Deretti Cyber Labs CMMC Desk · Domains · Configuration Management

Configuration management.

Baselines, change control, and giving a system only the functions it needs.

Configuration Management is 9 of Level 2’s 110 requirements. It governs what a system is supposed to look like, how it’s allowed to change, and how much unnecessary capability it carries by default. A system built to a documented baseline, changed only through a reviewed process, and stripped of functions it doesn’t need is a smaller target than one where nobody’s quite sure what’s installed or why. What follows breaks down CM’s nine requirements.

This page explains the family. It does not replace the requirement text or assessment objectives.

01What this family protects

Configuration Management protects the gap between what a system is supposed to be and what it’s actually become. Every unreviewed change, every default setting left in place, every unnecessary service still running is a small deviation from the documented baseline — and deviations are where unexpected weaknesses tend to hide, not because anyone did anything wrong, but because nobody was tracking the drift.

02The rule says

All 9 requirements, condensed to their operative sentence. NIST SP 800-171 Rev. 2 §3.4 has the full text and discussion for each; Source Library covers when to open it.

The 9 Configuration Management requirements of NIST SP 800-171 Revision 2
§Requirement
3.4.1Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.2Establish and enforce security configuration settings for information technology products employed in organizational systems.
3.4.3Track, review, approve or disapprove, and log changes to organizational systems.
3.4.4Analyze the security impact of changes prior to implementation.
3.4.5Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
3.4.6Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
3.4.7Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
3.4.8Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
3.4.9Control and monitor user-installed software.

03In practice

Baselines and inventory (3.4.1). A documented starting point for what “normal” looks like on a system or component — what hardware, software, firmware, and configuration it’s supposed to have — maintained as systems change, not written once at setup and left to drift.

Configuration settings (3.4.2). Security-relevant settings — account and file permissions, which ports and protocols are open, remote-connection settings — set deliberately and consistently rather than left at manufacturer defaults, which are built for ease of setup, not security.

Change control (3.4.3–3.4.5). Changes to a system get tracked, reviewed, and approved before they happen rather than made ad hoc, with a security-impact check (3.4.4) before implementation and access to make changes restricted to people who are actually authorized to make them (3.4.5). For a small shop this can be a lightweight process — a short approval step and a log — rather than a formal change advisory board.

Least functionality (3.4.6–3.4.8). Systems configured to do only what they need to do: unnecessary programs, ports, protocols, and services disabled or removed (3.4.6–3.4.7), and software execution controlled by policy — deny known-bad, permit-by-exception is the stronger of the two approaches the rule allows (3.4.8).

User-installed software (3.4.9). A defined policy on what employees can and can’t install themselves, enforced in whatever way fits the organization — technical controls, a clear written policy, or both.

04Where it fails

Most often, the gap is a baseline that was accurate once, at setup, and has quietly drifted since — a workstation gets reimaged differently than its baseline called for, or a server picks up a one-off configuration change during a support call that never gets folded back into the documented standard.

A second gap is change control that exists on paper but not in practice: a documented approval process that changes routinely skip because the person making the change is also the person who’d approve it, and there’s no one else to ask.

05What evidence may look like

A current system baseline or configuration standard, even a simple one, compared against what’s actually deployed; change-log entries or tickets showing changes were reviewed and approved before being made; a hardening checklist or configuration guide showing unnecessary services were deliberately disabled, not merely never turned on; and a written policy on user-installed software, with any enforcing technical controls noted.

06At the shop

At the shop

Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). Blanchard’s MSP maintains a baseline configuration image for shop-floor workstations and re-images from it rather than patching drift in place, so a machine that’s misbehaving can be brought back to a known state quickly. Any change to the CAD/CAM server — a new plugin, an OS update outside the routine patch cycle — goes through a two-line approval in the shared IT ticket system before it happens, logged by whoever approved it and whoever made the change, even when both are the same two-person team.

07Commonly confused with

Access Control (AC). CM’s access restrictions for change (3.4.5) sound like AC’s account-and-privilege requirements, but they’re scoped narrowly to who may make configuration changes — a subset of AC’s broader question of who can access a system at all. See Access Control.

System & Information Integrity (SI). CM’s baseline and least-functionality requirements reduce what could go wrong in the first place; SI’s flaw-remediation and monitoring requirements deal with what happens once something does. See System & Information Integrity.

09Sources

Primary sources for the Configuration Management family
DocumentWhat it’s for
NIST SP 800-171 Rev. 2, §3.4Full requirement text and discussion for all 9 CM requirements.
NIST SP 800-171AAssessment objectives — how an assessor determines MET for each CM requirement.
32 CFR 170.4Defines “CMMC Level 2 security requirement” and ties the 800-171 R2 families to the CMMC Program.