Welcome to our comprehensive guide on Configuration Management for CMMC Level 2 compliance. Navigating the requirements for CMMC Level 2 can be complex, but this expert-driven guide is designed to make the process straightforward and actionable. With advice from a certified CMMC expert, we walk you through the critical elements of CMMC Level 2 Configuration Management, Change Management, and security configuration, providing a clear roadmap for compliance.
If your organization requires further assistance, book a free consultation with our experts to help you meet all CMMC Level 2 requirements with confidence.
“Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.”
Level Of Effort: High
Keeping a standard setup for all your organization's systems is crucial. This means tracking all your hardware, software, firmware, and important documents. Start tracking each item as soon as you acquire it and keep the records current for as long as it is in use.
Set your computers to this standard setup: Use tools like Group Policy Objects (GPO) or Intune. If you're on Mac or Linux, get help from your I.T. team. Note: Test these setups carefully. They can sometimes cause unexpected issues. Start with one computer, then gradually apply to others.
Make a list of all your hardware and software: Include everything from servers to mobile devices. Note down details like the type, model, and serial number. Your I.T. team can help with the software part.
Evidence:
Your setup document or checklist: Keep a copy of the document that details your baseline configuration.
Proof of system settings: Use a vulnerability scanner to check that your systems match the baseline settings.
Inventories of hardware and software: Maintain detailed lists of all your hardware and software.
Records of inventory updates: Keep a sheet that tracks your regular (like quarterly or annual) inventory reviews.
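The following PowerShell script is an added example, not part of the original guide, showing how an I.T. admin can pull the hardware details (model, serial number, OS build) and the installed-software list from a Windows computer, save both as dated CSV files for the inventory evidence above, and report what changed since the previous run. The output folder and file names are assumptions; it reads the Uninstall registry keys rather than Win32_Product because the latter is slow and can trigger MSI repairs.

```powershell
# Added example (not from the original guide): hardware and software inventory
# for one Windows endpoint, written as dated CSV evidence. Run in an elevated
# PowerShell session. The output folder below is an assumption.

$OutDir = 'C:\CMMC\Inventory'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Stamp = Get-Date -Format 'yyyy-MM-dd'

# --- Hardware: type, model, serial number, firmware and OS build ---
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$os   = Get-CimInstance -ClassName Win32_OperatingSystem

$hardware = [pscustomobject]@{
    Hostname     = $env:COMPUTERNAME
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model
    SerialNumber = $bios.SerialNumber
    BIOSVersion  = $bios.SMBIOSBIOSVersion
    OSName       = $os.Caption
    OSBuild      = $os.BuildNumber
    Collected    = $Stamp
}
$hardware | Export-Csv -Path (Join-Path $OutDir "hardware-$Stamp.csv") -NoTypeInformation

# --- Software: read the Uninstall keys (64-bit and 32-bit views) ---
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object @{ n = 'Hostname'; e = { $env:COMPUTERNAME } },
                  DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique
$software | Export-Csv -Path (Join-Path $OutDir "software-$Stamp.csv") -NoTypeInformation

# --- Drift report against the most recent earlier software inventory ---
$previous = Get-ChildItem -Path $OutDir -Filter 'software-*.csv' |
    Where-Object { $_.Name -ne "software-$Stamp.csv" } |
    Sort-Object Name -Descending | Select-Object -First 1

if ($previous) {
    $old  = Import-Csv -Path $previous.FullName
    $diff = Compare-Object -ReferenceObject $old -DifferenceObject $software `
                           -Property DisplayName, DisplayVersion
    $added   = @($diff | Where-Object SideIndicator -eq '=>')
    $removed = @($diff | Where-Object SideIndicator -eq '<=')
    "Since $($previous.Name): $($added.Count) added, $($removed.Count) removed"
    $added   | ForEach-Object { "  + $($_.DisplayName) $($_.DisplayVersion)" }
    $removed | ForEach-Object { "  - $($_.DisplayName) $($_.DisplayVersion)" }
} else {
    "No previous inventory found; $($software.Count) packages recorded as the baseline."
}
```

Run it on each computer at the interval your policy sets (for example quarterly) and keep the dated CSV files; the drift report is what a reviewer can sign off on as the record of the inventory update.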
CM.L2-3.4.2 – SECURITY CONFIGURATION ENFORCEMENT
“Establish and enforce security configuration settings for information technology products employed in organizational information systems.”
“Track, review, approve/disapprove, and audit changes to information systems.”
Level Of Effort: Medium
For your organization, it's important to have a structured way to keep track of, review, decide on, and record all changes to your IT systems. This control helps ensure changes don't introduce security issues or disrupt your services.
Here's how you can manage changes in your I.T. systems and what kind of proof you should keep:
Recommendations:
Create a Change Management Policy: Make a document that shows the steps for starting, reviewing, and carrying out changes. This might start with a support ticket about the change, then say who checks and approves it. At the end, update the ticket with what happens next – whether the change happens, gets adjusted, or is turned down. Your policy should cover:
Who checks and approves big changes to your I.T. systems?
Where are these changes reviewed? Maybe in a regular meeting or a special meeting if there are lots of changes.
What's a big change versus a small one? For example, small might be updating software, while big could be switching to a new app.
Do small changes need to be checked right away, or can you list them and review them later?
How do you do a security impact analysis before you start any changes? This might involve using tools like VirusTotal or risk assessment tools.
Keep a log of all system changes: Have a sheet where you write down all the big changes. Note whether they were okayed or not, based on your Change Management Policy.
Evidence:
Your Change Management Policy: Keep a standalone policy or include it in your Security System Plan (SSP).
Change Management tracking sheet: Maintain a list of all major changes. This should show if they were approved or disapproved based on your policy.
“Analyze the security impact of changes prior to implementation.”
Level Of Effort: Low
To handle this well, make sure a person who knows about CMMC and information security is involved in your team, especially when making big changes according to your Change Management Policy, as described earlier in this article. This role fits your I.T. team, or a cybersecurity consultant if you don't have this kind of expertise at your company. It's important not to miss this step. We've seen companies face big security problems because they didn't think about how changes would affect their security!
CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGE
“Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.”
Level Of Effort: Medium
This control is about defining who may make changes to your business's computer systems and getting the right approvals for them. It makes sure that only people who are trained and authorized can change these systems, which is essential to keeping them safe and secure.
Recommendations:
Document who can access key areas: Write down who can get into places with CUI, like servers or data centers. Explain how these places are locked, such as with keys, alarms, or badge access. If they aren’t locked, start locking them.
List users authorized to make system changes: Create a list of people who can change systems with CUI. Note which systems they can work on.
Consider two-person rules for big companies: For major changes, think about requiring two people to do them. For example, one person might have the passwords, but they need the other person to ask for them to make changes.
Evidence:
List of users and access methods: Keep a record of who can access important places and how these places are secured.
Authorized user list in your SSP: Include a list in your Security System Plan (SSP) of people allowed to make system changes.
Two-person rule documentation (if used): If you use a two-person rule for big changes, put this info in your SSP.
CM.L2-3.4.6 – LEAST FUNCTIONALITY
“Employ the principle of least functionality by configuring the information system to provide only essential capabilities.”
Level Of Effort: Medium
Your business's systems should only have the features they need. This idea, called the principle of least functionality, makes your systems simple and secure. Let's look at how to do this and what kind of proof you should keep.
Recommendations:
Remove unnecessary functions from systems: Check your systems and software, removing features that aren’t needed. Actions to consider include:
Deleting default programs not in use (like web servers, PowerShell, FTP servers) before deploying computers.
Configuring your local firewall to only keep essential ports open. The standard should be to block everything that’s not necessary.
Disabling services that are not required before starting a new server.
Wherever possible, allow each system component to perform only a single function.
Coordinate with your I.T. team on new setups: Ensure new computers are set up to these standards. Encourage your I.T. team to use standardized setup templates, known as golden images, and checklists.
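As an added example (not code from the original guide), the script below audits a Windows computer against the three kinds of least-functionality actions listed above: unused optional Windows features, services that should not be running, and inbound firewall ports beyond the approved set. It only reports by default; with -Enforce it removes the features, disables the services, sets the firewall default to block, and disables the offending allow rules. The feature, service and port lists are illustrative assumptions and should be replaced with what your own baseline document approves.

```powershell
# Added example (not from the original guide): audit or enforce a small
# least-functionality baseline on a Windows machine. Run elevated.
# The lists below are illustrative assumptions, not a recommended baseline.
param([switch]$Enforce)   # default: report only, change nothing

# Optional Windows features that should not be present on a workstation
$FeaturesToRemove  = @('IIS-WebServer', 'TelnetClient', 'TFTP', 'SMB1Protocol')
# Services that should be disabled unless the baseline names them
$ServicesToDisable = @('RemoteRegistry', 'Telnet', 'SNMP', 'ftpsvc')
# Inbound TCP ports the baseline explicitly allows (e.g. RDP for the I.T. team)
$AllowedInboundTcp = @(3389)

$report = [System.Collections.Generic.List[string]]::new()

# 1. Optional features
foreach ($f in $FeaturesToRemove) {
    $feat = Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        $report.Add("FEATURE  $f is enabled")
        if ($Enforce) { Disable-WindowsOptionalFeature -Online -FeatureName $f -NoRestart | Out-Null }
    }
}

# 2. Services
foreach ($s in $ServicesToDisable) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartType -ne 'Disabled') {
        $report.Add("SERVICE  $s start type is $($svc.StartType)")
        if ($Enforce) {
            Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
            Set-Service -Name $s -StartupType Disabled
        }
    }
}

# 3. Firewall: default inbound action must be Block on every profile
foreach ($p in Get-NetFirewallProfile) {
    if ($p.DefaultInboundAction -ne 'Block') {
        $report.Add("FIREWALL profile $($p.Name) default inbound is $($p.DefaultInboundAction)")
        if ($Enforce) { Set-NetFirewallProfile -Name $p.Name -DefaultInboundAction Block }
    }
}

# 4. Firewall: enabled inbound allow rules opening TCP ports outside the allowed list
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($r in $rules) {
    $pf = $r | Get-NetFirewallPortFilter
    if ($pf.Protocol -ne 'TCP' -or $pf.LocalPort -eq 'Any') { continue }
    foreach ($port in @($pf.LocalPort)) {
        # skip ranges such as 5000-5010; a single numeric port is checked
        if ($port -match '^\d+$' -and [int]$port -notin $AllowedInboundTcp) {
            $report.Add("PORT     rule '$($r.DisplayName)' allows inbound TCP $port")
            if ($Enforce) { Disable-NetFirewallRule -Name $r.Name }
        }
    }
}

if ($report.Count -eq 0) {
    'Compliant with the least-functionality baseline.'
} else {
    $mode = if ($Enforce) { 'items remediated' } else { 'findings (audit only)' }
    "$($report.Count) $($mode):"
    $report
}
```

Run it in audit mode on one computer first, as the guide advises for any baseline change, and keep the output together with the configuration screenshots as evidence that unnecessary features were removed.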
Evidence:
Configuration screenshots: Keep images of your system configurations, showing that unnecessary features have been removed.
“Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.”
Level Of Effort: Medium
Under CM.L2-3.4.6 – LEAST FUNCTIONALITY, you've set up computers to have only the most necessary features. It's important to keep this up. After you decide on the right settings, use the vulnerability scanner from RA.L2-3.11.2 – VULNERABILITY SCAN to regularly check your computers. This will help you make sure they still follow your set rules.
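Between scanner runs, a quick self-check against the documented baseline catches drift early. The script below is an added example (not from the original guide): it reads a short list of expected registry settings, compares each to the live value, prints a PASS/FAIL table, and appends the rows to a CSV so every check leaves evidence. The four settings shown are an illustrative subset and the evidence path is an assumption; the real list should mirror your baseline configuration document.

```powershell
# Added example (not from the original guide): re-check a machine against the
# documented baseline between vulnerability scans and record the result.
# Run elevated. The baseline entries and evidence path are assumptions.

$EvidencePath = 'C:\CMMC\Evidence\baseline-checks.csv'
New-Item -ItemType Directory -Path (Split-Path $EvidencePath) -Force | Out-Null

# Each entry: registry path, value name, expected value, and the setting it represents
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';          Expected = 1;   Setting = 'UAC enabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'UserAuthentication'; Expected = 1;   Setting = 'RDP requires Network Level Authentication' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1';               Expected = 0;   Setting = 'SMBv1 server disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 255; Setting = 'AutoRun disabled on all drive types' }
)

function Test-BaselineSetting {
    param([hashtable]$Item)
    # A missing value counts as a failure: the baseline requires it to be set explicitly
    $actual = $null
    $prop = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
    if ($prop) { $actual = $prop.($Item.Name) }
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('s')
        Hostname  = $env:COMPUTERNAME
        Setting   = $Item.Setting
        Expected  = $Item.Expected
        Actual    = if ($null -eq $actual) { '<missing>' } else { $actual }
        Status    = if ($actual -eq $Item.Expected) { 'PASS' } else { 'FAIL' }
    }
}

$results = $Baseline | ForEach-Object { Test-BaselineSetting -Item $_ }
$results | Export-Csv -Path $EvidencePath -NoTypeInformation -Append
$results | Format-Table Setting, Expected, Actual, Status -AutoSize

$failed = @($results | Where-Object Status -eq 'FAIL').Count
"$failed of $($results.Count) baseline settings have drifted on $env:COMPUTERNAME"
```

This does not replace the vulnerability scanner required by RA.L2-3.11.2; it gives the I.T. team a fast, repeatable check they can run after every change ticket and a dated record for the auditor.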
CM.L2-3.4.8 – APPLICATION EXECUTION POLICY
“Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.”
Level Of Effort: Medium
Managing which software can run on your system is key for this control. You can choose a blacklisting method (blocking certain programs) or a whitelisting method (only allowing certain programs).
Here's a plan for managing your software and the evidence you should keep:
Recommendations:
Get a list of all software on your computers: Ask your I.T. team to make an inventory of all software installed. They can usually do this with system management tools.
Decide which programs are okay: Look through the list with your I.T. team’s help. Decide what's approved and what's not. Remove any programs from your computers that aren’t allowed.
Set up your computers to only run allowed programs: Use tools like Group Policy Objects or Intune for this. For Mac or Linux, ask your I.T. team for help. Some antivirus or Endpoint Detection and Response (EDR) solutions let you make lists of allowed and blocked apps. ThreatLocker is a popular choice for app whitelisting on Windows computers.
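One built-in way to implement the whitelisting option on Windows is AppLocker, which can be pushed through Group Policy. The script below is an added example, not the guide's or any vendor's code: it builds an allow-list from the programs already installed on an approved reference ("golden") machine, switches the policy to audit-only for the first rollout so nothing breaks while you review the results, applies it, tests how an unapproved program would be treated, and pulls the "would have been blocked" events. The folder paths and the probe file are assumptions.

```powershell
# Added example (not from the original guide): build, audit and test an
# AppLocker allow-list on a Windows edition that supports AppLocker. Run
# elevated; the Application Identity service must be running for enforcement.
# Paths are assumptions.

$PolicyPath = 'C:\CMMC\AppLocker\approved-apps.xml'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Collect publisher and hash information for the approved program folders
$fileInfo = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, WindowsInstaller, Script
}

# 2. Prefer publisher rules (they survive version updates); hash rules cover unsigned files
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                           -User Everyone -RuleNamePrefix 'CMMC' -Optimize -Xml
$xml | Out-File -FilePath $PolicyPath -Encoding utf8

# 3. Set every rule collection to AuditOnly before the first deployment so
#    would-be blocks are logged without stopping users
[xml]$doc = Get-Content -Path $PolicyPath
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$doc.Save($PolicyPath)

# 4. Apply to this machine (add -Ldap with a GPO path to deploy domain-wide)
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# 5. Check how a program that is not on the approved list would be treated
$probe = 'C:\Users\Public\Downloads\TeamViewer_Setup.exe'   # assumed path to an unapproved installer
if (Test-Path -Path $probe) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $probe -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 6. Review audit results: event 8003 = allowed now, would be blocked under enforcement
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the audit log shows only programs you expect to block, change EnforcementMode to Enabled and redeploy; the saved XML file and a screenshot of the enforced policy are the "screenshot of your software policy" evidence.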
Evidence:
Software inventory: Keep a copy of the list showing all the software on your computers. It might be in Excel or PDF format.
Keep track of your decisions: You can do this in the inventory if it’s in Excel.
Screenshot of your software policy: Have screenshots showing your computer settings that only allow the software you’ve approved.
Pro Tip: When checking your software list, pay extra attention to:
Remote control software like TeamViewer or LogMeIn.
File transfer programs (FTP, SFTP, etc.).
Any antivirus or virtual private network (VPN) software that’s not approved.
CM.L2-3.4.9 – USER-INSTALLED SOFTWARE
"Control and monitor user-installed software."
Level Of Effort: Medium
Managing what software your team installs on their computers helps keep your systems safe from malware. Here's a straightforward way to do this and the kind of proof you should have:
Recommendations:
Restrict software installation rights: Change settings so only a few people can install programs. Your I.T. team can assist with this. Depending on your systems, it might be a simple policy change. The worst case will take 30-60 minutes per computer for an I.T. admin to make the change.
Use tools to manage installations: Look into tools like AutoElevate, Microsoft AppLocker, or ThreatLocker to comply with CMMC. These let you control what gets installed. Talk to your I.T. team to see which one is right for you.
Test your system regularly: Make sure your controls are working by testing your system to prevent unauthorized installations.
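The regular test in the last step can be scripted so that every run leaves a log entry. The following is an added example (not from the original guide): it compares the local Administrators group, which is what grants installation rights on a typical Windows computer, against the short list of approved principals, records the result as PASS or FAIL with a timestamp and the tester's name, and appends it to a CSV that serves as the "logs of your testing" evidence. The approved list and log path are hypothetical.

```powershell
# Added example (not from the original guide): verify that only approved
# accounts hold local administrator (and therefore install) rights, and log
# the test. Run elevated. The approved list and log path are assumptions.

$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # the built-in local admin account
    'CONTOSO\IT-Admins'                  # hypothetical domain group for the I.T. team
)
$LogPath = 'C:\CMMC\Tests\install-rights-test.csv'
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

function Test-InstallRights {
    param([string[]]$ApprovedPrincipals)
    $members    = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    # Anyone in the group who is not on the approved list can install software
    $unexpected = @($members | Where-Object { $_ -notin $ApprovedPrincipals })
    # Approved principals that are absent are reported too, so the list stays accurate
    $missing    = @($ApprovedPrincipals | Where-Object { $_ -notin $members })
    [pscustomobject]@{
        Timestamp  = (Get-Date).ToString('s')
        Hostname   = $env:COMPUTERNAME
        Tester     = "$env:USERDOMAIN\$env:USERNAME"
        Members    = ($members -join ';')
        Unexpected = ($unexpected -join ';')
        Missing    = ($missing -join ';')
        Result     = if ($unexpected.Count -gt 0) { 'FAIL' } else { 'PASS' }
    }
}

$result = Test-InstallRights -ApprovedPrincipals $Approved
$result | Export-Csv -Path $LogPath -NoTypeInformation -Append
$result | Format-List
```

A FAIL row names the account that gained admin rights outside the policy, which is exactly the finding a change ticket and a reviewer should follow up on; the accumulated CSV shows the auditor when and how the control was tested.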
Evidence:
Screenshots of user settings: Keep screenshots showing that installation rights are limited to certain users.
Proof of installation control tools: Have screenshots showing these tools are in place on all computers, especially those handling CUI.
Logs of your testing: Document when and how you test your systems, along with the results.