Requirement: 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
What does this requirement mean?
Every information technology product, such as Windows computers, Linux servers, Microsoft 365, and even printers, has an array of system settings that affect security. These include settings that enable or disable insecure protocols (e.g., SNMPv1, Telnet), settings that enforce encryption on the device, and settings that control audit logging. To meet this requirement you need to identify which security settings you will implement on each of your information technology products, document them, and then configure those settings.
Why is this control important?
Out of all of the NIST SP 800-171 security controls, this is one of the most important. Information technology products generally ship with insecure defaults, and establishing and enforcing security configurations is how you close those gaps. For example, a new router will usually come with a default login such as username admin and password admin; anyone who knows the product model knows that credential. The same router may expose its login page over both HTTP (unencrypted) and HTTPS (encrypted); a security setting on the router can restrict the login page to HTTPS only, so the administrator's credentials are never sent in clear text.
By implementing security configurations on your systems, you also start to meet other NIST SP 800-171 requirements. For example, enabling audit logging on a system helps you meet the Audit and Accountability requirements, and enforcing complex password requirements helps you meet the Identification and Authentication requirements.
How do you meet this requirement?
Identify your information technology products
You need to identify the different types of information technology products that make up your information system. Most small businesses have the following: Microsoft 365, Windows computers, possibly Mac computers, printers/scanners, a router, a switch, and sometimes a file server (rarer these days).
Establish the security configuration settings
The easiest way to determine which security configuration settings to apply to your systems is to use an established hardening guide. The Center for Internet Security (CIS Benchmarks) and the Defense Information Systems Agency (DISA STIGs) publish guides that tell you which settings to configure on everything from Windows computers and Microsoft 365 to printers, switches, and firewalls. By using these comprehensive, well-researched guides you ensure that you aren't overlooking important security settings.
Document which of these settings you plan to configure on each of your information technology products. It is recommended that you implement as many as you can; where a setting would impair the system's ability to perform mission-essential functions, record the deviation and its justification rather than silently skipping it.
Enforce the security configuration settings
After you have determined which security configuration settings you will enforce on your systems, you need to actually configure them. For Windows systems this can be accomplished using Microsoft Azure AD (now Microsoft Entra ID) and Microsoft Endpoint Manager (now Microsoft Intune): you define the settings in configuration profiles and assign them to your computers. For products such as printers you will likely have to configure the settings manually on each device, unless all of your printers are the same model and you can reuse one configuration file across them. Whichever mechanism you use, verify afterwards that the settings actually took effect, and re-check periodically so that configuration drift is caught.
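The three steps above (identify, establish, enforce) only pay off if you can tell, for each device, which baseline settings are in place, which are missing, and which have a documented exception. The following Python script is an added example, not code from the original article: it takes a documented baseline (the router settings discussed earlier: Telnet, SNMPv1, HTTP-only login, default credentials, log forwarding), checks an exported device configuration against it, and reports approved mission-essential deviations separately from real gaps. The baseline identifiers (CFG-01 and so on), both configuration snippets, the log-host address and the deviation text are constructed for illustration and use a simplified, vendor-neutral line syntax; real baselines come from the CIS Benchmarks or DISA STIGs, and real configs are exported from your own devices.

```python
"""Audit a device configuration against a documented security baseline.

Added example, not the article's own code. Baseline ids, configs and the
approved deviation are constructed; the config syntax is a simplified,
vendor-neutral "keyword value" form, not any specific vendor's CLI.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Setting:
    """One entry of the documented baseline (ids are hypothetical)."""
    id: str
    description: str
    prefix: str        # config line prefix the check looks for
    must_exist: bool   # True: a matching line is required; False: forbidden


# Constructed baseline covering the settings the article calls out.
BASELINE: List[Setting] = [
    Setting("CFG-01", "Telnet management disabled", "service telnet", False),
    Setting("CFG-02", "SNMPv1 community strings removed", "snmp-server community", False),
    Setting("CFG-03", "Plain-HTTP management page disabled", "ip http server", False),
    Setting("CFG-04", "HTTPS management page enabled", "ip http secure-server", True),
    Setting("CFG-05", "Default admin/admin login removed", "username admin password admin", False),
    Setting("CFG-06", "Audit logs forwarded to a log host", "logging host", True),
]


@dataclass(frozen=True)
class Finding:
    setting_id: str
    status: str              # "PASS", "FAIL" or "DEVIATION"
    evidence: Optional[str]  # config line that matched, if any
    note: str = ""           # justification for an approved deviation


def parse_config(text: str) -> List[str]:
    """Return effective config lines: trimmed, comments and blanks dropped."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("!", "#")):
            lines.append(line)
    return lines


def check_config(lines: List[str], baseline: List[Setting],
                 approved_deviations: Dict[str, str]) -> List[Finding]:
    """Compare config lines to every baseline setting.

    approved_deviations maps a setting id to the documented reason it is not
    implemented (the mission-essential case). Such a failed check is reported
    as DEVIATION, not FAIL, so it stays visible without counting as a gap.
    """
    findings = []
    for setting in baseline:
        match = next((line for line in lines if line.startswith(setting.prefix)), None)
        compliant = (match is not None) == setting.must_exist
        if compliant:
            findings.append(Finding(setting.id, "PASS", match))
        elif setting.id in approved_deviations:
            findings.append(Finding(setting.id, "DEVIATION", match,
                                    approved_deviations[setting.id]))
        else:
            findings.append(Finding(setting.id, "FAIL", match))
    return findings


def audit(config_text: str, approved_deviations: Dict[str, str]) -> List[Finding]:
    """Parse a config export and check it against BASELINE."""
    return check_config(parse_config(config_text), BASELINE, approved_deviations)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status; a device is clean when FAIL == 0."""
    counts = {"PASS": 0, "FAIL": 0, "DEVIATION": 0}
    for finding in findings:
        counts[finding.status] += 1
    return counts


# Constructed "out of the box" router config (not captured from a real device).
DEFAULT_CONFIG = """\
! factory defaults
hostname edge-router
service telnet
ip http server
ip http secure-server
snmp-server community public RO
username admin password admin
"""

# Same device after the baseline was applied; SNMPv1 stays on under a
# documented deviation because a legacy monitoring box still polls it.
HARDENED_CONFIG = """\
hostname edge-router
no service telnet
ip http secure-server
snmp-server community public RO
username admin secret CHANGED-PER-POLICY
logging host 10.0.0.5
"""

APPROVED_DEVIATIONS = {
    "CFG-02": "Legacy monitoring appliance polls SNMPv1; replacement scheduled.",
}

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(text, APPROVED_DEVIATIONS)
        print(f"== {name}: {summarize(findings)}")
        for f in findings:
            print(f"{f.setting_id} {f.status:9} {f.evidence or '-'} {f.note}")
```

Run it to see the factory-default config fail four of six checks while the hardened one passes everything except the recorded SNMPv1 deviation. The same pattern scales to a real environment: keep the baseline and the approved-deviation list under version control as the documentation this requirement asks for, and run the check against fresh config exports on a schedule so drift shows up as a FAIL rather than going unnoticed.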