CMMC Deep Dive: Configuration Management (CM)
A detailed guide to the Configuration Management (CM) domain, focusing on establishing and maintaining secure system configurations.
Published: June 25th, 2024 | By: CMMC Dashboard Team | Last updated: August 7th, 2025
This article is part of our series on The 14 CMMC Domains.
The Configuration Management (CM) domain ensures that systems are established and maintained in a secure, consistent, and known state. This involves creating secure baselines and managing all changes to those baselines in a controlled manner.
Why It Matters
Systems that are not securely configured are vulnerable to attack. A strong CM process prevents unauthorized changes, reduces the attack surface by disabling non-essential services, and ensures system integrity over time.
Key Practices
- CM.L2-3.4.1: Establish and maintain baseline configurations and inventories of systems.
- CM.L2-3.4.2: Establish and enforce security configuration settings.
- CM.L2-3.4.3: Track, review, approve, and log changes to systems.
- CM.L2-3.4.6: Employ the principle of least functionality.
What Assessors Look For
- Documented baseline configurations (e.g., CIS Benchmarks, DISA STIGs).
- A formal change management policy and process.
- Records of change requests, approvals, and implementation.
- System inventories (hardware and software).
- Evidence of technical enforcement (e.g., Group Policy, scripts).
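As an illustration of the "scripts" form of technical enforcement evidence, the following added example (not from the original article or any CMMC tooling) compares an observed system state against a documented baseline with approved change requests applied, and reports drift and non-allow-listed services. All setting names, service names, the change ID, and the mapping of each finding to a practice ID are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data. A real baseline would be derived from the
# documented source (e.g., a CIS Benchmark or DISA STIG).
BASELINE = {
    "settings": {"password_min_length": 14, "smbv1_enabled": False, "audit_logon": True},
    "allowed_services": {"sshd", "auditd", "chronyd"},
}
# Constructed change records: only approved changes may move the baseline.
APPROVED_CHANGES = [{"id": "CR-0001", "setting": "password_min_length", "value": 16}]
# Constructed observed state, as an inventory or collection script might report it.
OBSERVED = {
    "settings": {"password_min_length": 16, "smbv1_enabled": True},
    "running_services": {"sshd", "auditd", "telnetd"},
}

@dataclass(frozen=True)
class Finding:
    practice: str  # practice ID from the Key Practices list (illustrative mapping)
    item: str
    detail: str

def effective_settings(baseline, approved_changes):
    """Baseline settings with approved change requests applied on top."""
    settings = dict(baseline["settings"])
    for change in approved_changes:
        settings[change["setting"]] = change["value"]
    return settings

def check_drift(baseline, approved_changes, observed):
    """Return findings for settings drift and services outside the allow-list."""
    findings = []
    expected = effective_settings(baseline, approved_changes)
    for name in sorted(expected):
        want = expected[name]
        if name not in observed["settings"]:
            findings.append(Finding("CM.L2-3.4.2", name, f"not reported, expected {want!r}"))
            continue
        got = observed["settings"][name]
        # Compare type as well as value so that True and 1 are not treated as equal.
        if type(got) is not type(want) or got != want:
            findings.append(Finding("CM.L2-3.4.3", name,
                                    f"expected {want!r}, found {got!r}, no approved change"))
    for svc in sorted(observed["running_services"] - baseline["allowed_services"]):
        findings.append(Finding("CM.L2-3.4.6", svc, "running but not on the allow-list"))
    return findings

if __name__ == "__main__":
    for f in check_drift(BASELINE, APPROVED_CHANGES, OBSERVED):
        print(f"{f.practice}  {f.item}: {f.detail}")
```

The approved change to `password_min_length` produces no finding, while the same observed value would be flagged if the change record were absent; retaining the script output alongside the change records gives an assessor both halves of the evidence.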