CM.L2-3.4.1 — Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

What this control requires

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

Source: CMMC L2 v2.13 CM.L2-3.4.1 / NIST SP 800-171 R2 3.4.1 (official control text).

Why this matters

This control ensures the organization maintains a living inventory of every device, application, and configuration setting across its infrastructure. Without accurate baselines and inventories, you cannot detect unauthorized changes, deploy patches consistently, or respond to incidents effectively. Attackers exploit unknown or misconfigured assets—shadow IT, forgotten servers, or unauthorized software—to establish persistence. Baseline configurations act as the authoritative reference: approved settings for workstations, servers, and network devices that prevent configuration drift and ensure every system meets security standards before deployment and throughout its lifecycle.

What evidence assessors expect

Assessors typically look for: CSV export, configuration export, screenshot, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls