NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-2(1) Reviews and Updates

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

This enhancement requires you to regularly review and update your baseline configuration — not just set it once and forget it. Baselines must evolve as your environment changes.

Example 1: Schedule quarterly reviews of your GPO baselines to incorporate new DISA STIG releases and verify settings still align with current security requirements.

Example 2: After every major system change (like a Windows version upgrade), update your baseline documentation in Confluence or your GRC tool and get approval from the CCB.