CMMC Practice CM.L2-3.4.2 – Security Configuration Enforcement: Establish and enforce security configuration settings for information technology products employed in organizational systems.
Links to Publicly Available Resources
This article lists free and commercial tools that a company can use to help comply with CIS Controls 10 and 11.
This is a summary page for the 140+ CIS configuration guidelines (benchmarks) for various technology groups, developed to safeguard systems.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
The National Checklist Program (NCP), defined by NIST SP 800-70, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications.
This is a video from Qualys that shows how to assess a security configuration.
This is a security hardening guide for Red Hat Enterprise Linux 8, developed by Red Hat, Inc.
This is a router and switch security policy provided by SANS. This document serves as an example of the minimum requirements for the security configuration of routers and switches.
This is a presentation from a Splunk conference on how to use Splunk to assess and implement Critical Security Control #3, which is secure configurations for hardware and software.
This is UC Berkeley's secure device configuration guideline, written to adhere to their security policy mandate. This is an example of how to assess a secure configuration.
Network Infrastructure Security, typically applied to enterprise IT environments, is the process of protecting the underlying networking infrastructure by installing preventative measures to deny unauthorized access, modification, deletion, and theft of resources and data.
This is a video from CIS that covers secure configurations for hardware and software.
Discussion [NIST SP 800-171 R2]
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications.
Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors.
NIST SP 800-70 and SP 800-128 provide guidance on security configuration settings.
Further Discussion
Information security is an integral part of a company’s configuration management process. Security-related configuration settings are customized to satisfy the company’s security requirements and are applied to all systems once tested and approved. The configuration settings must reflect the most restrictive settings that are appropriate for the system. Any required deviations from the baseline are reviewed, documented, and approved.
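As an added example (not part of the CMMC or NIST text), the following Python checks one IT product's settings against an organizational baseline and a register of approved deviations, classifying each baseline parameter as compliant, approved deviation, drift, or missing. The baseline values, the sshd_config sample, and the change-ticket reference are constructed for illustration.

```python
# Baseline drift check for one IT product (OpenSSH server config). Added
# example, not from the CMMC text; the baseline, deviation register and
# sshd_config sample are all constructed for illustration.

# Most restrictive settings appropriate for the system (constructed baseline).
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

# Reviewed, documented and approved deviations (constructed; ticket is a placeholder).
APPROVED_DEVIATIONS = {
    "maxauthtries": {"value": "6", "approval": "CHANGE-TICKET-PLACEHOLDER"},
}

# Constructed sshd_config as found on a host (X11Forwarding deliberately absent).
SAMPLE_SSHD_CONFIG = """
# X11Forwarding is not set, so the sshd default applies.
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
"""

def parse_sshd_config(text):
    """Return {keyword.lower(): value}; first occurrence wins, as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip())
    return settings

def check_against_baseline(settings, baseline=BASELINE, deviations=APPROVED_DEVIATIONS):
    """Classify each baseline parameter: compliant, approved-deviation, drift or missing."""
    findings = {}
    for param, expected in baseline.items():
        actual = settings.get(param)
        if actual is None:
            findings[param] = "missing"  # product default applies, which may be weaker
        elif actual.lower() == expected:
            findings[param] = "compliant"
        elif deviations.get(param, {}).get("value") == actual:
            findings[param] = "approved-deviation"
        else:
            findings[param] = "drift"
    return findings
```

Only "drift" and "missing" findings need remediation or a new deviation review; "approved-deviation" entries are already documented per the practice.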