NetStable

⚙️ CM — Configuration Management

Establish and maintain baseline configurations and inventories

9 Practices

L2 CM.L2-3.4.1

Establish and maintain baseline configurations and inventories

This control requires organizations to document and maintain standardized 'baseline' configurations for all hardware and software systems that handle ...

Level 2 — Advanced

L2 CM.L2-3.4.2

Establish and enforce security configuration settings

This control requires organizations to define and maintain secure configurations for all hardware and software systems, then enforce those settings co...

Level 2 — Advanced

L2 CM.L2-3.4.3

Track, review, approve/disapprove, and audit changes to systems

This practice requires organizations to have a structured process for managing changes to their systems. This includes tracking every change, reviewin...

Level 2 — Advanced

L2 CM.L2-3.4.4

Analyze the security impact of changes prior to implementation

This control requires organizations to evaluate how proposed changes to their systems or software might affect security before making those changes. T...

Level 2 — Advanced

L2 CM.L2-3.4.5

Define, document, approve, and enforce physical and logical access restrictions

This practice requires organizations to clearly define and document who has access to their physical and digital systems, how that access is approved,...

Level 2 — Advanced

L2 CM.L2-3.4.6

Employ the principle of least functionality

The principle of least functionality means configuring systems to provide only the essential capabilities needed for their intended purpose and nothin...

Level 2 — Advanced

L2 CM.L2-3.4.7

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services

This practice requires organizations to identify and limit unnecessary software, network ports, and services that could create security vulnerabilitie...

Level 2 — Advanced

L2 CM.L2-3.4.8

Apply deny-by-exception policy to prevent the use of unauthorized software

This practice requires organizations to implement a 'deny-by-exception' policy for software usage, meaning that only explicitly approved software is a...

Level 2 — Advanced

L2 CM.L2-3.4.9

Control and monitor user-installed software

This practice requires organizations to actively manage and track software that employees install on company devices. It means you need systems to pre...

Level 2 — Advanced