CMMC Practices

CM.L2-3.4.2  

Reference: CMMC 2.11

Family: CM

Level Introduced: 2

Title: Security Configuration Enforcement

Practice:
Establish and enforce security configuration settings for information technology products employed in organizational systems.

CMMC Clarification:
Security-related configuration settings should be customized and included as part of an organization's baseline configurations for all information systems. These configuration settings should satisfy the organization's security requirements, and changes or deviations to the security settings should be documented. Organizations should document the security-related configuration settings and apply them to all systems once tested and approved. The configuration settings should reflect the most restrictive settings that are appropriate for the system. This ensures that information security is an integral part of an organization's configuration management process.

Example:
You are in charge of establishing baseline configurations for your organization's systems. As part of this, you document the most restrictive settings that still allow the system to function as required and apply this configuration to all applicable systems. This secure configuration, also known as a system lockdown, blocks unapproved applications from running on the system. The lockdown configuration aligns with your organization's security requirements.

Source: CMMC v2.0