usnistgov · robertgendler · Mar 26, 2026 · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026
diff --git a/baselines/nlmapgov_base.yaml b/baselines/nlmapgov_base.yaml
@@ -0,0 +1,24 @@
+title: "iOS/iPadOS 26.0: Security Configuration - NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base)"
+description: |
+  This guide describes the actions to take when securing a iOS/iPadOS 26.0 system against the NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base) security baseline.
+
+  Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+  *macOS Security Compliance Project*
+
+  |===
+  |Jordy Witteman|Root3
+  |Aron van den Herik|Root3
+  |===
+parent_values: "nlmapgov_base"
+profile:
+  - section: "ios"
+    rules:
+      - os_background_security_improvement_install_enable
+      - os_force_date_and_time_enable
+      - os_software_update_download_enforce
+      - os_software_update_install_enforce
+      - os_supervised_mdm_require
+  - section: "passwordpolicy"
+    rules:
+      - pwpolicy_force_pin_enable
diff --git a/baselines/nlmapgov_plus.yaml b/baselines/nlmapgov_plus.yaml
@@ -0,0 +1,57 @@
+title: "iOS/iPadOS 26.0: Security Configuration - NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus)"
+description: |
+  This guide describes the actions to take when securing a iOS/iPadOS 26.0 system against the NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus) security baseline.
+
+  Information System Security Officers and benchmark creators can use this catalog of settings in order to assist them in security benchmark creation. This list is a catalog, not a checklist or benchmark, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios.
+authors: |
+  *macOS Security Compliance Project*
+
+  |===
+  |Jordy Witteman|Root3
+  |Aron van den Herik|Root3
+  |===
+parent_values: "nlmapgov_plus"
+profile:
+  - section: "icloud"
+    rules:
+      - icloud_keychain_disable
+      - icloud_managed_apps_store_data_disabled
+  - section: "ios"
+    rules:
+      - os_airdrop_unmanaged_destination_enable
+      - os_allow_documents_managed_sources_unmanaged_destinations_disable
+      - os_apple_watch_wrist_detection_enable
+      - os_authentication_password_autofill_enable
+      - os_background_security_improvement_install_enable
+      - os_background_security_improvement_removal_disable
+      - os_diagnostics_reports_disable
+      - os_disallow_enterprise_app_trust
+      - os_external_intelligence_integration_sign_in_disable
+      - os_force_date_and_time_enable
+      - os_force_encrypted_backups_enable
+      - os_install_configuration_profile_disable
+      - os_install_vpn_configuration_disable
+      - os_iphone_mirroring_disable
+      - os_limit_ad_tracking_enable
+      - os_mail_maildrop_disable
+      - os_mail_move_messages_disable
+      - os_marketplace_prevent
+      - os_on_device_dictation_enforce
+      - os_on_device_translation_enforce
+      - os_personalized_advertising_disable
+      - os_require_managed_pasteboard_enforce
+      - os_safari_cookies_set
+      - os_safari_force_fraud_warning_enable
+      - os_software_update_download_enforce
+      - os_software_update_install_enforce
+      - os_ssl_for_exchange_activesync_enable
+      - os_supervised_mdm_require
+      - os_unpaired_boot_disable
+      - os_untrusted_tls_disable
+      - os_usb_accessories_when_locked_disable
+      - os_web_distribution_app_installation_disable
+  - section: "passwordpolicy"
+    rules:
+      - pwpolicy_force_pin_enable
+      - pwpolicy_minimum_length_enforce
+      - pwpolicy_simple_sequence_disable
diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
@@ -104,7 +104,15 @@ authors:
     names:
       - Henry Stamerjohann|Declarative IT GmbH
       - Allen Golbig|Jamf
-      - Bob Gendler|National Institute of Standards and Technology       
+      - Bob Gendler|National Institute of Standards and Technology
+  nlmapgov_base:
+    names:
+      - Jordy Witteman|Root3
+      - Aron van den Herik|Root3
+  nlmapgov_plus:
+    names:
+      - Jordy Witteman|Root3
+      - Aron van den Herik|Root3       
 titles:
   all_rules: All Rules
   800-53r5_high: NIST SP 800-53 Rev 5 High Impact
@@ -118,6 +126,9 @@ titles:
   ios_stig:  Apple iOS/iPadOS 26 STIG - Ver 1, Rel 1  
   indigo_base: BSI indigo iOS 26.x Base Configuration
   indigo_high: BSI indigo iOS 26.x High Configuration
+  nlmapgov_base: NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (base)
+  nlmapgov_plus: NLMAPGOV - Nederlandse Maatregelenset Apple Platformen Overheid (plus)
 ddm:
-  supported_types: []
+  supported_types:
+    - com.apple.configuration.softwareupdate.settings
   services: []  
diff --git a/rules/icloud/icloud_keychain_disable.yaml b/rules/icloud/icloud_keychain_disable.yaml
@@ -32,6 +32,8 @@ references:
       - 4.1
       - 4.8
       - 15.3
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -48,6 +50,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true

diff --git a/rules/icloud/icloud_managed_apps_store_data_disabled.yaml b/rules/icloud/icloud_managed_apps_store_data_disabled.yaml
@@ -31,6 +31,8 @@ references:
       - 3.2.1.7 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 2.3
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -49,6 +51,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true

diff --git a/rules/os/os_airdrop_unmanaged_destination_enable.yaml b/rules/os/os_airdrop_unmanaged_destination_enable.yaml
@@ -31,6 +31,8 @@ references:
       - 3.2.1.23 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 3.3
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -49,6 +51,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true

diff --git a/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml b/rules/os/os_allow_documents_managed_sources_unmanaged_destinations_disable.yaml
@@ -30,6 +30,8 @@ references:
       - 3.2.1.21 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 3.3
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -48,6 +50,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true

