Requirement text: CM.2.064: Establish and enforce security configuration settings for information
technology products employed in organizational systems.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Configuration settings are the set of parameters that can be changed in hardware, software,
or firmware components of the system that affect the security posture or functionality of the
system. Information technology products for which security-related configuration settings
can be defined include mainframe computers, servers, workstations, input and output
devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers,
gateways, voice and data switches, wireless access points, network appliances, sensors),
operating systems, middleware, and applications.
Security parameters are those parameters impacting the security state of systems including
the parameters required to satisfy other security requirements. Security parameters
include: registry settings; account, file, directory permission settings; and settings for
functions, ports, protocols, and remote connections. Organizations establish organization-
wide configuration settings and subsequently derive specific configuration settings for
systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists,
lockdown and hardening guides, security reference guides, security technical
implementation guides) provide recognized, standardized, and established benchmarks that
stipulate secure configuration settings for specific information technology
platforms/products and instructions for configuring those system components to meet
operational requirements. Common secure configurations can be developed by a variety of
organizations including information technology product developers, manufacturers,
vendors, consortia, academia, industry, federal agencies, and other organizations in the
public and private sectors.
NIST SP 800-70 and SP 800-128 provide guidance on security configuration settings.
CMMC CLARIFICATION
Security-related configuration settings should be customized and included as part of an
organization’s baseline configurations for all information systems. These configuration
settings should satisfy the organization’s security requirements and changes or deviations
to the security settings should be documented. Organizations should document the Security-
related configuration settings and apply them to all systems once tested and approved. The
configuration settings should reflect the most restrictive settings that are appropriate for the
system. This ensures that information security is an integral part of an organization’s
configuration management process.
Example
You are in charge of establishing baseline configurations for your organization’s systems. As
part of this, you document the most restrictive settings that still allow the system to function
as required and apply this configuration to all applicable systems. This secure configuration,
also known as a system lockdown, blocks unapproved applications from running on the
system. The lockdown configuration aligns with your organization’s security requirements.
References
• NIST SP 800-171 Rev 1 3.4.2
• CIS Controls v7.1 1.4, 1.5, 2.1, 2.4, 5.1
• NIST CSF v1.1 ID.AM-1, ID.AM-2, PR.DS-3, PR.DS-7, PR.IP-1, DE.AE-1
• CERT RMM v1.2 TM:SG2.SP2
• NIST SP 800-53 Rev 4 CM-2, CM-6, CM-8, CM-8(1)
• UK NCSC Cyber Essentials