:

5.1: Establish Secure Configurations

Sub-control 5.1 states that you must maintain documented security configuration standards for all authorized operating systems and software.

Asset Type	Security Function	Implementation Groups
Applications	Protect	1, 2, 3

Dependencies

Sub-control 2.1: Maintain Inventory of Authorized Software

Inputs

Authorized Software List: The list of authorized software. This can be pulled from sub-control 2.1.
Security Configuration Standards: The list of enterprise security configuration standards.

Assumptions

Documentation of secure configuration standards should include any approved deviations/exceptions from industry-standard security baselines such as CIS benchmarks, DISA Security Technical Implementation Guides (STIGs), or U.S. government configuration baselines (USGCB).

Operations

Perform a calculation to compute the intersection (M1) of I1 and I2.

Measures

Measure	Definition
M1 = List of authorized software with security configuration standards	A list of all the software/applications the organization has, including operating systems, that have associated enterprise security configuration standards.
M2 = Count of items in M1	A count of the total number of items in M1.
M3 = List of authorized software with security configuration standards	A list of all the software/applications the organization has, including operating systems, that do not have associated enterprise security configuration standards.
M4 = Count of items in M3	A count of the total number of items in M3.
M5 = List of security configuration standards without associated software	A list of all the enterprise security configuration standards that do not have installed applications/software or operating systems within the organization.
M6 = Count of items in M5	A count of the total number of items in M5.
M7 = List of authorized software	A list of authorized applications/software and operating systems.
M8 = Count of items in M7	A count of the total number of items in M7.

Metrics

Security Configuration Standards Coverage

Metric	Calculation
The percentage of the total OS/Software in an enterprise that have security configuration standards documented and maintained.	(M8 - M4) / M8

Copyright © 2025 Tenable, Inc. All rights reserved. Tenable, Tenable Nessus, Tenable Lumin, Assure, and the Tenable logo are registered trademarks of Tenable, Inc. or its affiliates. All other products or services are trademarks of their respective owners.