In the CMMC world, Configuration Management begins with knowing what you have and how it should look. CM.L2-3.4.1 is foundational—and if you can’t meet this, the rest of the domain is going to fall apart quickly.
As both an Authorized C3PAO and a Level 2 Certified MSP, we see this control misinterpreted as “just have a spreadsheet of assets.” That’s not even close to sufficient.
🔐 CONTROL:
CM.L2-3.4.1 – Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
✅ Assessment Objectives (per CMMC Assessment Guide):
- Baselines are defined for system types (e.g., laptops, servers, firewalls).
- Inventories exist for hardware, software, firmware, and related documentation.
- Baselines and inventories are maintained throughout the SDLC, not produced as a one-time exercise.
🛠️ MSP Perspective: How to Implement It
- Define baseline configurations for each major system type. Use CIS Benchmarks, Microsoft Security Baselines, or vendor guidance.
- Automate inventories using RMM tools, CMDBs, or asset management platforms. At a minimum, track:
  - Serial numbers
  - System type
  - Operating system
  - Software packages
  - Firmware versions
  - Network roles (e.g., DNS server, file server)
- Tie your configuration management system into onboarding/offboarding, provisioning, and patching workflows to reflect lifecycle stages.
- Maintain version-controlled documentation for all configuration baselines and associated changes.
⚙️ Tip: A SharePoint library, Git repo, or configuration database works well for storing baseline templates and change logs.
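As an added illustration (not code from the original post), the following Python check turns the implementation steps above into an automated audit: every inventory record must carry the minimum fields, match the baseline version and settings defined for its system type, and have been verified recently; retired systems stay in the inventory but are not drift-checked. The baselines, field names, sample records and the 30-day re-verification window are all constructed assumptions.

```python
"""Baseline/inventory check for CM.L2-3.4.1. Constructed example; settings are not a CIS export."""
from datetime import date

BASELINES = {  # constructed, keyed by system type; illustrative settings only
    "laptop": {"id": "WIN10-CIS-L1", "version": "1.3",
               "settings": {"bitlocker": "on", "firewall": "on", "smbv1": "disabled"}},
    "server": {"id": "SRV-CIS-L1", "version": "2.0",
               "settings": {"rdp_nla": "on", "smbv1": "disabled"}},
}
# Minimum inventory fields from the post, plus lifecycle and verification tracking.
REQUIRED = ("serial", "type", "os", "software", "firmware", "role", "lifecycle", "last_verified")
MAX_AGE_DAYS = 30  # assumed re-verification window

def check_asset(asset, today):
    """Return findings for one inventory record; an empty list means compliant and current."""
    findings = [f"missing field: {f}" for f in REQUIRED if f not in asset]
    if asset.get("lifecycle") == "retired":
        return findings  # retired systems stay in the inventory but are not drift-checked
    baseline = BASELINES.get(asset.get("type"))
    if baseline is None:
        findings.append(f"no baseline defined for system type {asset.get('type')!r}")
    else:
        if asset.get("baseline_version") != baseline["version"]:
            findings.append(f"baseline version {asset.get('baseline_version')!r} != {baseline['version']}")
        for key, want in baseline["settings"].items():
            got = asset.get("config", {}).get(key)
            if got != want:
                findings.append(f"drift: {key}={got!r}, {baseline['id']} requires {want!r}")
    last = asset.get("last_verified")
    if last and (today - date.fromisoformat(last)).days > MAX_AGE_DAYS:
        findings.append(f"stale: last verified {last}")
    return findings

def audit(inventory, today=date(2024, 6, 1)):
    """Map each serial number to its findings."""
    return {a.get("serial", "?"): check_asset(a, today) for a in inventory}

# Constructed inventory export: one compliant laptop, one drifted and stale server, one retired laptop.
SAMPLE = [
    {"serial": "LT-001", "type": "laptop", "os": "Windows 10 22H2", "software": ["Office"],
     "firmware": "1.12", "role": "user endpoint", "lifecycle": "in_service",
     "last_verified": "2024-05-20", "baseline_version": "1.3",
     "config": {"bitlocker": "on", "firewall": "on", "smbv1": "disabled"}},
    {"serial": "SRV-07", "type": "server", "os": "Windows Server 2019", "software": ["DNS"],
     "role": "DNS server", "lifecycle": "in_service", "last_verified": "2024-03-01",
     "baseline_version": "1.9", "config": {"rdp_nla": "on", "smbv1": "enabled"}},
    {"serial": "LT-099", "type": "laptop", "os": "Windows 10", "software": [], "firmware": "1.10",
     "role": "user endpoint", "lifecycle": "retired", "last_verified": "2024-01-15"},
]
```

Running `audit(SAMPLE)` returns an empty finding list for LT-001 and LT-099 and four findings for SRV-07 (missing firmware, outdated baseline version, SMBv1 drift, stale verification), which is the kind of evidence an assessor asks for when checking that baselines are actually enforced and inventories maintained.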
🔍 Assessor Perspective: What We Look For
When assessing this control, we seek:
- Baseline documentation with clear security configurations tied to system roles.
- Asset inventories that include all in-scope systems—not just workstations.
- Lifecycle tracking: Can you show us how that asset was deployed, maintained, updated, and (eventually) retired or re-imaged?
- Objective evidence: Screenshots of CM tools, exports of inventories, version control histories, and procedures that link this all together.
🚫 A Word document that says “we use Windows 10” is not a baseline.
✅ A policy stating the required CIS Level 1 Windows 10 baseline, with version history and Intune enforcement proof, is.
🧠 Common Pitfalls
- “We have an inventory in Excel” but it’s not updated or tied to the configuration process.
- No written baseline configurations, or baselines that are never enforced.
- Failure to show lifecycle tracking—particularly for systems that were replaced or decommissioned.
🧩 Final Guidance
Treat this control as your source of truth for how systems should behave. Without it, how will you prove whether something is misconfigured, out of date, or exposed?
This isn’t just a checkbox; it’s your security backbone.