Configuration Management

9 controls in this family.

3.4.1

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

3.4.2

Establish and enforce security configuration settings for information technology products employed in organizational systems.

3.4.3

Track, review, approve or disapprove, and log changes to organizational systems.

3.4.4

Analyze the security impact of changes prior to implementation.

3.4.5

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

3.4.6

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

3.4.7

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

3.4.8

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

3.4.9

Control and monitor user-installed software.
