Last updated Feb 18, 2026, 2:55 AM UTC

CM.L2-3.4.2 Security Configuration Enforcement

Control Description

Establish and enforce security configuration settings for information technology products employed in organizational systems.

Cross-Framework Mappings

NIST SP 800-171

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • How do you select and approve security configuration settings?
  • What standards or benchmarks guide your security configurations (e.g., CIS, DISA STIGs)?
  • Who is responsible for defining and enforcing security configuration settings?
  • What is your process for reviewing and updating security configuration standards?
  • How do you handle exceptions to security configuration requirements?

Technical Implementation:

  • What tools enforce security configuration settings (GPO, Ansible, Puppet)?
  • How do you apply security benchmarks (CIS, DISA STIGs) to systems?
  • What configuration management tools deploy security settings?
  • How do you verify security configurations are properly applied?
  • What scanning tools detect non-compliant configurations?
  • What technologies prevent users from changing security settings?

Evidence & Documentation:

  • What baseline configuration documentation can you provide?
  • What configuration management plan describes your CM processes?
  • What change request records and approvals can you show?
  • What configuration scanning reports show compliance with baselines?
  • What asset inventory documentation lists all system components?
  • What security configuration benchmarks are applied to systems?
  • What evidence shows configuration changes are tracked and logged?
