Family 3.4 · 9 requirements
Configuration Management.
Known-good baselines. Disciplined change.
The big picture
Drift kills you in CMMC. Document what 'good' looks like, then enforce it — every change tracked, every deviation explained.
Theme 1
Baseline configs.
3.4.1 — 3.4.2: Establishing a known-good configuration and enforcing security settings on every system.
- 3.4.1 Know Your Inventory. CM.L2-3.4.1 · System Baselining. Baseline configurations and current asset inventory for every piece of hardware and software in your CUI environment.
- 3.4.2 Harden Everything. CM.L2-3.4.2 · Security Configuration Enforcement. Apply security configuration baselines to all systems. No factory defaults. Document and enforce.
Theme 2
Change control.
3.4.3 — 3.4.5: Tracking changes, analyzing security impact, and limiting who can make them.
- 3.4.3 Control Every Change. CM.L2-3.4.3 · System Change Management. Every change to CUI systems goes through a documented process: request, review, approve, implement, log.
- 3.4.4 Check Before You Change. CM.L2-3.4.4 · Security Impact Analysis. Assess the security impact of every change before implementing it.
- 3.4.5 Lock Down Change Access. CM.L2-3.4.5 · Access Restrictions for Change. Only authorized people can make physical and logical changes to CUI systems — documented and technically enforced.
Theme 3
Software and ports.
3.4.6 — 3.4.9: Least functionality, restricted services, allowlisted software, and user-installed software control.
- 3.4.6 Shrink the Attack Surface. CM.L2-3.4.6 · Least Functionality. Configure systems to provide only essential capabilities. Disable everything else.
- 3.4.7 Block What's Not Needed. CM.L2-3.4.7 · Nonessential Functionality. Actively restrict, disable, or prevent nonessential programs, functions, ports, protocols, and services.
- 3.4.8 Whitelist or Blacklist Software. CM.L2-3.4.8 · Application Execution Policy. Application control on CUI systems — decide which software is authorized and enforce it technically.
- 3.4.9 No Unauthorized Software. CM.L2-3.4.9 · User-Installed Software. Control and monitor user-installed software. Users can't install without approval.