Configuration Management
Configuration Management is about knowing and controlling your environment. What systems do you have? Are they configured securely? Who can change them? What software is allowed to run?
The Three Themes
Baselines & Inventory (3.4.1–3.4.2) — Document what a properly configured system looks like and maintain a current inventory of every piece of hardware and software. Harden everything to security benchmarks.
Change Control (3.4.3–3.4.5) — Every change goes through documented approval. Analyze security impact before implementing. Restrict who can make changes to production.
Attack Surface (3.4.6–3.4.9) — Disable unnecessary features, block unnecessary ports and protocols, control which software can execute, and prevent unauthorized installations.
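The three themes above come down to one recurring check: compare what a host actually looks like against what the approved baseline says it should look like, and treat every difference as drift to be reviewed. The following is an added example written for this page, not code from NIST or from any vendor tool. The baseline format, the host snapshot, the hostname, the change IDs and the approver names are all constructed for illustration; a real deployment would feed the same comparison from an inventory collector and a change-ticket system.

```python
"""Added example: a minimal baseline-drift check covering the three configuration
management themes (baselines and inventory, change control, attack surface).
Illustrative code written for this page, not a NIST or vendor tool; the baseline
format and the sample host snapshot below are constructed."""

from dataclasses import dataclass, field

# Constructed baseline: what an approved, hardened host should look like (3.4.1, 3.4.2).
BASELINE = {
    "role": "web-frontend",
    "approved_software": {"nginx", "openssh-server", "chrony", "auditd"},
    "allowed_listening_ports": {22, 443},
    "required_settings": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "kernel.ip_forward": "0",
    },
    # Only these identities may approve production changes (3.4.5).
    "change_approvers": {"cm-board", "platform-oncall"},
}

# Constructed snapshot of a live host, as an inventory collector would report it.
HOST_SNAPSHOT = {
    "hostname": "web-01.example.test",
    "installed_software": {"nginx", "openssh-server", "chrony", "auditd", "telnetd", "nmap"},
    "listening_ports": {22, 443, 23},
    "settings": {
        "ssh.PermitRootLogin": "yes",
        "ssh.PasswordAuthentication": "no",
        "kernel.ip_forward": "0",
    },
    # Change log entries as (change id, approver, description); constructed values.
    "change_log": [
        ("CHG-0001", "cm-board", "deploy nginx 1.26"),
        ("CHG-0002", "jdoe", "enable telnet for debugging"),
    ],
}


@dataclass
class DriftReport:
    unauthorized_software: set = field(default_factory=set)  # 3.4.8 / 3.4.9
    nonessential_ports: set = field(default_factory=set)     # 3.4.6 / 3.4.7
    setting_violations: dict = field(default_factory=dict)   # 3.4.2
    unapproved_changes: list = field(default_factory=list)   # 3.4.3 / 3.4.5

    def is_compliant(self) -> bool:
        return not (self.unauthorized_software or self.nonessential_ports
                    or self.setting_violations or self.unapproved_changes)


def check_drift(baseline: dict, snapshot: dict) -> DriftReport:
    """Compare a host snapshot against its baseline and report every deviation."""
    report = DriftReport()
    # Anything installed that is not on the approved list is unauthorized software.
    report.unauthorized_software = (set(snapshot["installed_software"])
                                    - baseline["approved_software"])
    # Listening ports outside the allowed set enlarge the attack surface.
    report.nonessential_ports = (set(snapshot["listening_ports"])
                                 - baseline["allowed_listening_ports"])
    # Hardening settings must match the baseline exactly; a missing key also counts.
    for key, expected in baseline["required_settings"].items():
        actual = snapshot["settings"].get(key)
        if actual != expected:
            report.setting_violations[key] = (expected, actual)
    # Every logged change must carry an approval from an authorized approver.
    for change_id, approver, _description in snapshot["change_log"]:
        if approver not in baseline["change_approvers"]:
            report.unapproved_changes.append(change_id)
    return report


def format_report(hostname: str, report: DriftReport) -> str:
    """Render the drift report as one line per finding, tagged with the 3.4.x requirement."""
    lines = [f"Baseline drift report for {hostname}:"]
    for software in sorted(report.unauthorized_software):
        lines.append(f"  [3.4.9] unauthorized software installed: {software}")
    for port in sorted(report.nonessential_ports):
        lines.append(f"  [3.4.7] nonessential listening port open: {port}")
    for key, (expected, actual) in sorted(report.setting_violations.items()):
        lines.append(f"  [3.4.2] setting {key} is {actual!r}, baseline requires {expected!r}")
    for change_id in report.unapproved_changes:
        lines.append(f"  [3.4.3] change {change_id} lacks authorized approval")
    if report.is_compliant():
        lines.append("  no drift detected")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(HOST_SNAPSHOT["hostname"], check_drift(BASELINE, HOST_SNAPSHOT)))
```

Run against the constructed snapshot, the report flags two packages outside the approved list, one extra listening port, one hardening setting that has drifted, and one change that was made without an authorized approver. The design point is that the baseline is data, not code: when the change board approves a new package or port, the baseline is updated through the same change process, and the checker keeps comparing the live inventory against it rather than against whatever the host happened to look like last week.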
All 9 Requirements
| Ref | Short Name | What It Covers |
|---|---|---|
| 3.4.1 | Know Your Inventory | Baseline configs and asset inventory |
| 3.4.2 | Harden Everything | Security baselines applied and enforced |
| 3.4.3 | Control Every Change | Track, review, approve, and log every change |
| 3.4.4 | Check Before You Change | Security impact analysis before implementation |
| 3.4.5 | Lock Down Change Access | Only authorized personnel make changes |
| 3.4.6 | Shrink the Attack Surface | Only essential capabilities enabled |
| 3.4.7 | Block What’s Not Needed | Actively prevent nonessential programs, ports, protocols |
| 3.4.8 | Whitelist or Blacklist Software | Application control — approved software only |
| 3.4.9 | No Unauthorized Software | Control and monitor user-installed software |