CMMC Domain CM (Configuration Management)
Implementing practices for creating standard configurations, approving changes, and monitoring for unapproved changes.
- Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
- Employ application whitelisting and an application vetting process for systems identified by the organization.
- Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
- Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
- Analyze the security impact of changes prior to implementation.
- Control and monitor user-installed software.
- Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- Establish and enforce security configuration settings for information technology products employed in organizational systems.
- Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures).
- Track, review, approve or disapprove, and log changes to organizational systems.