When we assess organizations for CMMC Level 2, CM.L2-3.4.2 is one of the clearest indicators of whether their security is proactive or accidental.
Having configuration settings is one thing. Enforcing them is another.
This post explores how to implement and validate this control from the perspective of both an Authorized C3PAO and a Level 2 Certified MSP—because knowing what to set isn’t enough. You need to lock it in and prove it.
🔐 CONTROL:
CM.L2-3.4.2 – Establish and enforce security configuration settings for information technology products employed in organizational systems.
✅ Assessment Objectives (per CMMC Assessment Guide):
- Security configuration settings are defined based on best practices or hardening guidance.
- The settings are implemented on applicable systems.
- The settings are enforced to prevent deviation or unauthorized changes.
🛠️ MSP Perspective: How to Implement It
As an MSP responsible for system integrity, this is where tools shine—but processes matter more.
- Define your secure configuration settings
  - Use CIS Benchmarks, DISA STIGs, or vendor-provided security guides.
  - Define per system type: laptops, servers, firewalls, hypervisors, cloud apps.
- Apply those settings using automation
  - Intune Configuration Profiles (for Microsoft environments)
  - Group Policy Objects (GPOs) (on domain-joined systems)
  - Mobile Device Management (MDM) for mobile and BYOD
  - Scripting/Provisioning tools (PowerShell, Ansible, Terraform)
- Enforce and monitor
  - Implement tamper protection on EDR agents (like Microsoft Defender).
  - Use Configuration Drift Detection in RMMs or SIEMs.
  - Reapply settings on schedule or upon detection of deviation.
🎯 Tip: Use version-controlled GPOs or JSON templates. Document where settings come from and how they’re enforced.
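Here is what the "enforce and monitor" step looks like when you have to build it yourself rather than buy it. This is an added example, not code from the original post or from any product it mentions. The baseline is a constructed sample of real, registry-backed settings that appear in CIS/STIG guidance (the `Source` tags are placeholders you would replace with your own benchmark references); the log path and the `Id` names are assumptions. Run it from a scheduled task or your RMM: without `-Remediate` it reports drift, with it the script self-heals and writes an audit line either way.

```powershell
#Requires -RunAsAdministrator
# Added example: registry-backed drift check with optional self-healing and an audit trail.
# The baseline below is constructed for illustration; the Source values are assumed
# placeholders and must be mapped to your documented benchmark items.
$Baseline = @(
    @{ Id = 'SMB1-DISABLED'; Source = 'CIS item (assumed)';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Expected = 0; Type = 'DWord' }
    @{ Id = 'UAC-ENABLED'; Source = 'CIS item (assumed)';
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA'; Expected = 1; Type = 'DWord' }
    @{ Id = 'LSA-PPL'; Source = 'STIG item (assumed)';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL'; Expected = 1; Type = 'DWord' }
    @{ Id = 'WDIGEST-OFF'; Source = 'STIG item (assumed)';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Expected = 0; Type = 'DWord' }
)

function Test-ConfigDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [array] $Baseline,
        [switch] $Remediate,
        # Assumed log location; point this at whatever your SIEM/RMM collects.
        [string] $LogPath = "$env:ProgramData\ConfigDrift\drift.log"
    )
    $logDir = Split-Path -Path $LogPath -Parent
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir -Force | Out-Null }

    foreach ($item in $Baseline) {
        # Read the current value; a missing key or value counts as non-compliant.
        $actual = $null
        if (Test-Path $item.Path) {
            $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        $compliant = ($null -ne $actual) -and ($actual -eq $item.Expected)

        $action = 'none'
        if (-not $compliant -and $Remediate) {
            # Self-heal: recreate the key if needed and force the documented value back.
            if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            Set-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Expected -Type $item.Type
            $action = 'remediated'
        }

        $record = [pscustomobject]@{
            Timestamp = (Get-Date).ToString('o')
            Host      = $env:COMPUTERNAME
            Id        = $item.Id
            Source    = $item.Source
            Expected  = $item.Expected
            Actual    = $actual
            Compliant = $compliant
            Action    = $action
        }
        # One JSON line per setting per run: this is the evidence an assessor asks for.
        $record | ConvertTo-Json -Compress | Add-Content -Path $LogPath
        $record
    }
}

# Report-only run (what an assessor can watch you do on a sampled host):
Test-ConfigDrift -Baseline $Baseline |
    Format-Table Id, Expected, Actual, Compliant, Action -AutoSize

# Enforcing run, for the scheduled task / RMM job:
# Test-ConfigDrift -Baseline $Baseline -Remediate

# Some settings cannot be pushed from a script by design. Defender tamper protection
# is enforced by the EDR platform; here it is only verified, never set.
$tamperProtected = (Get-MpComputerStatus -ErrorAction SilentlyContinue).IsTamperProtected
"TamperProtection on $env:COMPUTERNAME : $tamperProtected"
```

Two design points worth noting. The script logs every check, not only the failures, so the audit trail shows the control was evaluated on a cadence rather than just the moments it broke. And the remediation is keyed to the same baseline object the report uses, so the "expected" value an assessor sees in evidence is by construction the value the automation enforces.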
🔍 Assessor Perspective: What We Look For
When evaluating this control during an assessment, we want three things:
- Source of Settings
  - Where did the configuration standard come from?
  - Is it documented, dated, and versioned?
- Evidence of Implementation
  - Screenshots or exports of GPOs, Intune policies, firewall configs
  - Confirmation the settings are in place on actual systems
- Proof of Enforcement
  - Are settings automatically reapplied or protected?
  - Can users/admins change them without going through formal processes?
🚫 Common failure: Settings applied once and never checked again.
✅ Best practice: Enforcement backed by audit logs and self-healing configs.
⚠️ Common Pitfalls
- Relying on GPOs without verifying scope or application (e.g., GPOs only reach domain-joined Windows devices, so non-domain mobile devices and BYOD are never covered, and a laptop that stays off the corporate network will not pick up new or changed GPOs until it next contacts a domain controller).
- No audit trail or tamper detection on security controls.
- Documentation refers to “standard hardening” but doesn’t link to actual settings.
🧩 Final Guidance
If someone can click "undo" on your security settings without formal review, you haven't enforced anything.
Enforcing configuration settings isn’t just good practice. It’s required to prevent misconfigurations, drift, and insider error.