Configuration Management (CM) Family

Also known as: CM family

The CM family covers 9 NIST SP 800-171 requirements governing configuration baselines, change control, least functionality, and software allowlisting.

The Configuration Management (CM) family contains 9 NIST SP 800-171 Rev 2 security requirements that govern how the contractor establishes, maintains, and enforces secure configurations on in-scope systems.

Key CM requirements include establishing and maintaining baseline configurations (CM.L2-3.4.1, CM.L2-3.4.2), tracking and approving changes (CM.L2-3.4.3, CM.L2-3.4.4, CM.L2-3.4.5), enforcing least functionality (CM.L2-3.4.6, CM.L2-3.4.7), applying application execution policies, including allowlisting (CM.L2-3.4.8), and controlling user-installed software (CM.L2-3.4.9).

A C3PAO will ask to see the configuration baseline documents, the change control record for the past 90 days, and live evidence that unauthorized software is being blocked. Application allowlisting (CM.L2-3.4.8) is one of the harder requirements to fully implement and a common source of POA&M items.
