Introduction
Red Hat defines Configuration Management as “a process for maintaining computer systems, servers, and software in a desired, consistent state”. [1] In other words, a company will have a complete catalog of its systems’ original configurations, plus any patches or other updates, with details as to why and when changes were made.
Inventories and Baseline Configurations
| Control | |
| 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
The first step in creating a configuration management system is to establish a documented inventory of organizational systems and their “baseline configurations”. A baseline configuration is the settings originally applied to the system to ensure it operates as intended. This reference point is then updated periodically (with corresponding updates to change management logs and other pertinent documentation) as the system configurations change based on operational requirements and new security threats.
The principles of least functionality and privilege are suggested inclusions of organizational system baseline configurations.
Security Configuration Settings
| Control | |
| 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. |
Security should never be an afterthought! Security configuration settings are sets of rules and parameters established by an organization as a baseline to secure all levels of infrastructure. Security configuration settings should encompass data center routers, gateways, firewalls, voice and data switches, servers, storage, and all access points, user workstations, operating systems, and passwords.
It’s recommended to keep a Security Configuration Checklist or Hardening Guide.
Configuration Change Management
| Control | |
| 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. |
| 3.4.4 | Analyze the security impact of changes prior to implementation. |
| 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. |
Any change in configuration (including system upgrades or modifications, patches, port change for ingress and/or egress traffic, permissions, and group policies) involves a systematic review in a hierarchy, and proper documentation to the baseline configuration. NIST SP 800-128 provides guidance for configuration control. Proper physical and logical access restrictions is an essential part of effective configuration change management.
A good change management system is crucial to ensuring that configuration updates do not compromise the function or security of an information system. Steps must be taken before, during, and after a change to a system is made, including the following:
- Formally the change;
- Conduct a security analysis of the change impact;
- Once approved, prioritize and schedule the change;
- Plan the implementation of the change;
- Complete the implementation of the change;
- Conduct a post-implementation review.
In certain circumstances, a proof-of-concept test may be a solution and part of security analysis.
Least Functionality, Non-Essentials, and Software Use Management
| Control | |
| 3.4.6 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. |
| 3.4.7 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |
| 3.4.8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. |
The principle of least functionality is based on information systems being configured to provide only the capabilities that are required to fulfill the purpose of the system, and to restrict non-essential functions, such as ports and protocols.
Simpler makes more secure! Non-essential programs, services, inbound and outbound ports, protocols and system services at entry points, should be restricted or removed from information systems. Control and management of programs should be policy driven by either blacklisting or whitelisting executables or software programs both on server as well as endpoints. Blacklisting, deny-all or deny-by-exception feature allows all software to run except those on an unauthorized list. On the contrary, Whitelisting, or permit-by-exception, does not allow any software to run except if on an authorized list. Generally the more effective policy is Whitelisting. Furthermore, verifying the integrity of whitelisted programs through cryptographic checksums, digital signatures, or hashing functions is strongly recommended.
User-Installed Software
| Control | |
| 3.4.9 | Control and monitor user-installed software. |
User Installed Software, again, comes back to permissions and necessary privileges controlled and granted only as needed. Policy and technical controls should be established to identify permitted or prohibited software installation, including update and security patches. The policy enforcement controls and methods may be procedural, automated, or both. Current technologies allow for all necessary system updates to be controlled by system administrators with no user interaction.
If there are privileged users in the organization with permission to upload software to a workstation, policy should dictate that the user request approval of the software prior to uploading. Additionally, all user-installed software should be monitored for patches and updates.
Need Help?
If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.
FoxGuard Solutions delivers reliable, secure and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities. With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.
Our services will help guide your organization through the Discovery, Planning, Execution and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC). Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements. An execution plan will be created that aligns with your needs, budget and timeline, and which outlines a recommended approach to attain CMMC.
As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience in delivering both on premise as well as cloud-based solutions to assist you with your compliance needs.
FoxGuard Solutions is ISO 9001 and ISO 27001 certified, and is a CMMC-AB Registered Provider Organization.
Please visit https://foxguardsolutions.com/cmmc/ for more information.
[1] https://www.redhat.com/en/topics/automation/what-is-configuration-management