CM.L2-3.4.2 Security Configuration Enforcement

CMMC Practice CM.L2-3.4.2 – Security Configuration Enforcement: Establish and enforce security configuration settings for information technology products employed in organizational systems.

Security-related configuration settings should be customized and included as part of an organization’s baseline configurations for all information systems. These configuration settings should satisfy the organization’s security requirements, and any changes or deviations to the security settings should be documented. Organizations should document the security-related configuration settings and apply them to all systems once they have been tested and approved. The configuration settings should reflect the most restrictive settings that are appropriate for the system. This ensures that information security is an integral part of an organization’s configuration management process.