CM.L2-3.4.1
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Assessment Objectives
- [a]: Determine if baseline configurations of the system are established.
- [b]: Determine if baseline configurations of the system are maintained.
- [c]: Determine if inventories of system components (including hardware, software, firmware, and documentation) are established.
- [d]: Determine if inventories of system components (including hardware, software, firmware, and documentation) are maintained.
Spirit of the Control and Objectives
This control ensures that organizations define, document, and maintain baseline configurations and inventories of all system components to support effective security, change management, and risk mitigation. Baseline configurations serve as a reference point for system security settings, approved software versions, and hardware configurations, ensuring that changes are properly managed and unauthorized modifications are detected.
A well-maintained inventory of hardware, software, firmware, and system documentation allows organizations to track assets, prevent unauthorized devices or software, and maintain configuration control throughout the system’s lifecycle.
Common Ways to Meet the Control
- Develop and document baseline configurations: Define standard configurations for operating systems, network devices, applications, and security settings.
- Use configuration management tools: Leverage automated tools such as SCCM, Ansible, Chef, or Puppet to track and enforce baseline configurations.
- Maintain an asset inventory: Implement automated asset management solutions to continuously track and update hardware, software, and firmware inventories.
- Enforce change control processes: Require formal change approvals and documentation before modifying baseline configurations.
- Implement system hardening standards: Apply security baselines such as CIS Benchmarks, DISA STIGs, or vendor-recommended settings to protect system integrity.
- Regularly audit and update configurations: Perform periodic reviews and updates to baseline configurations to reflect system changes, patches, and security enhancements.
- Ensure system documentation is up to date: Maintain accurate documentation of system configurations, network diagrams, and software inventories to support security and compliance.
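The baseline and inventory practices listed above, as an added example that is not part of this control text or any specific tool: a small Python drift check that moves the baseline only through approved change records, then compares an observed host state against the baseline settings, approved software versions, and the authorized device inventory. Every setting, version, device id and change id here is constructed sample data.

```python
import copy

# Constructed sample data: approved baseline (settings, software versions), authorized
# component inventory (device id -> approved firmware level), and change-control records.
BASELINE = {"settings": {"ssh.PermitRootLogin": "no", "auditd.enabled": "yes"},
            "software": {"openssh-server": "9.6p1", "auditd": "3.1.2"}}
INVENTORY = {"HW-0001": "2.4.1", "HW-0002": "2.4.1"}
CHANGES = [  # only approved records may move the baseline
    {"id": "CHG-42", "scope": "software", "key": "openssh-server", "value": "9.7p1", "approved": True},
    {"id": "CHG-43", "scope": "settings", "key": "ssh.PermitRootLogin", "value": "yes", "approved": False},
]

def apply_approved_changes(baseline, changes):
    """Return a copy of the baseline with approved change records applied; denied ones are ignored."""
    updated = copy.deepcopy(baseline)
    for chg in changes:
        if chg["approved"]:
            updated[chg["scope"]][chg["key"]] = chg["value"]
    return updated

def diff_map(category, expected, actual):
    """Yield (category, key, expected, actual) for every mismatch between two dicts.
    A key only in `actual` is an unauthorized item (expected=None); only in `expected`, a missing one."""
    for key in expected.keys() | actual.keys():
        if expected.get(key) != actual.get(key):
            yield (category, key, expected.get(key), actual.get(key))

def check_drift(baseline, inventory, observed):
    """Compare an observed host state with the baseline and inventory; an empty list means no drift."""
    findings = list(diff_map("setting", baseline["settings"], observed["settings"]))
    findings += diff_map("software", baseline["software"], observed["software"])
    findings += diff_map("device-firmware", inventory, observed["devices"])
    return findings

# Constructed observed state: openssh patched per approved CHG-42 (no finding), root login
# enabled although CHG-43 was denied, an unapproved tool installed, one device at the wrong
# firmware level, and an unknown device present.
OBSERVED = {"settings": {"ssh.PermitRootLogin": "yes", "auditd.enabled": "yes"},
            "software": {"openssh-server": "9.7p1", "auditd": "3.1.2", "netcat": "1.2"},
            "devices": {"HW-0001": "2.4.1", "HW-0002": "2.3.0", "HW-9999": "1.0"}}

if __name__ == "__main__":
    current = apply_approved_changes(BASELINE, CHANGES)
    for category, key, expected, actual in check_drift(current, INVENTORY, OBSERVED):
        print(f"{category:16} {key:22} expected={expected!r} actual={actual!r}")
```

Each finding maps back to an assessor artifact: a denied change that still appears on the host, software or devices absent from the inventory, and firmware levels that no longer match the approved record.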
How We Interpret the Control
This control ensures that organizations establish standardized system configurations and maintain an up-to-date inventory of IT assets to prevent unauthorized changes and security misconfigurations. Organizations should document approved system states, track all system components, and enforce configuration controls to maintain security, compliance, and operational stability.
This control aligns closely with CM.L2-3.4.6, which requires organizations to employ automated mechanisms to maintain an accurate and up-to-date inventory of system components.
What an Assessor Looks For
- Documented baseline configurations, detailing approved system settings, software versions, and security controls.
- Records of baseline configuration updates, demonstrating that configurations are reviewed and updated as needed.
- System component inventories, including lists of authorized hardware, software, firmware, and associated documentation.
- Change management logs, showing approved modifications to baseline configurations and system inventories.
- Evidence of automated configuration management tools, such as system scans or reports verifying compliance with baselines.
- Security audits or configuration reviews, ensuring that systems adhere to established baselines and unauthorized changes are detected.
Additional Comments
Baseline Configurations vs. System Inventories Summary
While both baseline configurations and system inventories are critical for system security and management, they serve different functions. Baseline configurations define the approved security settings, software versions, and system configurations that must be maintained to ensure security and consistency. In contrast, system inventories track all organizational IT assets, including hardware, software, and firmware, ensuring visibility and accountability. Together, these practices support effective change control, vulnerability management, and security monitoring in alignment with NIST SP 800-171 Rev. 2 requirements.