CMMC Practice 3.4.2, derived from NIST SP 800-171 Rev 2 Security Requirement 3.4.2, requires organizations to establish and enforce security configuration settings for all IT products employed within the system. Configuration settings must reflect the most restrictive mode consistent with operational requirements, meaning unnecessary features, ports, protocols, and services must be disabled or removed. These settings must be formally documented and incorporated into the baseline configuration established under 3.4.1. Enforcement means the organization has technical and/or procedural controls in place to detect and remediate deviations from those settings, not merely document them. Guidance sources such as DISA STIGs, CIS Benchmarks, and NIST SP 800-70 National Checklists provide authoritative starting points for establishing these settings.
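The enforcement half of the requirement, detecting deviations from the documented settings rather than only writing them down, is the part most assessors ask to see demonstrated. The following added example (not from the page, and not part of any CMMC or NIST artifact) shows the shape of a minimal drift check: a documented baseline for one hypothetical Linux host, expressed as required sshd directives plus an allowlist of listening TCP ports, compared against observed state. The sshd_config text and the ss-style socket listing are constructed samples; the directive names are real OpenSSH directives, but the baseline values are assumptions chosen for illustration.

```python
"""Baseline configuration drift check (added example, not from the page).

Assumptions: the documented baseline for one hypothetical Linux host is
expressed as key/value sshd_config directives plus an allowlist of
listening TCP ports. Both observed inputs below are constructed samples.
"""
from dataclasses import dataclass
import re

# Constructed baseline: the documented "most restrictive mode consistent
# with operational requirements" for the hypothetical host.
BASELINE_SSHD = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}
BASELINE_ALLOWED_PORTS = {22, 443}

# Constructed observed state, as a collector might pull it from the host.
OBSERVED_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 4
"""
OBSERVED_LISTENING = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       5       127.0.0.1:631       0.0.0.0:*
LISTEN  0       128     [::]:23             [::]:*
"""


@dataclass(frozen=True)
class Deviation:
    control: str   # which baseline item drifted
    expected: str  # documented value
    observed: str  # value found on the host


def parse_sshd_config(text):
    """Return the effective sshd directives from a config text.

    Commented-out lines are ignored: a commented directive means the
    compiled-in default applies, which is not the same as the baseline value.
    sshd honours the first occurrence of a directive, so later repeats lose.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0], parts[1].strip())
    return settings


def parse_listening_ports(text):
    """Extract listening port numbers from ss/netstat-style output."""
    ports = set()
    for line in text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        local_addr = line.split()[3]
        match = re.search(r":(\d+)$", local_addr)  # handles IPv4 and [::] forms
        if match:
            ports.add(int(match.group(1)))
    return ports


def check_drift(sshd_text, listening_text):
    """Compare observed state with the baseline; return every deviation found."""
    deviations = []
    observed = parse_sshd_config(sshd_text)
    for key, expected in BASELINE_SSHD.items():
        actual = observed.get(key, "<unset: default applies>")
        if actual != expected:
            deviations.append(Deviation(f"sshd:{key}", expected, actual))
    # Anything listening that the baseline does not allow is an unnecessary
    # service or port that should have been disabled or removed.
    extra_ports = parse_listening_ports(listening_text) - BASELINE_ALLOWED_PORTS
    for port in sorted(extra_ports):
        deviations.append(Deviation(f"port:{port}", "not listening", "listening"))
    return deviations


if __name__ == "__main__":
    for d in check_drift(OBSERVED_SSHD_CONFIG, OBSERVED_LISTENING):
        print(f"DEVIATION {d.control}: expected {d.expected!r}, observed {d.observed!r}")
```

Run against the constructed inputs, the check reports four deviations: PermitRootLogin set to yes, X11Forwarding left at its default because the line is commented out, and two listeners (23 and 631) outside the allowlist. Treating an unset directive as a deviation rather than a pass is deliberate; a baseline that only checks values present in the file silently accepts whatever the software defaults to. In practice the output of a check like this feeds a ticket or remediation job, which is what turns "documented" into "enforced" for this practice.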
Where it stops · what it isn't
- This practice does not cover the initial inventory of hardware and software components, which is addressed by 3.4.1
- This practice does not govern the change control process for modifying approved configurations, which is addressed by 3.4.3
- This practice does not address physical access controls to hardware, which falls under Physical Protection (PE) domain requirements
- This practice does not require automated configuration management tools specifically, though they are strongly recommended; manual processes can satisfy the requirement if consistently applied and documented
- This practice does not cover incident response procedures triggered by detected configuration violations, which is addressed by the Incident Response (IR) domain