CFG

Configuration Management

28 controls

Enforce secure configurations according to vendor-recommended and industry-recognized secure practices that enforce the concepts of “least privilege” and “least functionality” for all systems, applications and services.

| SCF # | Control Name | Weight | NIST CSF | Frameworks |
|---|---|---|---|---|
| CFG-01 | Configuration Management Program | 9 — Critical | Govern | 104 |
| CFG-01.1 | Assignment of Responsibility | 5 — Medium | Identify | 7 |
| CFG-02 | Secure Baseline Configurations | 10 — Critical | Protect | 138 |
| CFG-02.1 | Reviews & Updates | 8 — High | Detect | 66 |
| CFG-02.2 | Automated Central Management & Verification | 7 — High | Detect | 49 |
| CFG-02.3 | Retention Of Previous Configurations | 3 — Low | Identify | 26 |
| CFG-02.4 | Development & Test Environment Configurations | 5 — Medium | Protect | 21 |
| CFG-02.5 | Configure Technology Assets, Applications and/or Services (TAAS) for High-Risk Areas | 8 — High | Protect | 69 |
| CFG-02.6 | Network Device Configuration File Synchronization | 7 — High | Protect | 9 |
| CFG-02.7 | Approved Configuration Deviations | 9 — Critical | Protect | 37 |
| CFG-02.8 | Respond To Unauthorized Changes | 9 — Critical | Respond | 28 |
| CFG-02.9 | Baseline Tailoring | 9 — Critical | Protect | 38 |
| CFG-03 | Least Functionality | 10 — Critical | Protect | 96 |
| CFG-03.1 | Periodic Review | 8 — High | Detect | 47 |
| CFG-03.2 | Prevent Unauthorized Software Execution | 7 — High | Protect | 34 |
| CFG-03.3 | Explicitly Allow / Deny Applications | 5 — Medium | Protect | 58 |
| CFG-03.4 | Split Tunneling | 8 — High | Protect | 36 |
| CFG-04 | Software Usage Restrictions | 9 — Critical | Protect | 44 |
| CFG-04.1 | Open Source Software | 9 — Critical | Protect | 20 |
| CFG-04.2 | Unsupported Internet Browsers & Email Clients | 7 — High | Protect | 12 |
| CFG-05 | User-Installed Software | 10 — Critical | Protect | 57 |
| CFG-05.1 | Unauthorized Installation Alerts | 8 — High | Detect | 20 |
| CFG-05.2 | Restrict Roles Permitted To Install Software | 9 — Critical | Protect | 14 |
| CFG-06 | Configuration Enforcement | 7 — High | Protect | 18 |
| CFG-06.1 | Integrity Assurance & Enforcement (IAE) | 3 — Low | Protect | 14 |
| CFG-07 | Zero-Touch Provisioning (ZTP) | 8 — High | Protect | 2 |
| CFG-08 | Sensitive / Regulated Data Access Enforcement | 7 — High | Protect | 15 |
| CFG-08.1 | Sensitive / Regulated Data Actions | 7 — High | Protect | 4 |

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
