CM.L2-3.4.1  

Reference: CMMC v2.13

Family: CM

Level Introduced: 2

Title: System Baselining

Practice:
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

Further Discussion:
An effective cybersecurity program depends on consistent, secure system and component configuration and management. Build and configure systems from a known, secure, and approved configuration baseline. This includes:
• documenting the software and configuration settings of a system;
• placement within the network; and
• other specifications as required by the organization.

Example
You are in charge of upgrading the computer operating systems of your office’s computers. Some of these computers process, store, or transmit CUI. You research how to set up and configure a workstation with the least functionality and highest security and use that as the framework for creating a configuration that minimizes functionality while still allowing users to do their tasks. After testing the new baseline on a single workstation, you document this configuration and apply it to the other computers [a]. You then check to make sure that the software changes are accurately reflected in your master system inventory [e]. Finally, you set a calendar reminder to review the baseline in three months [f].

Potential Assessment Considerations
• Do baseline configurations include software versions and patch level, configuration parameters, network information, and communications with connected systems [a,b]?
• Are baseline configurations updated as needed to accommodate security risks or software changes [c]?

Source: CMMC v2.13