CM.L2-3.4.2

CM.L2-3.4.2: Security Configuration Enforcement

Establish and enforce security configuration settings for information technology products employed in organizational systems.

CM.L2-3.4.2 is about enforcement. You have security configuration baselines in place (that’s CM.L2-3.4.1). Now you need to push those baselines out to your devices and make sure they stay in place. This means using management tools to enforce settings centrally, monitoring for changes, and taking action when devices drift out of compliance.

For small contractors, this typically means Intune for cloud-managed devices, Group Policy for domain-joined Windows machines, or a combination of both. In practice, this control doesn’t get deep scrutiny in most assessments. The assessor mainly wants to see that you have a standard build and can show the policy specs that enforce it on each endpoint. CIS benchmarks and DISA STIGs haven’t been a major assessment topic for most small contractors, though referencing them strengthens your position.

What the assessor is actually evaluating

The assessor is looking for evidence that your security configurations are actively enforced across devices, not just defined in a policy document. Specifically, they want to see:

  1. What settings are you enforcing? Can you show a list of enforced settings that aligns with your baselines?
  2. How are they pushed? What tool or process ensures devices receive and maintain these configurations?
  3. What happens when devices drift? Do you detect when a setting changes, and do you re-enforce it or block device access?
  4. What are the consequences for non-compliance? Do non-compliant devices lose access to organizational resources?

Intune compliance policies and configuration profiles are the modern answer. Group Policy works well for domain-joined machines. For cloud-only environments, Intune is where this enforcement happens. The assessor expects you to have compliance dashboards showing device status.

Common enforced settings at the L2 level include screen lock timeout (10-15 minutes), password complexity, BitLocker or full-disk encryption, firewall enabled, automatic updates enabled, and restrictions on USB or removable media.

How to present your evidence

  1. Compliance dashboard. Export a screenshot from Intune or Group Policy showing device compliance status. Make sure the dashboard clearly shows the enforced configurations and which devices are compliant.
  2. Policy document. Provide a copy of your baseline configurations (from CM.L2-3.4.1). Cross-reference this with the enforced configurations in Intune or Group Policy.
  3. Enforcement mechanism. Show the Intune compliance policy or Group Policy Object (GPO) that implements these settings. Include the specific settings being enforced (not just the name of the policy).
  4. Drift detection and remediation. Show how you monitor for drift. If a device falls out of compliance, what happens? Does Intune re-enforce the setting? Do you have Conditional Access rules that block access?
  5. Conditional Access rules. If you’re using Intune, show the Conditional Access policies that require device compliance. This ties enforcement to access control.
Example SSP Language: CM.L2-3.4.2

All Windows devices that access or process CUI are managed through Microsoft Intune and joined to our Azure AD tenant. We have defined baseline configurations for Windows 10/11 devices, including password policy (minimum 12 characters, complexity required), screen lock timeout (10 minutes), BitLocker encryption, Windows Defender Firewall enabled, and automatic Windows Update scheduling for Patch Tuesdays. These configurations are enforced through Intune compliance policies and configuration profiles. All domain-joined machines are managed via Group Policy Objects that enforce the same baseline settings. Compliance status is monitored daily through Intune dashboards. Devices that fall out of compliance are automatically remediated through Intune; if remediation fails, the device is blocked from accessing organizational email and cloud resources via Conditional Access rules. For contractors and remote workers, enrollment in Intune is required before access to CUI systems is granted.

Common failures

Configurations documented but not enforced. You have a security policy document that lists all the settings devices should have, but you’re not pushing those settings through Intune or Group Policy. The settings might be configured on devices manually, but there’s no ongoing enforcement or drift detection. The assessor will ask: “If I change this setting on my device, what happens?” If the answer is nothing, you fail this practice.

No drift detection. You enforced baseline configurations six months ago via Intune or GPO, but you don’t actively monitor whether devices still comply. A user disables Windows Defender Firewall, and you never know. Without drift detection, you can’t prove enforcement is active.

BYOD devices with no MDM. You have personal devices accessing CUI without any management tool enforcing security configurations. Even if users are required to follow security policies, there’s no technical enforcement.

Compliance policies without consequences. Intune shows device compliance status, but non-compliant devices still have full access to everything. Enforcement requires teeth—if you’re not blocking access or remediating drift, you’re not really enforcing.

Non-standardized enforcement. You enforce baselines on some machines via Intune and others via manual configuration scripts or manual patching. This is inconsistent and difficult to audit.

If you use an MSP or MSSP

Your MSP or MSSP typically manages Intune or Group Policy configuration and can provide compliance dashboards showing which devices meet your baselines. When you work with them, make sure you have written agreements defining:

  1. What baseline configurations they will enforce.
  2. How frequently they monitor compliance.
  3. What actions they take when devices fall out of compliance (re-enforce, alert you, block access).
  4. How they report compliance status to you for your own records.

Your MSP should be able to provide compliance reports on demand. During an assessment, you should be able to run a report showing device compliance yourself, not just rely on the MSP. If your MSP blocks access to non-compliant devices via Conditional Access, make sure you understand how that rule works and can explain it to the assessor.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q&A: What the assessor asks and what good answers sound like

What specific settings are you enforcing for Windows devices?
We enforce screen lock timeout to 10 minutes of inactivity, password minimum length of 12 characters with complexity requirements, BitLocker encryption for all drives, Windows Defender Firewall enabled on all profiles (Domain, Private, Public), automatic Windows Updates scheduled for the second Tuesday of each month, and restrictions on USB mass storage devices. These settings are defined in our baseline configuration standard and enforced via Intune configuration profiles for all managed Windows 10 and 11 devices.
How do you ensure these settings stay enforced if a user changes them?
Intune continuously evaluates device compliance against our policies. If a device falls out of compliance (for example, if a user disables Windows Defender or changes the screen lock timeout), Intune detects this within 24 hours and attempts remediation by re-enforcing the setting. If remediation fails after three attempts, we have a Conditional Access rule that blocks the device from accessing organizational email and cloud resources until compliance is restored.
What about macOS or Linux devices?
At this time, we only deploy macOS devices to senior management, and those devices are managed via Jamf Pro with baseline configurations for screen lock, FileVault encryption, and firewall enabled. Linux servers are not managed endpoints; they are only accessed by IT staff through bastion hosts with logging and MFA. Since our primary user population uses Windows, that's where our enforcement is most mature.
Can you show me a compliance report?
Yes. [Provide a screenshot or export from Intune showing the Devices > Compliance dashboard. The report should show total devices enrolled, number compliant, number non-compliant, and which specific policies each device is evaluated against.] This report runs daily and is reviewed weekly by our IT team.
What happens if a contractor's device doesn't meet your baselines?
Contractors are not allowed to access CUI until their device is enrolled in Intune and passes a baseline compliance check. If a contractor device falls out of compliance during a project, access to CUI systems is immediately revoked via Conditional Access. The contractor is notified and given instructions to remediate the issue before access is restored.

Disclaimer: This guidance is provided for informational purposes to help organizations prepare for CMMC assessments. It is not a substitute for official CMMC documentation, NIST guidelines, or professional security advice. Organizations should consult with qualified CMMC assessors and security professionals to ensure their practices meet CMMC requirements in their specific context. Requirements and assessment criteria may change; verify against the official CMMC standards and your assessment scope.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.

← IR.L2-3.6.1: Incident Handling All Practices CM.L2-3.4.1: Baseline Configurations →