03.04.02 — (a) Establish, document, and implement the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements: [Assignment: organization-defined configuration settings]. (b) Identify, document, and approve any deviations from established configuration settings.
What this control requires
(a) Establish, document, and implement the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements: [Assignment: organization-defined configuration settings]. (b) Identify, document, and approve any deviations from established configuration settings.
Source: NIST SP 800-171 R3 §03.04.02 (official control text).
Why this matters
Configuration settings determine how systems behave and what attack surface they expose. Default configurations prioritize ease of use over security, leaving unnecessary services running, weak encryption enabled, and excessive permissions granted. Attackers exploit these weaknesses to gain initial access, move laterally, and exfiltrate data. This control requires organizations to lock down every configurable parameter—operating systems, network devices, applications, cloud services—to the most restrictive settings that still allow business functions to operate. Any deviation from these hardened baselines must be identified, documented, and approved, creating accountability and preventing the configuration drift that reintroduces vulnerabilities over time.
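As an added illustration (not part of the original page or the FORCE platform), the check below applies both halves of the control in Python: it compares observed settings against the documented most-restrictive baseline and flags any deviation that lacks a current, approved exception. The setting names, ticket ids and dates are constructed sample data, and dates are ISO strings so they compare correctly as text.

```python
from datetime import date

# Constructed baseline: the documented "most restrictive" settings (part (a)).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "tls.MinVersion": "1.2",
    "smb.SigningRequired": "yes",
    "telnet.Enabled": "no",
}

# Constructed deviation register (part (b)): settings approved to differ,
# with the approved value, a change ticket id and an expiry date (ISO 8601).
APPROVED_DEVIATIONS = {
    "ssh.PasswordAuthentication": {"value": "yes", "ticket": "CM-0042", "expires": "2026-01-31"},
    "smb.SigningRequired": {"value": "no", "ticket": "CM-0017", "expires": "2024-06-30"},
}

def check_settings(observed, baseline=BASELINE, register=APPROVED_DEVIATIONS, today=None):
    """Return {setting: status} for every baseline setting.
    compliant  : matches the baseline
    approved   : differs, but a current approval covers this exact value
    expired    : differs; an approval exists but has lapsed (fix or re-approve)
    unapproved : differs with no matching approval (configuration drift)
    missing    : baseline setting absent from the observed configuration
    """
    today = today or date.today().isoformat()
    findings = {}
    for name, required in baseline.items():
        actual = observed.get(name)
        if actual is None:
            findings[name] = "missing"
        elif actual == required:
            findings[name] = "compliant"
        else:
            dev = register.get(name)
            if dev is None or dev["value"] != actual:
                findings[name] = "unapproved"     # drift: nobody approved this
            elif dev["expires"] < today:
                findings[name] = "expired"        # approval lapsed; re-review
            else:
                findings[name] = "approved"
    return findings

def needs_action(findings):
    """Settings an assessor would ask about: remediate or (re)approve."""
    return sorted(n for n, s in findings.items() if s in ("unapproved", "expired", "missing"))
```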
What evidence assessors expect
Assessors typically look for artifacts such as PDFs, screenshots, CSV exports, and signed letters. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
See your live posture on 03.04.02.
FORCE shows where you stand on this control and walks you through closing it.