CMMC Practice - CM.2.061

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

CMMC Practice - CM.2.062

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

CMMC Practice - CM.2.063

Control and monitor user-installed software.

CMMC Practice - CM.2.064

Establish and enforce security configuration settings for information technology products employed in organizational systems

CMMC Practice - CM.2.065

Track, review, approve, or disapprove, and log changes to organizational systems.

CMMC Practice - CM.2.066

Analyze the security impact of changes prior to implementation.

CMMC Practice - CM.3.067

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

CMMC Practice - CM.3.068

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

CMMC Practice - CM.3.069

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.