usnistgov · tonyyo11 · May 21, 2026 · May 26, 2026 · Jun 4, 2026
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
@@ -34,11 +34,13 @@ profile:
       - os_anti_virus_installed
       - os_authenticated_root_enable
       - os_config_data_install_enforce
+      - os_external_apfs_hfs_volumes_encrypted
       - os_gatekeeper_enable
       - os_guest_folder_removed
       - os_home_folders_secure
       - os_httpd_disable
       - os_install_log_retention_configure
+      - os_internal_apfs_volumes_encrypted
       - os_mail_summary_disable
       - os_mobile_file_integrity_enable
       - os_nfsd_disable
@@ -87,6 +89,7 @@ profile:
       - system_settings_firewall_stealth_mode_enable
       - system_settings_guest_access_smb_disable
       - system_settings_guest_account_disable
+      - system_settings_hot_corners_secure
       - system_settings_improve_assistive_voice_disable
       - system_settings_improve_search_disable
       - system_settings_improve_siri_dictation_disable

diff --git a/baselines/cis_lvl2.yaml b/baselines/cis_lvl2.yaml
@@ -45,11 +45,13 @@ profile:
       - os_authenticated_root_enable
       - os_bonjour_disable
       - os_config_data_install_enforce
+      - os_external_apfs_hfs_volumes_encrypted
       - os_gatekeeper_enable
       - os_guest_folder_removed
       - os_home_folders_secure
       - os_httpd_disable
       - os_install_log_retention_configure
+      - os_internal_apfs_volumes_encrypted
       - os_mail_summary_disable
       - os_mobile_file_integrity_enable
       - os_nfsd_disable

diff --git a/baselines/cisv8.yaml b/baselines/cisv8.yaml
@@ -74,13 +74,15 @@ profile:
       - os_dictation_disable
       - os_directory_services_configured
       - os_ess_installed
+      - os_external_apfs_hfs_volumes_encrypted
       - os_filevault_autologin_disable
       - os_gatekeeper_enable
       - os_handoff_disable
       - os_home_folders_secure
       - os_httpd_disable
       - os_icloud_storage_prompt_disable
       - os_install_log_retention_configure
+      - os_internal_apfs_volumes_encrypted
       - os_iphone_mirroring_disable
       - os_ir_support_disable
       - os_library_validation_enabled

diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
@@ -97,8 +97,8 @@ titles:
   800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
   800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
   800-171: NIST 800-171 Rev 3
-  cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1)
-  cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2)
+  cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.1.0 Benchmark (Level 1)
+  cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.1.0 Benchmark (Level 2)
   cmmc_lvl1: US CMMC 2.0 Level 1
   cmmc_lvl2: US CMMC 2.0 Level 2
   cisv8: CIS Controls Version 8

diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml
@@ -45,8 +45,8 @@ macOS:
 odv:
   hint: See man audit_control for possible values.
   recommended: 7d
-  cis_lvl1: 60d OR 5G
-  cis_lvl2: 60d OR 5G
+  cis_lvl1: 30d
+  cis_lvl2: 30d
   stig: 7d
   nlmapgov_base: 180d
   nlmapgov_plus: 180d

