Mastering Configuration Management in CMMC: How to Control Your System Settings and Changes Securely

Key Takeaways
- Configuration Management is essential for controlling system settings and preventing unauthorized changes, beginning at CMMC Level 2 for organizations handling Controlled Unclassified Information.
- The domain contains nine Level 2 practices (NIST SP 800-171 Rev. 2 requirements 3.4.1 through 3.4.9) covering baselines and inventories, enforced security settings, reviewed and approved changes, least functionality, and restrictions on what software may run or be installed.
- Effective compliance requires documented baselines, change approval records with security impact analysis, and enforcement of security settings across every in-scope device, including laptops, servers, and mobile endpoints.
Introduction: Why Configuration Management Matters in CMMC Compliance
Mastering Configuration Management (CM) means keeping your IT environment stable and secure by making every change deliberate, reviewed, and tracked. Uncontrolled settings and changes are a frequent root cause of breaches: the 2017 Equifax breach began with a known Apache Struts vulnerability left unpatched on an internet-facing system, a failure of both flaw remediation and the asset and configuration tracking that should have flagged the vulnerable component.
For organizations handling Controlled Unclassified Information (CUI), CM practices are mandatory beginning at CMMC Level 2. If you want to avoid vulnerabilities introduced by unauthorized system changes and stay audit-ready, you need to understand and implement the CM controls of NIST SP 800-171, which the CMMC Program rule at 32 CFR Part 170 incorporates for Level 2.
This article explains the purpose, requirement levels, key controls, common pitfalls, and practical tools to help your organization build robust Configuration Management aligned with CMMC standards.
What Is Configuration Management and Why Does CMMC Prioritize It?
At its core, Configuration Management is the discipline of maintaining consistent and secure system settings throughout an asset’s lifecycle. This includes software, hardware, documentation, and related configurations.
"Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles." —NIST SP 800-171 Revision 2, Requirement 3.4.1 (derived from NIST SP 800-53 control CM-2, Baseline Configuration)
In CMMC, CM is about avoiding unintended consequences from system changes. For example:
- Preventing unauthorized software installations that may introduce malware.
- Ensuring replacement servers have the same secure settings as decommissioned hardware.
Because cyber attackers often exploit misconfigurations, CM is a frontline defense. It ensures your systems do not become weak links due to accidental or malicious changes.
For more on how CM fits into the broader cybersecurity landscape, see our post on The 17 CMMC Domains Explained. To understand how this ties into your overall CMMC compliance strategy, check out our article on How Organizations Are Tackling CMMC 2.0 Compliance.
Configuration Management Domain in CMMC: Scope and Controls
Configuration Management is one of the 14 domains of CMMC 2.0 (the earlier CMMC 1.0 model listed 17). Its practices apply only at Level 2 and higher; no CM practices are required at Level 1, which covers Federal Contract Information (FCI) only.
Level | Number of CM Practices | Description |
---|---|---|
1 | 0 | Not required for FCI only |
2 | 9 | Required for all CUI-handling contractors (NIST SP 800-171 Rev. 2, 3.4.1–3.4.9) |
3 | 9 plus enhanced requirements drawn from NIST SP 800-172 | Builds on the Level 2 practices for the most sensitive programs |
If you handle CUI, your organization must implement the nine Level 2 practices below. The titles follow the CMMC Level 2 Assessment Guide; the summaries paraphrase the NIST SP 800-171 Rev. 2 requirement text:
Practice Code | Title | Summary in Plain English |
---|---|---|
CM.L2-3.4.1 | System Baselining | Establish and maintain baseline configurations and inventories of systems (hardware, software, firmware, documentation) across their life cycle |
CM.L2-3.4.2 | Security Configuration Enforcement | Establish and enforce secure, approved configuration settings for the IT products in your systems |
CM.L2-3.4.3 | System Change Management | Track, review, approve or disapprove, and log every change to your systems |
CM.L2-3.4.4 | Security Impact Analysis | Assess the security implications of a change before applying it |
CM.L2-3.4.5 | Access Restrictions for Change | Define, document, approve, and enforce physical and logical restrictions on who may make changes |
CM.L2-3.4.6 | Least Functionality | Configure systems to provide only the capabilities they actually need |
CM.L2-3.4.7 | Nonessential Functionality | Restrict, disable, or prevent nonessential programs, functions, ports, protocols, and services (unused services, open ports, USB mass storage) |
CM.L2-3.4.8 | Application Execution Policy | Block unauthorized software with a deny-by-exception (blocklist) policy or, preferably, a deny-all, permit-by-exception (allowlist) policy |
CM.L2-3.4.9 | User-Installed Software | Control and monitor software that users install themselves |
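The practices above are easier to see as a single check that compares a documented baseline (3.4.1) against what a host actually looks like and maps each deviation to the practice it violates. The following is an added example, not code from the page or from any CMMC assessment guide; the baseline and the host snapshot are constructed sample data standing in for an export from your CM repository and from an endpoint agent or inventory tool, and the setting names are illustrative, not a specific product's schema:

```python
"""Baseline drift check mapped to CMMC CM practices 3.4.2, 3.4.7, 3.4.8 and 3.4.9.

Added example (not from the CMMC guides). BASELINE and SNAPSHOT are constructed
sample data; in practice the baseline comes from the CM repository documented in
the SSP and the snapshot from an endpoint agent, SCCM/Intune or a host script.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    practice: str   # CMMC practice ID the deviation maps to
    host: str
    detail: str


# Constructed baseline: the documented "should be" state (CM.L2-3.4.1).
BASELINE = {
    # CM.L2-3.4.2: required security configuration values (illustrative names)
    "settings": {
        "PasswordComplexity": "Enabled",
        "MinimumPasswordLength": "14",
        "SMBv1": "Disabled",
        "RemoteRegistry": "Disabled",
    },
    # CM.L2-3.4.6/3.4.7: the only services that may run on this system type
    "allowed_services": {"WinDefend", "EventLog", "wuauserv", "Dnscache"},
    # CM.L2-3.4.8: permit-by-exception software allowlist
    "allowed_software": {"Microsoft Office 2021", "Google Chrome", "7-Zip"},
    # CM.L2-3.4.9: the only accounts/tools permitted to install software
    "approved_installers": {"sccm", "intune"},
}

# Constructed snapshot of one workstation, as an inventory export would look.
SNAPSHOT = {
    "host": "WKS-0042",
    "settings": {
        "PasswordComplexity": "Enabled",
        "MinimumPasswordLength": "8",   # drifted from baseline
        "SMBv1": "Enabled",             # drifted from baseline
        "RemoteRegistry": "Disabled",
    },
    "services_running": {"WinDefend", "EventLog", "wuauserv", "Dnscache", "Telnet"},
    "software": [
        {"name": "Microsoft Office 2021", "installed_by": "sccm"},
        {"name": "7-Zip", "installed_by": "intune"},
        {"name": "TeamViewer", "installed_by": "jdoe"},  # not allowlisted, user-installed
    ],
}


def check_host(baseline: dict, snapshot: dict) -> list[Finding]:
    """Compare one host snapshot against the baseline and return every deviation."""
    findings: list[Finding] = []
    host = snapshot["host"]

    # 3.4.2: every required setting must be present and equal the baseline value.
    # A missing key reads back as None and is reported as drift, not silently skipped.
    for key, expected in baseline["settings"].items():
        actual = snapshot["settings"].get(key)
        if actual != expected:
            findings.append(Finding("CM.L2-3.4.2", host,
                                    f"{key}={actual!r}, baseline requires {expected!r}"))

    # 3.4.7: anything running that the baseline does not list is nonessential functionality.
    for svc in sorted(snapshot["services_running"] - baseline["allowed_services"]):
        findings.append(Finding("CM.L2-3.4.7", host, f"nonessential service running: {svc}"))

    # 3.4.8: installed software must be on the allowlist (deny-all, permit-by-exception).
    # 3.4.9: and it must have been installed by an approved channel, not by an end user.
    for pkg in snapshot["software"]:
        if pkg["name"] not in baseline["allowed_software"]:
            findings.append(Finding("CM.L2-3.4.8", host,
                                    f"software not on allowlist: {pkg['name']}"))
        if pkg["installed_by"] not in baseline["approved_installers"]:
            findings.append(Finding("CM.L2-3.4.9", host,
                                    f"user-installed software: {pkg['name']} by {pkg['installed_by']}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per practice, which is the shape an assessor's POA&M wants."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.practice] = counts.get(f.practice, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_host(BASELINE, SNAPSHOT)
    for f in results:
        print(f"{f.practice:12} {f.host}  {f.detail}")
    print(summarize(results))
```

Run against the constructed snapshot, the check reports two setting drifts (3.4.2), one nonessential service (3.4.7), one non-allowlisted package (3.4.8) and one user-installed package (3.4.9). Because a missing setting is treated as drift rather than ignored, a host whose agent failed to report a value shows up in the report instead of passing by omission.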
What Does Compliance Look Like?
Meeting CM requirements means collecting and maintaining evidence that shows sound control over your system configurations and changes. Common evidence pieces include:
- Documented CM policies and baseline configurations.
- Records of change approvals and impact analysis.
- Lists of all devices and software assets.
- Automated logs and screenshots from management systems such as Active Directory Group Policy, Microsoft Configuration Manager (SCCM), or Mobile Device Management (MDM) tools.
- Proof that software allowlisting or blocklisting, controls on user-installed software, and restrictions on nonessential ports, protocols, and services (for example, disabled USB mass storage) are actually enforced.
Auditors will want to see:
- Clear baseline configurations and change control procedures.
- Traceable audit trails proving that every change is authorized and tracked.
- Security settings consistently applied across laptops, servers, and mobile devices.
- Restrictions on software installation and execution, and on nonessential ports, protocols, and services.
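The "traceable audit trail" an assessor asks for is, concretely, a reconciliation: every change observed on a system must map to an approved change request, the change must match what was approved, it must land inside the approval window, the request must carry a security impact analysis (3.4.4), and the account that made the change must be one permitted to do so (3.4.5). The following is an added example, not code from the page or from any CMMC guide; the change requests and the observed-change log are constructed sample data standing in for a ticketing-system export and a configuration-monitoring log, and the setting names are illustrative:

```python
"""Reconcile observed configuration changes with approved change requests.

Maps gaps to CMMC CM.L2-3.4.3 (change approval/logging), 3.4.4 (impact analysis)
and 3.4.5 (access restrictions for change). Added example; APPROVED, OBSERVED and
AUTHORIZED_CHANGERS are constructed sample data, not from any real ticketing system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ChangeRequest:
    cr_id: str
    host: str
    setting: str
    new_value: str
    approved_by: str
    impact_analysis: str      # CM.L2-3.4.4: must be documented before approval
    approved_at: datetime
    window_hours: int = 24    # change must be applied within this window after approval


@dataclass(frozen=True)
class ObservedChange:
    timestamp: datetime
    host: str
    setting: str
    old_value: str
    new_value: str
    changed_by: str
    cr_id: Optional[str]      # change-request reference recorded by the change tool, if any


# CM.L2-3.4.5: the only accounts permitted to alter configuration on CUI systems.
AUTHORIZED_CHANGERS = {"sccm-svc", "cm-admin"}

# Constructed approved change requests (ticketing export).
APPROVED = [
    ChangeRequest("CR-1042", "SRV-DB01", "TLS_MinVersion", "1.2", "ciso",
                  "No clients below TLS 1.2 remain; verified in staging.",
                  datetime(2024, 5, 6, 9, 0)),
    ChangeRequest("CR-1043", "SRV-DB01", "MaxConnections", "500", "cm-board",
                  "",   # approved without an impact analysis: a 3.4.4 gap
                  datetime(2024, 5, 6, 9, 30)),
]

# Constructed observed changes (configuration-monitoring log).
OBSERVED = [
    ObservedChange(datetime(2024, 5, 6, 10, 15), "SRV-DB01", "TLS_MinVersion", "1.0", "1.2", "cm-admin", "CR-1042"),
    ObservedChange(datetime(2024, 5, 6, 10, 20), "SRV-DB01", "MaxConnections", "200", "500", "cm-admin", "CR-1043"),
    ObservedChange(datetime(2024, 5, 6, 11, 0), "SRV-DB01", "FirewallEnabled", "true", "false", "jdoe", None),
    ObservedChange(datetime(2024, 5, 8, 12, 0), "SRV-DB01", "TLS_MinVersion", "1.2", "1.0", "cm-admin", "CR-1042"),
]


def reconcile(observed, approved, authorized):
    """Return (practice, observed_change, reason) for every change that is not fully evidenced."""
    by_id = {cr.cr_id: cr for cr in approved}
    findings = []
    for ch in observed:
        # 3.4.5: was the change made by an account allowed to make changes?
        if ch.changed_by not in authorized:
            findings.append(("CM.L2-3.4.5", ch, f"change made by unauthorized account {ch.changed_by}"))

        # 3.4.3: is there an approved request at all?
        cr = by_id.get(ch.cr_id) if ch.cr_id else None
        if cr is None:
            findings.append(("CM.L2-3.4.3", ch, "no approved change request for this change"))
            continue

        # 3.4.3: does the change match what was approved (host, setting, value)?
        # This catches a request being reused to justify a different or reverted change.
        if (cr.host, cr.setting, cr.new_value) != (ch.host, ch.setting, ch.new_value):
            findings.append(("CM.L2-3.4.3", ch,
                             f"{cr.cr_id} approved {cr.setting}={cr.new_value} on {cr.host}, not this change"))

        # 3.4.3: was the change applied inside the approval window?
        window_end = cr.approved_at + timedelta(hours=cr.window_hours)
        if not (cr.approved_at <= ch.timestamp <= window_end):
            findings.append(("CM.L2-3.4.3", ch, f"change applied outside the approval window of {cr.cr_id}"))

        # 3.4.4: was a security impact analysis documented on the request?
        if not cr.impact_analysis.strip():
            findings.append(("CM.L2-3.4.4", ch, f"{cr.cr_id} has no documented security impact analysis"))
    return findings


if __name__ == "__main__":
    for practice, ch, reason in reconcile(OBSERVED, APPROVED, AUTHORIZED_CHANGERS):
        print(f"{practice:12} {ch.timestamp:%Y-%m-%d %H:%M} {ch.host} {ch.setting}: {reason}")
```

On the constructed data the first change is fully evidenced and produces nothing. The second is approved and authorized but its request lacks an impact analysis. The third was made by an unauthorized user with no request at all, which yields both a 3.4.5 and a 3.4.3 finding. The fourth cites a real request but reverts the value two days later, so it is flagged both as not matching the approval and as outside the approval window; checking the value, not just the ticket number, is what stops an old ticket being reused as cover.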
Leveraging a compliance tracking platform like the CMMC Dashboard can simplify these tasks by automatically gathering logs, maintaining version-controlled documentation, and tracking approval workflows seamlessly.
Avoid These Common Pitfalls in Configuration Management
Mistake | Risk | How to Prevent |
---|---|---|
Relying on Default Settings | Defaults often have security weaknesses | Harden baselines using guides like CIS Benchmarks |
Allowing Uncontrolled Software | Opens malware and shadow IT risks | Implement allowlists, restrict admin rights |
Failing to Track Changes | Difficult to analyze incidents or reverse issues | Use formal change tracking processes with approval steps |
Neglecting Mobile Devices | Mobile endpoints can be vulnerable too | Include mobile in CM scope with MDM tools |
Treating Inventory as Enough | Inventory alone doesn’t control configurations | Link assets to baselines and documented change approvals |
Tools and Resources to Help You Implement CMMC CM Controls
- CIS Benchmarks: Industry-standard guides for securely configuring systems.
- System Security Plan (SSP) Templates: Include Configuration Management sections for documentation.
- Change Request Forms: Manual or integrated forms that document approval workflows.
- Inventory Tools: Spiceworks, OCS Inventory NG for tracking hardware and software.
- Mobile Device Management (MDM): Microsoft Intune, Jamf, VMware Workspace ONE to enforce policies on mobile assets.
If you want to learn more about related domains impacting compliance such as access permissions or audit trails, read our detailed post on Understanding the Access Control Domain in CMMC and Mastering Audit and Accountability in CMMC.
Conclusion: Secure Your Systems with Strong Configuration Management
Configuration Management is vital for any cybersecurity program aiming to protect sensitive data and comply with CMMC standards. With nine specific Level 2 practices, it governs how you define, enforce, and document system settings and changes across desktops, servers, and mobile devices, down to which services, ports, and software are permitted to run.
Remember the key points:
- Define and document secure baseline configurations.
- Ensure every system change is reviewed, approved, and tracked.
- Monitor your complete device and software inventory continually.
- Extend controls to mobile devices and restrict user-installed software.
- Use industry tools and automation to simplify compliance evidence collection.
By prioritizing Configuration Management, you reduce security risks and improve your readiness for CMMC audits.
If you are ready to dive deeper, explore all CMMC domains in our The 17 CMMC Domains Explained post, or get started today with our compliance tool that automates tracking and auditing of configuration management practices by signing up for the CMMC Dashboard.
"Establish and enforce security configuration settings for information technology products employed in organizational systems." —NIST SP 800-171 Revision 2, Requirement 3.4.2, incorporated for CMMC Level 2 by 32 CFR Part 170
FAQ
Q: Do I need to implement CM controls if my organization only handles FCI?
A: No. Level 1's practices are drawn from the FAR 52.204-21 safeguarding requirements and include none from the CM domain; CM practices become mandatory at CMMC Level 2, which applies to organizations handling Controlled Unclassified Information (CUI).
Q: How does cloud usage affect Configuration Management?
A: Cloud services that store, process, or transmit CUI must be FedRAMP Moderate authorized or meet equivalent requirements. That covers the provider's side of the shared-responsibility line only: the configuration of your tenant (identity settings, logging, storage access policies), your integrations, and the endpoints and on-premises systems that connect to the service remain in scope for your own CM baselines, change control, and evidence.
Q: Are mobile devices included in the CM domain?
A: Yes. Mobile devices that access CUI or your corporate environment are organizational systems and belong in your baselines, inventory, and change control. CMMC does not mandate a specific tool, but a Mobile Device Management (MDM) platform is the practical way to enforce the settings and produce the evidence assessors expect.
Sources:
- NIST SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- 32 CFR Part 170, Cybersecurity Maturity Model Certification (CMMC) Program