The intended audience includes information resource owners and custodians; and pertains to information resources considered moderate or high impact.

The information resource owner, or designee, shall:

• 1.1

  Establish mandatory configuration settings for components employed within the information resource;

• 1.2

  Configure security settings of information resource components to the most restrictive mode consistent with operational requirements;

• 1.3

  Document the configuration settings; and

• 1.4

  Enforce the configuration settings in all components of the information resource.