Configuration Management.

Establishing a known-good configuration and enforcing security settings on every system.

3.4.1 Know Your Inventory. Baseline configurations and current asset inventory for every piece of hardware and software in your CUI environment. 5 pts 3.4.2 Harden Everything. Apply security configuration baselines to all systems. No factory defaults. Document and enforce. 5 pts

Tracking changes, analysing security impact, and limiting who can make them.

3.4.3 Control Every Change. Every change to CUI systems goes through a documented process: request, review, approve, implement, log. 1 pts 3.4.4 Check Before You Change. Assess the security impact of every change before implementing it. 1 pts 3.4.5 Lock Down Change Access. Only authorized people can make physical and logical changes to CUI systems — documented and technically enforced. 3 pts

Least functionality, restricted services, allowlisted software, and user-installed software control.

3.4.6 Shrink the Attack Surface. Configure systems to provide only essential capabilities. Disable everything else. 1 pts 3.4.7 Block What's Not Needed. Actively restrict, disable, or prevent nonessential programs, functions, ports, protocols, and services. 1 pts 3.4.8 Whitelist or Blacklist Software. Application control on CUI systems — decide which software is authorized and enforce it technically. 3 pts 3.4.9 No Unauthorized Software. Control and monitor user-installed software. Users can't install without approval. 1 pts