Disable password hints: Still in the Login Options pane, uncheck Show password hints.
Disable guest account and sharing: Select the guest account and uncheck both Allow guests to log in to this computer and Allow guests to connect to shared folders. If you really do want to enable guests to log in, enable the account and check Enable parental controls. From there, click the Open Parental Controls button and check Limit Applications; you can then lock the guest into using merely a few apps, even just a Web browser. If you follow the advice later in this article and enable FileVault for encryption, guests will only be able to log in and use Safari, and they'll never be able to see any of your data.
Disable Apple ID password reset: Back in the main Users & Groups pane, uncheck Allow user to reset password using Apple ID for all of your accounts. If you do maintain an admin account separate from your standard day-to-day one, it's okay to disable this option for that admin account and keep it on for your standard one. If you didn't have this option selected and if someone were to get your Apple ID, it would also give them access to your computer and the potential ability to lock you out. And yes, if you lose your password you may be locked out of your Mac, so...don't.
This pane is located in System Preferences > Security & Privacy, and Apple has made a ton of changes since the release of the NSA guide. Here are recommended settings, organized by tab.
General: Check Require password after sleep or screen saver begins and set it for immediately. Then check Disable automatic login. Next, enable Gatekeeper by selecting Mac App Store and identified developers in the 'Allow applications downloaded from' section; for even more security, choose Mac App Store. (You can still install other downloaded applications by Command-clicking them and selecting Open.) Finally, click the Advanced button and uncheck Automatically update safe downloads list, a list of apps Apple believes are safe. (When you're the NSA, nothing is safe.)
FileVault: FileVault 2 is far better than the original FileVault, and I recommend it with one big caveat—you must keep really good backups. To enable it, click Turn On FileVault. Then select the user accounts you want to allow to log in to the computer when the disk is locked (this should be your admin account, your standard account, and any other users who might need to boot the Mac). Then be sure to write down the displayed recovery key. This is the only way to get back into your Mac if you forget your password. If you lose both your password and the recovery key, it's game over for you and your Mac.
Sign up for CIO Asia eNewsletters.