53 R5 (High)
  • CMMC Level 1
  • CMMC Level 2
  • DISA STIG

Disables the legacy UUCP service to reduce the system's attack surface.

os_ssh_fips_compliant

Benchmarks:

  • NIST 800-53 R5 (High)
  • CMMC Level 2
  • DISA STIG

Restricts SSH to FIPS 140-validated cryptographic algorithms, including ciphers, key exchange methods, and MACs.

audit_flags_fm_configure

Benchmarks:

  • CMMC Level 2
  • DISA STIG

Configures audit logging for file modification events.

audit_flags_fm_failed_configure

Benchmarks:

  • NIST 800-53 R5 (High)
  • CMMC Level 2

Configures audit logging for failed file modification events.

audit_retention_configure

Benchmark: CIS Level 1

Updates audit log retention to a time-based policy of 30 days.

pwpolicy_history_enforce

Benchmark: CIS Level 1

Enforces password history to prevent users from reusing recent passwords.

system_settings_screensaver_timeout_enforce

Benchmark: CIS Level 1

Enforces a maximum idle timeout before the screen saver activates and the screen locks.

system_settings_guest_access_smb_disable

Benchmarks:

  • NIST 800-53 R5 (High)
  • CIS Level 1
  • CMMC Level 1
  • CMMC Level 2

Disables guest access to SMB file shares.

system_settings_location_services_disable

Benchmarks:

  • NIST 800-53 R5 (High)
  • CMMC Level 2
  • DISA STIG

Disables Location Services.

system_settings_softwareupdate_current

Benchmarks:

  • NIST 800-53 R5 (High)
  • CIS Level 1
  • CMMC Level 1
  • CMMC Level 2
  • Cyber Essentials
  • DISA STIG

Ensures Macs are running the current version of macOS with all available security updates installed to address known vulnerabilities.

Removed Rules

os_rapid_security_response_allow

Benchmarks:

  • NIST 800-53 R5 (High)
  • CMMC Level 1
  • CMMC Level 2
  • Cyber Essentials

Removed from this release.

os_rapid_security_response_removal_disable

Benchmarks:

  • NIST 800-53 R5 (High)
  • CMMC Level 1
  • CMMC Level 2
  • Cyber Essentials

Removed from this release.

 

 

 

Was this article helpful?
0 out of 0 found this helpful
Return to top

Didn’t find what you’re looking for?

Contact our Support Team