The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Compliance

CMMC Configuration Management Requirements: The 9 Controls, Their Point Values, and What Assessors Check

By The Defense Compliance Report Editorial Team · Last reviewed · Last verified

This page provides educational research, not legal, contractual, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner (RP) or Registered Provider Organization (RPO), and, where legal or contractual interpretation is required, a qualified federal-contracts attorney.

About this resource

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance—explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

The CMMC configuration management requirements are the nine security requirements in the Configuration Management (CM) family—CM.L2-3.4.1 through CM.L2-3.4.9—that CMMC Level 2 inherits from NIST Special Publication 800-171 Revision 2. They carry 44 assessment objectives and up to 33 scoring points. Six of the nine are worth five points each and cannot be carried on a plan of action, so if any one of those six is still NOT MET when your assessment results are finalized, there is no conditional pass. The assessment does not pass.

That last clause is the part most short “CM controls” summaries skip. They hand you nine bullet points as if they were nine equal boxes to tick. They are not. Under the CMMC Scoring Methodology, six of these nine requirements are worth five points each and are ineligible for a Plan of Action and Milestones (POA&M)—the mechanism that lets you defer a fix and still pass conditionally. The other three are worth one point each and may be deferrable. So the family is not a checklist of equal items; it is a tiered set in which two-thirds of the requirements, if unmet at finalization, end the assessment outright.

We built this page to put the whole family in one place—requirement text, objective counts, point values, conditional-status treatment, and evidence—straight from the primary sources: NIST SP 800-171 Rev. 2, the DoD CMMC Assessment Guide for Level 2, the CMMC Scoring Methodology at 32 CFR § 170.24, and the rest of 32 CFR Part 170. Every figure below is dated and sourced. Here is the fast version.

CMMC configuration management at a glance

At a glanceAnswer
Requirements in the CM family9 (CM.L2-3.4.1 – CM.L2-3.4.9)
Applies atCMMC Level 2 and Level 3 (Level 1 has zero CM requirements)
Assessment objectives44 across the nine requirements
Maximum scoring exposureUp to 33 points of a 110-point Level 2 score
Five-point requirements (must be MET when results are finalized)6 — CM.L2-3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8
One-point requirements (may be POA&M candidates)3 — CM.L2-3.4.3, 3.4.4, 3.4.9
Governing standardNIST SP 800-171 Rev. 2 (not Rev. 3 — see below)
Assessment objective sourceNIST SP 800-171A (June 2018), incorporated by reference at 32 CFR § 170.2

Who this page is for: IT directors, CISOs, compliance managers, FSOs, and small-business owners in the Defense Industrial Base (DIB) who handle Controlled Unclassified Information (CUI), are implementing or self-assessing CMMC Level 2, and need to know exactly what the CM requirements demand and where the real risk sits.

Who this page is not for:Contractors who handle only Federal Contract Information (FCI) and are trying to work out whether Level 1 applies—the CM family does not exist at Level 1, and this is the wrong page to size your obligation. Start with your solicitation and contract clause; the clause sets your level, not a checklist.

What are the nine CMMC configuration management requirements?

CMMC Level 2 has nine configuration management requirements, numbered CM.L2-3.4.1 through CM.L2-3.4.9, drawn directly from the Configuration Management (CM) family of NIST SP 800-171 Rev. 2. Together they require a contractor to define an approved system state, control and analyze every change to it, strip away unnecessary functionality, govern what software can run, and monitor what users install. The DoD CMMC Assessment Guide for Level 2 breaks those nine requirements into 44 assessment objectives across the family.

One terminology note before the table, because it trips people up. You will see these called “controls,” “practices,” and “requirements” interchangeably. The formal term in the CMMC Final Rule and in NIST SP 800-171 is security requirements. Older CMMC 1.0 material used “practices” and control IDs like “CM.2.061.” Those IDs are dead. If a resource still numbers configuration management as “CM.2.061,” it predates the current model, and you should treat everything else on that page with corresponding skepticism.

The CMMC Configuration Management Control Matrix

RequirementWhat it requires (plain English)Points if NOT METPOA&M-eligible?ObjectivesWhere it usually breaks down (editorial)
CM.L2-3.4.1 — Baseline & inventoryEstablish and maintain baseline configurations and a system inventory covering hardware, software, firmware, and documentation5No6No documented baseline. “It’s in our heads” or “our MSP knows” is a NOT MET
CM.L2-3.4.2 — Security settingsEstablish security configuration settings, put them in the baseline, and enforce them5No2Settings are documented but not enforced—or no approved settings baseline exists at all
CM.L2-3.4.3 — Change controlTrack, review, approve or disapprove, and log system changes1Yes*4Tickets record what happened, but not the review and approval before it happened
CM.L2-3.4.4 — Impact analysisAnalyze the security impact of a change before you implement it1Yes*1The change process has no security-impact step; a scan run afterward is offered instead
CM.L2-3.4.5 — Access to changeDefine, document, approve, and enforce physical and logical restrictions on who can make changes5No8Logical admin is covered; physical access to infrastructure is ignored entirely
CM.L2-3.4.6 — Least functionalityDefine essential capabilities and configure systems to provide only those5No2“Essential” is never defined in writing, so nothing can be verified against it
CM.L2-3.4.7 — Nonessential functionsFor programs, functions, ports, protocols, and services: define what’s essential and restrict the rest5No15A firewall port list is offered, leaving programs, functions, and services unanswered
CM.L2-3.4.8 — Execution policyChoose deny-by-exception or permit-by-exception, specify the software, and enforce it5No3Antivirus or EDR is presented as an “execution policy” with no defined, enforced model
CM.L2-3.4.9 — User-installed softwareSet a user-installation policy, control installation under it, and monitor it1Yes*3Local-admin removal is treated as the whole answer; monitoring—the third objective—is missing
Family totalNine interdependent requirements33 pts3 of 944

