Description
The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.
Supplemental Guidance
Configuration settings are the configurable parameters of the information technology products that compose the information system. Organizations monitor and control changes to the configuration settings in accordance with organizational policies and procedures. OMB FISMA reporting instructions provide guidance on configuration requirements for federal information systems. NIST Special Publication 800-70 provides guidance on producing and using configuration settings for information technology products employed in organizational information systems. Related security controls: CM-2, CM-3, SI-4.
Changes from Rev 4
Minor text changes. Changed parameter from specific information system checklists to specific common secure configurations. Discussion adds explanation of privacy parameters.
Enhancements
(1) The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.