NIST 800-171 • LEVEL 2 • CONFIGURATION MANAGEMENT

3.4.2 Configuration Settings

Establish, document, and implement the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements: {{ insert: param, A.03.04.02.ODP.01 }} . Identify, document, and approve any deviations from established configuration settings.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements are established and documented: {{ insert: param, A.03.04.02.ODP.01 }}.
  • any deviations from established configuration settings are identified and documented.
  • any deviations from established configuration settings are approved.
  • the following configuration settings for the system are implemented: {{ insert: param, A.03.04.02.ODP.01 }}.

Practitioner Notes

This practice is about making sure your systems are locked down to their most restrictive settings that still let people do their jobs. You document those settings, and if anyone needs an exception — say, opening an extra port or enabling a service — that deviation gets formally approved and written down.

The key idea: start tight, loosen only where justified, and document every exception.

Example 1: Apply DISA STIGs through Group Policy. In the Group Policy Management Console, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components and import the relevant STIG GPO backup. For any settings your operations require you to deviate from, document the finding ID, justification, and approving authority in a Plan of Action and Milestones (POA&M).

Example 2: In the M365 Admin Center, go to Settings > Org Settings > Security & Privacy and disable external sharing in SharePoint unless explicitly approved. Document the restrictive default and any tenant-level exceptions in your System Security Plan (SSP).
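The deviation review the notes describe, as an added example that is not part of the original page: a small Python check that compares a documented baseline against an observed configuration export and classifies each setting against the four assessment objectives. The baseline, observed values and exception register are constructed for illustration; setting names are assumed and are not STIG finding IDs.

```python
# Constructed baseline: the documented "most restrictive" settings (objective 1).
BASELINE = {
    "smbv1_enabled": False,
    "audit_logging": "enabled",
    "external_sharing": "disabled",
    "rdp_open_ports": [],
    "password_min_length": 14,
}

# Constructed observed state, e.g. from a configuration scan export.
OBSERVED = {
    "smbv1_enabled": False,
    "audit_logging": "enabled",
    "external_sharing": "enabled",
    "rdp_open_ports": [3389],
    "telnet_enabled": True,           # present on the host but absent from the baseline
    # password_min_length not reported: baseline setting not implemented
}

# Constructed exception register: finding ID, justification, approving authority.
# A deviation only counts as approved when all three fields are filled in.
APPROVED = {
    "rdp_open_ports": {"finding_id": "EX-0001",
                       "justification": "Jump host for vendor support",
                       "approver": "ISSM"},
    "external_sharing": {"finding_id": "EX-0002",
                         "justification": "", "approver": ""},   # documented, never approved
    "smbv1_enabled": {"finding_id": "EX-0003",
                      "justification": "Legacy scanner", "approver": "ISSM"},  # no longer deviating
}

def is_approved(record):
    """An exception record is approved only if ID, justification and approver are present."""
    return bool(record) and all(record.get(k) for k in ("finding_id", "justification", "approver"))

def assess(baseline, observed, approved):
    """Classify every baseline setting and flag observed settings the baseline never covered."""
    results = {}
    for name, expected in baseline.items():
        if name not in observed:
            results[name] = "not_implemented"                 # objective 4 fails
        elif observed[name] == expected:
            # Compliant; an exception that is still on file for it should be retired.
            results[name] = "stale_exception" if name in approved else "compliant"
        elif is_approved(approved.get(name)):
            results[name] = "approved_deviation"              # objectives 2 and 3 met
        else:
            results[name] = "unapproved_deviation"            # identified, but not approved
    for name in observed.keys() - baseline.keys():
        results[name] = "undocumented"                        # objective 1 gap
    return results
```

Anything classified as unapproved_deviation, not_implemented or undocumented is a POA&M item; stale_exception entries are exceptions to close out.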