CMMC Level 2

Control 3.4.2

Establish and Enforce Security Configuration Settings


Official Requirement

Establish and enforce security configuration settings for information technology products employed in organizational information systems.

What This Means in Plain English

Every IT product in scope (servers, workstations, network devices, hypervisors, cloud tenants) must have a documented set of security configuration settings, and those settings must actually be applied and kept in place. The settings are usually taken from an industry benchmark such as the CIS Benchmarks or DISA STIGs, tailored to the organization's needs; any deviation from the benchmark should be recorded with a justification rather than left silent. In practice this means default passwords are changed, unnecessary services and ports are disabled, and security features are enabled exactly as the documented standard says, on every system of that type.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • CIS Benchmark-aligned Group Policy templates applied to all Windows systems
  • FortiGate firewalls configured per DISA STIG security guidelines
  • Automated configuration compliance scanning using Sophos XDR device compliance checks
  • Microsoft Secure Score monitoring and remediation for Microsoft 365 settings
  • ComplianceArmor documenting approved security configuration settings for each system type

Assessment Guidance

Assessors will ask for the documented configuration standards and compare the configurations of sampled systems against them (for example by reviewing Group Policy results, exported settings, or scan reports), verify that the chosen hardening benchmarks (CIS, STIG) are actually applied rather than merely referenced, test for default credentials and unnecessary services, confirm that approved deviations from the baseline are documented, and check that enforcement and drift detection are automated where possible.

Common Implementation Gaps

  • Systems using factory default configurations
  • No documented security configuration standards
  • Default administrator passwords not changed
  • Unnecessary services and ports left enabled
  • No automated compliance scanning for configuration drift
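The comparison an assessor performs, and the drift scanning the last gap above calls for, can be automated against the documented standard. The following is an added example written for this page, not Petronella's tooling or ComplianceArmor: it parses a captured policy export in the style of a Windows `secedit /export` INF file plus a service inventory, checks both against a documented baseline, and reports settings that drift from the standard and services that are enabled but not on the approved list. The baseline values, the approved-service list and both captured samples are constructed for illustration and only resemble CIS Benchmark settings; replace them with the settings from the benchmark you actually adopt.

```python
"""Configuration-drift check: compare captured settings against a documented
security baseline and report drift (the check CMMC 3.4.2 assessors look for).

Added example for this page, not vendor tooling. The baseline, the approved
service list and both captured samples below are constructed sample data; they
follow the style of a `secedit /export` INF file and CIS-like settings, but the
values are assumptions to be replaced by the benchmark you adopt.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    key: str
    op: str      # "eq", "min" or "max"
    value: int
    why: str     # justification recorded with the documented standard


# Documented security configuration standard (assumed values).
BASELINE = (
    Rule("MinimumPasswordLength", "min", 14, "minimum password length"),
    Rule("PasswordComplexity", "eq", 1, "complexity required"),
    Rule("LockoutBadCount", "max", 5, "lockout threshold"),
    Rule("LockoutBadCount", "min", 1, "lockout must be enabled (0 = off)"),
    Rule("EnableGuestAccount", "eq", 0, "built-in Guest disabled"),
    Rule("ClearTextPassword", "eq", 0, "no reversible password storage"),
)

# Services allowed to be enabled on this system type (assumed list).
APPROVED_SERVICES = {"EventLog", "WinDefend", "Dhcp", "Dnscache", "wuauserv"}

# Constructed sample: captured policy export (secedit /export /cfg style).
CAPTURED_POLICY = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: service inventory as (name, start type).
CAPTURED_SERVICES = [
    ("EventLog", "Automatic"),
    ("WinDefend", "Automatic"),
    ("Dhcp", "Automatic"),
    ("TlntSvr", "Automatic"),     # Telnet server left enabled: not approved
    ("RemoteRegistry", "Manual"), # still startable, so still a finding
    ("Spooler", "Disabled"),      # disabled: not a finding
]


def parse_inf(text):
    """Collect 'key = value' lines from an INF/INI export into a dict.
    Integer-looking values become ints; section headers are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        settings[key] = int(raw) if re.fullmatch(r"-?\d+", raw) else raw
    return settings


def check_settings(settings, baseline=BASELINE):
    """Return (key, observed, rule) for every baseline rule that is not met.
    A key missing from the export is a finding: an unset value cannot be
    shown to be compliant, so it must not pass silently."""
    findings = []
    for rule in baseline:
        observed = settings.get(rule.key)
        ok = isinstance(observed, int) and {
            "eq": observed == rule.value,
            "min": observed >= rule.value,
            "max": observed <= rule.value,
        }[rule.op]
        if not ok:
            findings.append((rule.key, observed, rule))
    return findings


def check_services(services, approved=APPROVED_SERVICES):
    """Names of services that are not Disabled yet not on the approved list:
    the 'unnecessary services left enabled' gap."""
    return sorted(name for name, start in services
                  if start != "Disabled" and name not in approved)


def report(settings, services):
    """Human-readable drift report, one line per finding."""
    lines = []
    for key, observed, rule in check_settings(settings):
        lines.append(f"DRIFT {key}: observed {observed!r}, "
                     f"required {rule.op} {rule.value} ({rule.why})")
    for name in check_services(services):
        lines.append(f"SERVICE {name}: enabled but not on the approved list")
    return lines


if __name__ == "__main__":
    for line in report(parse_inf(CAPTURED_POLICY), CAPTURED_SERVICES):
        print(line)
```

Two design points carry over to real tooling: a setting absent from the export is reported as a finding rather than passing by default, and the baseline is data (key, operator, value, justification) rather than code, so the same table can be handed to an assessor as the documented standard and diffed when the benchmark version changes.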

Cross-Framework Mapping

Framework         Mapped Controls
NIST SP 800-53    CM-6 (Configuration Settings)
PCI DSS           Req 2.2 - Develop configuration standards for all system components

Need Help Implementing 3.4.2?

Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.

Schedule a Compliance Assessment