bigforceone

CM.L2-3.4.2: Establish and enforce security configuration settings for information technology products employed in organizational systems.

What this control requires

Establish and enforce security configuration settings for information technology products employed in organizational systems.

Source: CMMC L2 v2.13 CM.L2-3.4.2 / NIST SP 800-171 R2 3.4.2 (official control text).

Why this matters

Default configurations of IT products are designed for ease of use, not security. Attackers exploit known default credentials, open ports, and permissive settings to breach systems. This control requires the organization to systematically define, document, and enforce hardened configurations across all technology: servers, workstations, network devices, cloud services, and applications. Without standardized secure baselines, each system becomes a potential entry point. Enforcing configuration settings reduces attack surface, closes known vulnerabilities, and ensures every device meets a minimum security threshold before connecting to the network or handling CUI.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
