usnistgov · tonyyo11 · May 21, 2026
diff --git a/baselines/cis_lvl1.yaml b/baselines/cis_lvl1.yaml
@@ -87,6 +87,7 @@ profile:
       - system_settings_firewall_stealth_mode_enable
       - system_settings_guest_access_smb_disable
       - system_settings_guest_account_disable
+      - system_settings_hot_corners_secure
       - system_settings_improve_assistive_voice_disable
       - system_settings_improve_search_disable
       - system_settings_improve_siri_dictation_disable

diff --git a/includes/mscp-data.yaml b/includes/mscp-data.yaml
@@ -97,8 +97,8 @@ titles:
   800-53r5_moderate: NIST SP 800-53 Rev 5 Moderate Impact
   800-53r5_low: NIST SP 800-53 Rev 5 Low Impact
   800-171: NIST 800-171 Rev 3
-  cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 1)
-  cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.0.0 Benchmark (Level 2)
+  cis_lvl1: CIS Apple macOS 26.0 Tahoe v1.1.0 Benchmark (Level 1)
+  cis_lvl2: CIS Apple macOS 26.0 Tahoe v1.1.0 Benchmark (Level 2)
   cmmc_lvl1: US CMMC 2.0 Level 1
   cmmc_lvl2: US CMMC 2.0 Level 2
   cisv8: CIS Controls Version 8

diff --git a/rules/audit/audit_retention_configure.yaml b/rules/audit/audit_retention_configure.yaml
@@ -45,8 +45,8 @@ macOS:
 odv:
   hint: See man audit_control for possible values.
   recommended: 7d
-  cis_lvl1: 60d OR 5G
-  cis_lvl2: 60d OR 5G
+  cis_lvl1: 30d
+  cis_lvl2: 30d
   stig: 7d
   nlmapgov_base: 180d
   nlmapgov_plus: 180d

diff --git a/rules/supplemental/supplemental_cis_manual.yaml b/rules/supplemental/supplemental_cis_manual.yaml
@@ -60,8 +60,9 @@ discussion: |
   5.2.4 Ensure Complex Password Must Contain Numeric Character Is Configured +
   5.2.5 Ensure Complex Password Must Contain Special Character Is Configured +
   5.2.6 Ensure Complex Password Must Contain Uppercase and Lowercase Characters Is Configured +
-  5.3.1 Ensure All User Storage APFS Volumes are Encrypted +
-  5.3.2 Ensure All User Storage CoreStorage Volumes are Encrypted +
+  5.3.1 Ensure All Internal User storage APFS Volumes Are Encrypted +
+  5.3.2 Ensure All APFS And HFS+ External User Storage Volumes Are Encrypted +
+  5.3.3 Ensure No FAT32 And ExFAT Drives Are Connected
   |===
 
   [cols="15%h, 85%a"]

diff --git a/rules/system_settings/system_settings_guest_access_smb_disable.yaml b/rules/system_settings/system_settings_guest_access_smb_disable.yaml
@@ -5,9 +5,9 @@ discussion: |
 
   Turning off guest access prevents anonymous users from accessing files shared via SMB.
 check: |
-  /usr/bin/defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess
+  /usr/sbin/sysadminctl -smbGuestAccess status 2>&1 | /usr/bin/grep -c "SMB guest access disabled"
 result:
-  boolean: 0
+  integer: 1
 fix: |
   [source,bash]
   ----

diff --git a/rules/system_settings/system_settings_hot_corners_secure.yaml b/rules/system_settings/system_settings_hot_corners_secure.yaml
@@ -49,14 +49,15 @@ references:
     - 03.01.10
   cis:
     benchmark:
-      - 2.7.1 (level 2)
+      - 2.7.1 (level 1)
     controls v8:
       - 4.3
   cmmc:
     - AC.L2-3.1.10
 macOS:
   - '26.0'
 tags:
+  - cis_lvl1
   - cis_lvl2
   - cisv8
   - cnssi-1253_low