The US Government Configuration Baselines (USGCB) are not particularly relevant anymore. Only a handful of technologies were ever addressed, and those are out of date (e.g., Windows XP, Windows Vista, Windows 7, RHEL 5 desktop, and IE 7/8). Therefore, CSPs can safely ignore the FedRAMP-defined parameter for CM-6 (a) that requires the use of USGCB as the foundation of configuration baselines. Instead, organizations should follow the “Additional FedRAMP Requirements” and leverage the Center for Internet Security (CIS) Level 1 guidance. For system components and technologies that don’t have a CIS guide, organizations should use NIST’s National Checklist Program Repository to find another generally acceptable configuration hardening guide. If needed, organizations can also use guidance from the vendor and product user groups as a reference to define a customized list of configuration settings that meets the requirement of CM-6, namely that the settings “reflect the most restrictive mode consistent with operational requirements.”