In this blog, we discuss the complex challenge of macOS compliance within the Dutch government. We highlight the BIO (Baseline Informatiebeveiliging Overheid – Baseline Information Security Government) and how it applies to Apple workplaces. We delve into the CIS Benchmark and the macOS Security Compliance Project (mSCP) as tools to achieve compliance. Finally, we discuss the future with BIO 2.0 and the role of Root3 in assisting government organizations in dealing with this.
Root3 regularly works with government organizations, in consultancy and implementation, to raise the quality of their Apple workstations. We make sure end-users get the best possible Apple experience, a secure workplace, and good integration with other systems. A theme that comes up often, and is implemented often, but that many organizations still find hard to address properly is compliance with the BIO (Baseline Informatiebeveiliging Overheid). Striking the right balance between user experience and security on macOS remains tricky. In this blog, we look more closely at the options for macOS compliance and how Root3 applies them for its clients.
What is the BIO?
To begin with, what exactly is the BIO? The BIO is the basic framework for information security within Dutch government organizations: municipalities, the national government, water boards, and provinces. Every government organization must adhere to it. The norm follows the structure and measures of NEN-ISO/IEC 27001:2017 and NEN-ISO/IEC 27002:2017, which makes it clear, recognizable, and aligned with an international standard. For Root3, this is familiar territory: we have been certified to ISO 9001 and ISO 27001 since 2019, and we recently transitioned from ISO 27001:2017 to the 2022 edition. The BIO is expected to be updated to this new edition later this year, as BIO 2.0.
Additional government measures
On top of the ISO 27001 structure, the BIO contains additional government measures that require more specific policies and are tailored to Dutch government organizations. Examples are the obligation to screen job applicants and request a Certificate of Conduct as part of the hiring procedure, and the concrete measure to always require two-factor authentication when an application is accessed from an untrusted zone. The same applies to password policy: the BIO sets specific requirements, whereas ISO 27001 describes this only in general terms.
The BIO and macOS
The questions organizations ask Root3 are: how do we ensure that our macOS workstations are BIO-compliant? How do we interpret the BIO specifically for macOS? Where do we find the information?
Because the BIO is deliberately generic, it does not say how it applies to macOS. This is logical: technical measures are chosen based on the risk to the confidentiality, integrity, and availability of information, that risk differs per organization, and so the implementation can differ too. However, senior management does need to be shown that workplaces comply with the policy. In practice this is a real challenge: CISOs want to see on paper which measures have been taken and that they satisfy the BIO. But has the BIO been interpreted correctly for a platform like macOS, and does the result still provide a workable situation and a good Apple experience?
Is the CIS Benchmark the answer?
In some projects for the Dutch government, Root3 has implemented solutions based on the CIS Benchmark to meet the requirements of the BIO. The CIS Benchmark is a technical benchmark developed by the non-profit organization Center for Internet Security. This benchmark contains specific recommendations for macOS, why an organization would want to apply these recommendations, how to achieve this technically, and how to verify it through audits in an automated manner.
The CIS Benchmark has become a widely accepted security baseline because it describes concrete technical measures specifically for macOS, and in that form it gives government organizations practical guidance. However, it carries no BIO "label": the benchmark does not relate its recommendations to BIO controls, which makes it difficult to explain and demonstrate to the CISO that the workplaces are BIO-compliant.
macOS Security Compliance Project
For the reasons mentioned above, we work with the macOS Security Compliance Project (mSCP). This open-source project originated a few years ago from the need to generate a security baseline easily, together with the resources to apply it, to verify it, and to document it, for example for the CISO. In essence, you develop your own baseline with accompanying documentation that you can hand over to an auditor, CISO, CIO, or IT manager. That documentation describes the policy precisely and states how each setting can be validated.
mSCP rules
Technically, the mSCP is built from 'rules'. A rule is a technical measure that specifies how a setting should be configured and how it is verified, for example that the macOS password policy requires a minimum of 12 characters, or that iCloud Desktop & Documents is blocked. Baselines do not copy these details; they reference rules by ID. This means the technical content of a rule is managed in one place, for example when the implementation method changes in a new version of macOS, and the updated rule flows into every baseline that uses it the next time that baseline's scripts, profiles, and documentation are generated.
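As an added illustration (not a rule from the mSCP repository or from Root3's own baseline), this is what such a rule and its link to a baseline look like. The rule follows the mSCP YAML layout (id, check, result, fix, references, mobileconfig_info); the rule IDs, the baseline name, the `custom` BIO reference and the CIS section placeholder are assumptions for the sake of the example. The check queries the account policy on the Mac with `pwpolicy` and reports `yes` when the configured minimum length is at least 12; because `pwpolicy` prints a header line before the XML, that first line is stripped with `tail` before `xmllint` parses it. The fix is delivered as a Passcode configuration profile (`com.apple.mobiledevice.passwordpolicy`) through MDM, so the user cannot undo it.

```yaml
# rules/passwordpolicy/pwpolicy_minimum_length_12.yaml
# Illustrative rule in mSCP layout. The id, discussion text and the
# reference values are assumptions for this example, not taken from mSCP.
id: pwpolicy_minimum_length_12
title: "Require a Minimum Password Length of 12 Characters"
discussion: |
  The macOS account policy must require passwords of at least 12 characters.
  Short passwords are easier to guess or brute-force; a minimum length is one
  of the concrete password requirements the BIO sets out.
check: |
  /usr/bin/pwpolicy -getaccountpolicies 2>/dev/null | /usr/bin/tail -n +2 | /usr/bin/xmllint --xpath '//dict/key[text()="minimumLength"]/following-sibling::integer[1]/text()' - 2>/dev/null | /usr/bin/awk '{ if ($1 >= 12) print "yes"; else print "no" }'
result:
  string: "yes"
fix: |
  This setting is enforced with the Passcode configuration profile described
  under mobileconfig_info; install it through MDM so it cannot be removed.
references:
  cis:
    benchmark:
      - "<section number for minimum password length in your CIS edition>"
  custom:                      # assumed: an organization-defined reference set
    bio:
      - "<BIO control number>"  # placeholder; take it from the BIO text itself
macOS:
  - "14.0"
tags:
  - cis_lvl1
  - bio
severity: medium
mobileconfig: true
mobileconfig_info:
  com.apple.mobiledevice.passwordpolicy:
    minLength: 12
---
# baselines/bio_root3.yaml (assumed file name)
# A baseline only lists rule IDs; the technical details live in the rule file.
title: "BIO baseline for macOS (illustrative)"
description: |
  Baseline derived from the CIS Level 1 rules, adjusted for BIO requirements.
authors: |
  Root3 (example)
profile:
  - section: passwordpolicy
    rules:
      - pwpolicy_minimum_length_12
  - section: icloud
    rules:
      - icloud_sync_disable   # assumed rule ID covering iCloud Desktop & Documents
```

Changing the `check` or `mobileconfig_info` in the rule file and regenerating the baseline with the project's `scripts/generate_guidance.py` is enough to update the compliance script, the configuration profiles and the documentation for every baseline that lists the rule; the baseline files themselves do not change.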
Support from community and experts
Managing the rules centrally in the mSCP project offers many advantages. Because many organizations use the project and Apple acknowledges it, the rules are usually well tested by the community against beta versions of macOS. This makes it very likely that a compatible baseline is available on day one of a new (major) macOS release.
mSCP also includes baselines derived from other frameworks, such as those of NIST (National Institute of Standards and Technology), CMMC (Cybersecurity Maturity Model Certification), and CNSSI (Committee on National Security Systems), but these are aimed at the US market; a baseline for the BIO is missing.
Customized baseline based on standard
To address this gap, Root3 uses the macOS Security Compliance Project to develop its own baseline, selecting the rules relevant to the organization's risks and the requirements of the BIO. We believe strongly in best practices, because in the field we see which measures work well and which mainly hinder productivity. We therefore start from a baseline based on the CIS Benchmark, with some exceptions and additions. Root3 is able to interpret the rules for macOS and clarify their impact on the workplace, which ultimately results in a balanced, BIO-compliant baseline.
The future: BIO 2.0
Developments in technology and information security never stand still, and standards quickly become outdated. For this reason, work is currently underway on BIO 2.0, which is based on the new ISO/IEC 27002:2022 standard. This new edition is simplified and modernized, offers more practical (technical) measures, and is easier to apply. In this transition too, Root3 is ready to help government organizations interpret BIO 2.0 for macOS and develop an appropriate baseline.