PW.9.2—Implement the default settings (or groups of default settings, if applicable), and document each setting for software administrators.
>Control Description
Implement the default settings (or groups of default settings, if applicable), and document each setting for software administrators.
>Practice: PW.9
Configure Software to Have Secure Settings by Default
Help improve the security of the software at the time of installation to reduce the likelihood of the software being deployed with weak security settings, putting it at greater risk of compromise.
>Notional Implementation Examples
1. Verify that the approved configuration is in place for the software.
2. Document each setting's purpose, options, default value, security relevance, potential operational impact, and relationships with other settings.
3. Use authoritative programmatic technical mechanisms to record how each setting can be implemented and assessed by software administrators.
4. Store the default configuration in a usable format and follow change control practices for modifying it (e.g., configuration-as-code).
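The four notional steps above, as an added example that is not NIST's or any product's code: a hypothetical settings schema that documents each setting as step 2 describes, a configuration-as-code view of the approved defaults (step 4), and a check that verifies the approved configuration is in place and that relationships between settings hold (step 1). Every setting name and value is constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Setting:
    """One documented setting: the fields PW.9.2 asks administrators to see."""
    name: str
    purpose: str
    options: tuple
    default: object
    security_relevance: str
    operational_impact: str
    requires: dict = field(default_factory=dict)  # {other_setting: value needed when this one is changed}

# Constructed sample data for a hypothetical service, not any real product's schema.
APPROVED_DEFAULTS = (
    Setting("tls_min_version", "Lowest TLS version accepted", ("1.2", "1.3"), "1.3",
            "older protocol versions carry known weaknesses",
            "clients limited to TLS 1.2 cannot connect"),
    Setting("admin_auth", "Authentication required for the admin interface",
            ("none", "password", "mfa"), "mfa",
            "weak admin authentication is a common path to full compromise",
            "administrators must enrol a second factor"),
    Setting("admin_listen", "Interface the admin endpoint binds to", ("localhost", "all"),
            "localhost", "binding to all interfaces widens the attack surface",
            "remote administration needs a tunnel or bastion",
            requires={"admin_auth": "mfa"}),  # relationship: bind widely only with MFA
)

def secure_defaults() -> dict:
    """Configuration-as-code view: the approved defaults, derived from the documentation."""
    return {s.name: s.default for s in APPROVED_DEFAULTS}

def verify_configuration(deployed: dict) -> list:
    """Compare a deployed configuration with the documented settings.
    Returns findings; an empty list means the approved configuration is in place."""
    findings = []
    for s in APPROVED_DEFAULTS:
        value = deployed.get(s.name, s.default)  # an absent key means the default applies
        if value not in s.options:
            findings.append(f"{s.name}: unknown value {value!r}, allowed {s.options}")
            continue
        if value == s.default:
            continue
        findings.append(f"{s.name}: {value!r} weakens default {s.default!r} ({s.security_relevance})")
        for other, needed in s.requires.items():
            actual = deployed.get(other, secure_defaults()[other])
            if actual != needed:
                findings.append(f"{s.name}={value!r} requires {other}={needed!r}, found {actual!r}")
    return findings

if __name__ == "__main__":
    for finding in verify_configuration({"admin_listen": "all", "admin_auth": "password"}):
        print(finding)
```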
>Cross-Framework References
Mappings to related frameworks and standards from NIST SP 800-218:

| Framework / Standard | Reference |
|---|---|
| BSA FSS | CF.1 |
| BSIMM | SE2.2 |
| EO 14028 | 4e(iv), 4e(ix) |
| IDA SOAR | 23 |
| IEC 62443 | SG-3 |
| OWASP SAMM | OE1-A |
| PCI SSLC | 8.1, 8.2 |
| SAFECode Agile | Tasks Requiring the Help of Security Experts 12 |
| SAFECode FPSSD | Verify Secure Configurations and Use of Platform Mitigation |
| SAFECode SIC | Vendor Software Delivery Integrity Controls; Vendor Software Development Integrity Controls |
| SP 800-161 | SA-5, SA-8(23) |
| SP 800-181 (NICE) | SP-DEV-001; K0009, K0039, K0073, K0153, K0165, K0275, K0531 |