
Episode 6 Configuration Settings (CM-6)

1.0K views· 226 likes· 11:32· Jun 29, 2024


In this sixth episode of the NIST SP 800-53 security control explanations for CM, we reviewed CM-6 Configuration Settings, simplifying what the control requirements are all about and how best to assess/test this control.
Computer Security Resource Center: https://csrc.nist.gov/publications
The free way to help the channel grow is by subscribing using the link below: https://www.youtube.com/c/KamilSec?su...
Patreon & Channel Support: https://www.patreon.com/kamilSec?fan_landing=true
Order your KamilSec (KS) Designs Merch: https://kamilsec.creator-spring.com/
Buy me a coffee if you appreciate my work: https://buymeacoffee.com/kamilsec
CashApp: $Kamilzak
Zelle: kaamilzak@gmail.com
PayPal: https://paypal.me/MZakari
Thank you!!!
I also conduct individualized resume and interview prep sessions.
Connect with me on social media:
Twitter: https://twitter.com/Kamilzak_1
Instagram: @Kamilzak1
E-mail: Kaamilzak@gmail.com

About This Video

In this episode of my Configuration Management explanatory series, I break down NIST SP 800-53 CM-6 (Configuration Settings) and simplify what the control is really asking you to do. The core requirement is straightforward: the organization must establish, document, and enforce secure configuration settings for its system components, using the most restrictive settings that still meet operational requirements. I also call out the common secure configuration baselines you will see in real environments, such as USGCB, CIS Benchmarks, and DISA STIGs, and why they matter when you are building your own configuration baseline.

I walk through the four CM-6 requirements in Rev. 5: (a) establish and document configuration settings based on common secure configurations, (b) implement them, (c) identify, document, and approve any deviations, and (d) monitor and control changes to the settings. I am very clear on deviations: if a team cannot implement a benchmark or hardening step, that is not "hand-waving"; the deviation must be documented with a rationale and approved on the basis of operational requirements, otherwise it is simply a misconfiguration.

Finally, I explain how to assess/test CM-6: review the configuration management policy and procedures, interview key personnel (including the Change Control Board, or CCB), examine the documented baseline settings, validate that every deviation has a recorded rationale and approval, and evaluate the continuous monitoring mechanisms, which in practice means automated scanning that compares the live configuration against the baseline to detect misconfigurations and unauthorized changes.
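To make the assessment step concrete, here is an added example (not code from the video, KamilSec, or NIST) of the kind of automated baseline check an assessor or a continuous-monitoring job would run for CM-6. It is written in Python and all inputs are constructed for illustration: a small sshd_config baseline standing in for a CIS/STIG-derived common secure configuration, an approved-deviation register, and a sshd_config captured from a hypothetical host. The check classifies every baseline setting as compliant, covered by a live approval, covered only by an expired approval, an unauthorized deviation, or not set at all; a register entry without a rationale, an approver, and an expiry is deliberately not treated as an approval.

```python
"""
Baseline drift check in the spirit of CM-6 (c) and (d).

Added example; all inputs are constructed. The sshd_config directive
names are real, the values, hostnames and ticket numbers are invented.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Documented secure settings (constructed, CIS/STIG-style subset).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "ClientAliveInterval": "300",
    "LogLevel": "VERBOSE",
}

# Approved-deviation register (constructed). An entry only counts as an
# approval if it carries a rationale, an approver and an expiry date.
DEVIATIONS = [
    {"setting": "PasswordAuthentication", "value": "yes",
     "rationale": "legacy backup agent cannot use key auth (ticket CM-2024-017)",
     "approver": "CCB", "expires": date(2025, 6, 30)},
    {"setting": "MaxAuthTries", "value": "6",
     "rationale": "helpdesk lockout volume", "approver": "CCB",
     "expires": date(2024, 3, 31)},                      # lapsed approval
    {"setting": "PermitRootLogin", "value": "yes",
     "rationale": "root cron jobs", "approver": "", "expires": None},  # hand-waving
]

# sshd_config captured from the assessed host (constructed sample).
CURRENT_CONFIG = """\
# /etc/ssh/sshd_config from host web-01
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
ClientAliveInterval 300
LogLevel VERBOSE
"""

REQUIRED_FIELDS = ("rationale", "approver", "expires")
FAILING = {"unauthorized_deviation", "expired_approval", "not_set"}


@dataclass
class Finding:
    setting: str
    expected: str
    actual: Optional[str]
    status: str
    note: str = ""


def parse_sshd_config(text: str) -> dict:
    """Parse 'Keyword value' lines into {keyword_lower: value}.

    sshd applies the first occurrence of a keyword, so the parser keeps the
    same rule and the check sees what sshd actually enforces. Keywords are
    case-insensitive; comment and blank lines are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)  # first occurrence wins
    return settings


def missing_fields(entry: dict) -> list:
    """Fields an approval record must carry but this entry lacks."""
    return [f for f in REQUIRED_FIELDS if not entry.get(f)]


def assess(baseline: dict, deviations: list, current: dict, today: date) -> list:
    """Compare each baseline setting with the host, honouring only complete,
    unexpired approvals whose approved value matches what is configured."""
    approvals = {d["setting"].lower(): d for d in deviations if not missing_fields(d)}
    findings = []
    for setting, expected in baseline.items():
        actual = current.get(setting.lower())
        if actual is None:
            findings.append(Finding(setting, expected, None, "not_set",
                                    "baseline requires an explicit value"))
        elif actual.lower() == expected.lower():
            findings.append(Finding(setting, expected, actual, "compliant"))
        else:
            dev = approvals.get(setting.lower())
            if dev is None or dev["value"].lower() != actual.lower():
                findings.append(Finding(setting, expected, actual, "unauthorized_deviation",
                                        "no complete approval covers this value"))
            elif dev["expires"] < today:
                findings.append(Finding(setting, expected, actual, "expired_approval",
                                        f"{dev['approver']} approval lapsed {dev['expires']}"))
            else:
                findings.append(Finding(setting, expected, actual, "approved_deviation",
                                        f"{dev['approver']}: {dev['rationale']}"))
    return findings


def passes(findings: list) -> bool:
    """True only when every setting is compliant or covered by a live approval."""
    return not any(f.status in FAILING for f in findings)


if __name__ == "__main__":
    results = assess(BASELINE, DEVIATIONS, parse_sshd_config(CURRENT_CONFIG), date(2024, 6, 29))
    for f in results:
        print(f"{f.setting:24} expected={f.expected:8} actual={f.actual!s:8} {f.status}  {f.note}")
    print("CM-6 check:", "PASS" if passes(results) else "FAIL")
```

On the sample host this reports PermitRootLogin as an unauthorized deviation (the register entry has no approver or expiry, so it is not an approval), PasswordAuthentication as an approved deviation, MaxAuthTries as an expired approval, X11Forwarding as not set, and the remaining two settings as compliant, so the host fails. The same structure applies to any baseline format: the point is that the scanner consumes the documented baseline and the approval register, not a hand-maintained exception list.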
