Skip to main content

END-01: Endpoint Device Management (EDM)

END 10 — Critical Govern

Mechanisms exist to facilitate the implementation of Endpoint Device Management (EDM) controls.

Control Question: Does the organization facilitate the implementation of Endpoint Device Management (EDM) controls?

General (42)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.7-POF4
CIS CSC 8.1 10
CIS CSC 8.1 IG1 10.1
CIS CSC 8.1 IG2 10.1
CIS CSC 8.1 IG3 10.1
COBIT 2019 DSS05.01 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.06 DSS05.07
CSA CCM 4 TVM-02 UEM-01 UEM-05 UEM-07
GovRAMP Low MP-02
GovRAMP Low+ MP-02
GovRAMP Moderate MP-02
GovRAMP High MP-02
IEC TR 60601-4-5 2021 4.2
IMO Maritime Cyber Risk Management 3.5.3.4
ISO 27002 2022 7.7 8.1 8.5
ISO 27017 2015 11.2.9
NIST 800-53 R4 MP-2
NIST 800-53 R4 (low) MP-2
NIST 800-53 R4 (high) MP-2
NIST 800-53 R5 (source) MP-2
NIST 800-53B R5 (low) (source) MP-2
NIST 800-53B R5 (moderate) (source) MP-2
NIST 800-53B R5 (high) (source) MP-2
NIST 800-82 R3 LOW OT Overlay MP-2
NIST 800-82 R3 MODERATE OT Overlay MP-2
NIST 800-82 R3 HIGH OT Overlay MP-2
NIST 800-171 R2 (source) 3.14.2
NIST 800-171A (source) 3.4.1[a] 3.4.1[b] 3.4.1[c] 3.4.2[a] 3.4.2[b]
NIST 800-171 R3 (source) 03.14.02.a
NIST 800-171A R3 (source) A.03.01.03[01]
NIST 800-207 NIST Tenet 4
NIST CSF 2.0 (source) DE.CM-09
PCI DSS 4.0.1 (source) 1.5 1.5.1 5.1
PCI DSS 4.0.1 SAQ A-EP (source) 1.5.1
PCI DSS 4.0.1 SAQ C-VT (source) 1.5.1
PCI DSS 4.0.1 SAQ D Merchant (source) 1.5.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 1.5.1
Shared Assessments SIG 2025 M.1.1
SWIFT CSF 2023 6.1
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) END-01
SCF CORE ESP Level 1 Foundational END-01
SCF CORE ESP Level 2 Critical Infrastructure END-01
SCF CORE ESP Level 3 Advanced Threats END-01
US (36)
Framework Mapping Values
US C2M2 2.1 ARCHITECTURE-3.A.MIL1 ARCHITECTURE-3.B.MIL1
US CERT RMM 1.2 AM:SG1.SP1 KIM:SG2.SP1 KIM:SG2.SP2
US CJIS Security Policy 5.9.3 (source) MP-2
US CMMC 2.0 Level 1 (source) SI.L1-B.1.XIII
US CMMC 2.0 Level 2 (source) SI.L2-3.14.2
US CMMC 2.0 Level 3 (source) SI.L2-3.14.2