*“POA&M-eligible” means the requirement’s point value permits it on a Conditional POA&M. Being a one-point requirement makes it a candidate only—it can sit on the POA&M solely if your overall score is at least 88, none of the six requirements the rule bars from POA&Ms is on it, and the other conditions in 32 CFR § 170.21(a)(2) are met. Sources: NIST SP 800-171 Rev. 2, family 3.4; DoD CMMC Assessment Guide—Level 2; NIST SP 800-171A (June 2018) for objective counts (incorporated by reference at 32 CFR § 170.2); 32 CFR § 170.24 for point values; 32 CFR § 170.21 for POA&M conditions.

What the table reveals that a plain list buries

  • The CM family is 9 of the 110 Level 2 requirements—about 8%—but it accounts for up to 33 pointsof scoring exposure. Summing the point values in § 170.24 across all 110 requirements gives 313 possible deductions (a DCR calculation), so CM carries roughly 10.5% of everything you can lose. It punches above its weight.
  • Six of nine are five-pointers. Having two-thirds of a single family sit at the top point value is an unusually high concentration, and it reshapes how you should prioritize.
  • 3.4.7 alone carries 15 assessment objectives—the most of any requirement in the CM family. If you are going to be under-resourced somewhere, it will be here.

These nine are not nine islands. They form a chain: you cannot maintain a meaningful baseline (3.4.1) without knowing what is in scope; you cannot detect an unauthorized change (3.4.3) without an approved prior state to compare against; you cannot write a defensible software-execution policy (3.4.8) without the software inventory that lives inside 3.4.1. We call that dependency the Configuration-Control Chain, laid out as an implementation sequence later on.

Which CMMC levels require configuration management?

Configuration management does not exist at CMMC Level 1. It appears in full at Level 2—all nine requirements—and Level 3 adds three enhanced configuration management requirements on top of the Level 2 set. So if your contract requires Level 2 or Level 3, all nine CM requirements are in play; if it requires Level 1, none are.

This is the first place to stop guessing and check your contract. CMMC assigns a level based on the sensitivity of the information your systems touch, and the level is set by the contract clause, not by a checklist.

CMMC LevelConfiguration management requirementsSource
Level 1 (Self-assessment)0—the 15 basic safeguarding requirements in FAR 52.204-21(b)(1) contain no configuration management requirements32 CFR § 170.15; FAR 52.204-21
Level 2 (Self or C3PAO)All 9—CM.L2-3.4.1 through 3.4.9, from NIST SP 800-171 Rev. 2, family 3.432 CFR § 170.14; NIST SP 800-171 Rev. 2
Level 3 (DIBCAC)9 + 3 enhanced—adds CM.L3-3.4.1e, 3.4.2e, and 3.4.3e from NIST SP 800-17232 CFR § 170.14; NIST SP 800-172; DoD CMMC Assessment Guide—Level 3

Level 3 is not “more of the same.” The three enhanced requirements it adds come from NIST SP 800-172, a separate standard for defending against advanced, persistent threats: an authoritative repository for approved software (3.4.1e), automated detection and remediation of unauthorized configurations (3.4.2e), and automated inventory (3.4.3e). Level 3 also requires you to already hold Final Level 2 (C3PAO) status for every information system in the Level 3 assessment scope.

A word on the standard itself, because search results are actively misleading here. CMMC Level 2 maps to NIST SP 800-171 Revision 2. NIST published Revision 3 in May 2024 and has since withdrawn Revision 2 from its current publication set. CMMC still uses the older editions because 32 CFR §§ 170.2 and 170.14 incorporate them by reference. For a CMMC Level 2 assessment, map your implementation and evidence to Revision 2. Track Revision 3, and watch for rulemaking, but don’t implement it for a current assessment.

Current implementation timing—verified

Phase 1 runs November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments; the DoD may still require Level 2 (C3PAO) during Phase 1 at its discretion. Phase 2 begins November 10, 2026. The solicitation and contract control the requirement for a given procurement.

Not sure which provider category you’ll need once you know your level?

The right CMMC provider isn’t the same for every contractor—the category you need depends on your required level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. Because a general answer can’t resolve those for you, use our decision tool.

Disclosure: this tool may lead to compensated introductions, disclosed at the point of recommendation. Compensation does not control our category mapping or regulatory analysis.

Find My CMMC Path →

How do the CM requirements affect your CMMC score and POA&M options?

Configuration management carries unusually high scoring consequences: six of the nine requirements are worth five points each and three are worth one point each, for up to 33 points of exposure on a 110-point Level 2 assessment. Only the three one-point requirements—CM.L2-3.4.3, 3.4.4, and 3.4.9—can even be candidates for a POA&M. The six five-point requirements must be MET when your results are finalized; there is no conditional pass with one of them still open.

