The nine Configuration Management controls of NIST SP 800-171 R2 are listed below. For each one the page gives the requirement, the NIST SP 800-53 controls it maps to, and, where applicable, the Microsoft 365 components that can be used to implement it.
Establish and maintain baseline configurations and up-to-date inventories of organizational systems (hardware, software, firmware, documentation) across the system development life cycle. Baselines must be documented, authorized, and reviewed regularly. Inventories must reflect changes during installations and removals.
Mapped NIST SP 800-53 controls:
CM-2: Baseline Configuration
CM-6: Configuration Settings
CM-8: System Component Inventory
CM-8 (1): Inventory Updates During Installations/Removals
Establish and enforce secure configuration settings for IT products based on industry standards (e.g., CIS Benchmarks, DISA STIGs). Settings must be applied consistently, reviewed periodically, and enforced with automated tools wherever possible; any deviation from the chosen benchmark must be identified, documented, and approved rather than silently tolerated.
Mapped NIST SP 800-53 control:
CM-6: Configuration Settings
Recommended Microsoft solution: Microsoft 365 E5 with GCC High
(includes Intune for policy enforcement, Defender for Endpoint for secure configuration compliance, and the Compliance Center, now the Microsoft Purview compliance portal, for monitoring/reporting)
Track, review, approve or disapprove, and log changes to organizational systems to ensure only authorized modifications are made and to support system integrity.
Mapped NIST SP 800-53 control:
CM-3: Configuration Change Control
Recommended Microsoft solution: Microsoft 365 E5 (or GCC High E5 for CUI)
(includes Microsoft Intune, Defender for Endpoint, and Purview Audit for visibility and policy-based enforcement of configuration changes)
Analyze the security impact of proposed configuration changes before implementation to ensure they do not introduce vulnerabilities or violate existing policies.
Mapped NIST SP 800-53 control:
CM-4: Security Impact Analysis
Recommended Microsoft solution: Microsoft 365 E5 (or GCC High E5 for CUI)
(includes Microsoft Defender for Cloud, Intune, and Purview Change Insights for change evaluation and impact analysis workflows)
Define, document, approve, and enforce logical and physical access restrictions to ensure only authorized personnel can initiate or approve configuration changes to organizational systems.
Mapped NIST SP 800-53 control:
CM-5: Access Restrictions for Change
Recommended Microsoft solution: Microsoft 365 E5 (or GCC High E5 for CUI)
(includes Microsoft Defender for Endpoint, Intune role-based access control, and Purview Audit for change enforcement)
Enforce the principle of least functionality by configuring systems to disable or remove all non-essential software, services, and network protocols, allowing only those functions required for mission or business operations.
Mapped NIST SP 800-53 control:
CM-7: Least Functionality
Recommended Microsoft solution: Microsoft 365 E5 (or GCC High E5 for CUI)
(includes Microsoft Intune, Defender for Endpoint, and Purview to audit and enforce baseline configurations)
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services through centralized configuration management, periodic reviews, and execution restrictions. The periodic review means re-checking what is actually listening and running on each system against the approved list at a defined interval, not just at initial deployment.
Mapped NIST SP 800-53 controls:
CM-7 (1): Least Functionality (Periodic Review)
CM-7 (2): Least Functionality (Prevent Program Execution)
Recommended Microsoft solution: Microsoft 365 E5 (or GCC High E5 for CUI)
(includes Microsoft Intune for app control, Defender for Endpoint for blocking nonessential services, and Group Policy for disabling ports and protocols)
Enforce a deny-by-exception (blacklisting) policy to prevent the use of unauthorized software, or a deny-all, permit-by-exception (whitelisting) policy so that only explicitly approved applications are allowed to execute. Of the two, permit-by-exception is the stronger control: a denylist can only block software that is already known to be bad, whereas an allowlist blocks anything that has never been approved, including software nobody has seen before.
Mapped NIST SP 800-53 controls:
CM-7 (4): Unauthorized Software (Blacklisting)
CM-7 (5): Authorized Software (Whitelisting)
Recommended Microsoft solution: Microsoft 365 E5 (or GCC High E5 for CUI)
(includes Microsoft Defender Application Control, Intune app protection policies, and Windows Defender Exploit Guard)
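The following is an added example for the unauthorized/authorized software control above; it is not code from the original page or from Microsoft Defender Application Control, but it evaluates the same three rule levels (file hash, publisher, path) that such policies use, so the behaviour of the two approaches can be compared on the same set of execution events. File contents, paths, hashes and the publisher name are constructed.

```python
"""Deny-by-exception versus permit-by-exception execution policy.

Added example, not part of the original page. Rule kinds mirror the hash,
publisher and path levels of application-control products; all events are
constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExecEvent:
    path: str
    content: bytes              # file bytes (constructed); hashed on demand
    publisher: Optional[str]    # verified code-signing publisher, None if unsigned

    def sha256(self):
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Rule:
    kind: str                   # "hash", "publisher" or "path"
    value: str


def matches(rule, ev):
    if rule.kind == "hash":
        return rule.value == ev.sha256()
    if rule.kind == "publisher":
        return ev.publisher is not None and ev.publisher == rule.value
    if rule.kind == "path":
        # Path rules are only safe for directories standard users cannot write to.
        return ev.path.lower().startswith(rule.value.lower())
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def deny_by_exception(ev, denylist):
    """CM-7(4): everything runs unless a denylist rule names it."""
    return "block" if any(matches(r, ev) for r in denylist) else "allow"


def permit_by_exception(ev, allowlist):
    """CM-7(5): nothing runs unless an allowlist rule matches (deny-all default)."""
    return "allow" if any(matches(r, ev) for r in allowlist) else "block"


def compare(events, denylist, allow_hash, allow_signed):
    """Decision of each of the three policies for each labelled event."""
    return {label: (deny_by_exception(ev, denylist),
                    permit_by_exception(ev, allow_hash),
                    permit_by_exception(ev, allow_signed))
            for label, ev in events.items()}


# --- constructed sample events ----------------------------------------------
EVENTS = {
    "app_v1":   ExecEvent(r"C:\Program Files\Vendor\app.exe", b"vendor app build 1", "Vendor Inc"),
    "app_v2":   ExecEvent(r"C:\Program Files\Vendor\app.exe", b"vendor app build 2", "Vendor Inc"),
    "download": ExecEvent(r"C:\Users\bob\Downloads\setup.exe", b"never seen before", None),
    "dropper":  ExecEvent(r"C:\Users\bob\AppData\Local\Temp\svc.exe", b"known bad sample", None),
}
DENYLIST = [Rule("hash", EVENTS["dropper"].sha256())]        # only what is already known
ALLOW_HASH = [Rule("hash", EVENTS["app_v1"].sha256())]       # brittle: breaks on every update
ALLOW_SIGNED = [Rule("publisher", "Vendor Inc"),
                Rule("path", "C:\\Program Files\\")]         # admin-writable directory only

if __name__ == "__main__":
    print(f"{'event':10} {'denylist':9} {'allow(hash)':12} {'allow(signed)':13}")
    for label, (d, ah, asg) in compare(EVENTS, DENYLIST, ALLOW_HASH, ALLOW_SIGNED).items():
        print(f"{label:10} {d:9} {ah:12} {asg:13}")
```

The table the block prints makes the page's point concrete: the denylist lets the unknown download run, both allowlists block it, and the hash-only allowlist also blocks the vendor's legitimate update (app_v2) because the file hash changed, which is why publisher rules are preferred for software that updates itself. Two caveats apply when this is done with a real product: a publisher rule is only as strong as the signature verification behind it, and a path rule must never point at a directory a standard user can write to.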
Control and monitor user-installed software through approval workflows, automated detection, and enforcement of software installation restrictions.
Mapped NIST SP 800-53 control:
CM-11: User-Installed Software
Recommended Microsoft solution: Microsoft 365 E5 (or GCC High E5 for CUI)
(includes Microsoft Intune (formerly Microsoft Endpoint Manager), Defender for Endpoint, and Attack Surface Reduction rules for software control)
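The following is an added example covering the baseline configuration and inventory control (CM-2/CM-8), configuration change control (CM-3) and the user-installed software control (CM-11) above; it is not code from the original page or from any Microsoft product. A host's current component inventory is diffed against its authorized baseline, and each difference is treated as authorized only if an approved change record covers it, so an installation with no approved ticket, or with a ticket still pending, is reported as an unauthorized modification. Hosts, components, versions and ticket numbers are constructed sample data; nothing is scanned.

```python
"""Baseline drift check reconciled against change records.

Added example, not part of the original page. Baseline, scan and change
records are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    kind: str                        # "software", "firmware" or "hardware"


@dataclass(frozen=True)
class ChangeRecord:
    ticket: str
    host: str
    action: str                      # "install", "remove" or "update"
    name: str
    version: Optional[str] = None    # target version; None means any version
    approved: bool = False


@dataclass(frozen=True)
class Finding:
    host: str
    change: str                      # "added", "removed" or "version_changed"
    name: str
    detail: str
    authorized: bool
    ticket: Optional[str] = None


def _approved_record(records, host, action, name, version):
    """Approved change record covering this exact change, or None."""
    for r in records:
        if (r.approved and r.host == host and r.action == action
                and r.name == name and r.version in (None, version)):
            return r
    return None


def check_drift(baseline, current, records):
    """Diff baseline against current inventory per host and label each change."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        base = {c.name: c for c in baseline.get(host, [])}
        now = {c.name: c for c in current.get(host, [])}
        for name in sorted(set(base) | set(now)):
            if name not in base:                     # installed since baseline
                c, action, change = now[name], "install", "added"
                detail, version = f"{c.kind} {c.version}", c.version
            elif name not in now:                    # removed since baseline
                c, action, change = base[name], "remove", "removed"
                detail, version = f"{c.kind} {c.version}", c.version
            elif base[name].version != now[name].version:
                action, change = "update", "version_changed"
                detail = f"{base[name].version} -> {now[name].version}"
                version = now[name].version
            else:
                continue                             # unchanged component
            rec = _approved_record(records, host, action, name, version)
            findings.append(Finding(host, change, name, detail,
                                    rec is not None, rec.ticket if rec else None))
    return findings


def unauthorized(findings):
    """Findings that no approved change record accounts for."""
    return [f for f in findings if not f.authorized]


# --- constructed sample data -------------------------------------------------
BASELINE = {
    "ws-101": [Component("OpenSSL", "3.0.13", "software"),
               Component("BIOS", "1.12", "firmware"),
               Component("NIC-X550", "rev2", "hardware")],
    "srv-07": [Component("Apache httpd", "2.4.58", "software")],
}
SCAN = {
    "ws-101": [Component("OpenSSL", "3.0.15", "software"),       # approved update
               Component("BIOS", "1.12", "firmware"),
               Component("ScreenRecorder", "2.1", "software")],  # ticket still pending
    "srv-07": [],                                                 # approved removal
}
RECORDS = [
    ChangeRecord("CHG-2031", "ws-101", "update", "OpenSSL", "3.0.15", approved=True),
    ChangeRecord("CHG-2040", "srv-07", "remove", "Apache httpd", approved=True),
    ChangeRecord("CHG-2044", "ws-101", "install", "ScreenRecorder", "2.1"),  # not approved
]

if __name__ == "__main__":
    for f in check_drift(BASELINE, SCAN, RECORDS):
        status = f"authorized via {f.ticket}" if f.authorized else "UNAUTHORIZED"
        print(f"{f.host:7} {f.change:16} {f.name:14} {f.detail:22} {status}")
```

The hardware removal on ws-101 and the user-installed ScreenRecorder are the two unauthorized findings; the OpenSSL update and the Apache removal are matched to their approved tickets. The same reconciliation works for whatever the inventory source is (Intune device inventory, Defender for Endpoint software inventory, or a CMDB export), as long as the baseline itself is the authorized one and not just the previous scan.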