Establishes and maintains baseline configurations and inventories for OCSI systems — covering 9 controls per NIST SP 800-171 Rev 2.
OCSI shall establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles. Configuration changes shall be controlled, tracked, and reviewed.
| Control | Requirement | Implementation | Status |
|---|---|---|---|
| 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems | System baseline documented: HTML5/CSS3/Vanilla JS web application hosted on GoDaddy. Asset inventory maintained including all deployed files, CDN dependencies (Google Fonts, FontAwesome), and server configuration. | Implemented |
| 3.4.2 | Establish and enforce security configuration settings for IT products | Security configurations enforced via: .htaccess security headers, CSP meta tags, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy, and Permissions-Policy restrictions. | Implemented |
| 3.4.3 | Track, review, approve, or disapprove, and log changes to organizational systems | PARTIAL. Deployment script (deploy-godaddy.cjs) tracks files uploaded. However, no formal change management process exists — no approval workflow, no pre-deployment security review, and audit logging of deployments is not centralized. | Partial |
| 3.4.4 | Analyze the security impact of changes prior to implementation | NOT IMPLEMENTED. No formal security impact analysis process exists. No external MSSP has been engaged for change reviews. Code changes are not security-reviewed before deployment. | Not Implemented |
| 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes | FTP deployment credentials restricted to authorized personnel only. Deployment requires explicit .env configuration. Public access to CUI-containing systems requires authentication. | Implemented |
| 3.4.6 | Employ the principle of least functionality by configuring systems to provide only essential capabilities | Web application serves only required functionality: public marketing site + authenticated Command Center. No unnecessary services, debug endpoints, or admin panels exposed. .htaccess restricts directory browsing. | Implemented |
| 3.4.7 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services | Application uses only HTTPS (port 443). No server-side scripting engines exposed. External resource loading restricted via CSP. Permissions-Policy disables camera, microphone, and geolocation APIs. | Implemented |
| 3.4.8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software, or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software | CSP enforces a deny-all, permit-by-exception allowlist for scripts, styles, and fonts. Only explicitly permitted CDN sources (Google Fonts, FontAwesome) are allowed; all other external sources are blocked by default. | Implemented |
| 3.4.9 | Control and monitor user-installed software | Web application does not allow user-installed software or extensions. All functionality is server-delivered. Browser extension impact mitigated by CSP restrictions. | Implemented |
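The 3.4.2, 3.4.7 and 3.4.8 rows above describe a baseline that can be checked mechanically after each deployment. The following script is an added example, not part of the OCSI plan or its deploy-godaddy.cjs script; it compares a set of response headers and the CSP string (from the header or the meta tag) against that documented baseline. The CDN hostnames and the set of values accepted as a "strict" Referrer-Policy are assumptions.

```python
EXPECTED_HEADERS = {"x-frame-options": "DENY", "x-content-type-options": "nosniff"}  # 3.4.2
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}  # assumed "strict" set
DISABLED_FEATURES = ("camera", "microphone", "geolocation")  # disabled by the 3.4.7 Permissions-Policy
# 3.4.8 CSP allowlist. Hostnames are assumptions; the page names only the providers.
CSP_ALLOWLIST = {
    "script-src": {"'self'"},
    "style-src": {"'self'", "https://fonts.googleapis.com", "https://cdnjs.cloudflare.com"},
    "font-src": {"'self'", "https://fonts.gstatic.com", "https://cdnjs.cloudflare.com"},
}

def parse_csp(policy: str) -> dict[str, set]:
    """Split 'directive src src; directive src' into {directive: {sources}}."""
    parsed = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            parsed[parts[0].lower()] = set(parts[1:])
    return parsed

def parse_permissions_policy(value: str) -> dict[str, str]:
    """Split 'camera=(), geolocation=(self)' into {feature: allowlist}."""
    parsed = {}
    for item in value.split(","):
        name, _, allow = item.strip().partition("=")
        parsed[name.strip()] = allow.strip()
    return parsed

def check_baseline(headers: dict[str, str], csp: str) -> list[str]:
    """Return deviations from the documented baseline; an empty list means compliant."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        if h.get(name, "").lower() != expected.lower():
            findings.append(f"{name}: expected {expected!r}, got {h.get(name)!r}")
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        findings.append(f"referrer-policy: not strict ({h.get('referrer-policy')!r})")
    permissions = parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in DISABLED_FEATURES:
        if permissions.get(feature) != "()":  # "()" is an empty allowlist, i.e. disabled everywhere
            findings.append(f"permissions-policy: {feature} not disabled ({permissions.get(feature)!r})")
    parsed_csp = parse_csp(csp)
    for directive, allowed in CSP_ALLOWLIST.items():
        sources = parsed_csp.get(directive, parsed_csp.get("default-src"))  # CSP fallback rule
        if sources is None:
            findings.append(f"csp: {directive} missing and no default-src fallback")
        elif sources - allowed:
            findings.append(f"csp: {directive} allows undocumented sources {sorted(sources - allowed)}")
    return findings
```
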
| Component | Version/Detail | Purpose |
|---|---|---|
| Web Server | Apache (GoDaddy Shared Hosting) | Production hosting |
| Application | HTML5 / CSS3 / Vanilla JS | Website + Command Center |
| Google Fonts | Inter, Plus Jakarta Sans | Typography (styling only) |
| FontAwesome | 6.5.1 (CDN) | Icons (styling only) |
| Deployment | Node.js FTP (basic-ftp) | Secure file transfer |