How the score works.Your Level 2 score is recorded in the Supplier Performance Risk System (SPRS). Under the CMMC Scoring Methodology (32 CFR § 170.24), the score starts at 110—one point for each Level 2 requirement—and a weighted value is subtracted for each requirement scored NOT MET: 5 points for the most critical, 3 for some, and 1 for the rest. To be eligible for ConditionalLevel 2—a passing status with a POA&M attached—your score divided by the number of Level 2 requirements must be at least 0.8, which works out to a score of 88(32 CFR § 170.21(a)(2)(i)).

Point valueCM requirementsCountPoints at stake
5 pointsCM.L2-3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8630
1 pointCM.L2-3.4.3, 3.4.4, 3.4.933
Total933

There are no three-point requirements in the CM family. That detail matters more than it looks, because of the POA&M rules.

The assessment-ender rule—this is the whole game.Under 32 CFR § 170.21, a POA&M for Conditional Level 2 may hold only one-point requirements (with one narrow, unrelated exception for a CUI-encryption requirement outside this family). Anything worth three or five points must be MET. Applied to configuration management:

The math that makes it concrete.Suppose you walk in with all nine CM requirements NOT MET and everything else perfect. That is a 33-point loss: 110 − 33 = 77. A 77 is below the 88 threshold, so you fail on the CM family alone. But you would fail before the arithmetic even ran, because one of those six five-pointers being open removes the conditional path outright.

One useful distinction: internal plan vs. assessment POA&M.Before an assessment, you can—and should—track every open gap in an internal remediation plan, no matter its point value. The restrictions above apply to the assessmentPOA&M used to obtain Conditional CMMC status, not to your own project tracker.

And don’t count on an “operational” workaround for a real gap. An Operational Plan of Action (OPA) is a legitimate tool: under § 170.24(b)(1)(ii), a genuine temporarydeficiency that is properly managed in an OPA—with deficiency reviews and demonstrated progress—is assessed MET. But the DoD’s CMMC FAQ draws the line clearly: once an assessor records a requirement as NOT MET, that gap belongs on a POA&M, not relabeled as an OPA. An OPA manages temporary risk on an otherwise-implemented control; it does not rescue a control you never implemented. If that control is a five-point CM requirement, Conditional status is off the table.

If you do land a POA&M on one of the three deferrable CM requirements, the clock is real: you have 180 daysfrom your Conditional CMMC Status Date to remediate and pass a closeout assessment, or the conditional status expires (32 CFR §§ 170.17, 170.21). The practical takeaway: prioritize the six five-pointers first, ruthlessly.

Can you fix a NOT MET requirement before a C3PAO assessment is finalized?

Sometimes—but narrowly. Under 32 CFR § 170.17(c)(2), a C3PAO may re-evaluate a NOT MET requirement during the assessment and for 10 business days after the active assessment period, but only if additional evidence is available, the new evidence doesn’t weaken any already-MET requirement, and the CMMC Assessment Findings Report hasn’t been delivered. It is a window to surface evidence you already have—not to build a control you don’t.

This is a real and underappreciated feature of a Level 2 certification assessment, and it is why “assessment-ender” on this page means a five-point gap that is stillNOT MET when results are finalized—not a gap the assessor flags mid-week. Read the conditions carefully:

In practice, during the assessment week the C3PAO will tell you which requirements are short on evidence and ask you to produce it. After the active period, that 10-business-day window is your last chance to close the gap with existing proof before the report is finalized. Use it for what it is: an evidence-completeness safety net, not a remediation runway.

Is your CMMC score the same as your SPRS / NIST 800-171 self-assessment score?

Not exactly, and conflating them causes real confusion. CMMC status and scoring are governed by 32 CFR Part 170 and the DFARS 252.204-7021 clause. The older DFARS 252.204-7019 and -7020 clauses concern a separate “NIST SP 800-171 DoD Assessment” (Basic, Medium, or High) that also posts a score to SPRS. Both live in SPRS and use similar subtractive math, but they are distinct regimes—do not treat your legacy 800-171 self-assessment score as your CMMC assessment result.

ClauseWhat it does
DFARS 252.204-7012Safeguarding covered defense information and 72-hour cyber-incident reporting; implements NIST SP 800-171
DFARS 252.204-7019 / -7020The NIST SP 800-171 DoD Assessment (Basic/Medium/High) and SPRS-score framework that predates CMMC and may still appear in contracts
DFARS 252.204-7021Contractual CMMC status, maintenance, annual affirmation, DoD access, and flow-down obligations

The point for this page: when someone asks “what’s your SPRS score?” they may mean your legacy NIST 800-171 DoD Assessment score oryour CMMC assessment score. They are scored under different authorities. Your CMMC Level 2 score is the one produced under the CMMC Scoring Methodology at § 170.24 and recorded as a CMMC Status.

What evidence do CMMC assessors look for in configuration management?

CMMC does not define a single, universal evidence package for the CM family. Assessments use three methods—Examine, Interview, and Test—so a defensible evidence set connects approved documentation, the people who run each process, and a repeatable demonstration that the process and its technical controls actually work, mapped to every applicable assessment objective. The examples below are evidence-planning guidance drawn from the DoD guide’s potential methods and objects, not a guaranteed checklist; assessors select what fits, and no single artifact makes a requirement MET on its own.

