CMMC Practice CM.2.064
Establish and enforce security configuration settings for information technology products employed in organizational systems.
Bold Coast Security Guidance
For Level 2 compliance, your policy must state that security hardening baselines are required for each operating system and device type in your environment.
In addition to required system build requirements, system hardening requirements must be created and enforced. The best resource for these is offered without cost by the Center for Internet Security (CIS). At CIS you can find system hardening "Baselines" for every operating system likely to exist on your production network.
As with system builds, hardening baselines are best implemented as checklists which responsible personnel sign after use. This creates an auditable process that can be used to verify your security controls are working as they are designed.
Another piece of this puzzle is monitoring your network environment on a regular basis to ensure configuration and hardening standards are being employed consistently. There are many tool available to automate this process. If your budget does not support the automation, then manual "spot checks" can be employed. A "spot check" consists of random selection of a system, logging into that system and verifying that configuration and hardening settings are in place as required. If variances are identified, those should be documented and compared to the signed checklists so you can determine which member of your workforce performed that particular system build. Then, opportunities for training and policy enforcement can be identified.
DRAFT NIST SP 800-171 R2
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security -related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications.
Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections . Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. NIST SP 800-70 and SP 800-128 provide guidance on security configuration settings.
- UK NCSC Cyber Essentials
- CERT RMM v1.2 TM:SG2.SP2
- NIST SP 800-171 Rev 1 3.4.2
- CIS Controls v7.1 1.4, 1.5, 2.1, 2.4, 5.1
- NIST CSF v1.1 ID.AM-1, ID.AM-2, PR.DS-3, PR.DS-7, PR.IP-1, DE.AE-1
- NIST SP 800-53 Rev 4 CM-2, CM-6, CM-8, CM-8(1)