CMMC 2.13
CMMC · Rev 2.132FAMILY CM
CM.L2-3.4.2
Security Configuration Enforcement
Requirement
Establish and enforce security configuration settings for information technology products employed in organizational systems.
Further discussion
Information security is an integral part of a company’s configuration management process. Security-related configuration settings are customized to satisfy the company’s security requirements and are applied them to all systems once tested and approved. The configuration settings must reflect the most restrictive settings that are appropriate for the system. Any required deviations from the baseline are reviewed, documented, and approved.
Example
You manage baseline configurations for your company’s systems, including those that process, store, and transmit CUI. As part of this, you download a secure configuration guide for each of your asset types (servers, workstations, network components, operating systems, middleware, and applications) from a well-known and trusted IT security organization. You then apply all of the settings that you can while still ensuring the assets can perform the role for which they are needed. Once you have the configuration settings identified and tested, you document them to ensure all applicable machines can be configured the same way [a,b].
Potential Assessment Considerations
• Do security settings reflect the most restrictive settings appropriate [a]?
• Are changes or deviations to security settings documented [b]?
Supporting controls
NIST 800-171 · Rev 21 mapped
Create a free account or log in to view the cross-referenced controls.
Implementation strategies
10 recommended strategies for this practice.
Create a free account or log in to view the implementation strategies.
Source: DoD CIO · https://dodcio.defense.gov/CMMC/