GRCWatch
Sign inStart free trial

CMMC Level 2 CM.L2-3.4.2: Security Configuration Enforcement

Security configuration enforcement is critical to reducing attack surface and preventing unauthorized system access. CM.L2-3.4.2 requires organizations to establish and maintain baseline security configurations across all IT products in their environment. Meeting this control protects sensitive data and demonstrates configuration management discipline to auditors.

What this means

This control requires you to define, document, and actively enforce security configuration standards across all information technology products in your organization. Rather than allowing ad-hoc or inconsistent security settings, you must create baseline configurations that reflect industry best practices and your organization's security requirements, then ensure these standards are implemented and maintained across your IT infrastructure.

How to comply

  1. 1.Document baseline security configurations for each major IT product category (operating systems, databases, applications, network devices, etc.)
  2. 2.Define configuration management policies that specify approved settings, change control procedures, and deviation handling
  3. 3.Deploy configuration management tools to enforce baseline settings automatically across your environment
  4. 4.Establish a change control process that prevents unauthorized configuration modifications
  5. 5.Conduct regular configuration reviews and audits to identify and remediate deviations from baseline
  6. 6.Maintain centralized records of all approved configurations and approved exceptions with business justification
  7. 7.Train IT staff on configuration standards and the importance of maintaining baseline security settings

Evidence auditors look for

  • Documented baseline security configuration standards for operating systems, applications, and network devices
  • Configuration management policy documents with approval and change control procedures
  • Configuration management tool dashboards showing enforcement status across systems
  • Change logs demonstrating approval of configuration changes and rollback of unauthorized modifications
  • Audit reports from configuration scans comparing actual settings to approved baselines
  • Evidence of remediation actions taken when systems drifted from baseline configurations
  • Training records documenting IT staff awareness of configuration management requirements

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates configuration baseline creation and enforcement monitoring, flagging deviations in real-time so your team can remediate before audits—eliminating manual baseline audits and change verification.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CM.L2-3.4.1 — Baseline ConfigurationCM.L2-3.4.3 — Configuration Change ControlSI.L2-4.4.1 — Information System Monitoring