diff --git a/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml b/rules/os/os_external_apfs_hfs_volumes_encrypted.yaml
@@ -0,0 +1,56 @@
+id: os_external_apfs_hfs_volumes_encrypted
+title: Ensure All APFS and HFS+ External User Storage Volumes Are Encrypted
+discussion: |
+  All APFS and HFS+ external user storage volumes _MUST_ be encrypted.
+
+  While FileVault protects the boot volume, data may be copied to attached external storage and reduce the protection afforded by FileVault. All external user data volumes (APFS or HFS+) _MUST_ be encrypted to protect user data from loss or tampering. CoreStorage has been deprecated and replaced with APFS for volume encryption.
+check: |
+  fail=$(/usr/sbin/diskutil list external | /usr/bin/grep -E "APFS Volume|Apple_HFS|Logical Volume" | /usr/bin/awk '{print $NF}' | /usr/bin/xargs -n1 /usr/sbin/diskutil info 2>/dev/null | /usr/bin/awk '
+    /Volume Name:/{name=$0; sub(/^[ \t]*Volume Name:[ \t]*/,"",name)}
+    /FileVault:/{
+      if ($2=="No") {
+        if (list=="") list=name; else list=list ", " name
+      }
+    }
+    END{print list}')
+  if [ -z "$fail" ]; then
+    /bin/echo "Yes"
+  else
+    /bin/echo "Unencrypted external volumes: $fail"
+  fi
+result:
+  string: "Yes"
+fix: |
+  Use Disk Utility to erase a user disk and format as APFS (Encrypted).
+
+  NOTE: It is recommended using APFS over HFS+ where possible. If you do need to use an HFS+/CoreStorage external drive for compatibility reasons, you need to format the drive to MacOS Extended (Journaled) (or MacOS Extended (Case-Sensitive, Journaled) if Case-Sensitive is required).
+references:
+  cce:
+    - N/A
+  cci:
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  cis:
+    benchmark:
+      - 5.3.2 (level 1)
+    controls v8:
+      - 3.6
+      - 3.11
+      - 13.6
+      - 14.8
+macOS:
+  - '26.0'
+tags:
+  - cis_lvl1
+  - cis_lvl2
+  - cisv8
+severity: medium
+mobileconfig: false
+mobileconfig_info:
diff --git a/rules/os/os_internal_apfs_volumes_encrypted.yaml b/rules/os/os_internal_apfs_volumes_encrypted.yaml
@@ -0,0 +1,56 @@
+id: os_internal_apfs_volumes_encrypted
+title: Ensure All Internal User Storage APFS Volumes Are Encrypted
+discussion: |
+  All internal user storage APFS volumes _MUST_ be encrypted.
+
+  While FileVault protects the boot volume, data may be copied to other attached internal storage and reduce the protection afforded by FileVault. All internal APFS volumes that carry user data and do not have a specific role (Preboot, Recovery, VM) _MUST_ be encrypted to protect user data from loss or tampering.
+check: |
+  fail=$(/usr/sbin/diskutil list internal | /usr/bin/grep "APFS Volume" | /usr/bin/awk '{print $NF}' | /usr/bin/xargs -n1 /usr/sbin/diskutil info 2>/dev/null | /usr/bin/awk '
+    /Volume Name:/{name=$0; sub(/^[ \t]*Volume Name:[ \t]*/,"",name)}
+    /FileVault:/{
+      if ($2=="No" && name !~ /^(Preboot|Recovery|VM)$/) {
+        if (list=="") list=name; else list=list ", " name
+      }
+    }
+    END{print list}')
+  if [ -z "$fail" ]; then
+    /bin/echo "Yes"
+  else
+    /bin/echo "Unencrypted internal user APFS volumes: $fail"
+  fi
+result:
+  string: "Yes"
+fix: |
+  Use Disk Utility to erase a user disk and format as APFS (Encrypted).
+
+  NOTE: APFS Encrypted disks will be described as "FileVault" whether they are the boot volume or not.
+references:
+  cce:
+    - N/A
+  cci:
+    - N/A
+  800-53r5:
+    - N/A
+  800-53r4:
+    - N/A
+  srg:
+    - N/A
+  disa_stig:
+    - N/A
+  cis:
+    benchmark:
+      - 5.3.1 (level 1)
+    controls v8:
+      - 3.6
+      - 3.11
+      - 13.6
+      - 14.8
+macOS:
+  - '26.0'
+tags:
+  - cis_lvl1
+  - cis_lvl2
+  - cisv8
+severity: medium
+mobileconfig: false
+mobileconfig_info:
diff --git a/rules/os/os_world_writable_library_folder_configure.yaml b/rules/os/os_world_writable_library_folder_configure.yaml
@@ -5,7 +5,7 @@ discussion: |
 
   NOTE: Some vendors are known to create world-writable folders to the System Library folder. You may need to add more exclusions to this check and fix to match your environment.
 check: |
-  /usr/bin/find /Library -type d -perm -002 ! -perm -1000 ! -xattrname com.apple.rootless 2>/dev/null | /usr/bin/wc -l | /usr/bin/xargs
+  /usr/bin/find /Library -type d -perm -002 ! -perm -1000 ! -xattrname com.apple.rootless 2>/dev/null | /usr/bin/grep -vE "/Library/AppStore" | /usr/bin/wc -l | /usr/bin/xargs
 result:
   integer: 0
 fix: |

diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml
@@ -60,8 +60,7 @@ discussion: |
   5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured +
   5.2.5 Ensure Complex Password Must Contain Special Character Is Configured +
   5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured +
-  5.3.1 Ensure All User Storage APFS Volumes are Encrypted +
-  5.3.2 Ensure All User Storage CoreStorage Volumes are Encrypted +
+  5.3.3 Audit Connected FAT32 and ExFAT Drives
   |===
 
   [cols="15%h, 85%a"]

diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
@@ -5,9 +5,9 @@ discussion: |
 
   Turning off guest access prevents anonymous users from accessing files shared via SMB.
 check: |
-  /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess
+  /usr/sbin/sysadminctl -smbGuestAccess status 2>&1 | /usr/bin/grep -c "SMB guest access disabled"
 result:
-  boolean: 0
+  integer: 1
 fix: |
   [source,bash]
   ----

diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml
@@ -49,14 +49,15 @@ references:
     - 03.01.10
   cis:
     benchmark:
-      - 2.7.1 (level 2)
+      - 2.7.1 (level 1)
     controls v8:
       - 4.3
   cmmc:
     - AC.L2-3.1.10
 macOS:
   - '26.0'
 tags:
+  - cis_lvl1
   - cis_lvl2
   - cisv8
   - cnssi-1253_low