NetStable
Level 2 CM.L2-3.4.2

Establish and enforce security configuration settings

📖 What This Means

This control requires organizations to define and maintain secure configurations for all hardware and software systems, then enforce those settings consistently. Think of it like creating a 'security blueprint' for every device and application in your network, then making sure nobody deviates from it. For example: 1) A company sets all workstations to automatically lock after 15 minutes of inactivity and enforces this via Group Policy. 2) A cloud server is configured to only allow encrypted connections, with automated tools blocking any non-compliant configurations.

🎯 Why It Matters

Misconfigured systems are the #1 cause of preventable breaches in defense contracting. A 2023 DoD report found 62% of contractor breaches stemmed from unpatched systems or default configurations. The SolarWinds attack exploited servers with unchanged admin passwords. Proper configuration management could have prevented this. From DoD's perspective, consistent configurations ensure: 1) predictable security postures across the supply chain, 2) reduced attack surfaces, and 3) faster incident response when all systems follow the same rules.

How to Implement

  1. Use CSP-native tools (AWS Config, Azure Policy, GCP Security Command Center) to define configuration baselines
  2. Create custom rulesets using SCAP or CIS benchmarks for your specific workloads
  3. Implement automated remediation (e.g., AWS Config auto-remediate, Azure Policy 'DeployIfNotExists')
  4. Configure real-time alerts for configuration drift (e.g., CloudTrail+EventBridge for AWS)
  5. Document exceptions in a change-controlled CMDB
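The five steps above, worked through as one small checker. This is an added example, not NetStable's tooling and not any CSP's API: the baseline checks, hostnames, exception ticket, dates and owner are constructed, and the CIS references are placeholders. It defines a baseline, evaluates each host's observed settings against it (a setting the agent never reported counts as a failure, not a pass), suppresses a failure only when an unexpired, ticketed exception exists in the change-controlled log, detects drift between two consecutive scans, and emits the scan-report CSV and remediation-ticket fields listed under Evidence Examples.

```python
"""Added example (not NetStable's tooling): a minimal configuration-baseline checker.

All hostnames, check IDs, change tickets, dates and benchmark references below
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
import csv
import io

TODAY = date(2025, 6, 2)                                    # constructed scan date
NOW = datetime(2025, 6, 2, 8, 0, tzinfo=timezone.utc)       # constructed scan time

# Step 1-2, constructed baseline: check ID -> (setting, expected value, reference).
BASELINE = {
    "CHK-001": ("screen_lock_minutes", 15, "CIS benchmark ref (placeholder)"),
    "CHK-002": ("tls_only", True, "CIS benchmark ref (placeholder)"),
    "CHK-003": ("default_admin_password_changed", True, "org custom rule"),
}

# Step 5, constructed exception log as it would sit in a change-controlled CMDB:
# (hostname, check_id) -> approving change ticket and expiry date.
EXCEPTIONS = {
    ("kiosk-01", "CHK-001"): {"ticket": "CHG-0042", "expires": date(2030, 1, 1)},
}

# Constructed scan input: what an agent or CSP config API reported per host.
HOSTS_LAST_WEEK = {
    "ws-101":    {"screen_lock_minutes": 15, "tls_only": True,  "default_admin_password_changed": True},
    "kiosk-01":  {"screen_lock_minutes": 0,  "tls_only": True,  "default_admin_password_changed": True},
    "api-srv-7": {"screen_lock_minutes": 15, "tls_only": True,  "default_admin_password_changed": True},
    "ws-102":    {"screen_lock_minutes": 15, "tls_only": True},  # CHK-003 setting never reported
}
# Same fleet a week later; api-srv-7 has drifted off the TLS-only setting.
HOSTS_THIS_WEEK = {**HOSTS_LAST_WEEK,
                   "api-srv-7": {**HOSTS_LAST_WEEK["api-srv-7"], "tls_only": False}}


@dataclass
class Result:
    hostname: str
    check_id: str
    status: str          # PASS, FAIL or EXCEPTION
    observed: object
    expected: object
    timestamp: str


def evaluate(hosts, today=TODAY, now=NOW):
    """Compare each host's observed settings against BASELINE.

    A missing setting is a FAIL (silence is not compliance), and only an
    unexpired, ticketed exception turns a FAIL into EXCEPTION.
    """
    ts = now.isoformat(timespec="seconds")
    results = []
    for hostname, settings in hosts.items():
        for check_id, (setting, expected, _ref) in BASELINE.items():
            observed = settings.get(setting)
            if observed == expected:
                status = "PASS"
            else:
                exc = EXCEPTIONS.get((hostname, check_id))
                status = "EXCEPTION" if exc and exc["expires"] >= today else "FAIL"
            results.append(Result(hostname, check_id, status, observed, expected, ts))
    return results


def summarize(results):
    """Counts per status, e.g. {'PASS': 9, 'FAIL': 2, 'EXCEPTION': 1}."""
    counts = {}
    for r in results:
        counts[r.status] = counts.get(r.status, 0) + 1
    return counts


def detect_drift(previous, current):
    """Step 4: (hostname, check_id, old_status, new_status) for every check whose status changed."""
    prev = {(r.hostname, r.check_id): r.status for r in previous}
    return [(r.hostname, r.check_id, prev[(r.hostname, r.check_id)], r.status)
            for r in current
            if (r.hostname, r.check_id) in prev and prev[(r.hostname, r.check_id)] != r.status]


def remediation_tickets(results, owner, sla_days, today=TODAY):
    """Step 3 hand-off: one ticket per FAIL with system, required action, owner and SLA date."""
    return [{"system": r.hostname, "check_id": r.check_id,
             "action": f"set {BASELINE[r.check_id][0]} to {r.expected!r} (observed {r.observed!r})",
             "owner": owner, "due": (today + timedelta(days=sla_days)).isoformat()}
            for r in results if r.status == "FAIL"]


def to_csv(results):
    """Scan report in the evidence format: hostname, check ID, pass/fail status, timestamp."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["hostname", "check_id", "status", "timestamp"])
    for r in results:
        w.writerow([r.hostname, r.check_id, r.status, r.timestamp])
    return buf.getvalue()


if __name__ == "__main__":
    last = evaluate(HOSTS_LAST_WEEK, TODAY - timedelta(days=7), NOW - timedelta(days=7))
    cur = evaluate(HOSTS_THIS_WEEK)
    print(to_csv(cur))
    print("summary:", summarize(cur))
    print("drift since last scan:", detect_drift(last, cur))
    for t in remediation_tickets(cur, owner="sysadmin-oncall", sla_days=7):
        print("ticket:", t)
```

Running the module prints the weekly CSV report, the drift list (api-srv-7 moving from PASS to FAIL on CHK-002) and two tickets with a 7-day due date, the SLA the self-assessment section uses. In a real deployment the HOSTS dictionaries would come from the scanning agent or the CSP configuration API and EXCEPTIONS from a CMDB query; the expiry check on exceptions is what keeps a one-time deviation from silently becoming permanent.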
⏱️ Estimated Effort

Initial setup: 40-80 hours (security team + sysadmins). Ongoing: 4-8 hours/month for reviews.

📋 Evidence Examples

Approved Configuration Baseline Document

Format: PDF/Word with version control
Frequency: Review quarterly, update when standards change
Contents: CIS Benchmark references, custom settings, exception log
Collection: Export from document management system

Configuration Compliance Scan Reports

Format: CSV/PDF from scanning tools
Frequency: Weekly scans, monthly attestation
Contents: Hostname, check ID, pass/fail status, timestamp
Collection: Automated weekly exports from Nessus/Qualys

Remediation Tickets

Format: ServiceNow/Jira records
Frequency: Track until closure
Contents: Non-compliant system, required action, owner, SLA dates
Collection: API pull from ITSM system

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For CM.L2-3.4.2 ("Establish and enforce security configuration settings"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your configuration management process, including baseline configurations, change control procedures, vulnerability management, and how configuration compliance is monitored and enforced. Be specific: name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"CM.L2-3.4.2 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to establish and enforce security configuration settings. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"CM.L2-3.4.2 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to establish and enforce security configuration settings. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"CM.L2-3.4.2 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all system types within the CUI boundary requiring baselines
  • Document configuration management tools and CMDB
  • Map change control workflow from request to implementation
  • Ensure this control covers every system within your defined CUI boundary to which establishing and enforcing security configuration settings applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Configuration Management Policy
  • 📄 Baseline configuration documents
  • 📄 Change management records
  • 📄 CMDB/asset inventory
  • 📄 Evidence artifacts specific to CM.L2-3.4.2
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will compare actual system configurations against documented baselines, review change tickets for proper approval workflow, and verify vulnerability remediation within SLA.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have documented configuration standards for all systems?

✅ YES → Proceed to Q2
❌ NO → GAP: Start with CIS Benchmarks for your OS types. Remediate within 30 days.
Remediation:
Template: https://www.cisecurity.org/cis-benchmarks/

Question 2: Are configurations automatically enforced?

✅ YES → Proceed to Q3
❌ NO → GAP: Implement GPOs (Windows) or Ansible (Linux). Remediate within 45 days.
Remediation:
Guide: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10

Question 3: Do weekly scans detect configuration drift?

✅ YES → Proceed to Q4
❌ NO → GAP: Deploy OpenSCAP or Qualys agent. Remediate within 14 days.
Remediation:
Tutorial: https://www.open-scap.org/getting-started/

Question 4: Is there evidence of remediation for all non-compliant systems?

✅ YES → COMPLIANT
❌ NO → GAP: Create ticketing workflow. Remediate findings within 7 days of detection.
Remediation:
Example: https://www.servicenow.com/products/it-service-management.html

⚠️ Common Mistakes (What Auditors Flag)

1. Using default configurations

Why this happens: Time pressure during deployment
How to avoid: Build pre-hardened golden images using Packer

2. No exception documentation

Why this happens: Lack of change control process
How to avoid: Require signed justification forms for deviations

3. Scanning but not fixing

Why this happens: No accountability for remediation
How to avoid: Assign owners in tickets with SLA deadlines

4. Inconsistent cloud vs on-prem rules

Why this happens: Separate teams managing environments
How to avoid: Use Terraform to enforce identical baselines

📚 Parent Policy

This practice is governed by the Configuration Management Policy


📚 Related Controls