NetStable
Level 2 CM.L2-3.4.1

Establish and maintain baseline configurations and inventories

📖 What This Means

This control requires organizations to document and maintain standardized 'baseline' configurations for all hardware and software systems that handle Controlled Unclassified Information (CUI). Think of it like creating a master recipe for your IT systems - you need to document the exact settings, versions, and components that are approved for use, then track any changes made. For example, your baseline might specify that all Windows workstations must have automatic updates enabled, firewall rules configured, and only approved software installed. Another example: a network switch baseline would document firmware versions, password policies, and port configurations. The goal is to prevent security gaps caused by inconsistent or undocumented configurations.

🎯 Why It Matters

Uncontrolled configurations are a top cause of security breaches. The 2023 Verizon DBIR found 60% of breaches involved vulnerabilities for which a patch was available but not implemented - often because organizations lacked configuration baselines to track required updates. A real-world example: a defense contractor was breached when an engineer installed unapproved remote access software on a CUI-handling workstation that didn't match the security baseline. The DoD specifically requires this control because inconsistent configurations make systems vulnerable to exploitation and complicate incident response. Potential impacts include: $500K+ in incident response costs, loss of CUI (average $180/record in breach costs), and contract disqualification.

How to Implement

  1. Use cloud-native tools like AWS Systems Manager or Azure Automation to capture baseline configurations of all cloud resources
  2. Document security settings for IAM policies, storage buckets, and network ACLs in a cloud configuration template
  3. Enable drift detection (e.g., AWS Config Rules) to identify unauthorized changes
  4. Export cloud inventory reports monthly (e.g., AWS EC2 Inventory or Azure Resource Graph)
  5. Store baselines in version control (e.g., GitLab) with change history
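The drift check in step 3 is the part of this procedure worth seeing concretely: a stored baseline per system type is compared against what an inventory scan reports for each host, and every mismatch becomes a row for the Drift Detection Report. This is an added example, not code from the page or from any vendor tool; the baseline values, host names and the `check_host`/`drift_report` functions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any

# Constructed baseline (hypothetical values): approved settings per system type,
# keyed the way the baseline document from step 2 above would list them.
BASELINE: dict[str, dict[str, Any]] = {
    "windows_workstation": {"auto_updates": True, "firewall.enabled": True,
                            "approved_software": ["Office", "Chrome", "Defender"]},
    "network_switch": {"firmware": "15.2(7)E3", "password_policy.min_length": 14},
}

# Constructed observations, as an inventory/config scan (step 4) would report them.
OBSERVED = [
    {"host": "WS-0042", "type": "windows_workstation", "cui": True,
     "config": {"auto_updates": True, "firewall.enabled": True,
                "approved_software": ["Office", "Chrome", "Defender", "RemoteAccessTool"]}},
    {"host": "SW-CORE-1", "type": "network_switch", "cui": True,
     "config": {"firmware": "15.2(4)E1"}},
    {"host": "PRN-7", "type": "printer", "cui": False, "config": {}},
]

@dataclass(frozen=True)
class Drift:
    host: str
    setting: str
    expected: Any
    actual: Any

def check_host(host: dict[str, Any]) -> list[Drift]:
    """Compare one host to the baseline for its type. List settings are allow-lists
    (extras are drift); a missing setting is drift; a type with no baseline is a gap."""
    name, cfg = host["host"], host["config"]
    baseline = BASELINE.get(host["type"])
    if baseline is None:
        return [Drift(name, "<baseline>", host["type"], "no baseline defined")]
    findings = []
    for key, expected in baseline.items():
        if key not in cfg:
            findings.append(Drift(name, key, expected, "<missing>"))
        elif isinstance(expected, list):
            extra = sorted(set(cfg[key]) - set(expected))
            if extra:
                findings.append(Drift(name, key, expected, extra))
        elif cfg[key] != expected:
            findings.append(Drift(name, key, expected, cfg[key]))
    return findings

def drift_report(hosts: list[dict[str, Any]] = OBSERVED) -> list[Drift]:
    """All findings, CUI-handling hosts first so they are remediated first."""
    return [d for h in sorted(hosts, key=lambda h: not h["cui"]) for d in check_host(h)]
```

Each `Drift` row maps directly onto the report contents listed under Evidence Examples (system, setting out of baseline, expected versus actual); the unapproved remote-access entry and the missing switch password policy are the kind of findings that the scan is there to surface.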

⏱️ Estimated Effort

Initial setup: 40-80 hours (IT staff). Ongoing: 4-8 hours/month. Skill level: Mid-level system administrator familiar with scripting and asset management.

📋 Evidence Examples

Baseline Configuration Document

Format: PDF/Word
Frequency: Update quarterly or after major changes
Contents: Approved settings for all system types (workstations, servers, network devices), version numbers, security configurations
Collection: Export from CMDB or compile from system scans

Hardware Inventory Report

Format: CSV/Excel
Frequency: Monthly
Contents: All devices (make/model/serial), location, CUI designation, owner
Collection: Automated scan with Lansweeper or manual spreadsheet

Configuration Change Log

Format: Excel/ServiceNow ticket
Frequency: Continuous
Contents: Date, system changed, what changed, who approved
Collection: Extract from change management system

Drift Detection Report

Format: PDF
Frequency: Monthly
Contents: Systems not matching baseline, date detected, remediation status
Collection: Run Nessus compliance scan or AWS Config report

Baseline Review Meeting Minutes

Format: Word/PDF
Frequency: Quarterly
Contents: Attendees, changes reviewed, approval decisions
Collection: Document in Change Control Board meetings

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For CM.L2-3.4.1 ("Establish and maintain baseline configurations and inventories"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your configuration management process, including baseline configurations, change control procedures, vulnerability management, and how configuration compliance is monitored and enforced. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"CM.L2-3.4.1 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to establish and maintain baseline configurations and inventories. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"CM.L2-3.4.1 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to establish and maintain baseline configurations and inventories. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"CM.L2-3.4.1 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all system types within the CUI boundary requiring baselines
  • Document configuration management tools and CMDB
  • Map change control workflow from request to implementation
  • Ensure this control covers all systems within your defined CUI boundary to which establishing and maintaining baseline configurations and inventories applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Configuration Management Policy
  • 📄 Baseline configuration documents
  • 📄 Change management records
  • 📄 CMDB/asset inventory
  • 📄 Evidence artifacts specific to CM.L2-3.4.1
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will compare actual system configurations against documented baselines, review change tickets for proper approval workflow, and verify vulnerability remediation within SLA.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have documented baseline configurations for all systems handling CUI?

✅ YES → Proceed to Q2
❌ NO → GAP: Create baseline templates starting with highest-risk systems (CUI workstations, file servers). Use NIST SP 800-128 as a guide. Timeline: 30 days.
Remediation:
Start with Windows/Linux hardening guides from CIS Benchmarks

Question 2: Can you produce an up-to-date inventory of all hardware/software that handles CUI?

✅ YES → Proceed to Q3
❌ NO → GAP: Conduct full inventory scan using Lansweeper (free for <100 devices) or PowerShell Get-ComputerInfo. Timeline: 14 days.
Remediation:
Tag CUI systems in inventory for easy identification

Question 3: Do you have a process to detect and remediate configuration drift?

✅ YES → Proceed to Q4
❌ NO → GAP: Implement monthly Nessus compliance scans comparing to baselines. Timeline: 21 days.
Remediation:
Start with critical systems (domain controllers, firewalls)

Question 4: Are baseline reviews conducted at least annually?

✅ YES → Proceed to Q5
❌ NO → GAP: Schedule baseline review meeting with IT and security staff. Timeline: 60 days.
Remediation:
Use Change Control Board meetings for this purpose

Question 5: Can you show evidence of baseline enforcement (e.g., automated remediation of non-compliant systems)?

✅ YES → COMPLIANT
❌ NO → GAP: Implement Group Policy Objects (GPO) or SCCM for Windows, Ansible for Linux. Timeline: 45 days.
Remediation:
Start with 5 critical security settings (auto-updates, firewall, etc.)

⚠️ Common Mistakes (What Auditors Flag)

1. Missing network devices in inventory

Why this happens: Focus only on servers/workstations, forgetting switches/routers
How to avoid: Use network scanning tools (NMAP, RANCID) to find all devices

2. Baselines not updated after upgrades

Why this happens: Failing to document new version settings
How to avoid: Make baseline updates part of change control process

3. No process to handle exceptions

Why this happens: Rigid baselines that don't account for legitimate variations
How to avoid: Create exception request form with risk assessment

4. Spreadsheet inventories that quickly become outdated

Why this happens: Manual tracking is time-consuming
How to avoid: Implement automated inventory tools (OCS Inventory, PDQ Inventory)

5. No version control for baseline documents

Why this happens: Using shared drives without change history
How to avoid: Store in Git repository or SharePoint with versioning

📚 Parent Policy

This practice is governed by the Configuration Management Policy