US CMS MARS-E 2.0 MP-2
US DoD Zero Trust Execution Roadmap 2.4.2 2.4.3 2.4.4
US DHS CISA TIC 3.0 3.UNI.IDMRP
US DHS ZTCF EPM-03
US FAR 52.204-21 52.204-21(b)(1)(xiii)
US FedRAMP R4 MP-2
US FedRAMP R4 (low) MP-2
US FedRAMP R4 (moderate) MP-2
US FedRAMP R4 (high) MP-2
US FedRAMP R4 (LI-SaaS) MP-2
US FedRAMP R5 (source) MP-2
US FedRAMP R5 (low) (source) MP-2
US FedRAMP R5 (moderate) (source) MP-2
US FedRAMP R5 (high) (source) MP-2
US FedRAMP R5 (LI-SaaS) (source) MP-2
US HIPAA Administrative Simplification 2013 (source) 164.310(b)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.310(b)
US HIPAA HICP Small Practice 2.S.A 8.S.A
US HIPAA HICP Medium Practice 1.M.A 2.M.A 9.M.A 9.M.B
US HIPAA HICP Large Practice 1.M.A 2.M.A 9.M.A 9.M.B 1.L.A
US IRS 1075 2.D.8 3.3.7 MP-2
US NERC CIP 2024 (source) CIP-011-3 1.2
US NISPOM 2020 8-310
US NNPI (unclass) 5.1 5.2 17.2
US NSTC NSPM-33 6.10
US SSA EIESR 8.0 5.8
US - TX DIR Control Standards 2.0 MP-2
US - TX TX-RAMP Level 1 MP-2
US - TX TX-RAMP Level 2 MP-2
US - VT Act 171 of 2018 2447(c)(6) 2447(c)(7)
EMEA (14)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.4.4(36)(d)
EMEA EU NIS2 Annex 6.9.1
EMEA Austria Sec 14 Sec 15
EMEA Belgium 16
EMEA Israel CDMO 1.0 7.1 7.3 15.5
EMEA Saudi Arabia CSCC-1 2019 2-3-1-2 2-5
EMEA Saudi Arabia ECC-1 2018 2-3-4 2-4-4
EMEA Saudi Arabia OTCC-1 2022 2-5 2-5-1 2-5-1-1 2-5-1-2 2-5-1-3 2-5-1-4 2-5-1-5 2-5-2
EMEA Saudi Arabia SACS-002 TPC-12 TPC-22
EMEA South Africa 19
EMEA Spain CCN-STIC 825 8.3.1 [MP.EQ.1]
EMEA UK CAF 4.0 B3.d
EMEA UK Cyber Essentials 4
EMEA UK DEFSTAN 05-138 2317 2411
APAC (5)
Framework Mapping Values
APAC Japan ISMAP 11.2.9
APAC New Zealand HISF 2022 HHSP34 HSUP30
APAC New Zealand HISF Suppliers 2023 HSUP30
APAC Singapore Cyber Hygiene Practice 4.5
APAC Singapore MAS TRM 2021 11.3.1 11.3.2 11.3.3 11.3.4 11.3.5 11.4.1 11.4.2 11.4.3
Americas (3)
Framework Mapping Values
Americas Bermuda BMACCC 5.12
Americas Canada CSAG 4.3 4.4
Americas Canada ITSP-10-171 03.14.02.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to facilitate the implementation of Endpoint Device Management (EDM) controls.