MethodWhat it establishesWhat it looks like for configuration management
ExamineThe requirement is defined and records existPolicies, procedures, the SSP, baselines, inventories, settings standards, change tickets, logs, exception records
InterviewThe responsible people understand and actually perform the processThe system owner, an administrator, the change approver, whoever controls physical access
TestThe process or technical control genuinely worksA configuration-drift check, a blocked software-execution attempt, a change traced from request to closure, an installation alert firing

Under § 170.24, a requirement is MET only when all applicable objectives are satisfied by evidence that is final and approved—working papers, drafts, and unapproved policies don’t count. Assessors are looking for all three legs of the triangle to line up, and to line up with the System Security Plan (SSP).

Looks implemented—still scored NOT MET

What you show the assessorWhy it may still fail
An Intune configuration profileNo approved baseline it maps to, no applicability list, no deviation handling, no enforcement result
An asset inventory exportNo firmware or documentation coverage; a one-time export with no maintenance process
Change ticketsNo review or approval before implementation; the person who did the work also closed the ticket
Firewall rulesNo definition of essential ports and protocols, and nothing covering programs, functions, and services
“No local admin for users”No monitoring of installation activity and no documented exception path
An EDR productNo defined execution-policy model and no proof it enforces one
A STIG or CIS checklistNot tied to the actual baseline; unexplained deviations; never shown to be deployed and enforced
“Our MSP handles it”Responsibilities not mapped to objectives; you can’t produce the operating evidence yourself
A polished policy documentNo evidence the stated procedure is actually running
Undated screenshotsNo date, no system identity, no scope relationship, no repeatable way to collect them again

The honest truth about configuration management

You can own every tool CMMC seems to want—Intune, Group Policy, a remote monitoring platform, a ticketing system, EDR—and still be scored NOT MET. Owning a tool is not evidence by itself. An Intune console proves a setting is possible; it does not prove you defined an approved baseline, enforced it across the systems in scope, and can put the records in front of an assessor on demand.

The good news, for a shop already on Microsoft 365 with an admin who can own documentation: this is usually a paperwork-and-discipline problem, not a rip-and-replace problem.You very likely already own the tooling for most of this family. What’s missing is the connective tissue—the approved baseline, the enforcement record, the change trail, the monitoring output—that turns your existing work into evidence. Separate missing proof from missing implementation before you buy or migrate anything.

Get the configuration management evidence checklist

Walk your own environment before an assessor does: our CM readiness checklist runs the nine requirements and their 44 objectives, with the artifact each one expects, the interview it implies, and the test that proves it. No CUI or sensitive configuration details required.

Get the CM Readiness Checklist →

What does each CMMC configuration management requirement actually require?

Each of the nine requirements resolves a different piece of configuration control, and passing one does not satisfy the others. The deep dives below give you, for every requirement: what the rule says, its assessment objectives spelled out, what an assessor examines and tests, the failure that sinks it most often, and—just as important—what the requirement does not secretly require.

Read the one you’re stuck on. Each is written to stand alone.

CM.L2-3.4.1—Establish and maintain baseline configurations and inventories

5 pointsPOA&M ineligible6 objectives

A system inventory tells you what exists. A baseline tells you what the approved state should be. CMMC 3.4.1 requires both—and requires each to include hardware, software, firmware, and documentation, and to stay maintained over the system’s life. It carries six assessment objectives.

The six objectives, in plain form: [a] a baseline configuration is established; [b] the baseline includes hardware, software, firmware, and documentation; [c] the baseline is maintained; [d] a system inventory is established; [e] the inventory includes hardware, software, firmware, and documentation; [f] the inventory is maintained. In short, two living records—an approved baseline and an inventory—each covering all four component types, each kept current.

What an assessor checks: Examine the baseline records and the inventory, including firmware and documentation coverage; interview the people who own asset management and system configuration; test how a change flows into an updated baseline and inventory.

The failure that sinks it:A device inventory exists—usually an export from a remote monitoring tool—but there is no approved baselineat all, or firmware and documentation are omitted, or the inventory is a one-time snapshot no one maintains. And the deadliest version: the baseline lives in an administrator’s head, or “our MSP knows it.” The objectives require the baseline and inventory to be established and maintained, and § 170.24 requires the evidence to be final and approved—so undocumented is NOT MET.

What it does NOT require:A commercial configuration management database (CMDB). No product is named. A controlled spreadsheet, a repository, or a platform export can support compliance if it is complete, approved, and maintained—though no single artifact, by itself, guarantees a MET finding.

Worth knowing:Baseline configuration (3.4.1) has appeared on DCMA DIBCAC’s published list of the most frequently “Other Than Satisfied” NIST SP 800-171 requirements, drawn from 117 of its historical assessments. If you fix one thing first, fix this: it’s a five-pointer, it can’t go on a POA&M, and it’s where assessors find gaps most often.

CM.L2-3.4.2—Establish and enforce security configuration settings

5 pointsPOA&M ineligible2 objectives

CMMC 3.4.2 is not satisfied by choosing a hardening benchmark. Your organization must establish its security settings, include them in the baseline, and enforcethem on the products in scope. It has two assessment objectives—and the second, enforcement, is where it comes apart.

