CM.L2-3.4.1
Baseline Configs and System Inventory: CM.L2-3.4.1 Guide
Document and maintain the approved state of every system and keep an inventory of everything connected to your network
CM.L2-3.4.2
CM.L2-3.4.2: Security Configuration Enforcement
Establish and enforce security configuration settings for information technology products employed in organizational systems.
CM.L2-3.4.3
CM.L2-3.4.3: System Change Management
Track, review, and approve or disapprove changes to systems in the CUI boundary.
CM.L2-3.4.4
Assessing Risk Before Making Changes: CM.L2-3.4.4 Guide
Analyze the security impact of changes to information systems before implementation.
CM.L2-3.4.5
Who Can Make Changes to CUI Systems: CM.L2-3.4.5 Guide
Define, document, and enforce approval requirements for physical and logical access to systems.
CM.L2-3.4.6
CM.L2-3.4.6: Least Functionality
Employ the principle of least functionality by configuring systems to run only essential services and software.
CM.L2-3.4.7
CM.L2-3.4.7: Nonessential Functionality
Restrict or disable nonessential functions, ports, protocols, and services.
CM.L2-3.4.8
CM.L2-3.4.8: Application Execution Policy
Apply a deny-by-exception application execution policy to restrict software to authorized applications only.
CM.L2-3.4.9
CM.L2-3.4.9: User-Installed Software
Control user-installed software to prevent unauthorized applications from running on systems.