| Control | Control Description |
|---|---|
| Configuration Management Program | Mechanisms exist to facilitate the implementation of configuration management controls. |
| Assignment of Responsibility | Mechanisms exist to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties. |
| System Hardening Through Baseline Configurations | Mechanisms exist to develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards. |
| Reviews & Updates | Mechanisms exist to review and update baseline configurations: (1) At least annually; (2) When required due to so; or (3) As part of system component installations and upgrades. |
| Automated Central Management & Verification | Automated mechanisms exist to govern and report on baseline configurations of systems through Continuous Diagnostics and Mitigation (CDM), or similar technologies. |
| Development & Test Environment Configurations | Mechanisms exist to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes. |
| Configure Systems, Components or Services for High-Risk Areas | Mechanisms exist to configure systems utilized in high-risk areas with more restrictive baseline configurations. |
| Respond To Unauthorized Changes | Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents. |
| Baseline Tailoring | Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: (1) Mission / business functions; (2) Operational environment; (3) Specific threats or vulnerabilities; or (4) Other conditions or situations that could affect mission / business success. |
| Least Functionality | Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services. |
| Periodic Review | Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services. |
| Prevent Unauthorized Software Execution | Mechanisms exist to configure systems to prevent the execution of unauthorized software programs. |
| Explicitly Allow / Deny Applications | Mechanisms exist to explicitly allow (allowlist / whitelist) and/or block (denylist / blacklist) applications that are authorized to execute on systems. |
| Unsupported Internet Browsers & Email Clients | Mechanisms exist to allow only approved Internet browsers and email clients to run on systems. |
| User-Installed Software | Mechanisms exist to restrict the ability of non-privileged users to install unauthorized software. |
| Unauthorized Installation Alerts | Mechanisms exist to configure systems to generate an alert when the unauthorized installation of software is detected. |
| Restrict Roles Permitted To Install Software | Mechanisms exist to configure systems to prevent the installation of software, unless the action is performed by a privileged user or service. |