Configuration Management 3.4.1
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
What Is This CMMC Control?
This control requires organizations to create and maintain documented baseline configurations for all systems, including detailed inventories of hardware, software, firmware, and documentation. Think of it as maintaining a master blueprint and parts list for every system in your environment. You must know what you have, what version it is, how it's configured, and keep this information current as systems change. This is foundational for security because you can't protect what you don't know exists or understand how it's configured.
Control Intent
To ensure organizations maintain comprehensive knowledge and control over their IT assets and configurations, enabling effective security management, change control, and incident response throughout the system lifecycle.
Who This Control Applies To
- All systems that process, store, or transmit CUI
- Workstations and laptops used by personnel with CUI access
- Servers hosting applications or data repositories containing CUI
- Network devices (routers, switches, firewalls) within the CUI environment
- Mobile devices authorized to access CUI
- Virtual machines and cloud infrastructure supporting CUI workloads
- Software applications and operating systems across all CUI systems
- Firmware on hardware components within scope
Not Applicable When
- Systems that have been formally decommissioned and removed from the environment
- Systems that have no connection to CUI and are completely segregated
- Third-party systems where the organization has no administrative control and relies solely on inherited controls
- Systems in pre-production development that have not yet been authorized for CUI
Key Objectives
1. Establish documented baseline configurations that define approved system states and settings
2. Maintain accurate and current inventories of all organizational system components
3. Ensure baseline configurations and inventories are reviewed and updated as systems evolve
4. Enable accountability and traceability for all system components across their lifecycle
Sample Self-Assessment Questions (Partial)
Do you maintain a documented list of all computers, servers, and devices in your organization?
Do you track what software and versions are installed on each system?
Implementation Approaches (High-Level)
Automated Asset Discovery and Configuration Management Platform
Deploy centralized asset management and configuration management tools that automatically discover, inventory, and monitor system configurations across the environment.
Hybrid Manual and Automated Inventory Management
Combine automated discovery tools for standard systems with manual documentation for specialized or isolated systems, maintained in a centralized inventory database or CMDB.
Spreadsheet-Based Inventory with Documented Baseline Configurations
Maintain detailed inventory in structured spreadsheets with separate documented baseline configuration standards, supported by regular manual reviews and updates.
Cloud-Native Asset and Configuration Management
Leverage cloud provider native tools and APIs to maintain inventory and baseline configurations for cloud-based infrastructure and applications.
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If starting from no inventory, prioritize creating an initial inventory of CUI systems first, then expand to supporting infrastructure
- For organizations with a partial inventory, focus the POA&M on completing missing data fields and establishing update procedures
- If baseline configurations are undocumented, prioritize documenting current-state configurations for critical systems first
- For organizations with an outdated inventory, establish a regular reconciliation process as the first milestone
- If lacking automated tools, consider a phased approach: manual processes first, then automation as budget allows
- Break large inventory efforts into manageable phases by system type or location
- Establish clear ownership and accountability for inventory maintenance as an early milestone
- For configuration drift issues, implement monitoring and alerting before attempting full remediation
- If firmware tracking is missing, start with critical infrastructure devices first
- Consider leveraging existing tools (endpoint management, cloud provider tools) before purchasing new solutions
Frequently Asked Questions
What level of detail is required in the system inventory?
The inventory must include hardware specifications (manufacturer, model, serial number, physical location), software details (applications, versions, license information), firmware versions, network information (IP addresses, machine names for networked devices), and accountability information (system owner, system association). The goal is sufficient detail to enable proper component accountability and security management.
How often must baseline configurations and inventories be updated?
There is no specific mandated frequency, but updates must occur when systems change. Best practice is to update inventories in real-time or near-real-time as changes occur, with periodic reconciliation reviews (quarterly or semi-annually). Baseline configurations should be reviewed and updated whenever significant system changes are made based on security risks or deviations from established baselines.
Can we use spreadsheets to maintain our inventory and baseline configurations?
Yes, spreadsheets are acceptable for small organizations if they are actively maintained, contain all required information, and are regularly reviewed and updated. However, as organizations grow or environments become more complex, automated tools become necessary to maintain accuracy and completeness. The key is demonstrating that your chosen method keeps inventory current and complete.
Do we need separate baseline configurations for every individual system?
No, you need baseline configurations for system types or roles, not every individual system. For example, you might have a baseline for standard user workstations, another for servers, and another for network devices. Individual systems should conform to the appropriate baseline for their type, with any deviations documented as exceptions.
What happens if we discover systems that aren't in our inventory during an assessment?
Undocumented systems represent a significant finding because you cannot secure what you don't know exists. This typically results in a control deficiency and may require a POA&M. The assessor will want to understand how the gap occurred and what processes you're implementing to prevent future inventory gaps. This is why regular reconciliation and automated discovery are important.
How do we handle cloud resources and virtual machines in our inventory?
Cloud resources and VMs must be included in your inventory just like physical systems. Use cloud provider native tools, tagging policies, and APIs to maintain accurate cloud asset inventories. Ensure cloud resources include the same accountability information (owner, purpose, CUI association) as physical systems. Many organizations integrate cloud inventory data into a centralized CMDB for unified visibility.
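As an added illustration (not part of this page or of any vendor tool), a small Python reconciliation check that ties the FAQ answers above together: required inventory fields, one baseline per system role with documented exceptions, and a comparison of the documented inventory against an automated discovery run to surface undocumented, unseen, incomplete and drifted systems. Field names, baseline settings and sample records are constructed assumptions.

```python
# Inventory fields the FAQ above calls out as required (subset; names are assumptions).
REQUIRED_FIELDS = ("serial", "hostname", "ip", "owner", "role", "cui", "firmware")

# One baseline per system role, not per system (assumed settings and values).
BASELINES = {
    "workstation": {"os_version": "10.0.19045", "disk_encryption": "on", "firewall": "on"},
    "server": {"os_version": "22.04", "disk_encryption": "on", "firewall": "on"},
}
# Documented inventory (constructed). SRV-0001 lacks a firmware version.
INVENTORY = [
    {"serial": "WS-0001", "hostname": "ws01", "ip": "10.0.1.10", "owner": "j.doe",
     "role": "workstation", "cui": True, "firmware": "1.2.0"},
    {"serial": "SRV-0001", "hostname": "srv01", "ip": "10.0.2.5", "owner": "ops",
     "role": "server", "cui": True, "firmware": ""},
    {"serial": "WS-0002", "hostname": "ws02", "ip": "10.0.1.11", "owner": "a.lee",
     "role": "workstation", "cui": True, "firmware": "1.2.0"},
]
# Discovery output keyed by serial (constructed): WS-0002 unseen, WS-0003 new, SRV-0001 firewall off.
DISCOVERED = {
    "WS-0001": {"os_version": "10.0.19045", "disk_encryption": "on", "firewall": "on"},
    "SRV-0001": {"os_version": "22.04", "disk_encryption": "on", "firewall": "off"},
    "WS-0003": {"os_version": "10.0.19045", "disk_encryption": "off", "firewall": "on"},
}

def validate_record(rec):
    """Names of required fields that are absent or empty in an inventory record."""
    return [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]

def drift(record, observed, exceptions=()):
    """Baseline settings the observed system violates, minus documented exceptions."""
    baseline = BASELINES[record["role"]]
    return {k: (v, observed.get(k)) for k, v in baseline.items()
            if k not in exceptions and observed.get(k) != v}

def run_checks(inventory=INVENTORY, discovered=DISCOVERED, exceptions=None):
    """Reconcile inventory against discovery and report the gaps an assessor would find."""
    exceptions = exceptions or {}                     # {serial: (setting, ...)}
    inv = {r["serial"]: r for r in inventory}
    report = {
        "incomplete": {s: validate_record(r) for s, r in inv.items() if validate_record(r)},
        "undocumented": sorted(set(discovered) - set(inv)),   # on the network, not in inventory
        "not_seen": sorted(set(inv) - set(discovered)),       # candidates for decommissioning
        "drift": {},
    }
    for serial in sorted(set(inv) & set(discovered)):
        d = drift(inv[serial], discovered[serial], exceptions.get(serial, ()))
        if d:
            report["drift"][serial] = d
    return report
```

Feeding real discovery output (endpoint management export, cloud API listing) into the same shape turns this into the periodic reconciliation the POA&M guidance above asks for.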
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.