Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.
If you cannot find an answer then contact us or click the chat button on the lower right..
-
Artificial Intelligence (AI)
-
CMMC Fundamentals
-
CMMC Levels & Requirements
-
The 14 Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- CMMC Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
-
Implementation Roadmaps
-
Industry-Specific Guides
-
CMMC Documentation & Evidence
-
SPRS & Self-Assessment
-
CMMC Costs & Budgeting
-
Technology & Tools
-
CMMC Training & Awareness
-
Policies & Procedures
- How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
- CMMC Policies and Procedures: What Documentation You Need
- How to Write a System Security Plan: The Owner's Guide to the One Document That Gates Everything
- Creating a Plan of Action and Milestones for CMMC
- Documenting Evidence for CMMC Assessment
-
Supply Chain & Third-Party Risk
-
Incident Response & Breach Reporting
-
Common Mistakes & Failures
-
Advanced Topics & Level 2
-
Updates & Regulatory Changes
Configuration Management (CM)
Configuration Management (CM) Requirements
Configuration Management contains 9 CMMC Level 2 requirements focused on how you set up, maintain, and change your systems. These controls ensure your systems stay secure over time and that changes do not introduce vulnerabilities.
Configuration Management means establishing and maintaining consistent, secure settings for your hardware, software, and network systems throughout their lifecycle.
Systems with inconsistent or insecure configurations create vulnerabilities attackers exploit. Configuration Management provides the discipline to prevent configuration drift and maintain security.
Why Configuration Management Matters for CMMC
The Department of Defense requires Configuration Management because systems protecting Controlled Unclassified Information (CUI) must be configured securely and stay that way.
CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.
Common security problems Configuration Management prevents:
- Default passwords left unchanged
- Unnecessary services running
- Missing security settings
- Uncontrolled changes are breaking security
- Inconsistent configurations across similar systems
- Unknown software installed
The 9 Configuration Management Requirements
CM.L2-3.4.1: System Baselining
“Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.”
A baseline configuration is your documented standard for how systems should be configured. This requirement means:
- Document the approved configuration for each system type
- Maintain an inventory of all hardware and software
- Keep configurations and inventory current as changes occur
Baseline configuration is the documented, approved setup for a system that serves as the reference point for all future changes.
CM.L2-3.4.2: Security Configuration Enforcement
“Establish and enforce security configuration settings for information technology products employed in organizational systems.”
This requirement means actually implementing secure settings, not just documenting them:
- Configure systems according to security best practices
- Use security configuration guides (like CIS Benchmarks or STIGs)
- Apply settings consistently across similar systems
STIG stands for Security Technical Implementation Guide—DoD-published configuration standards for various systems.
CIS Benchmarks are security configuration recommendations published by the Center for Internet Security.
CM.L2-3.4.3: System Change Control
“Track, review, approve or disapprove, and log changes to organizational systems.”
Changes to systems must follow a controlled process:
- Request changes formally
- Review changes for security impact before implementing
- Approve or reject based on the review
- Log all changes made
Uncontrolled changes are a major source of security problems and system outages.
CM.L2-3.4.4: Security Impact Analysis
“Analyze the security impact of changes before implementation.”
Before making changes, assess how they affect security:
- Will this change open new network ports?
- Does this change affect access controls?
- Will this change disable security features?
- What could go wrong?
Do not implement changes without understanding security implications.
CM.L2-3.4.5: Access Restrictions for Change
“Define, document, implement, and enforce physical and logical access restrictions associated with changes to organizational systems.”
Limit who can make changes to systems:
- Restrict administrative access to authorized personnel
- Require authentication before changes
- Control physical access to systems
- Document who has change authority
Not everyone should be able to modify system configurations.
CM.L2-3.4.6: Least Functionality
“Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.”
Systems should only run what they need to run:
- Disable unnecessary services and features
- Remove unused software
- Turn off ports and protocols not required
- Eliminate unnecessary user functions
Every enabled feature is a potential attack surface. Minimize what runs on your systems.
CM.L2-3.4.7: Nonessential Functionality Restriction
“Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.”
This requirement expands on the least functionality with specific actions:
- Block unnecessary network ports at firewalls
- Disable unneeded Windows features and services
- Prevent installation of unauthorized software
- Remove or disable default accounts
CM.L2-3.4.8: Application Execution Policy
“Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.”
Control what software can run on your systems:
- Blacklisting: Block known bad software (minimum approach)
- Whitelisting: Only allow approved software to run (stronger approach)
Whitelisting means only software on an approved list can execute. Blacklisting means any software can run except what is specifically blocked.
CM.L2-3.4.9: User-Installed Software Control
“Control and monitor user-installed software.”
Manage software installed by users:
- Restrict users’ ability to install software
- Approve software before installation
- Monitor for unauthorized software
- Remove unapproved installations
Uncontrolled software installation introduces malware and unauthorized applications.
Implementing Configuration Management
Create Baseline Configurations
Document standard configurations for each system type:
- Workstations (by operating system)
- Servers (by function)
- Network devices
- Mobile devices
Include specific settings: enabled/disabled services, security configurations, installed software, and network settings.
Use Security Configuration Guides
Leverage established security baselines:
- CIS Benchmarks (free) for most systems
- DISA STIGs (government standard) for DoD environments
- Vendor security guides
These guides provide tested, secure configurations so you do not start from scratch.
Establish Change Control Process
Create a simple change management process:
- Request: Document what change is needed and why
- Review: Assess security and operational impact
- Approve: Authorized person approves or rejects
- Implement: Make the change
- Document: Record what was done and when
- Verify: Confirm change worked as expected
Maintain Inventory
Track all hardware and software:
- Hardware: Computers, servers, network devices, mobile devices
- Software: Operating systems, applications, versions
- Update inventory when systems are added, removed, or changed
Automated inventory tools help maintain accurate records.
Restrict Software Installation
Configure systems to control software:
- Remove local administrator rights from regular users
- Use application control tools
- Monitor for new software installations
- Establish an approved software list
Common Configuration Management Mistakes
Mistake 1: No Documentation
Configurations exist only in administrators’ heads. Document baseline configurations and keep documentation current.
Mistake 2: Inconsistent Systems
Similar systems configured differently create security gaps and operational problems. Standardize configurations.
Mistake 3: Skipping Change Control
Making changes without review and approval eventually causes security incidents or outages. Follow your process.
Mistake 4: Default Settings
Leaving systems with default configurations (including default passwords) creates known vulnerabilities. Configure according to security baselines.
Key Takeaways
Configuration Management’s 9 requirements establish discipline around how systems are set up and changed. Create baseline configurations, implement secure settings, control changes, and minimize what runs on your systems.
Document your standard configurations, use established security baselines, implement change control processes, and maintain accurate inventory. These controls prevent configuration drift that degrades security over time.
Related Articles:
- What is CMMC Level 2?
- CMMC Level 2 Security Controls Overview
- NIST SP 800-171 Rev 2 – Configuration Management Family
- CIS Benchmarks
- DISA STIGs
- 32 CFR Part 170 – CMMC Program Rule
Official Sources: This article is based on NIST SP 800-171 Revision 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” specifically the Configuration Management family (Section 3.4), and the DoD CMMC Level 2 Assessment Guide.
Need help with Configuration Management for CMMC compliance? Contact Greypike for expert guidance on Level 1 and Level 2 certification, or get started with Obolix to streamline your compliance journey.