CM.2.064 Establish and enforce security configuration settings for information technology products employed in organizational systems.

CMMC Practice CM.2.064: Establish and enforce security configuration settings for information technology products employed in organizational systems.

Links to Publicly Available Resources

CMMC CLARIFICATION (Ref CMMC – Appendix B)

Security-related configuration settings should be customized and included as part of an organization’s baseline configurations for all information systems. These configuration settings should satisfy the organization’s security requirements and changes or deviations to the security settings should be documented. Organizations should document the Security-related configuration settings and apply them to all systems once tested and approved. The configuration settings should reflect the most restrictive settings that are appropriate for the system. This ensures that information security is an integral part of an organization’s configuration management process.