CM.2.064 Establish and enforce security configuration settings for information technology products employed in organizational systems.

CMMC Practice CM.2.064: Establish and enforce security configuration settings for information technology products employed in organizational systems.

Links to Publicly Available Resources

AT&T Cybersecurity – Free and Commercial Tools to Implement the CIS Security Controls, Part 10 &11;: Secure Configurations & Control for Network
This article lists free and commercial tools that a company can use to help comply with CIS Controls 10 and 11.
Center for Internet Security – Benchmarks
This is a summary page for the 140+ configuration guidelines for various technology groups to safeguard systems developed by CIS.
CMMC Level 3 Assessment Guide
This document provides assessment guidance for conducting Cybersecurity Maturity Model
Certification (CMMC) assessments for Level 3 and Level 2.
Qualys SCA – Security Configuration Assessment
This is a video from Qualys that shows how to assess a security configuration.
RedHat – Securing Red Hat Enterprise Linux 8
This is a security hardening guide for Red Hat Enterprise Linux 8, developed by Red Hat, Inc.
SANS – Router and Switch Security Policy
This is a router and switch security policy provided by SANS. This document serves an example of the minimum requirements for security configuration for routers and switches.
Splunk – Assess and Implement Critical Security Control #3
This is a presentation from a Splunk Conference on how to use splunk to assess and implement critical security control #3 which is secure configurations for hardware and software.
University of California Berkeley – Secure Device Configuration Guideline
This is UC Berkley’s secure device configuration guideline with adherence to their security policy mandate. This is an example of a how to assess a secure configuration.
US-CERT – Securing Network Infrastructure Devices
Security Threats to network devices and what ways to protect them.
YouTube – Secure Configuration for Hardware and Software
This is a video from CIS that covers secure configurations for hardware and software.

CMMC CLARIFICATION (Ref CMMC – Appendix B)

Security-related configuration settings should be customized and included as part of an organization’s baseline configurations for all information systems. These configuration settings should satisfy the organization’s security requirements and changes or deviations to the security settings should be documented. Organizations should document the Security-related configuration settings and apply them to all systems once tested and approved. The configuration settings should reflect the most restrictive settings that are appropriate for the system. This ensures that information security is an integral part of an organization’s configuration management process.