

Configuration Management: Baselines and Change Control

Configuration Management (CM) is one of the most operationally impactful control families in NIST SP 800-171. It requires you to establish baseline configurations for your systems, control changes to those configurations, and restrict the use of unnecessary software and services. Done well, configuration management improves both security and system reliability.

CM.L2-3.4.1 — Baseline Configurations

Establish and maintain baseline configurations and inventories of organizational systems throughout their lifecycle. A baseline configuration is a documented, approved set of specifications for a system — the operating system version, installed software, security settings, network configuration, and enabled services. When a system is deployed, it should match its baseline. When it drifts, you should detect and correct it.

For Windows systems, start with CIS Benchmarks or DISA STIGs as your baseline reference. These publicly available guides define secure configuration settings for Windows Server, Windows 10/11, and common applications. You do not need to implement every setting: document which settings you apply, which you do not, and why. Record the benchmark name and version you derived from as well; a baseline that nobody can trace back to a source is hard to defend in an assessment.

CM.L2-3.4.2 — Security Configuration Enforcement

Establish and enforce security configuration settings for information technology products. This goes beyond documentation: you must actively enforce configurations, not just record them. Group Policy in Active Directory environments is the primary enforcement mechanism for Windows systems, reapplying the settings it manages on every policy refresh. For Linux systems, configuration management tools such as Ansible, Puppet, or Chef enforce the baseline by re-running the desired state on a schedule and correcting whatever no longer matches.

Monitor for configuration drift. A setting that was correct when deployed but changed later represents a potential security gap, and enforcement tools only reapply the settings they manage: anything configured by hand outside a policy, or changed by a local administrator or an installer, can drift silently. Periodic compliance scans that compare current configurations against your baseline (SCAP-based scanners such as DISA's SCAP Compliance Checker, CIS-CAT for CIS Benchmarks, or your own scripted checks) catch drift before it becomes a vulnerability. Treat each drift finding as either a defect to correct or an unapproved change to investigate; the distinction matters for your change-control evidence.
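The drift check described above, as an added example in Python that is not code from CMMCDocs or from any benchmark publisher. It compares a host's observed settings with a baseline document that records both the applied settings (each with an explicit comparison rule) and the documented exceptions with their justification, as CM.L2-3.4.1 requires. The setting names, expected values, exception text and the observed snapshot are constructed for illustration; take real values from the CIS Benchmark or STIG you adopted. The lockout-threshold rule also shows why a plain "less than or equal" comparison is the wrong check for settings where zero means "disabled".

```python
"""Compare a host's observed settings with a documented baseline and report drift.

Added example for CM.L2-3.4.1 / 3.4.2 (not CMMCDocs code). All setting names,
values and the observed snapshot below are constructed for illustration.
"""
from __future__ import annotations

import json
from typing import Any

# Baseline document (constructed). "settings" are applied, each with a comparison
# rule; "exceptions" are settings deliberately not applied, with the reason why.
BASELINE_JSON = r"""
{
  "name": "win11-workstation-baseline",
  "version": "2024.1",
  "settings": {
    "MinimumPasswordLength":         {"op": "gte",     "value": 14},
    "LockoutThreshold":              {"op": "between", "min": 1, "max": 5},
    "SMBv1Enabled":                  {"op": "eq",      "value": false},
    "RDPNetworkLevelAuthentication": {"op": "eq",      "value": true},
    "AllowedTLSProtocols":           {"op": "subset",  "value": ["TLS1.2", "TLS1.3"]},
    "AuditLogonEvents":              {"op": "eq",      "value": "Success and Failure"}
  },
  "exceptions": {
    "LegacyPrintSpoolerDisabled": "Finance needs the departmental printer; compensating control is a host firewall rule limiting spooler access to the print server."
  }
}
"""

# Observed snapshot (constructed): what a collector reported from one workstation.
OBSERVED: dict[str, Any] = {
    "MinimumPasswordLength": 16,            # stricter than the baseline: still compliant
    "LockoutThreshold": 0,                  # 0 means "never lock out"; a naive "<= 5" passes it
    "SMBv1Enabled": True,                   # re-enabled for a legacy NAS: drift
    "RDPNetworkLevelAuthentication": True,
    "AllowedTLSProtocols": ["TLS1.0", "TLS1.2"],  # TLS1.0 is outside the allowed set: drift
    "LegacyPrintSpoolerDisabled": False,    # covered by the documented exception
    "ScreenSaverTimeoutSeconds": 900,       # not in the baseline at all: unmanaged
    # "AuditLogonEvents" is absent: the collector could not read it
}


def load_baseline() -> dict[str, Any]:
    """Parse the baseline document."""
    return json.loads(BASELINE_JSON)


def check(rule: dict[str, Any], observed: Any) -> bool:
    """Evaluate one baseline rule against an observed value."""
    op = rule["op"]
    if op == "eq":
        return observed == rule["value"]
    if op == "gte":
        return observed >= rule["value"]
    if op == "lte":
        return observed <= rule["value"]
    if op == "between":  # closed interval; use this where 0 would mean "off"
        return rule["min"] <= observed <= rule["max"]
    if op == "subset":   # every observed item must be in the allowed list
        return set(observed) <= set(rule["value"])
    raise ValueError(f"unknown op {op!r}")


def detect_drift(baseline: dict[str, Any], observed: dict[str, Any]) -> list[dict[str, Any]]:
    """Classify every setting as ok, drift, missing, excepted or unmanaged."""
    findings: list[dict[str, Any]] = []
    for name, rule in baseline["settings"].items():
        if name not in observed:
            status = "missing"          # collector could not read it: verify by hand
        elif check(rule, observed[name]):
            status = "ok"
        else:
            status = "drift"
        findings.append({"setting": name, "status": status,
                         "expected": rule, "observed": observed.get(name)})
    for name, reason in baseline["exceptions"].items():
        findings.append({"setting": name, "status": "excepted",
                         "expected": reason, "observed": observed.get(name)})
    managed = baseline["settings"].keys() | baseline["exceptions"].keys()
    for name in sorted(observed.keys() - managed):
        findings.append({"setting": name, "status": "unmanaged",
                         "expected": None, "observed": observed[name]})
    return findings


def summarize(findings: list[dict[str, Any]]) -> dict[str, int]:
    """Count findings by status."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


def run() -> dict[str, int]:
    """Print the actionable findings and return the per-status counts."""
    findings = detect_drift(load_baseline(), OBSERVED)
    for f in findings:
        if f["status"] in ("drift", "missing"):
            print(f"{f['status'].upper():8} {f['setting']}: expected {f['expected']} got {f['observed']!r}")
    return summarize(findings)


if __name__ == "__main__":
    print(run())
```

Running it prints the three drift findings and the one unreadable setting, then the counts. In practice the observed dictionary would come from a collector (for example a script exporting the relevant registry and security-policy values) and the findings would be written to a ticket or SIEM rather than printed; the "excepted" entries are what you hand an assessor when they ask why a benchmark setting is not applied.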

CM.L2-3.4.6 — Least Functionality

Employ the principle of least functionality by configuring systems to provide only essential capabilities. This means disabling unnecessary services, removing unused software, closing unnecessary ports, and restricting the use of functions, ports, protocols, and services to only those required for the system's mission. A web server does not need a desktop environment. A user workstation does not need a web server. A file server does not need development tools.

CM.L2-3.4.7 — Restrict Nonessential Software

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Application allowlisting (often called whitelisting) is the strongest control here: only approved software is permitted to execute and everything else is blocked, whether it is unapproved freeware or malware. Windows AppLocker or Windows Defender Application Control (WDAC) can enforce allowlists; WDAC is enforced in the kernel and is the more robust of the two, while AppLocker is simpler to deploy and manage through Group Policy. Either way, roll the policy out in audit mode first so you can see what would have been blocked before you block it, and be careful with default rules that allow everything under the Windows and Program Files directories: a user-writable subfolder inside an allowed path undermines a path-based rule. If full allowlisting is not feasible, maintain an approved software list and periodically audit installed software against it.

Change Management

CM.L2-3.4.3 through CM.L2-3.4.5 address change control: 3.4.3 requires you to track, review, approve or disapprove, and log changes; 3.4.4 requires you to analyze the security impact of a change before implementing it; and 3.4.5 requires you to define, document, approve, and enforce the physical and logical access restrictions associated with making changes (who may modify production configurations, and through what path). A change management process does not need to be bureaucratic; it needs to be consistent. For each change, document what is being changed and why, the expected impact (including the security impact analysis 3.4.4 calls for), who approved it, when it will be implemented, and how to roll it back if it fails. Review changes before implementation and verify them afterward, and update the baseline when a change is approved so that your compliance scans report it as the new expected state rather than as drift. Use a ticketing system to track change requests; the ticket history is the auditable evidence that changes are controlled.

Hardware and Software Inventory

You cannot manage what you do not know about. Maintain a current inventory of all hardware and software within your CUI boundary. Include device type, operating system, installed applications, IP address, location, and asset owner. Update the inventory when systems are added, removed, or modified. Your assessor will ask to see this inventory and compare it to what they observe during the assessment.
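The audits described under CM.L2-3.4.6 / 3.4.7 (approved software, approved ports) and in this inventory section are the same exercise from two angles: compare what you believe is in the CUI boundary with what is actually observed. The following is an added example in Python, not code from CMMCDocs, that reconciles an asset inventory with observed host data and then checks each host's installed software and listening ports against a per-role approved list. Roles, hostnames, IP addresses, software names and ports are constructed for illustration; the role baselines and the "common software" set are assumptions about how an organization might structure its approved list.

```python
"""Reconcile the asset inventory with observed hosts, then audit software and
listening ports per host against a role-based approved list.

Added example for CM.L2-3.4.6 / 3.4.7 and the inventory section (not CMMCDocs
code). All hosts, roles, software and ports below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Software every host must run regardless of role (assumption: the organization
# has standardized on these for antivirus, EDR and patching).
COMMON_SOFTWARE = {"Windows Defender", "EDR Sensor", "Patch Agent"}

# Approved software and listening ports per role (constructed). Anything not
# listed is nonessential for that role and gets flagged.
ROLE_BASELINE = {
    "web-server":  {"software": {"IIS"},                           "ports": {443}},
    "file-server": {"software": set(),                             "ports": {445}},
    "workstation": {"software": {"Microsoft 365 Apps", "Chrome"},  "ports": set()},
}

# Authoritative inventory (constructed): what we believe is in the CUI boundary.
INVENTORY = {
    "web01": {"ip": "10.20.1.10", "role": "web-server",  "owner": "platform"},
    "fs01":  {"ip": "10.20.1.20", "role": "file-server", "owner": "it-ops"},
    "ws042": {"ip": "10.20.5.42", "role": "workstation", "owner": "j.doe"},
    "ws099": {"ip": "10.20.5.99", "role": "workstation", "owner": "unknown"},
}

# Observed data (constructed): what an endpoint agent or network scan reported.
OBSERVED = {
    "web01": {"ip": "10.20.1.10",
              "software": {"IIS", "Windows Defender", "EDR Sensor", "Patch Agent", "Visual Studio"},
              "listening_ports": {443, 3389}},
    "fs01":  {"ip": "10.20.1.21",
              "software": {"Windows Defender", "Patch Agent"},
              "listening_ports": {445}},
    "ws042": {"ip": "10.20.5.42",
              "software": {"Microsoft 365 Apps", "Chrome", "Windows Defender",
                           "EDR Sensor", "Patch Agent", "Python Launcher"},
              "listening_ports": {8080}},
    "lab-nas": {"ip": "10.20.5.200", "software": set(), "listening_ports": {80, 445}},
}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # unknown-host, missing-host, ip-mismatch, unknown-role,
                 # unapproved-software, missing-required-software, unapproved-port
    detail: str


def reconcile(inventory: dict, observed: dict, role_baseline: dict,
              common_software: set[str]) -> list[Finding]:
    """Return every discrepancy between inventory, observation and the approved lists."""
    findings: list[Finding] = []
    for host in sorted(observed.keys() - inventory.keys()):
        findings.append(Finding(host, "unknown-host",
                                f"seen at {observed[host]['ip']} but not in inventory"))
    for host in sorted(inventory.keys() - observed.keys()):
        findings.append(Finding(host, "missing-host",
                                "in inventory but not observed; retire it or find it"))
    for host in sorted(inventory.keys() & observed.keys()):
        inv, obs = inventory[host], observed[host]
        if inv["ip"] != obs["ip"]:
            findings.append(Finding(host, "ip-mismatch",
                                    f"inventory {inv['ip']} vs observed {obs['ip']}"))
        role = inv.get("role")
        if role not in role_baseline:
            findings.append(Finding(host, "unknown-role",
                                    f"role {role!r} has no approved-software list"))
            continue
        allowed_software = role_baseline[role]["software"] | common_software
        for sw in sorted(obs["software"] - allowed_software):
            findings.append(Finding(host, "unapproved-software", sw))
        for sw in sorted(common_software - obs["software"]):
            findings.append(Finding(host, "missing-required-software", sw))
        for port in sorted(obs["listening_ports"] - role_baseline[role]["ports"]):
            findings.append(Finding(host, "unapproved-port", str(port)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run() -> list[Finding]:
    """Print and return the findings for the constructed data."""
    findings = reconcile(INVENTORY, OBSERVED, ROLE_BASELINE, COMMON_SOFTWARE)
    for f in findings:
        print(f"{f.host:8} {f.kind:26} {f.detail}")
    return findings


if __name__ == "__main__":
    print(summarize(run()))
```

Each finding maps to something an assessor would notice: an unknown host on the network is a boundary question, a host in the inventory that nobody can find is a stale record, a file server without the EDR sensor is a 3.4.2 enforcement gap, and Remote Desktop listening on a web server or a developer tool on a production host is exactly the nonessential functionality 3.4.6 and 3.4.7 are about. Wire the observed side to your endpoint agent or scanner export and run it on the same cadence as your drift scans.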
