Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

Control and monitor user-installed software.

Establish and enforce security configuration settings for information technology products employed in organizational systems

Track, review, approve, or disapprove, and log changes to organizational systems.

Analyze the security impact of changes prior to implementation.

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.