Skip to main content
Greypike's CMMC Knowledge Base

Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.

If you cannot find an answer then contact us or click the chat button on the lower right..

< All Topics
Print

Configuration Management (CM)

Configuration Management (CM) Requirements

Configuration Management contains 9 CMMC Level 2 requirements focused on how you set up, maintain, and change your systems. These controls ensure your systems stay secure over time and that changes do not introduce vulnerabilities.

Configuration Management means establishing and maintaining consistent, secure settings for your hardware, software, and network systems throughout their lifecycle.

Systems with inconsistent or insecure configurations create vulnerabilities attackers exploit. Configuration Management provides the discipline to prevent configuration drift and maintain security.

Why Configuration Management Matters for CMMC

The Department of Defense requires Configuration Management because systems protecting Controlled Unclassified Information (CUI) must be configured securely and stay that way.

CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.

Common security problems Configuration Management prevents:

  • Default passwords left unchanged
  • Unnecessary services running
  • Missing security settings
  • Uncontrolled changes are breaking security
  • Inconsistent configurations across similar systems
  • Unknown software installed

The 9 Configuration Management Requirements

CM.L2-3.4.1: System Baselining

“Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.”

A baseline configuration is your documented standard for how systems should be configured. This requirement means:

  • Document the approved configuration for each system type
  • Maintain an inventory of all hardware and software
  • Keep configurations and inventory current as changes occur

Baseline configuration is the documented, approved setup for a system that serves as the reference point for all future changes.

CM.L2-3.4.2: Security Configuration Enforcement

“Establish and enforce security configuration settings for information technology products employed in organizational systems.”

This requirement means actually implementing secure settings, not just documenting them:

  • Configure systems according to security best practices
  • Use security configuration guides (like CIS Benchmarks or STIGs)
  • Apply settings consistently across similar systems

STIG stands for Security Technical Implementation Guide—DoD-published configuration standards for various systems.

CIS Benchmarks are security configuration recommendations published by the Center for Internet Security.

CM.L2-3.4.3: System Change Control

“Track, review, approve or disapprove, and log changes to organizational systems.”

Changes to systems must follow a controlled process:

  • Request changes formally
  • Review changes for security impact before implementing
  • Approve or reject based on the review
  • Log all changes made

Uncontrolled changes are a major source of security problems and system outages.

CM.L2-3.4.4: Security Impact Analysis

“Analyze the security impact of changes before implementation.”

Before making changes, assess how they affect security:

  • Will this change open new network ports?
  • Does this change affect access controls?
  • Will this change disable security features?
  • What could go wrong?

Do not implement changes without understanding security implications.

CM.L2-3.4.5: Access Restrictions for Change

“Define, document, implement, and enforce physical and logical access restrictions associated with changes to organizational systems.”

Limit who can make changes to systems:

  • Restrict administrative access to authorized personnel
  • Require authentication before changes
  • Control physical access to systems
  • Document who has change authority

Not everyone should be able to modify system configurations.

CM.L2-3.4.6: Least Functionality

“Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.”

Systems should only run what they need to run:

  • Disable unnecessary services and features
  • Remove unused software
  • Turn off ports and protocols not required
  • Eliminate unnecessary user functions

Every enabled feature is a potential attack surface. Minimize what runs on your systems.

CM.L2-3.4.7: Nonessential Functionality Restriction

“Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.”

This requirement expands on the least functionality with specific actions:

  • Block unnecessary network ports at firewalls
  • Disable unneeded Windows features and services
  • Prevent installation of unauthorized software
  • Remove or disable default accounts

CM.L2-3.4.8: Application Execution Policy

“Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.”

Control what software can run on your systems:

  • Blacklisting: Block known bad software (minimum approach)
  • Whitelisting: Only allow approved software to run (stronger approach)

Whitelisting means only software on an approved list can execute. Blacklisting means any software can run except what is specifically blocked.

CM.L2-3.4.9: User-Installed Software Control

“Control and monitor user-installed software.”

Manage software installed by users:

  • Restrict users’ ability to install software
  • Approve software before installation
  • Monitor for unauthorized software
  • Remove unapproved installations

Uncontrolled software installation introduces malware and unauthorized applications.

Implementing Configuration Management

Create Baseline Configurations

Document standard configurations for each system type:

  • Workstations (by operating system)
  • Servers (by function)
  • Network devices
  • Mobile devices

Include specific settings: enabled/disabled services, security configurations, installed software, and network settings.

Use Security Configuration Guides

Leverage established security baselines:

  • CIS Benchmarks (free) for most systems
  • DISA STIGs (government standard) for DoD environments
  • Vendor security guides

These guides provide tested, secure configurations so you do not start from scratch.

Establish Change Control Process

Create a simple change management process:

  1. Request: Document what change is needed and why
  2. Review: Assess security and operational impact
  3. Approve: Authorized person approves or rejects
  4. Implement: Make the change
  5. Document: Record what was done and when
  6. Verify: Confirm change worked as expected

Maintain Inventory

Track all hardware and software:

  • Hardware: Computers, servers, network devices, mobile devices
  • Software: Operating systems, applications, versions
  • Update inventory when systems are added, removed, or changed

Automated inventory tools help maintain accurate records.

Restrict Software Installation

Configure systems to control software:

  • Remove local administrator rights from regular users
  • Use application control tools
  • Monitor for new software installations
  • Establish an approved software list

Common Configuration Management Mistakes

Mistake 1: No Documentation

Configurations exist only in administrators’ heads. Document baseline configurations and keep documentation current.

Mistake 2: Inconsistent Systems

Similar systems configured differently create security gaps and operational problems. Standardize configurations.

Mistake 3: Skipping Change Control

Making changes without review and approval eventually causes security incidents or outages. Follow your process.

Mistake 4: Default Settings

Leaving systems with default configurations (including default passwords) creates known vulnerabilities. Configure according to security baselines.

Key Takeaways

Configuration Management’s 9 requirements establish discipline around how systems are set up and changed. Create baseline configurations, implement secure settings, control changes, and minimize what runs on your systems.

Document your standard configurations, use established security baselines, implement change control processes, and maintain accurate inventory. These controls prevent configuration drift that degrades security over time.


Related Articles:

Official Sources: This article is based on NIST SP 800-171 Revision 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” specifically the Configuration Management family (Section 3.4), and the DoD CMMC Level 2 Assessment Guide.


Need help with Configuration Management for CMMC compliance? Contact Greypike for expert guidance on Level 1 and Level 2 certification, or get started with Obolix to streamline your compliance journey.

Table of Contents