CMMC Practice CM.2.064: Establish and enforce security configuration settings for information technology products employed in organizational systems.
This article lists free and commercial tools that a company can use to help comply with CIS Controls 10 and 11.
This is a summary page for the 140+ configuration guidelines for various technology groups to safeguard systems developed by CIS.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3 and Level 2.
This is a video from Qualys that shows how to assess a security configuration.
This is a security hardening guide for Red Hat Enterprise Linux 8, developed by Red Hat, Inc.
This is a router and switch security policy provided by SANS. This document serves as an example of the minimum requirements for security configuration for routers and switches.
This is a presentation from a Splunk Conference on how to use Splunk to assess and implement critical security control #3, which is secure configurations for hardware and software.
This is UC Berkeley’s secure device configuration guideline with adherence to their security policy mandate.
This is an example of how to assess a secure configuration.
Security threats to network devices and ways to protect against them.
This is a video from CIS that covers secure configurations for hardware and software.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
Security-related configuration settings should be customized and included as part of an organization’s baseline configurations for all information systems. These configuration settings should satisfy the organization’s security requirements, and changes or deviations to the security settings should be documented. Organizations should document the security-related configuration settings and apply them to all systems once tested and approved. The configuration settings should reflect the most restrictive settings that are appropriate for the system. This ensures that information security is an integral part of an organization’s configuration management process.