NIST SP 800-171 & CMMC 2.0 - 3.4.1
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
NIST SP 800-171 & CMMC 2.0 - 3.4.6
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
NIST SP 800-171 & CMMC 2.0 - 3.4.9
Control and monitor user-installed software.
NIST SP 800-171 & CMMC 2.0 - 3.4.2
Establish and enforce security configuration settings for information technology products employed in organizational systems.
NIST SP 800-171 & CMMC 2.0 - 3.4.3
Track, review, approve or disapprove, and log changes to organizational systems.
NIST SP 800-171 & CMMC 2.0 - 3.4.4
Analyze the security impact of changes prior to implementation.
NIST SP 800-171 & CMMC 2.0 - 3.4.5
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
NIST SP 800-171 & CMMC 2.0 - 3.4.7
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
NIST SP 800-171 & CMMC 2.0 - 3.4.8
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.