Security Configuration Settings for NIST SP 800-171 & CMMC Compliance

Learn how to meet your configuration management requirements for NIST SP 800-171 and CMMC.

Join our newsletter:

Requirement: 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.

What does this requirement mean?

Every information technology product such as Windows computers, Linux Servers, Microsoft 365, and even printers have an array of system settings that impact security. These can be settings that enable or disable insecure protocols (e.g., SNMP v.1, Telnet), settings that enforce encryption on the device, and settings affecting audit logging. To meet these requirements, you need to identify which security settings you will implement on each of your information technology products and configure these settings.

Why is this control important?

Out of all of the NIST SP 800-171 security controls this is one of the most important. Information technology products generally come with vulnerabilities out of the box, establishing and enforcing security configurations will remediate these vulnerabilities. For example, if you setup a new router it will generally have a default login such as username: admin and password: admin. As you can tell, this is not very secure. The same router may have the login page accessible at both HTTP (unencrypted) and HTTPS (encrypted), a security setting on the router can limit the login page to only HTTPS.
By implementing security configurations on your systems, you also start to meet other NIST SP 800-171 requirements. For example, if you enabling audit logging on a system you are helping to meet your Audit control family requirements. If you enforce complex password requirements for a system you are helping to meet your Identification & Authentication requirements.

How do you meet this requirement?

Identify your information technology products

You need to identify the different types of information products that make up your information system. Most small business have the following: Microsoft 365, Windows computers, potentially Mac computers, printers/scanners, a router, a switch, and a file server (rarer these days).

Establish the security configuration settings

The easiest way to determine which security configuration settings to configure on your systems is to use a guide. The Center for Internet Security and Defense Information Systems Agency have guides telling you which settings to configure on everything from Windows computers, Microsoft 365, printers, switches, firewalls etc. By using these comprehensive and well researched guides you ensure that you aren’t overlooking any important security settings.
Document which of these settings you plan to configure on each of your information technology products. It is recommended that implement as many as you can, however some settings may be ignored if they impact the system's ability to perform mission essential functions.

Enforce the security configuration settings

After you have determined which security configuration settings you will enforce on your systems you need to actually configure them. For Windows systems this can be accomplished using Microsoft Azure AD and Microsoft Endpoint manager. You simply configure the settings using configuration profiles and apply them to your computes. For information technology products such as printers you will likely have to manually configure the settings on each printer separately unless all of your printer models are the same and you reuse the same configuration file on all of them.

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 NIST SP 800-171 & CMMC Compliance App

NIST SP 800-171 & CMMC Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.