Secure Controls Framework
Download The SCF

Configuration Management (CFG)

Domain Principle

Establish and enforce secure configuration baselines that implement least privilege and least functionality for Technology Assets, Applications and Services (TAAS) to support a defensible secure configuration posture.

Domain Intent

Organizations establish, maintain, monitor and enforce secure configurations aligned with vendor recommendations and industry-recognized secure practices to preserve system integrity and prevent unauthorized or unintended functionality.

Domain Guide

Secure configuration baselines are the difference between systems that are designed to be secure and systems that happen to be secure until someone changes a setting. The CFG domain establishes what those baselines are, requires they align with vendor recommendations and industry-recognized hardening standards and mandates enforcement so that drift from baseline is detected and remediated.

 

The SCF's intent for CFG centers on least privilege and least functionality: systems should run with the minimum services, ports and permissions necessary for their function. Every enabled feature that isn't needed is attack surface. Every default credential that isn't changed is a known vulnerability. CFG governs the discipline of applying that principle consistently across TAAS rather than relying on individual administrators to remember to do it.

 

Configuration management is distinct from Change Management (CHG) because CHG governs the process of change; CFG governs the target state. An organization can have excellent change processes and still deploy systems to an insecure baseline. Both domains are required to address the full problem.