Business Owner’s Guide to CMMC
Ep 7: Configuration Management
Watch episode 7 of our Business Owner’s Guide to CMMC series with Ben Scully (Avatara) and Dan Langley (Lupa Advisors), or read the transcript below. Stay tuned weekly for new episodes containing actionable insights and an overview of each CMMC domain.
Video Transcript:
BEN: Next in our Guide to CMMC, configuration management. Talk to me a little bit about this category.
DAN: Okay, configuration management. There are nine controls that we look at within this category. It’s all about, what is my base system that the user has? Are the right securities and privileges in place for that system? How much can they change? What don’t I want them to change? Can a user come in and, with a thumb drive, install software? What software do they have access to? It’s all about that configuration and, more importantly, it’s about change management.
BEN: Right. I think this is—if I can toot the Avatara message a little bit—this is a category where our starting point is a bit of a competitive advantage because we’re so focused. We’ve talked a little bit about centralization of the data and making it easier to secure, but the fact that we just drive standardization, right? Standardization around server build, standardization around desktop app setup, the VPN setup. Everything being done the same way makes it easier to document what you’re doing, but also secure. And then, one of the things that, when you have a secure environment, can be a little bit annoying as a user is that you can’t just go in and have user-based admin access and install software. You have to have processes in place to say, okay, is this software that should be implemented on my environment? And, if so, do I have it documented so I know where it is? That’s just good business practice anyway, to know your enterprise software list and who has it. But it’s even more critical from a security standpoint, so people aren’t walking into the organization and downloading a Trojan or whatever it may be. So, you have to have those things in place.
DAN: Also, if I know what I have, I know what I need to patch.
BEN: That’s true.
DAN: That’s back to the very beginning. If a security vulnerability has been released in ABC software, I know about it and I can apply that patch, so I’m not exposed.
BEN: Right. And you would never know if a user was able to just go in and install software.
DAN: Exactly.
BEN: Great, thank you.