Level 1 — Performed Informally

Endpoint Security (END) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
  • IT/cybersecurity personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments, including the implementation of appropriate cybersecurity and data protection controls.
  • Anti-malware technologies are decentralized but are deployed on all technology assets that can run Anti-malware software.
  • Data management is decentralized.
Level 2 — Planned & Tracked

Endpoint Security (END) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: IT personnel implement and maintain an asset management capability, including endpoint devices.

  • Endpoint security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for endpoint security management.
  • Anti-malware technologies are decentralized but are deployed on all technology assets that can run anti-malware software.
  • Physical controls, administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
  • Data/process owners are expected to take the initiative to work with Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.
  • Data protection controls are primarily administrative in nature (e.g., policies & standards) to manage endpoint devices.
Level 3 — Well Defined

Endpoint Security (END) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for endpoint security practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise with regards to endpoint security.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to endpoint security.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including endpoint security.
  • An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” practices for the management of user, group and system accounts, including privileged accounts.
  • Configuration management is centralized for all operating systems, applications, servers and other configurable technologies.
  • Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including test, development, staging and production environments.
  • Configurations conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments.
  • An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
  • An ITAM function, or similar function, uses a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets that is configured to perform integrity checking and alert on unauthorized configuration changes.
  • A Security Operations Center (SOC), or similar function, centrally manages anti-malware and anti-phishing technologies, in accordance with industry-recognized practices for Prevention, Detection & Response (PDR) activities.
  • A Security Incident Event Manager (SIEM), or similar automated tool, is tuned to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.
  • The Human Resources (HR) department ensures that every user accessing a system that processes, stores, or transmits sensitive/regulated data is cleared and regularly trained in proper data handling practices.
  • Unauthorized configuration changes are responded to in accordance with an Incident Response Plan (IRP) to determine if the any unauthorized configuration is malicious in nature.
  • A Data Protection Impact Assessment (DPIA) is used to help ensure the protection of Personal Data (PD) processed, stored or transmitted on endpoint devices, so that cybersecurity and data protection controls are implemented in accordance with applicable statutory, regulatory and contractual obligations.
  • Administrative processes exist and technologies are configured to notify individuals that Personal Data (PD) is collected by sensors.
  • File Integrity monitor (FIM) technology is deployed to all HVAs to detect and report unauthorized changes to business-critical system files and configurations.
  • Host-based Intrusion Detection/Prevention Systems (HIDS/HIPS) technology is deployed to all HVAs to detect and report unauthorized changes to business-critical system files and configurations.
Level 4 — Quantitatively Controlled

Endpoint Security (END) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of Endpoint Device Management (EDM) controls.

Assessment Objectives

  1. END-01_A01 security configuration settings for information technology products employed in the system are established and included in the baseline configuration.
  2. END-01_A02 a current baseline configuration for systems, applications and services is developed and documented.
  3. END-01_A03 the baseline configuration includes hardware, software, firmware and documentation.
  4. END-01_A04 the baseline configuration is maintained (reviewed / updated) throughout the system development life cycle under configuration control.
  5. END-01_A05 security configuration settings for information technology products employed in the system are enforced.
  6. END-01_A06 configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using organization-defined common secure configurations.
  7. END-01_A07 a control baseline for the system is selected.
  8. END-01_A08 thresholds to which attack surfaces are to be reduced are defined.
  9. END-01_A09 the developer of the system, system component or system service is required to reduce attack surfaces to organization-defined thresholds.
  10. END-01_A10 approved authorizations are enforced for controlling the flow of CUI within the system.
  11. END-01_A11 endpoint security management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
  12. END-01_A12 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support endpoint security management operations.
  13. END-01_A13 responsibility and authority for the performance of endpoint security management-related activities are assigned to designated personnel.
  14. END-01_A14 personnel performing endpoint security management-related activities have the skills and knowledge needed to perform their assigned duties.

Evidence Requirements

E-AST-01 IT Asset Management (ITAM)

Documented evidence of an IT Asset Management (ITAM) program that addresses the due diligence and due care activities associated with maintaining both secure and compliant systems, applications and services.

Asset Management
E-END-01 Endpoint Security Tools

Documented evidence of endpoint security tools employed by the organization to ensure secure and compliant systems, applications and processes (e.g., antimalware, FIM, etc.).

Endpoint Security

Technology Recommendations

Micro/Small

  • Secure Baseline Configurations (SBC)
  • IT Asset Management (ITAM) program
  • Configuration Management (CM) program
  • Change control program

Small

  • Secure Baseline Configurations (SBC)
  • IT Asset Management (ITAM) program
  • Configuration Management (CM) program
  • Change control program

Medium

  • Secure Baseline Configurations (SBC)
  • IT Asset Management (ITAM) program
  • Configuration Management (CM) program
  • Change control program

Large

  • Secure Baseline Configurations (SBC)
  • IT Asset Management (ITAM) program
  • Configuration Management (CM) program
  • Change control program

Enterprise

  • Secure Baseline Configurations (SBC)
  • IT Asset Management (ITAM) program
  • Configuration Management (CM) program
  • Change control program

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free