The two objectives: [a] security configuration settings for IT products are established and included in the baseline; [b] those settings are enforced. Picking CIS Benchmarks or a Microsoft Security Baseline is a start, not a finish. You have to establish the settings that apply to each product, fold them into your baseline, and enforce them, with a way to identify and handle deviations.

What an assessor checks: Examine the approved settings, the deviations and their approvals, and any compliance or drift reports; interview security or platform engineering; test that the selected settings are actually enforced on live systems.

The failure that sinks it:A hardening spreadsheet or benchmark report exists but isn’t tied to the real baseline, is full of unexplained deviations, or was never deployed and enforced. No approved settings baseline, or settings that aren’t enforced—that’s the classic NOT MET.

What it does NOT require: A named benchmark. CMMC 3.4.2 does not mandate DISA STIGs, CIS Benchmarks, or any single standard. It requires settings established and enforced. Nor does it name a specific enforcement tool: show how settings are enforced and how deviations are identified and handled.

CM.L2-3.4.3—Track, review, approve or disapprove, and log system changes

1 pointPOA&M candidate*4 objectives

CMMC 3.4.3 is about the controlled history of changes, not the existence of a ticketing tool. The record has to show four things—that changes are tracked, reviewed, approved or disapproved, and logged—which is exactly its four assessment objectives. This is a one-point requirement and, unlike most of the family, it can be a POA&M candidate.

The four objectives: [a] changes are tracked; [b] changes are reviewed; [c] changes are approved or disapproved; [d] changes are logged. The requirement applies to more than servers—cloud tenant changes, identity-platform changes, and infrastructure-as-code changes are all changes.

What an assessor checks: Examine change tickets, approval records, and the change log; interview the change approver and system owner; test a sample change traced from request through approval to closure.

The failure that sinks it: Tickets document what happened after the work, but show no review or approval before it. A ticket closed by the person who did the work is not, by itself, proof that an authorized review and an approve-or-disapprove decision happened before implementation.

What it does NOT require:A committee formally named a “Change Control Board.” The Level 2 Assessment Guide contemplates a change control board “or similar,” which explicitly leaves room for a right-sized approval process at a smaller company. The record must show an authorized approval decision and a process capableof disapproval—but you don’t have to manufacture a rejected change if none occurred.

CM.L2-3.4.4—Analyze the security impact of changes before implementation

1 pointPOA&M candidate*1 objective

A change working technically is not a change that’s ready. CMMC 3.4.4 requires a security-impact analysis performed beforeimplementation—a check on how the change affects your security requirements, CUI flow, scope, and protections. It is a single assessment objective, one point, and can be a POA&M candidate.

The one objective: [a] the security impact of changes is analyzed prior to implementation. Before a change goes in, someone has to ask and record: does this alter how CUI flows? Does it pull a new system or service into scope? Does it weaken access, logging, encryption, or segmentation? Does it change something the SSP asserts?

What an assessor checks: Examine a security-impact field or attached analysis on change records; interview the security lead or system owner; test that the analysis preceded implementation for real changes.

The failure that sinks it:A generic “risk: low” checkbox, or—the tell assessors catch immediately—a vulnerability scan run afterdeployment offered as the “impact analysis.” The analysis has to come first, and it has to consider security, not just function.

What it does NOT require:A heavyweight formal risk assessment for every routine change. The rule doesn’t prescribe one fixed format or length; the evidence must still show that security impact was analyzed before implementation, in proportion to the change.

CM.L2-3.4.5—Control physical and logical access to make changes

5 pointsPOA&M ineligible8 objectives

CMMC 3.4.5 goes well beyond limiting domain-admin accounts. You must define, document, approve, and enforce restrictions on both physical and logicalaccess associated with changes—eight assessment objectives, four for each dimension. This is a five-point requirement and cannot go on a POA&M.

The eight objectives double the same four actions across two dimensions. Physical: [a] defined, [b] documented, [c] approved, [d] enforced. Logical: [e] defined, [f] documented, [g] approved, [h] enforced. Logical is the part everyone remembers—privileged groups, admin roles, credential restrictions. Physical is the part that fails assessments: who can physically touch the server, the network closet, the firmware, the removable components through which a change can be made.

What an assessor checks: Examine the privileged-access and change-authority definitions, the approvals, and the physical restrictions on infrastructure; interview identity/security administration and physical security; test that unauthorized actors cannot make changes, logically or physically.

The failure that sinks it: A screenshot of the privileged-users group is offered as the whole answer. It proves logical membership but not approval, not enforcement, and nothing about physical access. Eight objectives, and only two got addressed.

What it does NOT require: A data center with mantraps. A locked server room and an approved access list can contributeevidence for a small office—but they don’t, by themselves, establish all eight objectives. The point is that physical and logical change-access are defined, documented, approved, and enforced in proportion to your environment.

CM.L2-3.4.6—Least functionality

5 pointsPOA&M ineligible2 objectives

Least functionality means defining the capabilities a system genuinely needs and configuring it to provide only those. CMMC 3.4.6 is the high-level “what should this system be able to do?” requirement, and it has two assessment objectives: essential capabilities defined, and systems configured to provide only those. It is a five-point requirement and cannot go on a POA&M.

The two objectives: [a] essential system capabilities are defined; [b] the system is configured to provide only those defined capabilities. The requirement is conceptual, and that is exactly why people struggle with it. It asks you to write down, per system or role, what the system is for—and then to turn off everything else. A file server doesn’t need a media player. An engineering workstation needs its CAD suite and little else.

