When educating people on a complex, multi-dimensional topic, the best place to start is with its key, foundational information. That’s exactly what Celerium’s Certified CMMC Professional Course (CCP) does – it conveys the fundamental knowledge needed to train professionals supporting the implementation of CMMC.
Access Control (AC)
Audit & Accountability (AU)
Awareness & Training (AT)
Configuration Management (CM)
Identification & Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Assessment (RA)
Security Assessment (CA)
Systems & Communications Protection (SC)
System & Information Integrity (SI)
Sponsored by Celerium
These online-only courses provide CMMC training to companies looking to comply with CMMC. The courses are created by an experienced team of cybersecurity implementers with years of experience on NIST standards.
Implementing CMMC will be different for every company. And with the U.S. government doubling down on cybersecurity, it's important to get it right. So where is the best place to start?
Our CMMC Insights courses were created to help companies looking to comply with CMMC understand how to implement the practices. Our team has years of experience implementing NIST 800-53.
One-year access to the learning portal is provided, and we will provide updates on changes to CMMC as clarity is provided on items such as reciprocity. Don't wait -- get started on your CMMC assessment preparation now.
DOMAIN: Configuration Management
Practice: CM.L2-3.4.1
CAPABILITY: C013 Establish configuration baselines
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Policy and procedures to determine how the baseline configurations for information systems are implemented and maintained during the system lifecycle, including validation that the integrity of the baseline configuration is not violated when new applications are installed or removed (known as impact analysis).
· Inventory of hardware, software, and firmware with versions, patch levels, and associated network and security configuration settings.
Where baseline configurations cannot be met, or where meeting them impairs operational effectiveness, the deviation must be documented, its risk to the organization assessed, and countermeasures identified and implemented.
Practice: CM.L2-3.4.6
CAPABILITY: C013 Establish configuration baselines
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Threat Actors:
i) may attempt to access a network through open or unsecured ports
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Configuration Management Plans and System Security Plans for evidence of the evaluation conducted to determine least functionality of applications, servers, personal computers, and network devices.
· Evidence that system testing has been conducted to determine the baseline configurations.
· Policy and procedures to determine how the baseline configurations are implemented, maintained, and reviewed when changes are made to the system that could alter the minimal configuration settings.
· List of system configuration settings or security configuration checklists.
The principle of least functionality means that the system has been evaluated and configured with only those settings and configurations that are necessary for the intent or function within the organizational environment.
Practice: CM.L2-3.4.9
CAPABILITY: C013 Establish configuration baselines
Control and monitor user-installed software.
Threat Actors:
i) may attempt to compromise a system through the update channels of unnecessary or unapproved software
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Policy and procedures that address user-installed software, to determine whether organizational approval of software is required.
· Evidence of organizational approval for software in use on the information systems.
· Automated or manual capabilities in place to identify the installation of unauthorized user software.
· Security awareness training, to determine whether the organizational policy on user-installed software is included in the training.
Practice: CM.L2-3.4.2
CAPABILITY: C014 Perform configuration and change management
Establish and enforce security configuration settings for information technology products employed in organizational systems.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Configuration documentation, to confirm that the security settings are included with the baseline configurations.
· Configuration security settings, to determine that the most restrictive settings consistent with operational requirements were enforced, and that any security setting changes or deviations are documented.
This practice is part of baseline configuration management but is focused on security-related settings.
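The inventory, least-functionality, user-installed-software and security-settings practices above (CM.L2-3.4.1, 3.4.6, 3.4.9 and 3.4.2) all come down to one operational check that an assessor will ask to see automated: compare what a host actually runs against its approved baseline, and surface every deviation that is not already documented and approved. The script below is an added example written for this page; it is not Celerium course material and not a CMMC-provided artifact. The host name, package versions, listening ports, setting names and the deviation record are constructed for illustration, and the data structures stand in for whatever a real collector (package manager listing, socket listing, configuration dump) would produce.

```python
"""Baseline drift check covering CM.L2-3.4.1, 3.4.2, 3.4.6 and 3.4.9 (added example)."""
from dataclasses import dataclass

# Constructed approved baseline for a hypothetical host. In practice this is
# the record maintained under CM.L2-3.4.1 (CMDB entry, golden image manifest).
BASELINE = {
    "host": "fileserver-01",
    "software": {"openssh-server": "9.3p1", "samba": "4.18.6", "rsyslog": "8.2306.0"},
    "listening_ports": {22, 445},                      # least functionality (3.4.6)
    "security_settings": {                             # most restrictive settings (3.4.2)
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "no",
        "smb.server_min_protocol": "SMB3",
    },
}

# Constructed deviation register (3.4.1): each approved deviation names the
# risk decision and the compensating control. Key is the finding's item id.
APPROVED_DEVIATIONS = {
    "setting:smb.server_min_protocol":
        "DEV-0007: legacy scanner needs SMB2; host isolated on scanner VLAN, review 2024-Q4",
}

# Constructed live inventory, as a collector might report it for the same host.
COLLECTED = {
    "host": "fileserver-01",
    "software": {
        "openssh-server": "9.3p1",
        "samba": "4.18.6",
        "rsyslog": "8.2310.0",        # version drift from baseline
        "python3-pip": "23.0",        # user-installed, never approved
    },
    "listening_ports": {22, 445, 8080},                # 8080 not in baseline
    "security_settings": {
        "ssh.PasswordAuthentication": "yes",           # weakened setting
        "ssh.PermitRootLogin": "no",
        "smb.server_min_protocol": "SMB2",             # covered by DEV-0007
    },
}


@dataclass
class Finding:
    practice: str   # CMMC practice the deviation maps to
    item: str       # stable id, e.g. "software:rsyslog" or "port:8080"
    detail: str
    approved: bool = False


def check_drift(baseline, collected, approved_deviations):
    """Return every deviation of `collected` from `baseline`, marking approved ones."""
    findings = []
    # Software inventory: unapproved packages (3.4.9) and version drift (3.4.1).
    for pkg, ver in collected["software"].items():
        expected = baseline["software"].get(pkg)
        if expected is None:
            findings.append(Finding("CM.L2-3.4.9", f"software:{pkg}",
                                    f"unapproved package {pkg} {ver} installed"))
        elif ver != expected:
            findings.append(Finding("CM.L2-3.4.1", f"software:{pkg}",
                                    f"version {ver} differs from baseline {expected}"))
    for pkg in baseline["software"].keys() - collected["software"].keys():
        findings.append(Finding("CM.L2-3.4.1", f"software:{pkg}", "baseline package missing"))
    # Listening ports beyond the essential set (3.4.6).
    for port in sorted(collected["listening_ports"] - baseline["listening_ports"]):
        findings.append(Finding("CM.L2-3.4.6", f"port:{port}", "listening port not in baseline"))
    # Security settings that no longer match the enforced baseline (3.4.2).
    for key, expected in baseline["security_settings"].items():
        actual = collected["security_settings"].get(key)
        if actual != expected:
            findings.append(Finding("CM.L2-3.4.2", f"setting:{key}",
                                    f"expected {expected!r}, found {actual!r}"))
    # Documented deviations stay visible but are not treated as violations.
    for f in findings:
        if f.item in approved_deviations:
            f.approved = True
            f.detail += f" (approved deviation: {approved_deviations[f.item]})"
    return findings


def unapproved(findings):
    """Findings that need a change ticket or a new deviation record."""
    return [f for f in findings if not f.approved]


def report(findings):
    """Render findings as lines an assessor could read."""
    return [f"[{'APPROVED' if f.approved else 'UNAPPROVED'}] {f.practice} {f.item}: {f.detail}"
            for f in findings]


if __name__ == "__main__":
    for line in report(check_drift(BASELINE, COLLECTED, APPROVED_DEVIATIONS)):
        print(line)
```

Run against the constructed data, the check reports the rsyslog version drift, the unapproved pip install, the extra listener on 8080 and the weakened SSH setting as unapproved, while the SMB2 setting shows up as an approved deviation with its register entry attached. The point for an assessment is the last part: a deviation is acceptable only when it is recorded with its risk decision and countermeasure, so the register, not the script, is what the assessor reads.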
Practice: CM.L2-3.4.3
CAPABILITY: C014 Perform configuration and change management
Track, review, approve or disapprove, and log changes to organizational systems.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Policy and procedures related to Configuration Management, to determine whether changes are audited or reviewed by authorized company personnel.
· Records of changes to systems, to determine that each change has been authorized and documented.
· Evidence that changes are tracked and documented in an approved service management or equivalent tracking capability.
Changes to information systems pursuant to this practice include modifications to hardware, software, or firmware components and configuration settings.
Practice: CM.L2-3.4.4
CAPABILITY: C014 Perform configuration and change management
Analyze the security impact of changes prior to implementation.
Threat Actors:
i) may take advantage of the absence of a security impact assessment and seek to exploit configuration changes that occurred after new software was installed.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Policy and procedures related to configuration management, or relevant documents, to determine whether changes affecting system security requirements are tested prior to implementation.
· Security Impact Analysis documentation, to demonstrate that where a change occurred there was an evaluation verifying compliance with the minimal security settings.
To be effective without degrading or impeding system operations or performance, changes are best tested and validated before implementation on an operational system. Assessors may also look for evidence of this type of testing and the conditions under which it was conducted.
Copyright © 2022 Celerium. All Rights Reserved.