CM.L2-3.4.1 — Establish and maintain baseline system configurations
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Verbatim NIST SP 800-171 Rev 2 requirement text (3.4.1).
How it's scored
5 points deducted from your SPRS score if unmet.
An open gap here is not POA&M-eligible (only 1-point requirements qualify under 32 CFR 170.21, with one narrow exception at SC.L2-3.13.11): it must be fully implemented before a Level 2 assessment can certify.
What an assessor checks: the 6 assessment objectives
NIST SP 800-171A determination statements, verbatim. A CMMC Level 2 assessor marks CM.L2-3.4.1 MET only when every applicable objective is satisfied — and examines evidence, not assertions.
| Objective | Determination statement |
|---|---|
| 3.4.1[a] | a baseline configuration is established. |
| 3.4.1[b] | the baseline configuration includes hardware, software, firmware, and documentation. |
| 3.4.1[c] | the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle. |
| 3.4.1[d] | a system inventory is established. |
| 3.4.1[e] | the system inventory includes hardware, software, firmware, and documentation. |
| 3.4.1[f] | the inventory is maintained (reviewed and updated) throughout the system development life cycle. |
Where do you stand on CM.L2-3.4.1?
The free Muster Score walks all 110 requirements — including every objective above — and computes your exact SPRS score in your browser. No signup, no upload, and your answers never leave your device.
Get your free Muster Score →Requirement and objective text: NIST SP 800-171 Rev 2 / SP 800-171A (verbatim). Scoring: DoD Assessment Methodology v1.2.1; POA&M eligibility: 32 CFR 170.21. Muster is independent and not affiliated with the U.S. Department of Defense or the Cyber AB; this page is compliance information, not legal advice or a certification.