The macOS and CMMC Compliance: A Detailed Discussion

Ron McFarland PhD
9 min read · Jun 10, 2024

Introduction

With the growing popularity of Mac computers across various industries, especially among small to medium-sized defense contractors, the question often arises whether they can achieve the compliance with the NIST 800–171 and CMMC cybersecurity standards that the SMM (Small to Medium-Sized Manufacturer) and SMB (Small to Medium-Sized Business) need. macOS offers excellent features for the developer and, additionally, has a very user-friendly interface that appeals to a broad spectrum of users. But several aspects of cybersecurity compliance must be examined. This brief article highlights several concerns and possible mitigations that can be implemented to address compliance in your organization.

Challenges with Identity Provider and Multi-Factor Authentication

One of the primary challenges with Macs in achieving compliance with NIST 800–171/CMMC L2 is the requirement for each user to have a unique identity and for all events to be traceable to a unique individual. Typically, joining computers to an identity provider such as Azure AD or Active Directory is the approach used to address this. However, Macs do not support joining Azure AD, and an Active Directory join is less than optimal from a support perspective, since the AD join is not as cleanly matched to macOS. Using Azure Active Directory or Microsoft Active Directory therefore requires a third-party service to provide identity services to the Mac so that it can “join” an identity provider.

Enforcing multi-factor authentication on Macs presents another hurdle, as macOS does not natively support multi-factor authentication. This requires the addition of another system, potentially a third identity provider, to enforce multi-factor authentication on the device, leading to increased complexity and cost.

Compliance with FIPS Validated Encryption

Another significant aspect of compliance is the requirement for FIPS validated encryption to protect Controlled Unclassified Information (CUI). While Microsoft offers an “easy button” to disable non-FIPS 140–2 validated encryption, Mac administrators do not have the ability to block non-FIPS validated encryption on the endpoint. Additional due diligence is needed to ensure that all encryption protecting CUI is FIPS 140–2 validated, which may involve using the Cryptographic Module Validation Program (CMVP) search tool.

Virtualization and Network Scope

A common idea is to use software virtualization on a Mac to run a Windows computer, allowing employees to have a single piece of hardware while working in a virtualized Windows PC. This approach does not support compliance, because the Mac comes into the scope of an assessment when the PC's network traffic traverses the Mac. This means that both the in-scope PC and the supposedly out-of-scope Mac would be in scope, potentially leading to compliance challenges.

Achieving CMMC Compliance with macOS

Despite the aforementioned challenges, it is possible for Macs to achieve CMMC compliance. But it comes with added complexity and costs. One approach gaining traction is the migration of Mac users to a virtualized desktop hosted in Azure or Azure Government when working on systems in scope of CMMC. This provides a clean boundary and facilitates a more streamlined environment, addressing some of the compliance challenges associated with Macs.

As the landscape of compliance standards continues to evolve, tailored solutions, such as leveraging virtualized desktop environments, are emerging to address the unique challenges posed by Macs in achieving compliance with NIST 800–171 and CMMC.

For further insights and tailored solutions in Azure infrastructure and CMMC compliance, organizations can seek expertise from providers like C3 Integrated Solutions, who specialize in addressing the specific compliance and business requirements in this domain. This detailed analysis provides a comprehensive understanding of the challenges and potential solutions for Macs to achieve compliance with NIST 800–171 and CMMC, offering valuable insights for organizations navigating the complexities of compliance in diverse computing environments.

Integrating Mac Computers with Active Directory

You can configure a Mac to access basic user account information in an Active Directory domain of a Windows 2000 (or later) server (Apple, Inc., n.d.). The AD connector is listed in the Services pane of Directory Utility, and it generates all attributes required for macOS authentication from standard attributes in Active Directory user accounts. The connector also supports Active Directory authentication policies, including password changes, expirations, forced changes, and security options. Because the connector supports these features, you don’t need to make schema changes to the Active Directory domain to get basic user account information.

Figure 1: macOS and Active Directory (Apple, Inc., n.d.)

The macOS won’t be able to join an Active Directory domain without a domain functional level of at least Windows Server 2008 unless you explicitly enable “weak crypto.” Even if the domain functional levels of all domains are 2008 or later, the administrator may need to specify each domain trust to use Kerberos AES encryption explicitly.

How Mac uses DNS to query the Active Directory domain

The macOS uses the Domain Name System (DNS) to query the topology of the on-premises Active Directory domain. It uses Kerberos for authentication and the Lightweight Directory Access Protocol (LDAPv3) for user and group resolution. When macOS is fully integrated with Active Directory, users:

  1. Are subject to the organization’s domain password policies
  2. Use the same credentials to authenticate and gain authorization to secured resources
  3. Can be issued user and machine certificate identities from an Active Directory Certificate Services server
  4. Can automatically traverse a Distributed File System (DFS) namespace and mount the appropriate underlying Server Message Block (SMB) server.

Mac clients assume full read access to attributes that are added to the directory. Therefore, it might be necessary to change the access control list (ACL) of those attributes to permit computer groups to read these added attributes.

Domain password policies

Apple notes that at bind time (and at periodic intervals thereafter), macOS queries the Active Directory domain for the password policies. These policies are enforced for all network and mobile accounts on a Mac.

During a login attempt while the network accounts are available, macOS queries Active Directory to determine the length of time before a password change is required. By default, if a password change is required within 14 days, the login window asks the user to change it. If the user changes the password, the change occurs in Active Directory as well as in the mobile account (if one is configured), and the login keychain password is updated.

Distributed File System namespace support

The macOS supports traversing distributed file system (DFS) namespaces if the Mac is bound to Active Directory. A Mac bound to Active Directory queries DNS and domain controllers in the Active Directory domain to automatically resolve the appropriate Server Message Block (SMB) server for a particular namespace.

You can use the Connect to Server feature in the Finder to specify the fully qualified domain name (FQDN) of the DFS namespace, including the DFS root, to mount the network file system.

macOS then uses any available Kerberos tickets and mounts the underlying Server Message Block (SMB) server and path. In some Active Directory configurations, you may need to populate the Search Domains field in the DNS configuration for the network interface with the fully qualified Active Directory domain name.

You can access and traverse DFS shares without binding to Active Directory if the DFS environment is configured to use fully qualified domain names in referrals. As long as the Mac can resolve the hostnames of the appropriate servers, connectivity succeeds without the Mac needing to be bound to the directory.

The macOS Security Compliance Project (mSCP)

To further address the NIST SP 800-171, CMMC, and other compliance requirements, the macOS Security Compliance Project (mSCP), described in “Automated Secure Configuration Guidance from the macOS Security Compliance Project,” is a joint effort by several federal agencies (Trapnell, Trapnell, Souppaya, Gendler, and Scarfone, 2022). The goal is to provide tools and resources that can be used by a variety of professionals — from system administrators and security experts to policy writers and auditors — to enhance the security of macOS desktops and laptops in an automated manner.

The mSCP offers practical advice in the form of secure baselines and related rules. The project keeps its GitHub repository updated to accommodate each new macOS release. The publication itself is a product of NIST, developed in line with its responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014. It also aligns with the requirements of the Office of Management and Budget (OMB) Circular A-130 (Trapnell et al., 2022). NIST notes that the mSCP has several key components:

· Security Baseline Files: These are collections of settings that can be used to configure a system to meet a specific level or set of requirements, or to check if a system complies with certain requirements.

· Configuration Profiles and Scripts: These are used to apply configuration settings to a system.

· Content Generation Scripts: These scripts are used to generate baselines, human-readable guidance, baseline compliance checkers, and other types of content.

· Customization Capabilities: This feature allows organizations to generate their own customized content, separate from what the project provides.

· Directories: These include baselines, build, custom, includes, rules, SCAP, scripts, sections, and templates.

Any organization can use the mSCP content to help set and assess the security configuration of macOS systems. Security baselines can be aligned with existing guidance or controls, such as those in NIST SP 800-53 Revision 5, or they can be customized to meet an organization’s specific needs.
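As an added illustration (my example, not code from the article or from the mSCP project), the following Python models how the pieces above fit together: rules with a check command and an expected result, a baseline selected from those rules by tag, and a compliance evaluation of captured check output. The rule dicts, tag names and control mappings are constructed stand-ins for the project's YAML rule files, and the field layout follows my reading of the mSCP rule format rather than any official spec.

```python
# Added example, not code from the article or the mSCP project: a
# miniature mSCP-style rule set, baseline generator and compliance
# evaluator. Real mSCP rules are YAML files; the dicts below are
# constructed, and the field layout (id, check, result, references,
# tags) is an assumption about the mSCP rule format, not a spec.
import subprocess

# Constructed rules. "check" is the command an mSCP rule would run on the
# Mac; "result" is the typed value the rule expects in that command's output.
# The 800-171r2 mappings are constructed samples, not the project's own.
RULES = [
    {"id": "os_filevault_enable",
     "check": "/usr/bin/fdesetup status | /usr/bin/grep -c 'FileVault is On.'",
     "result": {"integer": 1},
     "references": {"800-171r2": ["3.13.16"]},
     "tags": ["800-171", "cmmc_lvl2"]},
    {"id": "os_firewall_enable",
     "check": "/usr/libexec/ApplicationFirewall/socketfilterfw "
              "--getglobalstate | /usr/bin/grep -c 'enabled'",
     "result": {"integer": 1},
     "references": {"800-171r2": ["3.13.1"]},
     "tags": ["800-171", "cmmc_lvl2"]},
    {"id": "os_ssh_server_disable",
     "check": "/usr/sbin/systemsetup -getremotelogin",
     "result": {"string": "Remote Login: Off"},
     "references": {"800-171r2": ["3.1.12"]},
     "tags": ["800-171", "cmmc_lvl2"]},
    {"id": "os_example_stig_only",  # constructed: tagged for another baseline
     "check": "/usr/bin/true", "result": {"integer": 0}, "tags": ["stig"]},
]

# Constructed outputs, as if captured from the check commands on one Mac.
SAMPLE_OUTPUTS = {"os_filevault_enable": "1\n", "os_firewall_enable": "0\n",
                  "os_ssh_server_disable": "Remote Login: Off\n"}

def generate_baseline(rules, tag):
    """Select rule ids carrying a tag, as mSCP's baseline generation does
    with a keyword (tag names here are constructed examples)."""
    return [r["id"] for r in rules if tag in r["tags"]]

def evaluate(rule, output):
    """Compare a check's stdout to the rule's single typed expected result."""
    kind, expected = next(iter(rule["result"].items()))
    text = output.strip()
    if kind == "integer":
        return text.isdigit() and int(text) == expected
    if kind == "boolean":
        return text.lower() in (("true", "1") if expected else ("false", "0"))
    return text == expected  # "string"

def run_check(rule):
    """Execute the rule's check on a Mac (needs the macOS tools; not run offline)."""
    out = subprocess.run(["/bin/zsh", "-c", rule["check"]],
                         capture_output=True, text=True).stdout
    return evaluate(rule, out)

def report(rules, tag, outputs):
    """Map each rule id in the baseline to pass/fail for captured outputs."""
    by_id = {r["id"]: r for r in rules}
    return {rid: evaluate(by_id[rid], outputs.get(rid, ""))
            for rid in generate_baseline(rules, tag)}
```

Running `report(RULES, "cmmc_lvl2", SAMPLE_OUTPUTS)` flags the firewall rule as failing, which is the kind of finding the mSCP compliance scripts produce and a fix script would then remediate.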

Summary/Conclusion

Despite the growing use of macOS across various industries, achieving compliance with the NIST 800–171 and CMMC cybersecurity standards for the SMM and SMB can be done. However, your work is cut out for you in addressing the specifics of the compliance requirements. macOS offers many good features for software developers and users. However, those features have to be weighed in the context of NIST/CMMC compliance, as there will be additional administrative and compliance costs associated with the setup and maintenance of a macOS environment. While this brief article touches on many aspects that can be considered, keeping in touch with the mSCP program noted above as well as macOS updates from Apple is essential.

References

Apple, Inc. (n.d.). Integrate Active Directory using directory utility on Mac. Apple Support. https://support.apple.com/guide/directory-utility/integrate-active-directory-diru39a25fa2/mac

Trapnell, M., Trapnell, E., Souppaya, M., Gendler, B., & Scarfone, K. (2022, November 29). Automated Secure Configuration guidance from the macOS Security Compliance Project (MSCP). NIST. https://www.nist.gov/publications/automated-secure-configuration-guidance-macos-security-compliance-project-mscp

About the Author

Ron McFarland, Ph.D., CISSP, is Chief Technology Officer at Highervista LLC in Flagstaff, AZ and formerly a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Long Beach, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, an MSc in Computer Science from Arizona State University, and completed a Post-Doc Graduate Research Program in Cyber Security Technologies at the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security, Cisco CCNA Wireless, and other Cisco courses. He was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications, including the prestigious Certified Information Systems Security Professional (CISSP). He writes for Medium as a guest author to provide information to learners of cybersecurity, students, and clients.

CONTACT Dr. Ron McFarland, Ph.D.

· Email: highervista@gmail.com

· LinkedIn: https://www.linkedin.com/in/highervista/

· YouTube Channel — Smart Cybersecurity: https://www.youtube.com/@RonMcFarland/featured

Cybersecurity Consultant, Educator, State-Certified Digital Forensics and Expert Witness (California, Arizona, New Mexico)