diff --git a/rules/os/os_apple_watch_wrist_detection_enable.yaml b/rules/os/os_apple_watch_wrist_detection_enable.yaml
@@ -24,6 +24,8 @@ references:
       - 3.2.1.27 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 3.3
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -40,6 +42,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: low
 supervised: false
 mobileconfig: true

diff --git a/rules/os/os_authentication_password_autofill_enable.yaml b/rules/os/os_authentication_password_autofill_enable.yaml
@@ -24,6 +24,8 @@ references:
     - 3.2.1.26 (level 1 - Institutionally-Owned Devices)
     controls v8:
     - 3.3
+  bio:
+  - 8.27
 iOS:
 - "26.0"
 tags:
@@ -38,6 +40,7 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
+- nlmapgov_plus
 supervised: true
 mobileconfig: true
 mobileconfig_info:

diff --git a/rules/os/os_background_security_improvement_install_enable.yaml b/rules/os/os_background_security_improvement_install_enable.yaml
@@ -0,0 +1,24 @@
+id: os_background_security_improvement_install_enable
+title: Enforce Background Security Improvements are Automatically Installed using DDM.
+discussion: |
+  Background Security Improments _MUST_ be configured to enforce automatic installation and that the user cannot modify the setting within Settings.
+check: " "
+fix: |
+  This is implemented by Declarative Device Management (DDM).
+references:
+  bio:
+    - 8.08
+iOS:
+  - "26.0"
+tags:
+  - ios
+  - nlmapgov_base
+  - nlmapgov_plus
+supervised: true
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+  declarationtype: com.apple.configuration.softwareupdate.settings
+  ddm_key: RapidSecurityResponse
+  ddm_value:
+    Enable: true
diff --git a/rules/os/os_background_security_improvement_removal_disable.yaml b/rules/os/os_background_security_improvement_removal_disable.yaml
@@ -0,0 +1,23 @@
+id: os_background_security_improvement_removal_disable
+title: Disable rollback of Background Security Improvements using DDM.
+discussion: |
+  The ability for the user to roll back Background Security Improvements _MUST_ be disabled.
+check: " "
+fix: |
+  This is implemented by Declarative Device Management (DDM).
+references:
+  bio:
+    - 8.08
+iOS:
+  - "26.0"
+tags:
+  - ios
+  - nlmapgov_plus
+supervised: true
+mobileconfig: false
+mobileconfig_info:
+ddm_info:
+  declarationtype: com.apple.configuration.softwareupdate.settings
+  ddm_key: RapidSecurityResponse
+  ddm_value:
+    EnableRollback: false
diff --git a/rules/os/os_diagnostics_reports_disable.yaml b/rules/os/os_diagnostics_reports_disable.yaml
@@ -28,6 +28,8 @@ references:
       - 3.2.1.25 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 4.8
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -46,6 +48,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true

diff --git a/rules/os/os_disallow_enterprise_app_trust.yaml b/rules/os/os_disallow_enterprise_app_trust.yaml
@@ -22,6 +22,8 @@ references:
       - N/A
     controls v8:
       - N/A
+  bio:
+    - 8.27
 iOS:
   - '26.0'
 tags:
@@ -35,6 +37,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: low
 supervised: false
 mobileconfig: true

diff --git a/rules/os/os_external_intelligence_integration_sign_in_disable.yaml b/rules/os/os_external_intelligence_integration_sign_in_disable.yaml
@@ -30,6 +30,9 @@ references:
       - 15.3
   indigo:
     - ANNEX K
+  bio:
+    - 8.12
+    - 8.12.01
 iOS:
   - '26.0'
 tags:
@@ -45,6 +48,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: true
 mobileconfig: true

diff --git a/rules/os/os_force_date_and_time_enable.yaml b/rules/os/os_force_date_and_time_enable.yaml
@@ -25,6 +25,8 @@ references:
     - 3.2.1.17 (level 1 - Institutionally-Owned Devices)
     controls v8:
     - 8.4
+  bio:
+  - 8.17
 iOS:
 - "26.0"
 tags:
@@ -42,6 +44,8 @@ tags:
 - cnssi-1253_moderate
 - cnssi-1253_low
 - cnssi-1253_high
+- nlmapgov_base
+- nlmapgov_plus
 supervised: false
 mobileconfig: true
 mobileconfig_info:

diff --git a/rules/os/os_force_encrypted_backups_enable.yaml b/rules/os/os_force_encrypted_backups_enable.yaml
@@ -30,6 +30,8 @@ references:
       - 3.2.1.10 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 11.3
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -48,6 +50,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: false
 mobileconfig: true

diff --git a/rules/os/os_install_configuration_profile_disable.yaml b/rules/os/os_install_configuration_profile_disable.yaml
@@ -27,6 +27,8 @@ references:
       - 3.2.1.15 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 4.1
+  bio:
+    - 8.27
 iOS:
   - '26.0'
 tags:
@@ -40,6 +42,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: medium
 supervised: true
 mobileconfig: true

diff --git a/rules/os/os_install_vpn_configuration_disable.yaml b/rules/os/os_install_vpn_configuration_disable.yaml
@@ -29,6 +29,8 @@ references:
       - 3.2.1.16 (level 1 - Institutionally-Owned Devices)
     controls v8:
       - 12.7
+  bio:
+    - 8.12
 iOS:
   - '26.0'
 tags:
@@ -45,6 +47,7 @@ tags:
   - cnssi-1253_low
   - cnssi-1253_high
   - ios_stig
+  - nlmapgov_plus
 severity: low
 supervised: true
 mobileconfig: true