Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - CM.L2-3.4.1 – Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Understanding the Requirement
This control requires you to define, document, and keep up-to-date a set of baseline configurations and a complete inventory for every class of system your organization uses (workstations, servers, network gear, printers, etc.). Baselines are the agreed specifications that determine how a system should be built and secured, and inventory records must capture hardware, software, firmware, and supporting documentation. The baseline and inventory must be maintained and reviewed throughout the system development life cycle so that builds, changes, and deployments remain consistent and auditable. This guidance is part of NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 and should be applied pragmatically for SMB scale and staffing.
Technical Implementation
-
Create baseline templates by system type.
For each system class (e.g., Windows workstation, macOS laptop, Linux server, edge router, printer), produce a baseline document that lists required OS versions, approved applications, required security settings (firewall, antivirus, local user controls), firmware policy, and minimum documentation (owner, purpose, recovery steps). Keep templates lightweight and use checklists for faster deployment.
-
Automate build and enforcement where possible.
Use image deployment, group policy, MDM, configuration management tools (e.g., Intune, JAMF, Ansible, or your RMM solution) to apply baseline settings and approved software. Automation reduces human error and ensures every new device matches the baseline on first boot and during reimages.
-
Maintain a single source of truth inventory.
Implement a CMDB or an asset inventory (can be a secure cloud spreadsheet or lightweight asset management tool) that records hardware serial/model, OS and firmware versions, installed software versions, location/owner, and baseline template applied. Update the inventory during onboarding, decommissioning, and major changes.
-
Integrate baseline control with change management.
Require a documented change request (who, what, why, rollback plan) for deviations from the baseline or for baseline updates. Approve changes and update both the baseline documents and inventory records before deploying them broadly.
-
Schedule periodic reviews and version control.
Review baselines and inventories on a regular cadence (quarterly or after major software/firmware releases). Use simple version control (date/version number, author, change log) so auditors can see baseline evolution and reasoning for changes.
-
Validate compliance with lightweight audits and monitoring.
Run automated scans (patch/asset discovery, configuration assessments) and sample manual checks to verify devices conform to baselines. Track exceptions, remediation timelines, and whether exceptions are temporary or require baseline updates.
Example in a Small or Medium Business
A 45-person engineering firm designates its IT lead, Maria, to establish baseline configurations and inventories. She starts by creating three baseline templates: Windows 11 workstations, Ubuntu-based servers, and Cisco/edge network devices. Each template lists required software, permitted services, local security settings (screen lock, disk encryption, antivirus), firmware update schedule, and required documentation fields (owner, asset tag, warranty). Maria uses the company RMM and a custom image to deploy the workstation baseline to new hires and enforces policies via group policy and MDM. She maintains a cloud-hosted asset list that records every device, the baseline applied, firmware and software versions, and lifecycle stage; the help desk updates the inventory when devices are replaced or repaired. For any change—like approving a new developer tool—Maria raises a documented change request, tests the change on a pilot group, and then updates the baseline and inventory before company-wide rollout. Quarterly, she runs an automated configuration scan and performs a targeted manual audit of ten machines to ensure compliance and record any remediation actions.
Summary
Establishing and maintaining baseline configurations and inventories combines clear policy with practical technical controls: baseline templates, automated deployment and enforcement, a single source of truth inventory, change control, and periodic validation. For SMBs, the priorities are simplicity, automation where feasible, and disciplined record-keeping so every system build and change is predictable, secure, and auditable—fulfilling the intent of the control while keeping operational overhead manageable.
