Skip to main content

CFG-03.1: Periodic Review

CFG 8 — High Detect

Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.

Control Question: Does the organization periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services?

General (30)
Framework Mapping Values
CSA CCM 4 AIS-02 IVS-03 IVS-04
GovRAMP Moderate CM-07(01)
GovRAMP High CM-07(01)
ISO 27002 2022 8.8 8.27
ISO 27017 2015 9.2.5 9.2.6 12.6.1 14.2.5
NIST 800-53 R4 CM-7(1)
NIST 800-53 R4 (moderate) CM-7(1)
NIST 800-53 R4 (high) CM-7(1)
NIST 800-53 R5 (source) CM-7(1)
NIST 800-53B R5 (moderate) (source) CM-7(1)
NIST 800-53B R5 (high) (source) CM-7(1)
NIST 800-82 R3 MODERATE OT Overlay CM-7(1)
NIST 800-82 R3 HIGH OT Overlay CM-7(1)
NIST 800-161 R1 CM-7(1)
NIST 800-161 R1 Level 2 CM-7(1)
NIST 800-161 R1 Level 3 CM-7(1)
NIST 800-171 R2 (source) 3.4.7
NIST 800-171A (source) 3.4.7[a] 3.4.7[b] 3.4.7[c] 3.4.7[d] 3.4.7[e] 3.4.7[f] 3.4.7[g] 3.4.7[h] 3.4.7[i] 3.4.7[j] 3.4.7[k] 3.4.7[l] 3.4.7[m] 3.4.7[n] 3.4.7[o]
NIST 800-171 R3 (source) 03.04.06.c 03.04.08.c
NIST 800-171A R3 (source) A.03.04.06.ODP[06]
PCI DSS 4.0.1 (source) 1.2.7 11.6.1 12.3.1 12.3.4 12.4.2 12.5.2 12.5.2.1 12.6.2 12.6.3
PCI DSS 4.0.1 SAQ A (source) 11.6.1
PCI DSS 4.0.1 SAQ A-EP (source) 1.2.7 11.6.1 12.3.1
PCI DSS 4.0.1 SAQ C (source) 12.3.1
PCI DSS 4.0.1 SAQ D Merchant (source) 1.2.7 11.6.1 12.3.1 12.3.4 12.5.2 12.6.2 12.6.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 1.2.7 11.6.1 12.3.1 12.3.4 12.4.2 12.5.2 12.5.2.1 12.6.2 12.6.3
SWIFT CSF 2023 2.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) CFG-03.1
SCF CORE ESP Level 2 Critical Infrastructure CFG-03.1
SCF CORE ESP Level 3 Advanced Threats CFG-03.1
US (11)
Framework Mapping Values
US CMMC 2.0 Level 2 (source) CM.L2-3.4.7
US CMMC 2.0 Level 3 (source) CM.L2-3.4.7
US CMS MARS-E 2.0 CM-7(1)
US FedRAMP R4 CM-7(1)
US FedRAMP R4 (moderate) CM-7(1)
US FedRAMP R4 (high) CM-7(1)
US FedRAMP R5 (source) CM-7(1)
US FedRAMP R5 (moderate) (source) CM-7(1)
US FedRAMP R5 (high) (source) CM-7(1)
US IRS 1075 CM-7(1)
US - TX TX-RAMP Level 2 CM-7(1)
EMEA (3)
Framework Mapping Values
EMEA Spain BOE-A-2022-7191 21.2
EMEA Spain 311/2022 21.2
EMEA UK DEFSTAN 05-138 2430 2507
APAC (2)
Framework Mapping Values
APAC India SEBI CSCRF DE.CM.S5
APAC Japan ISMAP 9.2.5 9.2.6 12.6.1 12.6.1.18.PB 14.2.5
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.04.06.C 03.04.08.C

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to periodically review system configurations to identify and disable unnecessary and/ or non-secure functions, ports, protocols and services.

Level 1 — Performed Informally

Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Standardized across the organization. o Consistently aligned with industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).

  • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  • Secure configurations are not:
Level 2 — Planned & Tracked

Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for configuration management.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
  • Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
  • Apart from workstation and server operating system baselines, configuration management is decentralized.
  • Cybersecurity personnel use a structured process to design, build and maintain secure configurations for test, development, staging and production environments.
  • Deviations to baseline configurations are required to have a risk assessment and the business process owner acceptance of the risk(s) associated with the deviation.
  • Unauthorized configuration changes are investigated to determine if the unauthorized configuration is malicious in nature.
  • Logical Access Control (LAC) is enforced to prohibit non-administrative users from being able to install unauthorized software.
  • Cybersecurity personnel perform an annual review of existing configurations to ensure security objectives are still being met.
Level 3 — Well Defined

Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • The configuration management function is formally assigned with defined roles and responsibilities.
  • An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
  • Configuration management is centralized for all operating systems, applications, servers and other configurable technologies.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including test, development, staging and production environments.
  • Configurations conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments.
  • Deviations to baseline configurations are required to have a risk assessment and business process owner approval of the risk(s) associated with the deviation.
  • Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
  • An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
  • Logical Access Control (LAC) is used to limit the ability of non-administrators from making configuration changes to systems, applications and services, including the of installation of unauthorized software.
  • A Security Incident Event Manager (SIEM), or similar automated tool, monitors for unauthorized activities, accounts, connections, devices and software.
  • Unauthorized configuration changes are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration is malicious in nature.
  • Cybersecurity personnel perform an annual review of existing configurations to ensure security objectives are still being accomplished, or up on the release of a new application or service that requires additional configuration settings.
Level 4 — Quantitatively Controlled

Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
  • Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

  1. CFG-03.1_A01 the frequency at which to review the system to identify unnecessary or nonsecure functions, ports, protocols, connections, or services is defined.
  2. CFG-03.1_A02 organization-defined functions, ports, protocols, software and services deemed to be unnecessary and/or non-secure are disabled or removed.
  3. CFG-03.1_A03 essential programs are defined.
  4. CFG-03.1_A04 essential functions are defined.
  5. CFG-03.1_A05 essential ports are defined.
  6. CFG-03.1_A06 essential protocols are defined.
  7. CFG-03.1_A07 essential services are defined.
  8. CFG-03.1_A08 the use of nonessential programs is defined.
  9. CFG-03.1_A09 the use of nonessential programs is restricted, disabled or prevented as defined.
  10. CFG-03.1_A10 the use of nonessential functions is defined.
  11. CFG-03.1_A11 the use of nonessential functions is restricted, disabled or prevented as defined.
  12. CFG-03.1_A12 the use of nonessential ports is defined.
  13. CFG-03.1_A13 the use of nonessential protocols is defined.
  14. CFG-03.1_A14 the use of nonessential ports is restricted, disabled or prevented as defined.
  15. CFG-03.1_A15 the use of nonessential protocols is restricted, disabled or prevented as defined.
  16. CFG-03.1_A16 the use of nonessential services is defined.
  17. CFG-03.1_A17 the use of nonessential services is restricted, disabled or prevented as defined.
  18. CFG-03.1_A18 functions to be disabled or removed when deemed unnecessary or non-secure are defined.
  19. CFG-03.1_A19 ports to be disabled or removed when deemed unnecessary or non-secure are defined.
  20. CFG-03.1_A20 protocols to be disabled or removed when deemed unnecessary or non-secure are defined.
  21. CFG-03.1_A21 software to be disabled or removed when deemed unnecessary or non-secure is defined.
  22. CFG-03.1_A22 services to be disabled or removed when deemed unnecessary or non-secure are defined.

Technology Recommendations

Micro/Small

  • Configuration Management (CM) program
  • Change control program

Small

  • Configuration Management (CM) program
  • Change control program

Medium

  • Configuration Management (CM) program
  • Change control program

Large

  • Configuration Management (CM) program
  • Change control program

Enterprise

  • Configuration Management (CM) program
  • Change control program

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free