CM - Configuration Management Domain Notes
CMMC Domain: CM (Configuration Management)
NIST 800-171 Family: 3.4.x
CM.L2-3.4.7 - NONESSENTIAL FUNCTIONALITY (Ports, Protocols, Services)
Control: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
- Active thread on this in 2026-02
- "You define your baseline, you define your ports, protocols, services" - assessors work from YOUR defined baseline
- Get baselines sorted early - one practitioner spent a full week building the baseline document
- Baseline should live in SharePoint with full revision history for GCC High environments
- Source: https://old.reddit.com/r/CMMC/comments/1r8ganf/ (2026-02-18) + https://old.reddit.com/r/CMMC/comments/1rpitjk/ (2026-03-09)
CM.L2-3.4.8 - APPLICATION EXECUTION POLICY
Control: Apply deny-by-exception (blacklisting) OR deny-all, permit-by-exception (whitelisting) policy to prevent unauthorized software execution.
Windows
- ThreatLocker - most cited solution for application whitelisting/allowlisting
- EDR solutions with trusted application lists (Defender, CrowdStrike, etc.)
- AppLocker / WDAC (Windows Defender Application Control) - mentioned, but noted as complex for cloud-native remote workers
Linux
- SELinux - explicitly named by the community as the right tool
- AppArmor β alternative to SELinux
- Approved repo restriction - prevent installs from unapproved repos; restrict sudo; monitor executable paths
- Deny-by-exception approach: approved repos plus role-based access that restricts apt/yum access works
- Administrative control accepted: define essential apps as those already installed; non-essential apps are controlled by RBAC (regular users can't install software; new software requires change control)
Assessor Behavior
- Most assessors accept deny-by-exception (blacklisting) approach when clearly documented
- Full whitelisting (SELinux/AppArmor) is possible, but per the thread "assessors usually accept" other enforced controls
- Administrative-only control possible: "You can control this administratively; there isn't a requirement for a technical solution"
- Documentation must be clear - what apps are approved, how new apps get approved, who can install
Source: https://old.reddit.com/r/CMMC/comments/1q7drdu/ (2026-01-08)
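An added example (not from the thread) that reports which execution-control mechanism is actually enforcing on a Windows host, which is the evidence behind the "clearly documented" point above; it assumes the AppLocker PowerShell module is present and is read-only.

```powershell
# Added example, not from the thread: report the enforcement state of AppLocker
# and WDAC so the SSP can state what is technically enforced versus what is
# covered administratively. Read-only. Assumes Windows 10/11 with the AppLocker
# module; the DeviceGuard CIM class may be absent where WDAC was never configured.

function Get-AppExecutionPolicyStatus {
    $rows = @()
    # AppLocker: one row per rule collection (Exe, Msi, Script, Dll, Appx) with its enforcement mode
    $xml = [xml](Get-AppLockerPolicy -Effective -Xml)
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
        $rows += [pscustomobject]@{
            Mechanism = 'AppLocker'
            Scope     = $rc.Type
            Mode      = $rc.EnforcementMode      # NotConfigured / AuditOnly / Enabled
            RuleCount = @($rc.ChildNodes).Count
        }
    }
    # WDAC (code integrity) status: 0 = off, 1 = audit, 2 = enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $modeNames = @('Off', 'AuditOnly', 'Enforced')
    if ($dg) {
        $rows += [pscustomobject]@{ Mechanism = 'WDAC'; Scope = 'Kernel'; Mode = $modeNames[$dg.CodeIntegrityPolicyEnforcementStatus]; RuleCount = $null }
        $rows += [pscustomobject]@{ Mechanism = 'WDAC'; Scope = 'User';   Mode = $modeNames[$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]; RuleCount = $null }
    }
    $rows
}

# Anything reported as NotConfigured, AuditOnly or Off is not technical enforcement: it must be
# covered by a documented administrative control (RBAC, change control) or by ThreatLocker/EDR.
Get-AppExecutionPolicyStatus | Format-Table -AutoSize
```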
CM General Notes
Baselines
- Configuration baselines are a significant effort - 1 week for a thorough baseline is normal
- Must be documented, version-controlled, and accessible
- Separate thread on baselines: https://old.reddit.com/r/CMMC/comments/1quzldg/ (2026-02-03)
- Question: "Did you have to create configuration baseline files for each system?" - assessors expect per-system baselines
- Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/ (2026-03-09) comments
Firewall Configuration (CM + SC overlap)
- Implement block-all inbound/outbound with allow-by-exception BEFORE the assessment
- Know your firewall posture - don't discover gaps the night before the audit
- Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/ (2026-03-09)
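A read-only posture check for the block-all / allow-by-exception target above, as an added example that is not from the thread; it assumes a Windows 10/11 host with the NetSecurity module and changes nothing.

```powershell
# Added example, not from the thread: audit the host firewall against the
# block-all / allow-by-exception target before the assessment. Read-only.
# Assumes Windows 10/11 with the NetSecurity module (Get-NetFirewall* cmdlets).

function Test-FirewallPosture {
    $findings = @()
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True') {
            $findings += [pscustomobject]@{ Profile = $p.Name; Issue = 'Profile disabled'; Detail = '' }
        }
        foreach ($dir in 'Inbound', 'Outbound') {
            # Block-all means DefaultInboundAction and DefaultOutboundAction are both Block
            $action = $p."Default${dir}Action"
            if ($action -ne 'Block') {
                $findings += [pscustomobject]@{ Profile = $p.Name; Issue = "Default $dir action is $action, expected Block"; Detail = '' }
            }
        }
    }
    # Every enabled Allow rule is an exception that must be listed and justified in the baseline
    foreach ($rule in Get-NetFirewallRule -Enabled True -Action Allow) {
        $port = $rule | Get-NetFirewallPortFilter
        $findings += [pscustomobject]@{
            Profile = $rule.Profile
            Issue   = "Allow exception ($($rule.Direction))"
            Detail  = "$($rule.DisplayName): $($port.Protocol) local $($port.LocalPort) remote $($port.RemotePort)"
        }
    }
    $findings
}

Test-FirewallPosture | Format-Table -AutoSize
```

On a stock Windows install the exception list is long because of inbox rules; each one still has to be either disabled or documented, which is exactly the gap the thread warns about finding the night before.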
ThreatLocker + Network Stack
- Active community thread on using ThreatLocker for application control in CMMC environments
- Source: https://old.reddit.com/r/CMMC/comments/1r5hp1v/ (2026-02-15)
CM Baseline - Real-World Build Notes (2026-03-11)
Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/ (40-person GCC High org, Kieri assessment)
- Baseline document took 1 full week to build properly
- Structure: separate sections per device type (different PC models, iPhones, Macs, OS minimums)
- Windows 11 25H2 set as OS minimum baseline
- For cloud-based environments: "specifying that all devices must be enrolled and compliant (with clearly defined compliance criteria) does a lot of the heavy lifting"
- Baseline document kept in SharePoint with full revision history (Word document with version tracking)
- Used AI (Claude) + PowerShell outputs to structure baseline content faster
- macOS: macOS Security Compliance Project + Jamf Compliance Editor for Mac-specific baselines
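As an added example that is not part of these notes, a PowerShell capture of the ports/protocols/services and installed-software baseline described above (3.4.7 and the build notes), plus a comparison that flags drift for change control; the C:\Baselines path and the choice of auto-start services as the service baseline are assumptions.

```powershell
# Added example, not from the thread: capture a per-system CM baseline of
# ports/protocols/services and installed software as JSON, then compare a later
# capture against it so deviations go through change control.
# Assumes Windows 10/11 with the NetTCPIP module; C:\Baselines is an assumed path.

function Get-CmBaseline {
    # Listening TCP ports and bound UDP endpoints, tagged with the owning process name
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        "tcp/$($_.LocalPort)/$((Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName)"
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        "udp/$($_.LocalPort)/$((Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName)"
    }
    # Auto-start services are the ones an assessor will ask you to justify
    $svc = Get-Service | Where-Object { $_.StartType -eq 'Automatic' } | ForEach-Object { $_.Name }
    # Installed software from the Uninstall registry keys (faster and safer than Win32_Product)
    $uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object DisplayName | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        OSVersion = (Get-CimInstance Win32_OperatingSystem).Version
        Captured  = (Get-Date).ToString('o')
        Ports     = @(@($tcp) + @($udp) | Sort-Object -Unique)
        Services  = @($svc | Sort-Object -Unique)
        Software  = @($apps | Sort-Object -Unique)
    }
}

function Compare-CmBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-CmBaseline
    foreach ($area in 'Ports', 'Services', 'Software') {
        # '=>' = present now but not in the baseline (needs approval); '<=' = in the baseline but gone (document it)
        Compare-Object -ReferenceObject @($baseline.$area) -DifferenceObject @($current.$area) | ForEach-Object {
            $status = if ($_.SideIndicator -eq '=>') { 'NOT IN BASELINE' } else { 'MISSING' }
            [pscustomobject]@{ Area = $area; Item = $_.InputObject; Status = $status }
        }
    }
}

# Capture once per device type and keep the JSON alongside the baseline document's revision history,
# then re-run the comparison on a schedule and again before the assessment.
# Get-CmBaseline | ConvertTo-Json -Depth 3 | Set-Content -Path "C:\Baselines\$env:COMPUTERNAME.json"
# Compare-CmBaseline -BaselinePath "C:\Baselines\$env:COMPUTERNAME.json" | Format-Table -AutoSize
```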
CM.L2-3.4.x (General) - NEW SOFTWARE REVIEW PROCESS (NEW DISCUSSION)
Context: Community discussion on the need for better processes and resources for reviewing new software.
Need for Structured Review
- Observation: There is a recognized need within the community for free guidelines, survey-type lists, or checklists to formally review new software before it is added to the network or goes into production.
- Relevance: Directly supports Configuration Management (CM) controls related to change management, ensuring new software aligns with security policies and compliance requirements before deployment.
- Current Gap: Many organizations, especially smaller ones, currently lack a standardized approach for reviewing new software.
- Source: https://old.reddit.com/r/CMMC/comments/1rsmdhz/ (2026-03-14)
Related Posts
- CM.L2-3.4.8 Application Execution Policy - 2026-01-08
- L2 3.4.7 Ports/Protocols/Services - 2026-02-18
- Baselines - 2026-02-03
- ThreatLocker + Network Stack - 2026-02-15
- WSL (Windows Subsystem for Linux) - 2026-01-12 (score 15, likely about in-scope vs out-of-scope)