System baselines are part of Configuration Management (CM). Maintaining an inventory of hardware and software is important, but the evidence of managing baselines lies in the configuration management process, which establishes and documents standard system configurations, approved software, and change control. The CMMC practice CM.L2-3.4.1 requires the OSC to establish and maintain baseline configurations.
Exact extracts:
“Baseline configurations are documented, formally reviewed, and maintained as part of configuration management.”
“Assessment Objectives … Determine if: baseline configurations are established; baseline configurations are maintained.”
“Potential Assessment Methods – Examine: configuration management policy; documented baseline configuration; inventory of system components.”
Expanded explanation:
Hardware/software lists show what exists, but without baseline control they do not demonstrate effective management.
Configuration management evidence includes: CM policies, baselines for operating systems, software versions, patch levels, and configuration checklists.
This ensures that unauthorized changes or unapproved software do not cause systems to deviate from the security posture.
Why the other options are incorrect:
A (Media protection): Relates to storage devices and handling, not baselines.
B (Physical protection): Relates to facility and hardware security, not configuration.
D (Identification and authentication policy): Addresses user access, not baseline configuration.
References: CMMC Assessment Guide – Level 2, CM.L2-3.4.1 “Establish and Maintain Baseline Configurations”; NIST SP 800-171 Rev. 2, 3.4.1.