CMMCDocs.comCM.L2-3.4.1
Also known as: Baseline configuration requirement
The NIST SP 800-171 requirement that mandates the contractor establish and maintain baseline configurations for in-scope systems.
CM.L2-3.4.1 requires the contractor to 'establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.'
In practice, this means documenting what 'normal' looks like for each in-scope system: which OS version, which patches, which installed software, which configuration settings. The baseline becomes the reference against which drift is detected.
A C3PAO will ask for the baseline documents (golden images, hardening guides, gold-master configurations) and verify that they are current, version-controlled, and tied to the asset inventory.
Stop Googling. Start working.
CMMCDocs has all 110 NIST SP 800-171 Rev 2 requirements built in — with the language, the templates, and the evidence vault you need. Spin up a free demo workspace and click around the way an assessor would.
Get my demo account