Configuration Management
Configuration Management is about running your systems in a known, deliberate state: baselines, change control, and locking down what is not needed. Uncontrolled configuration drift is where quiet vulnerabilities live.
The 9 Configuration Management requirements
44 assessment objectives across this family.
- 3.4.1 System Baselining: Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (5 pt, ✕ POA&M)
- 3.4.2 Security Configuration Enforcement: Establish and enforce security configuration settings for information technology products employed in organizational systems. (5 pt, ✕ POA&M)
- 3.4.3 System Change Management: Track, review, approve or disapprove, and log changes to organizational systems. (1 pt)
- 3.4.4 Security Impact Analysis: Analyze the security impact of changes prior to implementation. (1 pt)
- 3.4.5 Access Restrictions For Change: Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. (5 pt, ✕ POA&M)
- 3.4.6 Least Functionality: Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. (5 pt, ✕ POA&M)
- 3.4.7 Nonessential Functionality: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (5 pt, ✕ POA&M)
- 3.4.8 Application Execution Policy: Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. (5 pt, ✕ POA&M)
- 3.4.9 User-installed Software: Control and monitor user-installed software. (1 pt)
Build Configuration Management, and all 14 families, with an officer
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
Questions, answered
How many CMMC Level 2 requirements are in Configuration Management?
The Configuration Management family (CM) has 9 of the 110 CMMC Level 2 requirements, assessed against 44 objectives from NIST SP 800-171A.
What is the Configuration Management family about?
Configuration Management is about running your systems in a known, deliberate state: baselines, change control, and locking down what is not needed. Uncontrolled configuration drift is where quiet vulnerabilities live.