Your systems are hardened to a defined secure baseline — and it's enforced.
What it actually means
Having a baseline (3.4.1) isn't enough — you have to enforce hardened security settings on the products you use. In practice that's applying a recognized hardening standard (CIS Benchmarks / DISA STIGs) through group policy, Intune, or your config-management tooling, and keeping machines in that state.
Pass or fail — an assessor needs a "yes" to each
- Security configuration settings are defined (e.g., CIS/STIG-based).
- They're enforced via GPO/Intune/config management, not set by hand.
- Drift from the hardened state is detected/corrected.
What to have ready
- Hardening standard + the enforced policy (GPO/Intune profiles)
- Compliance/drift reports
- Mapping to CIS or STIG where used
Where teams trip up
- Default, out-of-the-box configurations
- A baseline document that isn't actually enforced
- Settings applied once, then drift over time
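As an added illustration (not part of the original page), the drift check below evaluates a constructed host export against a small CIS-style baseline and reports what fails, what is missing, and what has newly drifted since the last known-good export. The setting names, thresholds and snapshots are assumptions modelled on common benchmark phrasing, not values this page gives.

```python
from dataclasses import dataclass
from typing import Any, Callable

@dataclass(frozen=True)
class Rule:
    setting: str                  # setting name as exported from the host (constructed)
    requirement: str              # the requirement, phrased the way benchmarks phrase it
    check: Callable[[Any], bool]  # True when the observed value meets the requirement

# Constructed baseline modelled on CIS-style account-policy and NTLM items (assumed values).
BASELINE = [
    Rule("PasswordHistorySize", "24 or more", lambda v: v >= 24),
    Rule("MinimumPasswordLength", "14 or more", lambda v: v >= 14),
    Rule("LockoutBadCount", "5 or fewer, but not 0", lambda v: 0 < v <= 5),
    Rule("LmCompatibilityLevel", "5 (NTLMv2 only; refuse LM and NTLM)", lambda v: v == 5),
    Rule("NoLMHash", "1 (do not store the LM hash)", lambda v: v == 1),
]

def check_host(state: dict[str, Any], baseline: list[Rule] = BASELINE) -> list[dict]:
    """One finding per failed rule. A setting absent from the export is also a
    finding: a setting you cannot observe cannot be called enforced (fail closed)."""
    findings = []
    for rule in baseline:
        present = rule.setting in state
        if present and rule.check(state[rule.setting]):
            continue
        findings.append({"setting": rule.setting, "status": "drift" if present else "missing",
                         "expected": rule.requirement, "actual": state.get(rule.setting)})
    return findings

def new_drift(previous: dict[str, Any], current: dict[str, Any]) -> list[str]:
    """Settings that passed last time and fail now: the delta a drift alert should fire on."""
    failed_before = {f["setting"] for f in check_host(previous)}
    failed_now = {f["setting"] for f in check_host(current)}
    return sorted(failed_now - failed_before)

def format_report(host: str, findings: list[dict]) -> str:
    """Plain-text drift report, one line per finding, usable as assessor evidence."""
    if not findings:
        return f"{host}: compliant with baseline"
    lines = [f"{host}: {len(findings)} finding(s)"] + [
        f"  [{f['status']}] {f['setting']}: expected {f['expected']}, got {f['actual']!r}"
        for f in findings]
    return "\n".join(lines)

# Constructed snapshots of one host: the last known-good export and today's export.
LAST_GOOD = {"PasswordHistorySize": 24, "MinimumPasswordLength": 14,
             "LockoutBadCount": 5, "LmCompatibilityLevel": 5, "NoLMHash": 1}
TODAY = {"PasswordHistorySize": 24, "MinimumPasswordLength": 8,
         "LockoutBadCount": 0, "LmCompatibilityLevel": 5}   # NoLMHash missing from export
```

Running `format_report("ws01", check_host(TODAY))` lists the three findings; `new_drift(LAST_GOOD, TODAY)` names the settings that were compliant at the previous check and are not now, which is the signal a scheduled drift job should alert or remediate on.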