CMMC Domain CM: Configuration Management

Implementing practices for creating standard configurations, approving changes, and monitoring for unapproved changes.

CM.2.062
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
CM.4.073
Employ application whitelisting and an application vetting process for systems identified by the organization.
CM.3.069
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
CM.3.067
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
CM.3.068
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
CM.2.066
Analyze the security impact of changes prior to implementation.
CM.2.063
Control and monitor user-installed software.
CM.2.061
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
CM.2.064
Establish and enforce security configuration settings for information technology products employed in organizational systems.
CM.5.074
Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures).
CM.2.065
Track, review, approve, or disapprove, and log changes to organizational systems.