
CFG-02: Secure Baseline Configurations

CFG 10 — Critical Protect

Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.

Control Question: Does the organization develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards?

General (66)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.1-POF7 CC6.7-POF1 CC7.1 CC7.1-POF1 CC8.1 CC8.1-POF12 CC8.1-POF6
CIS CSC 8.1 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.10 10.3 10.4 10.5 16.7
CIS CSC 8.1 IG1 4.1 4.3 4.4 4.5 4.6 4.7 10.3
CIS CSC 8.1 IG2 4.1 4.3 4.4 4.5 4.6 4.7 4.8 4.11 10.3 10.4 10.5 16.7
CIS CSC 8.1 IG3 4.1 4.3 4.4 4.5 4.6 4.7 4.8 4.11 10.3 10.4 10.5 16.7
COBIT 2019 BAI10.02 DSS06.06
CSA CCM 4 AIS-02 CCC-06 IVS-03 IVS-04 UEM-07
CSA IoT SCF 2 CLS-05 IOT-02 IOT-07 SWS-01 SWS-02
GovRAMP Core CM-02 CM-06
GovRAMP Low CM-02 CM-06
GovRAMP Low+ CM-02 CM-06
GovRAMP Moderate CM-02 CM-06 SA-08
GovRAMP High CM-02 CM-06 SA-08
IEC TR 60601-4-5 2021 4.2 5.1
IEC 62443-4-2 2019 CR 2.2 (6.4.1) CR 7.6 (11.8.1)
IMO Maritime Cyber Risk Management 3.5.3.2 3.5.3.3 3.5.3.4 3.5.3.5
ISO 27002 2022 8.3 8.5 8.9 8.12 8.25 8.26
ISO 27017 2015 9.4.1 CLD.9.5.2 14.1.1
MITRE ATT&CK 10 T1001, T1001.001, T1001.002, T1001.003, T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008, T1008, T1011.001, T1020.001, T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1027, T1029, T1030, T1036, T1036.001, T1036.003, T1036.005, T1036.007, T1037, T1037.002, T1037.003, T1037.004, T1037.005, T1046, T1047, T1048, T1048.001, T1048.002, T1048.003, T1052, T1052.001, T1053, T1053.002, T1053.005, T1059, T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1068, T1070, T1070.001, T1070.002, T1070.003, T1071, T1071.001, T1071.002, T1071.003, T1071.004, T1072, T1080, T1090, T1090.001, T1090.002, T1091, T1092, T1095, T1098.004, T1102, T1102.001, T1102.002, T1102.003, T1104, T1105, T1106, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1111, T1114, T1114.002, T1119, T1127, T1127.001, T1129, T1132, T1132.001, T1132.002, T1133, T1134.005, T1137, T1137.001, T1137.002, T1137.003, T1137.004, T1137.005, T1137.006, T1176, T1185, T1187, T1189, T1201, T1204, T1204.001, T1204.002, T1204.003, T1205, T1210, T1211, T1212, T1213, T1213.001, T1213.002, T1216, T1216.001, T1218, T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.012, T1218.013, T1218.014, T1219, T1220, T1221, T1484, T1485, T1486, T1490, T1491, T1491.001, T1491.002, T1505, T1505.001, T1505.002, T1505.003, T1505.004, T1525, T1528, T1530, T1539, T1542.004, T1542.005, T1543, T1543.001, T1543.002, T1543.003, T1543.004, T1546, T1546.002, T1546.003, T1546.004, T1546.006, T1546.010, T1546.013, T1546.014, T1547.003, T1547.007, T1547.008, T1547.011, T1547.013, T1548, T1548.002, T1548.003, T1548.004, T1550.001, T1550.003, T1552, T1552.001, T1552.004, T1552.006, T1553, T1553.001, T1553.003, T1553.005, T1554, T1555.004, T1555.005, T1556, T1556.004, T1557, T1557.001, T1557.002, T1558, T1558.001, T1558.002, T1558.003, T1558.004, T1559, T1559.001, T1559.002, T1561, T1561.001, T1561.002, T1562, T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.010, T1563, T1563.001, T1563.002, T1564.006, T1564.007, T1564.009, T1565, T1565.001, T1565.002, T1566, T1566.001, T1566.002, T1569, T1569.002, T1570, T1571, T1572, T1573, T1573.001, T1573.002, T1574, T1574.001, T1574.004, T1574.005, T1574.007, T1574.008, T1574.009, T1574.010, T1598, T1598.002, T1598.003, T1599, T1599.001, T1601, T1601.001, T1601.002, T1602, T1602.001, T1602.002
MPA Content Security Program 5.1 TS-1.1 TS-2.3 TS-2.11
NIST AI 600-1 MS-2.3-001
NIST Privacy Framework 1.0 PR.PO-P1
NIST 800-37 R2 I-2
NIST 800-53 R4 CM-2 CM-2(3) CM-6 SA-8
NIST 800-53 R4 (low) CM-2 CM-6
NIST 800-53 R4 (moderate) CM-2 CM-6 SA-8
NIST 800-53 R4 (high) CM-2 CM-6 SA-8
NIST 800-53 R5 (source) AU-2 CM-2 CM-6 PL-10 SA-8 SA-15(5)
NIST 800-53B R5 (low) (source) CM-2 CM-6 SA-8 PL-10
NIST 800-53B R5 (moderate) (source) CM-2 CM-6 SA-8 PL-10
NIST 800-53B R5 (high) (source) CM-2 CM-6 SA-8 PL-10
NIST 800-53 R5 (NOC) (source) SA-15(5)
NIST 800-82 R3 LOW OT Overlay CM-2 CM-6 SA-8 PL-10
NIST 800-82 R3 MODERATE OT Overlay CM-2 CM-6 SA-8 PL-10
NIST 800-82 R3 HIGH OT Overlay CM-2 CM-6 SA-8 PL-10
NIST 800-160 3.4.7 3.4.8
NIST 800-161 R1 CM-2 CM-6 PL-10 SA-8
NIST 800-161 R1 C-SCRM Baseline CM-2 CM-6 PL-10 SA-8
NIST 800-161 R1 Flow Down CM-2 CM-6
NIST 800-161 R1 Level 1 SA-8
NIST 800-161 R1 Level 2 CM-2 CM-6 PL-10 SA-8
NIST 800-161 R1 Level 3 CM-2 CM-6 PL-10 SA-8
NIST 800-171 R2 (source) 3.3.3 3.4.1 3.4.2
NIST 800-171A (source) 3.4.1[a] 3.4.1[b] 3.4.1[c] 3.4.2[a] 3.4.2[b]
NIST 800-171 R3 (source) 03.01.01.h 03.01.08.a 03.01.08.b 03.01.09 03.01.10.a 03.01.10.b 03.01.10.c 03.01.11 03.01.12.a 03.01.16.a 03.01.18.a 03.04.01.a 03.04.02.a 03.04.06.a 03.04.06.b 03.04.06.d 03.05.07.d 03.05.07.e 03.05.07.f 03.05.12.d 03.08.07.a 03.13.12.b
NIST 800-171A R3 (source) A.03.01.03[01] A.03.01.16.a[03] A.03.01.16.c A.03.01.18.a[02] A.03.03.08.a[02] A.03.04.01.a[01] A.03.04.01.a[02] A.03.04.02.a[01] A.03.04.02.a[02] A.03.04.06.ODP[01] A.03.04.06.ODP[02] A.03.04.06.ODP[03] A.03.04.06.ODP[04] A.03.04.06.ODP[05] A.03.04.06.b[01] A.03.04.06.b[02] A.03.04.06.b[03] A.03.04.06.b[04] A.03.04.06.b[05] A.03.05.04[01] A.03.05.04[02] A.03.05.07.c A.03.05.07.d A.03.05.07.e A.03.05.07.f A.03.07.05.b[02]
NIST 800-207 NIST Tenet 5
NIST 800-218 PO.5.2 PW.9.1
NIST CSF 2.0 (source) PR.DS-10 PR.PS PR.PS-05
OWASP Top 10 2021 A01:2021 A02:2021 A03:2021 A04:2021 A05:2021 A06:2021 A07:2021 A08:2021 A09:2021 A10:2021
PCI DSS 4.0.1 (source) 1.1 1.2.1 1.2.6 2.2 2.2.1 8.3.2 8.5 10.2 10.2.1 10.2.1.1 10.2.1.2 10.2.1.3 10.2.1.4 10.2.1.5 10.2.1.6 10.2.1.7 10.2.2 10.6 10.6.1 10.6.2 10.6.3 11.2
PCI DSS 4.0.1 SAQ A-EP (source) 1.2.1 1.2.6 2.2.1 8.3.2 10.2.1 10.2.1.1 10.2.1.2 10.2.1.3 10.2.1.4 10.2.1.5 10.2.1.6 10.2.1.7 10.2.2 10.6.1 10.6.2 10.6.3
PCI DSS 4.0.1 SAQ B-IP (source) 1.2.6
PCI DSS 4.0.1 SAQ C (source) 2.2.1 8.3.2 10.2.1.2 10.2.1.4 10.2.1.5 10.2.2 10.6.1 10.6.2 10.6.3
PCI DSS 4.0.1 SAQ D Merchant (source) 1.2.1 1.2.6 2.2.1 8.3.2 10.2.1 10.2.1.1 10.2.1.2 10.2.1.3 10.2.1.4 10.2.1.5 10.2.1.6 10.2.1.7 10.2.2 10.6.1 10.6.2 10.6.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 1.2.1 1.2.6 2.2.1 8.3.2 10.2.1 10.2.1.1 10.2.1.2 10.2.1.3 10.2.1.4 10.2.1.5 10.2.1.6 10.2.1.7 10.2.2 10.6.1 10.6.2 10.6.3
Shared Assessments SIG 2025 N.11
SPARTA CM0047 CM0037
SWIFT CSF 2023 1.3 2.3 2.10 4.1
TISAX ISA 6 3.1.4
SCF CORE Fundamentals CFG-02
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) CFG-02
SCF CORE ESP Level 1 Foundational CFG-02
SCF CORE ESP Level 2 Critical Infrastructure CFG-02
SCF CORE ESP Level 3 Advanced Threats CFG-02
SCF CORE AI Model Deployment CFG-02
US (39)
Framework Mapping Values
US C2M2 2.1 ASSET-3.A.MIL1 ASSET-3.B.MIL2 ASSET-3.C.MIL2 ARCHITECTURE-3.E.MIL2 ARCHITECTURE-3.F.MIL2 ARCHITECTURE-3.G.MIL2 ARCHITECTURE-4.C.MIL2
US CERT RMM 1.2 TM:SG2.SP1 TM:SG4.SP2
US CISA CPG 2022 1.E 2.A 2.B 2.G 2.H 2.K 2.N 2.O 2.V
US CJIS Security Policy 5.9.3 (source) 5.13.1.3 5.13.1.4 IA-5
US CMMC 2.0 Level 2 (source) AU.L2-3.3.3 CM.L2-3.4.1 CM.L2-3.4.2
US CMMC 2.0 Level 3 (source) CM.L2-3.4.1 CM.L2-3.4.2
US CMS MARS-E 2.0 CM-2 CM-6 SA-8
US DoD Zero Trust Execution Roadmap 1.8.2 2.5.1 6.6.2 6.6.3
US DFARS Cybersecurity 252.204-70xx 252.204-7008
US DHS CISA TIC 3.0 3.PEP.EM.LCTPR
US DHS ZTCF APP-01 NTW-02
US FedRAMP R4 CM-2 CM-6 SA-8
US FedRAMP R4 (low) CM-2 CM-6
US FedRAMP R4 (moderate) CM-2 CM-6 SA-8
US FedRAMP R4 (high) CM-2 CM-6 SA-8
US FedRAMP R4 (LI-SaaS) CM-2 CM-6
US FedRAMP R5 (source) CM-2 CM-6 PL-10 SA-8
US FedRAMP R5 (low) (source) CM-2 CM-6 PL-10
US FedRAMP R5 (moderate) (source) CM-2 CM-6 PL-10 SA-8
US FedRAMP R5 (high) (source) CM-2 CM-6 PL-10 SA-8
US FedRAMP R5 (LI-SaaS) (source) CM-2 CM-6 PL-10
US FFIEC D3.PC.Im.B.5 D1.G.IT.B.4
US HHS 45 CFR 155.260 155.260(a)(6)
US HIPAA Administrative Simplification 2013 (source) 164.312(a)(2)(iii) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.312(a)(2)(iii) 164.312(e)(1) 164.312(e)(2)(i) 164.312(e)(2)(ii)
US HIPAA HICP Small Practice 1.S.A 2.S.A 3.S.A 6.S.B 6.S.C
US HIPAA HICP Medium Practice 1.M.A 2.M.A 7.M.D 9.M.A 9.M.B
US HIPAA HICP Large Practice 1.M.A 2.M.A 7.M.D 9.M.A 9.M.B 2.L.A
US IRS 1075 2.D.8 3.3.7 CM-2 CM-6 SA-8
US NERC CIP 2024 (source) CIP-010-4 1.1 CIP-010-4 1.1.1 CIP-010-4 1.1.2 CIP-010-4 1.1.3 CIP-010-4 1.1.4 CIP-010-4 1.1.5 CIP-010-4 2.1
US NISPOM 2020 8-202 8-311 8-610
US NNPI (unclass) 1.2 3.1 5.1 5.2
US NSTC NSPM-33 6.10
US - CA CCPA 2025 7123(c)(11) 7123(c)(4)(B) 7123(c)(5) 7123(c)(5)(A) 7123(c)(5)(B)
US - CO Colorado Privacy Act 6-1-1305(4)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.6(a) 500.7(a)(5)
US - TX DIR Control Standards 2.0 CM-2 CM-6 SA-8
US - TX TX-RAMP Level 1 CM-2 CM-6
US - TX TX-RAMP Level 2 CM-2 CM-6 SA-8
EMEA (21)
Framework Mapping Values
EMEA EU AI Act 17.1(e)
EMEA EU EBA GL/2019/04 3.4.4(36)(b)
EMEA EU DORA 9.3(a) 9.3(b) 9.3(c) 9.3(d)
EMEA EU NIS2 21.5
EMEA EU NIS2 Annex 12.3.2(b) 6.3.2(a) 6.3.2(b) 6.3.3
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 6.8
EMEA Germany C5 2020 AM-02 AM-03 OPS-23
EMEA Israel CDMO 1.0 3.3 4.9 4.12 4.15 6.1 9.21 12.13 12.24 12.29 13.5 13.6 14.2 15.6
EMEA Saudi Arabia CSCC-1 2019 1-3-2-3 2-3-1-7
EMEA Saudi Arabia IoT CGIoT-1 2024 1-2-2 2-14-2 2-15-2 2-5-1 2-6-3
EMEA Saudi Arabia ECC-1 2018 1-3-3 2-4-1 2-4-2 5-1-3-7
EMEA Saudi Arabia OTCC-1 2022 2-2-1-5 2-3-1-1 2-3-1-7
EMEA Saudi Arabia SACS-002 TPC-10 TPC-13 TPC-14 TPC-15 TPC-16 TPC-17 TPC-22 TPC-38 TPC-56 TPC-63 TPC-87
EMEA Spain BOE-A-2022-7191 20(d)
EMEA Spain 311/2022 20(d)
EMEA Spain CCN-STIC 825 7.3.2 [OP.EXP.2]
EMEA UAE NIAF 3.2.1
EMEA UK CAF 4.0 B4 B4.b
EMEA UK CAP 1850 B4
EMEA UK Cyber Essentials 2
EMEA UK DEFSTAN 05-138 2204 2310 2400 2401 2418
APAC (9)
Framework Mapping Values
APAC Australia Essential 8 ML1-P6 ML1-P7 ML2-P5 ML2-P6 ML2-P7 ML3-P4 ML3-P5 ML3-P6 ML3-P7
APAC Australia ISM June 2024 ISM-0341 ISM-0343 ISM-0345 ISM-0380 ISM-0383 ISM-0567 ISM-1316 ISM-1318 ISM-1319 ISM-1321 ISM-1406 ISM-1407 ISM-1408 ISM-1409 ISM-1418 ISM-1491 ISM-1492 ISM-1562 ISM-1584 ISM-1604 ISM-1608 ISM-1621 ISM-1622 ISM-1623 ISM-1624 ISM-1654 ISM-1655 ISM-1710 ISM-1745
APAC India SEBI CSCRF PR.IP.S1
APAC Japan ISMAP 9.4.1 9.4.1.8.PB 14.1.1
APAC New Zealand HISF 2022 HHSP54 HHSP60 HHSP65 HML16 HML54 HML60 HML64 HMS09 HSUP14 HSUP46 HSUP52
APAC New Zealand HISF Suppliers 2023 HSUP14 HSUP46 HSUP52
APAC New Zealand NZISM 3.6 14.1.8.C.01 14.1.9.C.01 14.1.9.C.02 14.1.10.C.01 14.1.10.C.02 14.3.7.C.01 23.2.21.C.01
APAC Singapore Cyber Hygiene Practice 4.3(a)
APAC Singapore MAS TRM 2021 11.2.5 11.3.1 11.3.2
Americas (3)
Framework Mapping Values
Americas Canada CSAG 4.16 4.20
Americas Canada OSFI B-13 3.2.8
Americas Canada ITSP-10-171 03.01.01.H 03.01.08.A 03.01.08.B 03.01.09 03.01.10.A 03.01.10.B 03.01.10.C 03.01.11 03.01.12.A 03.01.16.A 03.01.18.A 03.04.01.A 03.04.02.A 03.04.06.A 03.04.06.B 03.04.06.D 03.05.07.D 03.05.07.E 03.05.07.F 03.05.12.D 03.08.07.A 03.13.12.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.

Level 1 — Performed Informally

Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  • Secure configurations are not:
    o Standardized across the organization.
    o Consistently aligned with industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
  • The review of any request for deviating from baseline configurations is documented and a risk assessment performed to determine if the deviation is acceptable.

Level 2 — Planned & Tracked

Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for configuration management.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
  • Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
  • Apart from workstation and server operating system baselines, configuration management is decentralized.
  • Cybersecurity personnel use a structured process to design, build and maintain secure configurations for test, development, staging and production environments.
  • Deviations to baseline configurations are required to have a risk assessment and the business process owner acceptance of the risk(s) associated with the deviation.
  • Unauthorized configuration changes are investigated to determine if the unauthorized configuration is malicious in nature.
  • Logical Access Control (LAC) is enforced to prohibit non-administrative users from being able to install unauthorized software.
  • Secure baseline configurations:
    o Enforce logging to link system access to individual users or service accounts using a non-repudiation capability to protect against an individual falsely denying having performed a particular action.
    o Generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
    o Restrict access to the management of event logs for privileged users to protect event logs and audit tools from unauthorized access, modification and deletion.
    o Retain security event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.
    o Store logs locally and forward logs to a centralized log repository to provide an alternate audit capability in the event of a failure in the primary audit capability.
    o Use internal system clocks to generate time stamps for security event logs that are synchronized with an authoritative time source.

Level 3 — Well Defined

Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • The configuration management function is formally assigned with defined roles and responsibilities.
  • An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
  • Configuration management is centralized for all operating systems, applications, servers and other configurable technologies.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including test, development, staging and production environments.
  • Configurations conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments.
  • Deviations to baseline configurations are required to have a risk assessment and business process owner approval of the risk(s) associated with the deviation.
  • Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
  • An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
  • Logical Access Control (LAC) is used to limit the ability of non-administrators to make configuration changes to systems, applications and services, including the installation of unauthorized software.
  • A Security Information and Event Management (SIEM) system, or similar automated tool, monitors for unauthorized activities, accounts, connections, devices and software.
  • Unauthorized configuration changes are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration is malicious in nature.
  • Secure baseline configurations:
    o Enforce logging that links system access to individual users or service accounts using non-repudiation to protect against an individual falsely denying having performed a particular action.
    o Generate logs that contain sufficient information to establish necessary details of activity and allow for forensic analysis.
    o Prevent sensitive/regulated data from being captured in log files.
    o Restrict access to the management of event logs for privileged users to protect event logs and audit tools from unauthorized access, modification and deletion.
    o Retain security event logs for a time period consistent with records retention requirements for investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.
    o Store logs locally and forward logs to a centralized log repository to provide an alternate audit capability in the event of a failure in the primary audit capability.
    o Use internal system clocks to generate time stamps for security event logs that are synchronized with an authoritative time source.
    o Verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies.

Level 4 — Quantitatively Controlled

Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
  • Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

  1. CFG-02_A01 a current baseline configuration for systems, applications and services is developed and documented.
  2. CFG-02_A02 the baseline configuration includes hardware, software, firmware and documentation.
  3. CFG-02_A03 security configuration settings for information technology products employed in the system are enforced.
  4. CFG-02_A04 the baseline configuration is maintained (reviewed / updated) throughout the system development life cycle under configuration control.
  5. CFG-02_A05 configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using organization-defined common secure configurations.
  6. CFG-02_A06 thresholds to which attack surfaces are to be reduced are defined.
  7. CFG-02_A07 the developer of the system, system component or system service is required to reduce attack surfaces to organization-defined thresholds.
  8. CFG-02_A08 a control baseline for the system is selected.
  9. CFG-02_A09 approved authorizations are enforced for controlling the flow of CUI within the system.
  10. CFG-02_A10 configuration requirements are established for each type of wireless access to the system.
  11. CFG-02_A11 wireless networking capabilities not intended for use are disabled prior to issuance and deployment.
  12. CFG-02_A12 configuration requirements are established for mobile devices.
  13. CFG-02_A13 audit logging tools are protected from unauthorized access, modification, and deletion.
  14. CFG-02_A14 a current baseline configuration of the system is developed.
  15. CFG-02_A15 a current baseline configuration of the system is maintained under configuration control.
  16. CFG-02_A16 the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements are established and documented: <A.03.04.02.ODP[01]: configuration settings>.
  17. CFG-02_A17 the following configuration settings for the system are implemented: <A.03.04.02.ODP[01]: configuration settings>.
  18. CFG-02_A18 functions to be prohibited or restricted are defined.
  19. CFG-02_A19 ports to be prohibited or restricted are defined.
  20. CFG-02_A20 protocols to be prohibited or restricted are defined.
  21. CFG-02_A21 connections to be prohibited or restricted are defined.
  22. CFG-02_A22 services to be prohibited or restricted are defined.
  23. CFG-02_A23 the use of the following functions is prohibited or restricted: <A.03.04.06.ODP[01]: functions>.
  24. CFG-02_A24 the use of the following ports is prohibited or restricted: <A.03.04.06.ODP[02]: ports>.
  25. CFG-02_A25 the use of the following protocols is prohibited or restricted: <A.03.04.06.ODP[03]: protocols>.
  26. CFG-02_A26 the use of the following connections is prohibited or restricted: <A.03.04.06.ODP[04]: connections>.
  27. CFG-02_A27 the use of the following services is prohibited or restricted: <A.03.04.06.ODP[05]: services>.
  28. CFG-02_A28 replay-resistant authentication mechanisms for access to privileged accounts are implemented.
  29. CFG-02_A29 replay-resistant authentication mechanisms for access to non-privileged accounts are implemented.
  30. CFG-02_A30 passwords are only transmitted over cryptographically protected channels.
  31. CFG-02_A31 passwords are stored in a cryptographically protected form.
  32. CFG-02_A32 a new password is selected upon first use after account recovery.
  33. CFG-02_A33 organization-defined composition and complexity rules for passwords are enforced.
  34. CFG-02_A34 replay resistance is implemented in the establishment of nonlocal maintenance and diagnostic sessions.
  35. CFG-02_A35 the following composition and complexity rules for passwords are enforced: <A.03.05.07.ODP[02]: rules>.
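The maturity criteria and the assessment objectives above describe one practice from several angles: a documented baseline of most-restrictive settings (A05, A16, A17), an allow-list of permitted ports and services (A19 through A27), deviations that carry a documented risk acceptance by a business process owner, and the flagging of unauthorized configuration changes for investigation. The following Python script is an added illustration of that practice as baseline-as-code; it is not SCF content and not taken from any benchmark. The host name, sshd settings, listening sockets and deviation records are constructed sample data, and the baseline values merely resemble common sshd hardening guidance. Deviations are time-boxed so an old acceptance lapses and the setting is reported again, which is the behaviour the "reviewed / updated under configuration control" objective (A04) asks for.

```python
"""Baseline-as-code drift check. Added illustration for CFG-02; not SCF content.
All hosts, settings and deviation records are constructed sample data."""
from dataclasses import dataclass
from datetime import date

# Documented baseline for sshd (hypothetical values, not quoted from a benchmark).
BASELINE_SSHD = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}
# Allow-list of listening ports: port -> service expected to own it.
BASELINE_LISTEN_ALLOW = {22: "sshd", 443: "nginx"}


@dataclass
class Deviation:
    host: str
    key: str       # "sshd:<Keyword>" or "port:<number>"
    value: str     # the approved non-baseline value
    owner: str     # business process owner who accepted the risk
    expires: date  # time-boxed so the deviation is re-reviewed


@dataclass
class Finding:
    host: str
    key: str
    expected: str
    observed: str
    status: str    # "drift" | "unauthorized_port" | "approved_deviation"


def parse_sshd_config(text: str) -> dict:
    """Parse 'Keyword argument' lines; full-line '#' comments are skipped.
    The first occurrence of a keyword wins, as in sshd, so a hardened line
    appended below a weak one is not effective and must not mask it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] not in settings:
            settings[parts[0]] = parts[1].strip()
    return settings


def active_deviations(deviations, host, today):
    """Only unexpired deviations for this host count as approved."""
    return {d.key: d for d in deviations if d.host == host and d.expires >= today}


def check_host(host, sshd_text, listeners, deviations, today):
    """Compare observed sshd settings and listening ports with the baseline."""
    approved = active_deviations(deviations, host, today)
    observed = parse_sshd_config(sshd_text)
    findings = []
    for key, expected in BASELINE_SSHD.items():
        # An unset keyword falls back to the sshd default, which is usually
        # weaker than the baseline, so it is reported as drift rather than ignored.
        got = observed.get(key, "<unset>")
        if got == expected:
            continue
        dev = approved.get(f"sshd:{key}")
        status = "approved_deviation" if dev and dev.value == got else "drift"
        findings.append(Finding(host, f"sshd:{key}", expected, got, status))
    for port, service in sorted(listeners.items()):
        if port in BASELINE_LISTEN_ALLOW:
            continue
        dev = approved.get(f"port:{port}")
        status = "approved_deviation" if dev and dev.value == service else "unauthorized_port"
        findings.append(Finding(host, f"port:{port}", "closed", service, status))
    return findings


def unresolved(findings):
    """Findings that need investigation or a fresh risk-acceptance decision."""
    return [f for f in findings if f.status != "approved_deviation"]


# Constructed sample input: one host's sshd_config and its listening sockets.
SAMPLE_SSHD = """\
# constructed sample /etc/ssh/sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication yes
# the next line is ineffective: sshd keeps the first value above
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""
SAMPLE_LISTENERS = {22: "sshd", 443: "nginx", 3306: "mysqld", 8080: "tomcat"}
SAMPLE_DEVIATIONS = [
    Deviation("web01", "port:8080", "tomcat", "app-owner", date(2026, 6, 30)),
    # Expired acceptance of password authentication: no longer counts.
    Deviation("web01", "sshd:PasswordAuthentication", "yes", "ops-lead", date(2024, 12, 31)),
]


def run_sample():
    return check_host("web01", SAMPLE_SSHD, SAMPLE_LISTENERS, SAMPLE_DEVIATIONS, date(2025, 3, 1))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host} {f.key}: expected={f.expected} observed={f.observed} -> {f.status}")
```

Run as-is, the sample reports two sshd drifts (password authentication is still enabled because sshd honours the first occurrence, and LogLevel is unset), one unauthorized listener on 3306, and one approved deviation for 8080; only the first three need investigation under the maturity criteria. In practice the observed state would be collected from the host (for example the sshd configuration file and the output of a socket listing tool) rather than embedded, and the deviation records would live beside the baseline under the same change control.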

Evidence Requirements

E-AST-12 Secure Baseline Configurations Reviews

Documented evidence of a review process to ensure Secure Baseline Configurations (SBC) are current and applicable (e.g., system configuration settings and associated documentation).

Asset Management
E-AST-13 Secure Baseline Configurations - Cloud-Based Services

Documented evidence of secure baseline configurations for all deployed types of cloud-based services or applications.

Asset Management
E-AST-14 Secure Baseline Configurations - Databases

Documented evidence of secure baseline configurations for all deployed types of databases.

Asset Management
E-AST-15 Secure Baseline Configurations - Embedded Technologies

Documented evidence of secure baseline configurations for all deployed types of embedded technologies.

Asset Management
E-AST-16 Secure Baseline Configurations - Major Applications

Documented evidence of secure baseline configurations for all deployed types of major applications.

Asset Management
E-AST-17 Secure Baseline Configurations - Minor Applications

Documented evidence of secure baseline configurations for all deployed types of minor applications.

Asset Management
E-AST-18 Secure Baseline Configurations - Mobile Devices

Documented evidence of secure baseline configurations for all deployed types of mobile devices.

Asset Management
E-AST-19 Secure Baseline Configurations - Network Devices

Documented evidence of secure baseline configurations for all deployed types of network devices.

Asset Management
E-AST-20 Secure Baseline Configurations - Server Class Systems

Documented evidence of secure baseline configurations for all deployed types of server-class operating systems.

Asset Management
E-AST-21 Secure Baseline Configurations - Workstation Class Systems

Documented evidence of secure baseline configurations for all deployed types of workstation-class operating systems.

Asset Management

Technology Recommendations

Micro/Small

  • Secure Baseline Configurations (SBC)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
  • Center for Internet Security (CIS) Benchmarks
  • Original Equipment Manufacturer (OEM) security guides

Small

  • Secure Baseline Configurations (SBC)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
  • Center for Internet Security (CIS) Benchmarks
  • Original Equipment Manufacturer (OEM) security guides

Medium

  • Secure Baseline Configurations (SBC)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
  • Center for Internet Security (CIS) Benchmarks
  • Original Equipment Manufacturer (OEM) security guides
  • CimTrak Integrity Suite (https://cimcor.com/cimtrak)
  • Netwrix Auditor (https://netrix.com)

Large

  • Secure Baseline Configurations (SBC)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
  • Center for Internet Security (CIS) Benchmarks
  • Original Equipment Manufacturer (OEM) security guides
  • CimTrak Integrity Suite (https://cimcor.com/cimtrak)
  • Netwrix Auditor (https://netrix.com)

Enterprise

  • Secure Baseline Configurations (SBC)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
  • Center for Internet Security (CIS) Benchmarks
  • Original Equipment Manufacturer (OEM) security guides
  • CimTrak Integrity Suite (https://cimcor.com/cimtrak)
  • Netwrix Auditor (https://netrix.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.