Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-219 (Initial Public Draft)

Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)

Date Published: February 17, 2022
Comments Due: March 23, 2022 (public comment period is CLOSED)
Email Questions to:


Mark Trapnell (NIST), Eric Trapnell (NIST), Murugiah Souppaya (NIST), Bob Gendler (NIST), Karen Scarfone (Scarfone Cybersecurity)


This publication provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. It introduces the mSCP, describes use cases for leveraging the mSCP content, and gives an overview of the resources available on the project’s GitHub site. The GitHub site provides practical, actionable recommendations in the form of secure baselines and associated rules, and it is continuously curated and updated to support each new release of macOS.

We encourage you to use this comment template when preparing and submitting your comments.

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.



Apple; baseline; configuration management; endpoint device security; macOS; macOS Security Compliance Project (mSCP); operating system security; security compliance
Control Families

None selected