What an assessor checks: Examine the essential-capability definitions and the approved build profiles; interview the system owner; test that unnecessary capabilities are actually unavailable.

The failure that sinks it:The team has hardened its systems but can’t explain what “essential” means for each one. Hardening without a written definition of essential capability leaves nothing for the assessor to verify the configuration against.

What it does NOT require:A specific hardening tool. It requires the definition and the resulting configuration. This is the requirement 3.4.7 builds on—so define essential capability well here, and 3.4.7 gets easier.

CM.L2-3.4.7—Restrict nonessential programs, functions, ports, protocols, and services

5 pointsPOA&M ineligible15 objectives

This is the most granular requirement in the family. CMMC 3.4.7 makes you address five separate categories—programs, functions, ports, protocols, and services—and for each one, define what is essential, define nonessential use, and restrict or disable it. That is 15 assessment objectives, the most of any requirement in the CM family. Five points, and it cannot go on a POA&M.

The reason 3.4.7 carries so many objectives is arithmetic: five categories, each with three determinations—essential use defined, nonessential use defined, nonessential use restricted/disabled/prevented—equals fifteen. Miss any one of the five categories and you’ve missed the requirement.

A definition that saves confusion: a functionis a capability or feature a system or application provides—macro execution, file sharing, remote administration, scripting, browser extensions, print services. It is not a “function” in the programming sense. 3.4.7 is not asking you to catalog every program ever written. It’s asking you to define essential versus nonessential use in your assessed environment, and to restrict the nonessential.

What an assessor checks:Examine your definitions and enforcement across all five categories—installed-program controls, feature/role configurations, firewall and host rules, protocol configurations, service states; interview the endpoint, network, and application owners; test across the categories, not just ports.

The failure that sinks it: A firewall rule set is offered as the answer. Ports are handled; programs, functions, protocols, and services are not defined or restricted. Four of five categories are silent.

What it does NOT require:A single product to cover all five categories. Most environments use a combination—host and network firewalls for ports and protocols, endpoint controls for programs, configuration management for services and functions. The requirement is coverage across all five, however you achieve it.

CM.L2-3.4.8—Apply an application execution policy (allowlisting or denylisting)

5 pointsPOA&M ineligible3 objectives

CMMC 3.4.8 requires a defined and enforced software-execution policy—but it lets you choose between deny-by-exception (a denylist) and permit-by-exception (an allowlist). Allowlisting is the stronger model, but the requirement text does not make it mandatory. There are three assessment objectives: specify which model you use, specify the software allowed or denied, and implement it as specified. Five points, and it cannot go on a POA&M.

The three objectives: [a] a policy specifying whether allow-all/deny-by-exception or deny-all/permit-by-exception is used is specified; [b] the software allowed to execute (or denied) under that policy is specified; [c] the policy is implemented as specified. “You have to allowlist everything” is a common—and incorrect—reading. The rule permits either approach. What it does not permit is having no defined model at all.

What an assessor checks: Examine the approved execution policy and the allow/deny list; interview endpoint security and IT operations; test with permitted and prohibited software to confirm the model is enforced.

The failure that sinks it:Antivirus, EDR, or a software inventory is presented as an “execution policy.” None of those, by itself, is a defined allow/deny model with enforcement. The policy exists on paper—allowlisting was deemed too disruptive to engineering software—and is silently unenforced.

What it does NOT require:AppLocker, WDAC, or any named product, and it does not require allowlisting specifically. Choose a model that fits your environment, document it, define the software, and enforce it. If permit-by-exception would break your engineers’ toolchain, deny-by-exception, implemented properly, is a compliant choice.

CM.L2-3.4.9—Control and monitor user-installed software

1 pointPOA&M candidate*3 objectives

CMMC 3.4.9 has three distinct parts, and that is exactly its three assessment objectives: establish a user-installation policy, control installation under that policy, and monitorit. Removing local-administrator rights can help you control installation, but it does not, by itself, demonstrate monitoring. This is a one-point requirement and can be a POA&M candidate.

The three objectives: [a] a policy for controlling user-installed software is established; [b] installation of software by users is controlled based on the policy; [c] installation of software by users is monitored. The requirement recognizes that users will try to install things, and it wants a policy, a control, and visibility. The control is what everyone does. The monitoring is what everyone forgets.

What an assessor checks: Examine the installation policy, the technical controls, and installation logs or alerts; interview endpoint administration; test that installation is prevented or detected and handled.

The failure that sinks it:“We removed local admin, so users can’t install anything.” That addresses control. It says nothing about a policy or about monitoring—the third objective.

What it does NOT require:A specific endpoint management platform, and it does not prescribe one alert for every attempted installation. It requires the policy, the control, and a way to monitor installation activity and policy compliance—achieved by whatever combination fits your environment, but all three, not two of three.

Realizing you’re short-staffed for this?

If the deep dives made clear you don’t have the hours or in-house depth to build all nine—especially the five-pointers—that’s a category decision, not a failure. Readiness, remediation, and evidence work route to a Registered Provider Organization (RPO), a Managed Security Service Provider (MSSP), or a managed-compliance firm—never to a C3PAO, which assesses and, by rule, cannot also implement. Our tool maps your level, scope, and timeline to the right category.

