CMMC Level 2: Configuration Management & Maintenance

Pretorin Team
13 min read

Configuration management and maintenance practices ensure your systems are set up securely and stay that way. These 15 practices (nine in Configuration Management, six in Maintenance) cover establishing secure baselines, managing changes, and maintaining systems without introducing vulnerabilities.

Configuration Management (CM) - 9 Practices

Configuration Management from NIST SP 800-171 section 3.4 ensures systems are configured securely, changes are controlled, and configurations remain consistent. Misconfigurations are one of the leading causes of security breaches.

Baseline Configurations (3.4.1 - 3.4.2)

  • 3.4.1: Establish and maintain baseline configurations and inventories of organizational systems throughout their life cycles
  • 3.4.2: Establish and enforce security configuration settings for IT products

What is a baseline? A baseline is a documented, approved configuration state that serves as the reference point for your systems. It includes operating system settings, installed software, network configurations, and security controls.

Implementation guidance:

  • Use industry benchmarks like CIS Benchmarks or DISA STIGs as starting points
  • Document your organization's approved baseline for each system type
  • Maintain a current inventory of all hardware and software
  • Use configuration management tools (Ansible, Puppet, SCCM, Intune) to enforce baselines
  • Scan systems regularly to detect configuration drift

CIS Benchmarks are freely available secure configuration guides for operating systems, applications, and cloud platforms. They provide excellent starting points for CMMC compliance.
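The drift scan in the last bullet is the piece most organizations leave to a tool they never inspect. The following script, added here as an illustration and not taken from the article or from any vendor product, shows what that check reduces to: an approved baseline for one system type, a snapshot of what a host actually looks like, and a comparison that reports every deviation as a finding. The baseline keys, the setting names and the sample snapshot are constructed for the example; a real snapshot would come from your endpoint agent, configuration-management tool or compliance scanner.

```python
"""Baseline drift check.

Added example, not code from the original article. The baseline and the
observed snapshot below are constructed for illustration; in practice the
snapshot would come from an agent, a config-management tool or a compliance
scanner, and the baseline from your approved CIS/STIG-derived build document.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Approved baseline for one system type. Keys and values are illustrative
# (assumption), loosely modelled on common CIS-style hardening settings.
WORKSTATION_BASELINE: Dict[str, Any] = {
    # Settings that must match exactly.
    "settings": {
        "smb1_enabled": False,
        "autorun_disabled": True,
        "min_password_length": 14,
        "host_firewall_enabled": True,
    },
    # Least functionality: any listening port outside this set is drift.
    "allowed_listening_ports": {3389, 5985},
    # Inventory: every installed package must be on the approved list...
    "approved_software": {"7-zip", "chrome", "office", "edr-agent"},
    # ...and some packages must always be present.
    "required_software": {"edr-agent"},
}


@dataclass
class DriftReport:
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def check_drift(baseline: Dict[str, Any], observed: Dict[str, Any]) -> DriftReport:
    """Compare an observed snapshot against the baseline and list every deviation."""
    report = DriftReport()

    # 1. Exact-value settings (a missing key is reported, not silently accepted).
    for key, expected in baseline["settings"].items():
        actual = observed.get("settings", {}).get(key, "<missing>")
        if actual != expected:
            report.findings.append(
                f"setting {key}: expected {expected!r}, found {actual!r}")

    # 2. Listening ports not on the allowlist.
    extra_ports = set(observed.get("listening_ports", [])) - baseline["allowed_listening_ports"]
    for port in sorted(extra_ports):
        report.findings.append(f"unapproved listening port {port}")

    # 3. Software inventory: unapproved installs and missing required packages.
    installed = set(observed.get("installed_software", []))
    for pkg in sorted(installed - baseline["approved_software"]):
        report.findings.append(f"unapproved software installed: {pkg}")
    for pkg in sorted(baseline["required_software"] - installed):
        report.findings.append(f"required software missing: {pkg}")

    return report


# Constructed snapshot of one workstation (not real data): SMBv1 has been
# re-enabled, telnet is listening, a remote-support tool was installed and the
# EDR agent is gone.
SAMPLE_SNAPSHOT: Dict[str, Any] = {
    "settings": {
        "smb1_enabled": True,
        "autorun_disabled": True,
        "min_password_length": 14,
        "host_firewall_enabled": True,
    },
    "listening_ports": [3389, 5985, 23],
    "installed_software": ["7-zip", "chrome", "office", "teamviewer"],
}

if __name__ == "__main__":
    result = check_drift(WORKSTATION_BASELINE, SAMPLE_SNAPSHOT)
    for finding in result.findings:
        print("DRIFT:", finding)
    # Non-zero exit so a scheduler or CI job can flag the host for change review.
    raise SystemExit(0 if result.compliant else 1)
```

Two design points carry over to whatever tool you actually use: a setting that is absent from the snapshot is a finding, not a pass, and the script fails closed with a non-zero exit so unexplained drift lands in the change-control queue rather than in a report nobody reads.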

Change Control (3.4.3 - 3.4.5)

  • 3.4.3: Track, review, approve or disapprove, and log changes to organizational systems
  • 3.4.4: Analyze the security impact of changes prior to implementation
  • 3.4.5: Define, document, approve, and enforce physical and logical access restrictions associated with changes

Change management process:

  1. Request: Document the proposed change and its purpose
  2. Review: Assess security impact. Will this change affect CUI protection?
  3. Approve: Designated authority approves or rejects the change
  4. Test: Test in non-production environment when possible
  5. Implement: Make the change with appropriate access controls
  6. Verify: Confirm the change works and didn't break security
  7. Document: Update baselines and system documentation

Example changes requiring review:

  • Installing new software
  • Modifying firewall rules
  • Changing user permissions
  • Adding network connections
  • Updating operating systems

Least Functionality (3.4.6 - 3.4.8)

  • 3.4.6: Employ the principle of least functionality by configuring systems to provide only essential capabilities
  • 3.4.7: Restrict, disable, or prevent use of nonessential programs, functions, ports, protocols, and services
  • 3.4.8: Apply deny-by-exception (blacklisting) policy to prevent use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow execution of authorized software

Implementation guidance:

  • Remove or disable unnecessary services (e.g., Telnet, FTP, SMBv1)
  • Uninstall unused software and features
  • Close unnecessary network ports
  • Disable autorun/autoplay features
  • Implement application whitelisting (Windows Defender Application Control, AppLocker)
  • Block known-bad file types at the email gateway
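3.4.8 gives you a choice, and the deny-all, permit-by-exception side of it is where the assessment value is. The script below is an added illustration, not the article's material and not AppLocker or Windows Defender Application Control themselves; it models the evaluation order those tools share (an explicit deny wins, otherwise the first matching allow rule, otherwise deny) so you can see what each rule type actually buys you. The rule set, paths, signer strings and file contents are all constructed; the point it demonstrates is that one over-broad path rule quietly turns an allowlist back into "run anything".

```python
"""Deny-all, permit-by-exception application control.

Added example, not code from the original article and not AppLocker or WDAC
itself. It models how such policies are evaluated (deny rules win, then the
first matching allow rule, otherwise deny) so the effect of each rule type can
be seen. Rule set, paths, signer strings and file contents are constructed.
"""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes
    signer: Optional[str] = None  # verified code-signing publisher, None if unsigned


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    kind: str    # "publisher", "hash" or "path"
    value: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rule_matches(rule: Rule, exe: Executable) -> bool:
    if rule.kind == "publisher":
        return exe.signer is not None and exe.signer == rule.value
    if rule.kind == "hash":
        return sha256_hex(exe.content) == rule.value
    if rule.kind == "path":
        # Case-insensitive glob; '*' crosses directory separators, as AppLocker path rules do.
        return fnmatch(exe.path.lower(), rule.value.lower())
    raise ValueError(f"unknown rule kind: {rule.kind}")


def is_allowed(policy: List[Rule], exe: Executable) -> Tuple[bool, str]:
    """Default deny: run only if some allow rule matches and no deny rule does."""
    matched = [r for r in policy if rule_matches(r, exe)]
    if any(r.action == "deny" for r in matched):
        return False, "explicit deny"
    for r in matched:
        if r.action == "allow":
            return True, f"allowed by {r.kind} rule {r.value}"
    return False, "no allow rule matched (default deny)"


APPROVED_TOOL = b"constructed bytes standing in for an approved, unsigned utility"

GOOD_POLICY: List[Rule] = [
    Rule("allow", "publisher", "O=Microsoft Corporation"),   # signed OS binaries
    Rule("allow", "path", r"c:\program files\*"),            # admin-only install dir
    Rule("allow", "hash", sha256_hex(APPROVED_TOOL)),        # one vetted unsigned tool
    # A user-writable folder under an allowed path must be carved out explicitly.
    Rule("deny", "path", r"c:\program files\shared\temp\*"),
]

# A single over-broad path rule turns the allowlist back into "run anything".
WEAK_POLICY: List[Rule] = GOOD_POLICY + [Rule("allow", "path", r"c:\users\*")]

# Constructed sample executions (not real binaries).
SAMPLES: List[Executable] = [
    Executable(r"C:\Windows\System32\notepad.exe", b"os binary", "O=Microsoft Corporation"),
    Executable(r"C:\Program Files\ExampleVendor\tool.exe", b"vendor binary"),
    Executable(r"C:\Users\bob\Downloads\vetted-tool.exe", APPROVED_TOOL),
    Executable(r"C:\Users\bob\Downloads\vetted-tool.exe", APPROVED_TOOL + b"\x90"),  # tampered copy
    Executable(r"C:\Users\bob\Downloads\dropper.exe", b"unsigned dropper"),
    Executable(r"C:\Program Files\Shared\Temp\dropper.exe", b"unsigned dropper"),
]


def evaluate(policy: List[Rule]) -> List[Tuple[str, bool, str]]:
    """Evaluate every sample under one policy: (path, allowed?, reason)."""
    return [(e.path, *is_allowed(policy, e)) for e in SAMPLES]


if __name__ == "__main__":
    for name, policy in (("GOOD_POLICY", GOOD_POLICY), ("WEAK_POLICY", WEAK_POLICY)):
        print(name)
        for path, allowed, reason in evaluate(policy):
            print(f"  {'ALLOW' if allowed else 'DENY ':5} {path}  ({reason})")
```

Note what the hash rule does for the tampered copy: a single appended byte and the vetted tool is back to default deny, which is exactly the behaviour you want from an exception for an unsigned utility. Path rules only hold up where standard users cannot write, so audit the directory permissions behind every path rule as part of the baseline.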

User-Installed Software (3.4.9)

3.4.9: Control and monitor user-installed software.

Implementation:

  • Remove local admin rights from standard users
  • Implement a software request process
  • Use a company software portal for approved applications
  • Monitor for unauthorized software installations
  • Scan for and remove unauthorized software

Maintenance (MA) - 6 Practices

The Maintenance domain from NIST SP 800-171 section 3.7 ensures that system maintenance is performed securely without exposing CUI or introducing vulnerabilities.

Maintenance Performance (3.7.1 - 3.7.2)

  • 3.7.1: Perform maintenance on organizational systems
  • 3.7.2: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance

Implementation guidance:

  • Schedule regular maintenance windows
  • Document maintenance procedures
  • Control and inventory maintenance tools
  • Scan maintenance tools for malware before use
  • Supervise maintenance personnel who aren't employees
  • Review maintenance logs for anomalies

Equipment Sanitization (3.7.3)

3.7.3: Ensure equipment removed for off-site maintenance is sanitized of any CUI.

Why it matters: If a server or laptop is sent for repair, the hard drive may contain CUI. You must remove or encrypt CUI before equipment leaves your control.

Implementation:

  • Remove or destroy storage media before external repair
  • Use full-disk encryption so data is protected even if media can't be removed; this only counts if the key does not travel with the device (a TPM-only auto-unlock configuration leaves the disk readable at boot). Destroying the key before shipment is the cryptographic-erase option NIST SP 800-88 describes
  • Maintain chain of custody for equipment
  • Use cleared/vetted repair facilities when possible
  • Document sanitization procedures performed

Media Inspection (3.7.4)

3.7.4: Check media containing diagnostic and test programs for malicious code before use.

Implementation:

  • Scan USB drives and other media from vendors before connecting
  • Use a standalone scanning station not connected to production networks
  • Maintain a library of trusted diagnostic tools
  • Verify integrity of downloaded tools using checksums published over a separate trusted channel (the vendor's site or a signed manifest); a checksum served from the same place as the file can be altered along with it and then only detects corruption, not tampering
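Checksum verification is usually done by eye against a vendor web page, which does not scale to a library of diagnostic tools. The script below, an added example rather than the article's own material or any vendor's tool, parses the manifest format that `sha256sum` produces and most vendors publish, then checks every file in a download against it. The manifest and the file contents are constructed; what it adds over a one-line `sha256sum -c` is that an extra file nothing vouches for, and a manifest entry you never received, are both reported as failures.

```python
"""Verify downloaded diagnostic tools against a vendor SHA256SUMS manifest.

Added example, not code from the original article. It parses the format that
`sha256sum` produces and that most vendors publish, then checks a set of
downloaded files against it. The manifest and file contents are constructed.
"""
import hashlib
import re
from typing import Dict

# One entry per line: 64 hex digits, a space, then either a space (text mode)
# or '*' (binary mode), then the file name.
_ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Map file name -> expected lowercase hex digest; reject malformed lines."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ENTRY.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {raw!r}")
        digest, name = match.groups()
        expected[name] = digest.lower()
    return expected


def verify_files(manifest: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Per-file verdict: 'ok', 'MISMATCH', 'not in manifest' or 'missing'.

    'not in manifest' matters as much as a mismatch: an extra file that came with
    the download has nothing vouching for it. 'missing' flags manifest entries
    you did not receive, which is how a partially swapped bundle shows up.
    """
    expected = parse_sha256sums(manifest)
    verdicts: Dict[str, str] = {}
    for name, data in files.items():
        if name not in expected:
            verdicts[name] = "not in manifest"
            continue
        actual = hashlib.sha256(data).hexdigest()
        verdicts[name] = "ok" if actual == expected[name] else "MISMATCH"
    for name in expected:
        verdicts.setdefault(name, "missing")
    return verdicts


def all_verified(verdicts: Dict[str, str]) -> bool:
    return all(v == "ok" for v in verdicts.values())


# Constructed inputs (not a real vendor manifest or real tools).
GOOD_TOOL = b"constructed contents of diag-tool-1.2.bin\n"
MANIFEST = (
    "# SHA256SUMS (constructed for the example)\n"
    f"{hashlib.sha256(GOOD_TOOL).hexdigest()}  diag-tool-1.2.bin\n"
    f"{hashlib.sha256(b'original firmware-util').hexdigest()} *firmware-util.exe\n"
)
DOWNLOADED = {
    "diag-tool-1.2.bin": GOOD_TOOL,                  # intact
    "firmware-util.exe": b"modified firmware-util",  # altered in transit or on the mirror
    "extra-installer.msi": b"came with the bundle",  # nothing vouches for it
}

if __name__ == "__main__":
    results = verify_files(MANIFEST, DOWNLOADED)
    for name, verdict in results.items():
        print(f"{verdict:15} {name}")
    raise SystemExit(0 if all_verified(results) else 1)
```

The manifest string itself is the trust anchor here, so obtain it from the vendor's site or a signed release and keep it in your trusted tool library alongside the binaries; the script will happily confirm a tampered file against a tampered manifest fetched from the same mirror.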

Remote Maintenance (3.7.5 - 3.7.6)

  • 3.7.5: Require multifactor authentication to establish nonlocal maintenance sessions and terminate such sessions when complete
  • 3.7.6: Supervise maintenance activities of personnel without required access authorization

Implementation guidance:

  • Require MFA for all remote maintenance connections
  • Use encrypted connections (SSH, VPN) for remote maintenance
  • Log all remote maintenance sessions
  • Terminate sessions immediately when maintenance is complete
  • If vendors need access, supervise them (screen sharing, on-site escort)
  • Disable remote access tools when not in active use

Common issue: Many organizations leave remote support tools (TeamViewer, AnyDesk) permanently installed and accessible. These should be disabled when not actively in use and require MFA when enabled.
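Logging every remote maintenance session is only useful if someone reads the log for the two failures 3.7.5 names: a session established without MFA, and a session that was never terminated. The script below is an added example, not the article's own material and not the output format of any particular gateway; it assumes a simple key=value session log (constructed here) of the kind a jump host or remote-support gateway could be configured to emit, and turns a day's log into findings you could hand to whoever owns the vendor relationship.

```python
"""Audit remote (nonlocal) maintenance session logs.

Added example, not code from the original article. It assumes a simple
key=value session log (constructed below) of the kind a jump host or remote
support gateway could emit, and flags the failures 3.7.5 is about:
sessions established without MFA and sessions that were never terminated.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def parse_line(line: str) -> dict:
    """'<ISO 8601 UTC timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def audit_sessions(log_text: str, review_end: datetime,
                   max_duration: timedelta = timedelta(hours=4)) -> List[str]:
    """Return one finding per problem; an empty list means the log is clean."""
    sessions: Dict[str, dict] = {}
    findings: List[str] = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        sid = f["id"]
        if f["event"] == "session_start":
            sessions[sid] = {
                "start": f["ts"], "end": None,
                "user": f.get("user", "?"), "tool": f.get("tool", "?"),
                "mfa": f.get("mfa") == "yes",
            }
        elif f["event"] == "session_end":
            if sid not in sessions:
                findings.append(f"{sid}: session_end without a matching start (log gap or tampering)")
            else:
                sessions[sid]["end"] = f["ts"]

    for sid, s in sessions.items():
        who = f"{s['user']} via {s['tool']}"
        if not s["mfa"]:
            findings.append(f"{sid}: {who} established without MFA")
        if s["end"] is None:
            findings.append(f"{sid}: {who} never terminated, open for {review_end - s['start']}")
        elif s["end"] - s["start"] > max_duration:
            findings.append(f"{sid}: {who} ran {s['end'] - s['start']}, longer than {max_duration}")
    return findings


# Constructed log for one day (not real data). s1 is clean, s2 skipped MFA,
# s3 was left open overnight, s4 ends without ever having started.
SAMPLE_LOG = """\
2024-05-06T09:00:12Z event=session_start id=s1 user=vendor.alice tool=ssh mfa=yes
2024-05-06T09:47:03Z event=session_end id=s1
2024-05-06T13:15:40Z event=session_start id=s2 user=vendor.bob tool=anydesk mfa=no
2024-05-06T13:58:11Z event=session_end id=s2
2024-05-06T17:02:55Z event=session_start id=s3 user=vendor.alice tool=ssh mfa=yes
2024-05-06T18:30:00Z event=session_end id=s4
"""
REVIEW_END = datetime(2024, 5, 7, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_LOG, REVIEW_END):
        print("FINDING:", finding)
```

Run this at the end of every maintenance window rather than monthly: a session flagged as still open is something to kill now, and a start with `mfa=no` means the gateway configuration, not just the vendor, needs a change ticket.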

Implementation Best Practices

Configuration Management Database (CMDB)

A CMDB tracks your IT assets and their configurations:

  • Hardware inventory (servers, workstations, network devices)
  • Software inventory (installed applications, versions)
  • Network topology and connections
  • Configuration baselines
  • Asset owners and custodians
  • Relationship between assets

Automation Tools

Consider these tools for configuration management:

  • Microsoft Intune/SCCM: Windows endpoint configuration
  • Ansible/Puppet/Chef: Infrastructure as code
  • Group Policy: Windows domain configuration
  • AWS Config/Azure Policy: Cloud configuration
  • Nessus/Qualys: Configuration compliance scanning

Evidence for Assessment

Prepare the following for your C3PAO assessment:

  • Configuration management policy and procedures
  • Hardware and software inventory
  • Baseline configuration documentation
  • Configuration scan results showing compliance
  • Change management records (requests, approvals, implementation)
  • Security impact analysis examples
  • Application whitelist/blacklist documentation
  • Maintenance logs and records
  • Remote maintenance session logs
  • Evidence of maintenance tool scanning

Key Takeaways

  • Establish and document secure baseline configurations for all system types
  • Implement formal change management with security impact analysis
  • Remove unnecessary software, services, and functions
  • Control user-installed software through least privilege
  • Secure maintenance activities, especially remote maintenance with MFA
  • Sanitize equipment before it leaves your control

Next in the Series

Continue to CMMC Level 2: Physical, Personnel & Media Protection to learn about protecting your physical environment and handling sensitive media.

Need help tracking your configuration baselines? Get early access to Pretorin and let AI help you document and monitor your security controls.
