validated and refreshed on a regular basis (such as every six months) to update their security configuration in light of recent vulnerabilities and attack vectors. The master images themselves must be stored on securely configured servers, with integrity checking tools and change management to ensure only authorized changes to the images are possible.
QW: Change factory default settings on hardware and software and implement network hardening procedures. This would typically include removal of unnecessary usernames and logins, as well as the disabling or removal of unnecessary services. Such hardening also involves, among other measures, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and deploying firewalls.
QW: At least once per month, run assessment programs on a varying random sample of systems to measure the number that are and are not configured according to the secure configuration guidelines. Provide senior executives with charts showing the number of systems that match configuration guidelines versus those that do not match, illustrating the change of such numbers month by month for each organizational unit.
Vis/Attrib: Implement and test a vulnerability monitoring system to ensure it measures all secure configuration elements that can be measured through remote testing, using features such as those included with SCAP to gather configuration vulnerability information. Provide senior executives with charts showing the number of vulnerabilities identified, separated out for comparison based on organizational units.
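The monthly compliance tally described in the two items above, as an added example that is not part of the original document: it reads the per-host results of an SCAP scan (assumed here to be XCCDF 1.2 TestResult documents), decides whether each host matches the guideline, and counts matching versus non-matching hosts per organizational unit. The rule ids, host names and unit mapping are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace (the SCAP checklist language the text names).
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Result values meaning the rule was not actually evaluated on this host.
NOT_EVALUATED = {"notapplicable", "notselected", "notchecked", "informational"}

def rule_results(xccdf_xml: str) -> dict:
    """Map each rule id in an XCCDF TestResult to its result string."""
    root = ET.fromstring(xccdf_xml)
    out = {}
    for rr in root.iter("{%s}rule-result" % NS["x"]):
        res = rr.find("x:result", NS)
        if res is not None and res.text:
            out[rr.get("idref")] = res.text.strip()
    return out

def host_compliant(results: dict) -> bool:
    """A host matches the guideline only if every evaluated rule passed or was fixed."""
    evaluated = {k: v for k, v in results.items() if v not in NOT_EVALUATED}
    return bool(evaluated) and all(v in ("pass", "fixed") for v in evaluated.values())

def compliance_by_unit(host_reports: dict, host_unit: dict) -> dict:
    """Count compliant and non-compliant hosts per organizational unit."""
    tally = {}
    for host, xml in host_reports.items():
        c = tally.setdefault(host_unit[host], Counter())
        c["compliant" if host_compliant(rule_results(xml)) else "noncompliant"] += 1
    return {unit: dict(c) for unit, c in tally.items()}

def _report(rules: dict) -> str:
    # Build a minimal, constructed TestResult; real scanner output carries far more.
    body = "".join('<rule-result idref="%s"><result>%s</result></rule-result>' % (r, v)
                   for r, v in rules.items())
    return '<TestResult xmlns="%s" id="xccdf_example_testresult_1">%s</TestResult>' % (NS["x"], body)

# Constructed sample: three hosts in two units, one with a failing hardening check.
SAMPLE_REPORTS = {
    "web01": _report({"rule_no_default_accounts": "pass", "rule_telnet_disabled": "pass",
                      "rule_ipv6_hardening": "notapplicable"}),
    "web02": _report({"rule_no_default_accounts": "pass", "rule_telnet_disabled": "fail"}),
    "db01": _report({"rule_no_default_accounts": "fixed", "rule_telnet_disabled": "pass"}),
}
SAMPLE_UNITS = {"web01": "ops", "web02": "ops", "db01": "dba"}

if __name__ == "__main__":
    print(compliance_by_unit(SAMPLE_REPORTS, SAMPLE_UNITS))
```

Running the same tally each month over a fresh random sample of hosts gives the per-unit trend the text asks to chart for senior executives.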
Procedures and tools for implementing this control:
Organizations can implement this control using commercial and/or free vulnerability scanning tools that evaluate the security configuration of machines and software. Some have also found commercial services using remotely managed scanning appliances to be effective. To help standardize the definitions of discovered vulnerabilities across multiple departments of an agency, or even across agencies, it is preferable to use vulnerability scanning tools that measure security flaws and map them to vulnerabilities and issues categorized using one or more of the following industry-recognized vulnerability, configuration, and platform classification schemes and languages: CVE, CCE, OVAL, CPE, CVSS, and/or XCCDF. In addition, recent changes in licensing associated with popular free vulnerability scanners require users to pay for certain