Sponsored by Celerium
These online-only courses provide CMMC training to companies looking to comply with CMMC. The courses are created by a team of cybersecurity implementers with years of experience in NIST standards.
Implementing CMMC will be different for every company. And with the U.S. government doubling down on cybersecurity, it's important to get it right. So where is the best place to start?
Our CMMC Insights courses were created to help companies looking to comply with CMMC understand how to implement the practices. Our team has years of experience implementing NIST 800-53.
One-year access to the learning portal is provided, and we will provide updates on changes to CMMC as clarity is provided on items such as reciprocity. Don't wait -- get started on your CMMC assessment preparation now.
DOMAIN: Configuration Management
Practice: CM.L2-3.4.1
CAPABILITY: C013 Establish configuration baselines
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Policy and procedures to determine how the baseline configurations for information systems are implemented and maintained during the system lifecycle, including validation that the integrity of the baseline configuration is not violated when new applications are installed or removed (known as impact analysis).
· Inventory of hardware, software, and firmware with versions, patch levels, and associated network and security configuration settings.
Where baseline configurations cannot be met or where operational effectiveness is impaired, deviations must be documented, assessed for risk to the organization, and countermeasures identified and implemented.
Practice: CM.L2-3.4.2
CAPABILITY: C014 Perform configuration and change management
Establish and enforce security configuration settings for information technology products employed in organizational systems.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Configuration documentation to verify that the security settings are included with the baseline configurations.
· Configuration security settings to determine that the most restrictive settings were enforced without causing an operational reduction or deficiency, and that any security setting changes or deviations are documented.
The practice is part of baseline configurations but is focused on security-related settings.
Practice: CM.L2-3.4.3
CAPABILITY: C014 Perform configuration and change management
Track, review, approve or disapprove, and log changes to organizational systems.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Policy and procedures related to Configuration Management to determine if changes are audited or reviewed by authorized company personnel.
· Records of changes to systems to determine the change has been authorized and documented.
· Evidence that changes are tracked and documented in an approved services management or equivalent tracking capability.
Changes to information systems pursuant to this practice include modifications to hardware, software, or firmware components and configuration settings.
Practice: CM.L2-3.4.4
CAPABILITY: C014 Perform configuration and change management
Analyze the security impact of changes prior to implementation.
Threat Actors:
i) may take advantage of your lack of a security impact assessment and seek to exploit configuration changes that may have occurred after new software was installed.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Policy and procedures related to configuration management, or relevant documents, to determine if changes affecting system security requirements are tested prior to implementation.
· Security Impact Analysis documentation demonstrating that, where a change occurred, there was an evaluation to verify compliance with, or the minimal settings required for, security.
To be effective and not degrade or impede system operations or performance, testing of changes is best performed and validated prior to implementation on an operational system. Auditors may also look for evidence of this type of testing and the conditions under which it was conducted.
Practice: CM.L2-3.4.5
CAPABILITY: C014 Perform configuration and change management
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Configuration and Control Management Program, to ensure that it addresses: the identification of employees who are approved to make physical or logical changes to the systems; that such employees are authorized by system owners or IT security; and that change documentation includes the name of the employee(s) making the changes.
Practice: CM.L2-3.4.6
CAPABILITY: C013 Establish configuration baselines
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Threat Actors:
i) may attempt to access a network through open or unsecured ports
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Configuration Management Plans and System Security Plans for evidence of evaluations conducted to determine the least functionality of applications, servers, personal computers, and network devices.
· Evidence that system testing has been conducted to determine the baseline configurations.
· Policy and procedures to determine how the baseline configurations are implemented, maintained, and reviewed when changes are made to the system that could alter the minimal configuration settings.
· List of system configuration settings or security configuration checklists.
The principle of least functionality means that the system has been evaluated and configured with only those settings and configurations that are necessary for the intent or function within the organizational environment.
Practice: CM.L2-3.4.7
CAPABILITY: C014 Perform configuration and change management
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
Threat Actors:
i) may attempt to discover/access a network through open or unsecured ports by using common scanning techniques
ii) can compromise your system through your use of unnecessary programs/software that maintain a connection to external servers for updates/diagnostics
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· System configuration files to ensure that unnecessary ports, services, or sub-systems have been removed or disabled.
· Security benchmarks (or hardening guides) and tools (such as those provided by the NSA and the Center for Internet Security (CIS)) utilized to harden cyber assets.
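As an added example (not part of the Celerium course material), this is the kind of check an implementer might script to produce evidence for CM.L2-3.4.1 and CM.L2-3.4.7: compare a host's current software and listening-port inventory against the approved baseline and flag every deviation that is not yet documented as a risk-assessed exception. Package names, versions, ports and the change-request reference are constructed sample values.

```python
"""Baseline drift and least-functionality check (constructed sample data)."""
from dataclasses import dataclass

# Approved baseline (CM.L2-3.4.1): software with versions, plus the only
# ports that are allowed to listen, i.e. the essential services (CM.L2-3.4.7).
BASELINE = {
    "packages": {"openssh-server": "9.3p2", "nginx": "1.24.0", "sudo": "1.9.14"},
    "listen_ports": {22: "sshd", 443: "nginx"},
}

# Documented, risk-assessed deviations, keyed by (finding kind, item).
# "CR-0042" is a constructed change-request reference.
APPROVED_DEVIATIONS = {("port", 8443): "CR-0042 management console, compensating ACL"}

# Inventory collected from the host right now (constructed for the example).
CURRENT = {
    "packages": {"openssh-server": "9.3p2", "nginx": "1.25.3", "telnetd": "0.17"},
    "listen_ports": {22: "sshd", 443: "nginx", 23: "telnetd", 8443: "mgmt-console"},
}

@dataclass
class Finding:
    kind: str      # package_added | package_removed | version_changed | port
    item: object   # package name or port number
    detail: str
    approved: bool = False

def compare_to_baseline(baseline, current, approved=APPROVED_DEVIATIONS):
    """Return every deviation of `current` from `baseline`, marking those
    that are covered by a documented exception."""
    findings = []
    bpk, cpk = baseline["packages"], current["packages"]
    for name in sorted(set(bpk) | set(cpk)):
        if name not in cpk:
            findings.append(Finding("package_removed", name, f"baseline {bpk[name]}"))
        elif name not in bpk:
            findings.append(Finding("package_added", name, f"version {cpk[name]}"))
        elif bpk[name] != cpk[name]:
            findings.append(Finding("version_changed", name, f"{bpk[name]} -> {cpk[name]}"))
    for port, svc in sorted(current["listen_ports"].items()):
        if port not in baseline["listen_ports"]:
            findings.append(Finding("port", port, f"{svc} listening, not in baseline"))
    for f in findings:
        f.approved = (f.kind, f.item) in approved
    return findings

def unapproved(findings):
    """Deviations that still need documentation and a risk assessment."""
    return [f for f in findings if not f.approved]

if __name__ == "__main__":
    for f in compare_to_baseline(BASELINE, CURRENT):
        print(("APPROVED " if f.approved else "REVIEW   ") + f"{f.kind} {f.item}: {f.detail}")
```

In a real deployment the two inventories would come from the configuration database and from a host collector; the comparison and exception handling stay the same.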
Copyright © 2022 Celerium. All Rights Reserved.