Educational triage only—do not submit CUI or sensitive contract details. Disclosure: this tool may lead to compensated introductions, disclosed at the point of recommendation.

Find My CMMC Path →

3.4.6 vs 3.4.7 vs 3.4.8 vs 3.4.9: what’s the difference?

These four requirements overlap in theme but ask genuinely different questions. CM.L2-3.4.6 defines what capabilities a system should have. 3.4.7 restricts five specific categories of nonessential functionality. 3.4.8 controls what software is allowed to execute. 3.4.9 controls and monitors what users install. Treating them as one requirement is the fastest way to fail three of them.

RequirementThe core questionMain objectWhat proves it
3.4.6 — Least functionalityWhat capabilities should this system provide?Overall system capabilityAn essential-capability definition plus the configured state
3.4.7 — Nonessential functionsWhich programs, functions, ports, protocols, and services are essential or restricted?Five named categoriesDefinitions, restrictions, configurations, and tests across all five
3.4.8 — Execution policyWhat software is allowed or denied execution?Software executionA defined allow/deny model, the software list, and an enforcement mechanism
3.4.9 — User-installed softwareWhat may users install, and how is that monitored?User installation activityA policy, a control on installation, and monitoring/logs

A single example ties them together

Take a controlled engineering workstation:

Same workstation, four requirements, four distinct forms of evidence. Build them in that order and each one feeds the next. Blur them together and an assessor will find the seams.

Does CMMC require DISA STIGs or CIS Benchmarks?

No. CMMC 3.4.2 requires you to establish and enforce security configuration settings, but it does not name DISA STIGs, CIS Benchmarks, or any single standard as mandatory. A benchmark is a strong, defensible way to prove your settings are “established”—but the requirement is about establishing and enforcing settings, not about which catalog you started from. A separate contract clause, prime, customer, or platform may impose a specific standard; CMMC 3.4.2 itself does not.

Here is the flexibility, plainly stated, and then the catch: because the rule does not choose the benchmark for you, you carry the burden of explaining what settings you selected, why they fit, how deviations are approved, how they’re enforced, and how drift is caught. Flexibility is not a free pass. It’s a documentation obligation.

Approach to settingsCan it supply a settings source?What you still have to demonstrate
DISA STIGsYes, if tailored, approved, deployed, and evidencedApplicability, tailoring, approved deviations, deployment, enforcement, monitoring
CIS BenchmarksYes, if tailored, approved, deployed, and evidencedThe same
Microsoft Security BaselinesYes, if tailored, approved, deployed, and evidencedSource, approval, completeness, tailoring, enforcement
Internally developed baselinePotentiallyA defensible rationale, approval, full requirement coverage, enforcement
Vendor default settings, undocumentedNo defensible basisNothing—there are no approved settings or repeatable enforcement to show

So: pick a recognized benchmark if you can—it makes “established” easy to defend—tailor it to your environment, document what you changed and why, and prove enforcement. If a contract or prime requires a specific standard, that requirement is real and separate from CMMC; follow it. But don’t let anyone tell you CMMC mandates STIGs across the board. It doesn’t.

Which systems and assets must your CM evidence cover?

Your configuration management evidence has to cover every asset inside your CMMC Assessment Scope—and scope is defined by asset category, not by a vague sense of “our network.” Under 32 CFR § 170.19, Level 2 sorts assets into five categories, and the category determines how the nine CM requirements apply. Get scoping wrong and you either fail on assets you didn’t know were in scope, or you spend money hardening assets that never needed it.

Scope comes before everything. You cannot evaluate readiness against the CM family until you know where CUI lives, how it flows, and which systems are in the boundary. Here are the five categories, from the CMMC scoping framework at § 170.19.

Asset categoryWhat it isHow CM applies
CUI AssetsAssets that process, store, or transmit CUIFull scope. All nine CM requirements apply. Must be in the asset inventory and network diagram, with treatment documented in the SSP
Security Protection Assets (SPA)Assets that provide security functions to the scope (e.g., SIEM, firewall management, identity providers)In scope for the requirements relevant to the protection they provide; documented in the SSP
Contractor Risk Managed Assets (CRMA)Assets that can, but are not intended to, process/store/transmit CUI because of your security policies, procedures, and practicesMust be in the asset inventory, network diagram, and SSP treatment; assessment treatment follows § 170.19(c)(1)
Specialized AssetsIoT, OT, government property, test equipment, restricted information systemsManaged per your risk-based approach and documented; assessed against a limited set, not the full CM family
Out-of-Scope AssetsAssets that cannot process, store, or transmit CUI and are appropriately separatedNo CMMC requirements apply—if the separation genuinely holds

The category that catches people is CRMA. Assets there are not exempt: they still have to appear in your inventory, network diagram, and SSP treatment, and their handling is assessed. And the boundary between “out of scope” and “in scope” is only as strong as the separation you can prove.

The scoping lever that actually changes your CM workload isn’t a trick of counting—it’s reducing the number and diversity of in-scope assets. A tightly scoped CUI enclave means fewer systems, fewer platforms, and fewer variations to baseline, harden, and monitor. Building the asset inventory is where scope gets formalized.

How do MSPs, MSSPs, CSPs, and other external service providers affect CM scope?

An MSP, MSSP, cloud service provider, or other External Service Provider (ESP) can pull itself into your assessment through the CUI it handles, the Security Protection Data it holds, or the security functions it performs for you. “Our MSP handles it” does not remove your obligation; it just means part of your evidence lives with someone else.

