NIST CSF 2.0 - Protect

PR.PS-01: Configuration Management

PR.PS-01 requires organizations to ensure that configuration management practices are established and applied. This NIST CSF 2.0 control falls under the Protect (PR) function and the Platform Security category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: PR.PS-01
Title: Configuration Management
Function: Protect (PR)
Category: Platform Security
Framework: NIST CSF 2.0

Configuration management practices are established and applied.

In practice, the organization defines secure baseline configurations for hardware and software and enforces those configurations through automated tools, so that deviations from the baseline are detected and corrected rather than discovered by an attacker.

Why This Matters

Default and misconfigured systems are among the most common attack vectors. Consistent secure configurations eliminate known weaknesses before attackers can exploit them.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of PR.PS-01.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with PR.PS-01 during an audit.

  • Secure baseline configuration documents or CIS Benchmark adoption records
  • Configuration management tool deployment evidence
  • Configuration compliance scan reports showing drift detection
  • Change management records for configuration changes
  • Exception documentation with risk acceptance sign-off

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with PR.PS-01.

  • Secure baselines are defined but never enforced through automated scanning
  • Cloud resources are provisioned without applying hardening standards
  • Configuration changes bypass the change management process during emergencies and are never reconciled
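The first gap above (baselines defined but never enforced through automated scanning) and the control's own requirement to enforce baselines through automated tools both come down to the same mechanism: compare each system's live settings against the documented baseline and surface every deviation that is not covered by a signed-off exception. The following is an added illustration written for this page, not code from Sherlock Forensics or from any configuration management product. The baseline, the per-host sshd_config-style settings, the hostnames and the exception reference are all constructed sample data.

```python
"""Baseline drift detection: compare each host's live settings against a
documented secure baseline and report deviations that have no approved,
risk-accepted exception. Baseline, host configs and the exception register
below are constructed sample data, not real systems."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed secure baseline: setting name -> required value.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed per-host settings in sshd_config "Key value" style.
HOST_CONFIGS: Dict[str, str] = {
    "web-01": "PermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\nMaxAuthTries 4\n",
    "db-01": "PermitRootLogin yes\nPasswordAuthentication no\n# X11Forwarding omitted on purpose\nMaxAuthTries 6\n",
    "jump-01": "PermitRootLogin no\nPasswordAuthentication yes\nX11Forwarding no\nMaxAuthTries 4\n",
}

# Constructed exception register: (host, setting) -> risk acceptance reference.
# Only deviations listed here count as approved drift.
EXCEPTIONS: Dict[Tuple[str, str], str] = {
    ("jump-01", "PasswordAuthentication"): "RA-EXAMPLE-017 (signed risk acceptance, placeholder id)",
}


@dataclass
class DriftFinding:
    host: str
    setting: str
    expected: str
    actual: Optional[str]            # None when the setting is absent from the host config
    exception: Optional[str] = None  # risk acceptance reference, if one exists


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines; blank lines and '#' comments are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def detect_drift(host: str, config_text: str,
                 baseline: Dict[str, str] = BASELINE,
                 exceptions: Dict[Tuple[str, str], str] = EXCEPTIONS) -> List[DriftFinding]:
    """Return every baseline setting the host violates, including missing ones."""
    actual = parse_config(config_text)
    findings: List[DriftFinding] = []
    for setting, expected in baseline.items():
        value = actual.get(setting)  # a missing setting is drift, not a pass
        if value != expected:
            findings.append(DriftFinding(host, setting, expected, value,
                                         exceptions.get((host, setting))))
    return findings


def unapproved_drift(host_configs: Dict[str, str] = HOST_CONFIGS,
                     baseline: Dict[str, str] = BASELINE,
                     exceptions: Dict[Tuple[str, str], str] = EXCEPTIONS) -> Dict[str, List[DriftFinding]]:
    """Findings with no risk-accepted exception, keyed by host; this is the audit-relevant list."""
    result: Dict[str, List[DriftFinding]] = {}
    for host, text in host_configs.items():
        findings = [f for f in detect_drift(host, text, baseline, exceptions) if f.exception is None]
        if findings:
            result[host] = findings
    return result


if __name__ == "__main__":
    for host, findings in unapproved_drift().items():
        for f in findings:
            print(f"{host}: {f.setting} expected {f.expected!r}, found {f.actual!r}")
```

Two design points matter for the audit evidence listed earlier. A setting that is absent from a host is reported as drift rather than silently passing, which is how hardening standards usually fail on freshly provisioned cloud resources. And an approved deviation is only excluded when it is recorded in the exception register with a risk acceptance reference, so the scan report and the exception documentation reconcile with each other.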

FAQ

What does PR.PS-01 require?
PR.PS-01 (Configuration Management) requires that configuration management practices are established and applied. The organization defines secure baseline configurations for hardware and software and enforces those configurations through automated tools. This control is part of the NIST CSF 2.0 Protect function under the Platform Security category.
How do I prove compliance with PR.PS-01?
To demonstrate compliance with PR.PS-01, prepare the following evidence: Secure baseline configuration documents or CIS Benchmark adoption records; Configuration management tool deployment evidence; Configuration compliance scan reports showing drift detection. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.
