NIST 800-171 • LEVEL 2 • CONFIGURATION MANAGEMENT
3.4.1 — Baseline Configuration
Develop and maintain under configuration control, a current baseline configuration of the system. Review and update the baseline configuration of the system at the organization-defined frequency (A.03.04.01.ODP.01) and when system components are installed or modified.
CMMC Practice Mapping
Assessment Objectives
- a current baseline configuration of the system is developed.
- a current baseline configuration of the system is maintained under configuration control.
- the baseline configuration of the system is updated at the organization-defined frequency (A.03.04.01.ODP.01).
- the baseline configuration of the system is reviewed when system components are installed or modified.
- the baseline configuration of the system is updated when system components are installed or modified.
- the baseline configuration of the system is reviewed at the organization-defined frequency (A.03.04.01.ODP.01).
Practitioner Notes
A baseline configuration is basically a snapshot of how your systems are set up right now — what software is installed, what settings are active, what hardware is in place. Think of it as your "known good" starting point. If something goes wrong or changes unexpectedly, you compare back to the baseline to figure out what moved.
You need to keep this documented and update it whenever you make changes — new software installs, patches, hardware swaps, or configuration tweaks.
Example 1: Use Microsoft Endpoint Configuration Manager (MECM/SCCM) to run a hardware and software inventory scan across all endpoints. Export the baseline report from Assets and Compliance > Overview > Device Collections and store it in your configuration management repository. Re-run and compare after each change window.
Example 2: In a smaller environment, maintain a baseline spreadsheet or use a tool like Nessus to run a credentialed scan. Under Scans > New Scan > Advanced Scan > Discovery, enable host enumeration and software inventory plugins. Save the scan results as your documented baseline and schedule quarterly re-scans.