Skip to content
CMMC 2.13
CMMC · Rev 2.132FAMILY CM

CM.L2-3.4.2

Security Configuration Enforcement

Requirement

Establish and enforce security configuration settings for information technology products employed in organizational systems.

Further discussion

Information security is an integral part of a company’s configuration management process. Security-related configuration settings are customized to satisfy the company’s security requirements and are applied them to all systems once tested and approved. The configuration settings must reflect the most restrictive settings that are appropriate for the system. Any required deviations from the baseline are reviewed, documented, and approved. Example You manage baseline configurations for your company’s systems, including those that process, store, and transmit CUI. As part of this, you download a secure configuration guide for each of your asset types (servers, workstations, network components, operating systems, middleware, and applications) from a well-known and trusted IT security organization. You then apply all of the settings that you can while still ensuring the assets can perform the role for which they are needed. Once you have the configuration settings identified and tested, you document them to ensure all applicable machines can be configured the same way [a,b]. Potential Assessment Considerations • Do security settings reflect the most restrictive settings appropriate [a]? • Are changes or deviations to security settings documented [b]?

Supporting controls

NIST 800-171 · Rev 21 mapped

Create a free account or log in to view the cross-referenced controls.

Implementation strategies

10 recommended strategies for this practice.

Create a free account or log in to view the implementation strategies.

Source: DoD CIO · https://dodcio.defense.gov/CMMC/