Back to Control Explorer
CM.2.064
Content
Control Acronym
CM
Family
Configuration Management
CMMC Level
2
800-171 Control #
3.4.2
CMMC Description
Establish and enforce security configuration settings for information technology products employed in organizational systems.
CMMC Clarification
Security-related configuration settings should be customized and included as part of an organization’s baseline configurations for all information systems. These configuration settings should satisfy the organization’s security requirements and changes or deviations to the security settings should be documented. Organizations should document the Securityrelated configuration settings and apply them to all systems once tested and approved. The configuration settings should reflect the most restrictive settings that are appropriate for the system. This ensures that information security is an integral part of an organization’s configuration management process. Example You are in charge of establishing baseline configurations for your organization’s systems. As part of this, you document the most restrictive settings that still allow the system to function as required and apply this configuration to all applicable systems. This secure configuration, also known as a system lockdown, blocks unapproved applications from running on the system. The lockdown configuration aligns with your organization’s security requirements.
800-171 Description
Establish and enforce security configuration settings for information technology products employed in organizational systems.
800-171 Discussion
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. [SP 800-70] and [SP 800-128] provide guidance on security configuration settings.
Other Source Discussion
N/A
CIS Control References
CIS Controls v7.1 1.4, 1.5, 2.1, 2.4, 5.1
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 CM-2, CM-6, CM-8, CM-8(1)
CMMC Derived
NIST CSF Control References
NIST 800-171 References
NIST SP 800-171 Rev 1 3.4.2
Applicable FAR Clause
NIST CSF Control Reference
NIST CSF v1.1 ID.AM-1, ID.AM-2, PR.DS-3, PR.DS-7, PR.IP-1, DE.AE-1
CERT RMM Reference
CERT RMM v1.2 TM:SG2.SP2
Modification of NIST 800-171B Reference
NIST 800-171B Reference
UK NCSCCyber Reference
UK NCSC Cyber Essentials
AS ACSC Reference
Sub-Criterias
Assessment Sub-Criteria 1
CM.2.064.[a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and
Assessment Sub-Criteria 2
CM.2.064.[b] security configuration settings for information technology products employed in the system are enforced.