
V-259575

CAT II (Medium)

The macOS system must enable recovery lock.

Rule ID

SV-259575r991589_rule

STIG

Apple macOS 14 (Sonoma) Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000366

Discussion

A recovery lock password must be enabled and set. Single user mode, recovery mode, the Startup Manager, and several other tools are available on macOS by holding down specific key combinations during startup. Setting a recovery lock restricts access to these tools. IMPORTANT: Recovery lock passwords are not supported on Intel devices. This rule is only applicable to Apple Silicon devices.

Check Content

For non-Apple Silicon systems, this is not applicable.

Verify the macOS system is configured with recovery lock with the following command:

/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockEnabled = 1"

If the result is not "1", this is a finding.
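The check above, including its Apple Silicon applicability test, can be wrapped in a small script for scripted assessments. This is an added example, not part of the STIG text: the function names, the verdict strings, and the use of `sysctl hw.optional.arm64` to detect Apple Silicon are assumptions, and the sample text is constructed.

```shell
#!/bin/sh
# Added example: applicability test plus the STIG check for V-259575.

# Constructed sample text; only the "IsRecoveryLockEnabled = 1" string is from the STIG.
SAMPLE_ENABLED='    IsRecoveryLockEnabled = 1;'
SAMPLE_DISABLED='    IsRecoveryLockEnabled = 0;'

# classify_recovery_lock ARCH SECURITY_INFO
# Prints not_applicable, not_a_finding or finding.
classify_recovery_lock() {
    arch=$1
    info=$2
    # Recovery lock is not supported on Intel, so the rule does not apply there.
    if [ "$arch" != "arm64" ]; then
        echo "not_applicable"
        return 0
    fi
    # grep -c exits 1 on zero matches; "|| true" keeps the count usable under "set -e".
    count=$(printf '%s\n' "$info" | grep -c "IsRecoveryLockEnabled = 1" || true)
    # The STIG treats any result other than "1" as a finding.
    if [ "$count" = "1" ]; then
        echo "not_a_finding"
    else
        echo "finding"
    fi
}

# Runs the check against the local machine.
check_recovery_lock() {
    # hw.optional.arm64 reads 1 on Apple Silicon, even in a shell running under Rosetta.
    if [ "$(/usr/sbin/sysctl -n hw.optional.arm64 2>/dev/null)" = "1" ]; then
        hw=arm64
    else
        hw=intel
    fi
    classify_recovery_lock "$hw" "$(/usr/libexec/mdmclient QuerySecurityInfo 2>/dev/null)"
}

# Only query the live system on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then
    check_recovery_lock
fi
```

An empty or failed `mdmclient` response is reported as a finding, since the expected string is absent.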

Fix Text

Configure the macOS system with recovery lock by using the SetRecoveryLock command. This command sets a Recovery Lock password and must be issued from the MDM.