The reason this matters for configuration management specifically: half of what fails an assessment is unclear ownership. If nobody can say whether you or your MSP maintains the baseline, enforces the settings, or monitors installations, that ambiguity becomes both a technical gap and an evidence gap. Write the split down before the assessor asks.

Where to start: implementing the nine in the right order

Do not implement the CM family in numerical order. Implement it in dependency order, because several requirements depend on the output of others: your inventory and baseline (3.4.1) feed your settings (3.4.2), which feed change control (3.4.3), and your definition of essential capability (3.4.6) is the foundation the functionality and execution requirements (3.4.7, 3.4.8) build on. Building out of order can force rework.

This is the Configuration-Control Chain in practice—a build sequence that keeps each requirement from tripping the next.

  1. Confirm scope first.Know which assets are in the boundary (§ 170.19). Everything downstream is defined against this.
  2. CM.L2-3.4.1—Inventory and baseline. You cannot secure, monitor, or control what you have not inventoried and defined an approved state for. This is the keystone.
  3. CM.L2-3.4.6—Least functionality. Define what each system is forbefore you configure settings—it tells you what “secure” even means here.
  4. CM.L2-3.4.2—Security settings. Establish and enforce settings against the baseline and the essential-capability definition.
  5. CM.L2-3.4.7—Nonessential functions. Restrict the five categories, using the least-functionality definition as your guide.
  6. CM.L2-3.4.8—Execution policy. Decide allow- or deny-by-exception and enforce it against your known software inventory.
  7. CM.L2-3.4.9—User-installed software. Layer the policy, control, and monitoring on top.
  8. CM.L2-3.4.5—Access to change. Lock down who can change the now-defined state, physically and logically.
  9. CM.L2-3.4.3—Change control. Put the review-approve-log process around all of it.
  10. CM.L2-3.4.4—Impact analysis. Add the pre-implementation security-impact step to the change process.

Steps 8–10 come last not because they are least important—3.4.5 is a five-pointer—but because a change-control process is only meaningful once there is a defined, approved state to protect. Build the state, then build the controls that guard it.

Are the CM requirements different for a self-assessment vs a C3PAO assessment?

No—the nine requirements, the 44 objectives, and the scoring criteria are identical whether you self-assess or a C3PAO certifies you. What changes is the assessor, the system your results are reported through, the formal re-evaluation you’re entitled to, the artifact-integrity mechanics, and the resulting status path. The bar is the same; the process and the paperwork around it differ.

This matters because contractors sometimes assume a self-assessment is a softer standard for configuration management. It is not. Your Intune baseline, your change log, and your execution policy have to satisfy the same objectives either way. The differences are procedural—but they’re real, and worth knowing before you choose or prepare for your path.

DimensionLevel 2 (Self)Level 2 (C3PAO)
Who assessesYour organizationAn authorized or accredited C3PAO
CM requirements & scoringAll 9, 44 objectives, § 170.24 scoringIdentical
Results submissionEntered directly in SPRSEntered in CMMC eMASS, transmitted to SPRS
Formal re-evaluationNo C3PAO 10-business-day processLimited re-evaluation during the assessment and for 10 business days after (§ 170.17(c)(2))
Assessment artifactsRetain supporting artifactsHash artifacts (NIST-approved algorithm), give the C3PAO the hash list, retain artifacts for six years (§ 170.17(c)(4))
Conditional status≤ 180 days when all conditions are met≤ 180 days when all conditions are met
Final statusCurrent up to 3 years, annual affirmationCurrent up to 3 years, annual affirmation

Two things to keep in view regardless of path

The Affirming Official.Both paths require a senior company official to submit an affirmation of compliance in SPRS at the time of assessment and annually thereafter (32 CFR §§ 170.17, 170.22). That affirmation is a formal representation to the government, and the Affirming Official bears the legal and contractual risk for its accuracy. An inaccurate affirmation can carry False Claims Act exposure—the Department of Justice’s Civil Cyber-Fraud Initiative has already pursued cases tied to misrepresented cybersecurity compliance. This is not a signature to hand to a junior admin.

DIBCAC can still look.Even after a C3PAO certification, the DoD reserves the right to have DCMA DIBCAC assess you; if a later DIBCAC assessment finds the requirements weren’t met or maintained, those results take precedence over your existing CMMC status (§ 170.17).

One correction to a common assumption: the solicitation, contract, or prime-contractor flow-down specifies Level 2 (Self) or Level 2 (C3PAO)—read the clause, don’t infer it.

Who should own CMMC configuration management—and when do you need outside help?

Configuration management is not a one-person job, and unclear ownership causes as many failures as missing technology. Someone has to own the baseline and inventory, someone has to own settings and enforcement, someone has to own the change process, and someone has to own the evidence. On small teams these collapse into one or two people—which is fine, as long as it’s deliberate and documented, not accidental.

CM areaTypical ownerAccountable for
Inventory & baseline (3.4.1)IT / systems administrationComplete, approved, maintained inventory and baseline
Settings & enforcement (3.4.2, 3.4.6, 3.4.7)Security engineering / ITApproved settings, least functionality, enforced and evidenced
Execution & installation (3.4.8, 3.4.9)Endpoint / security operationsExecution policy and user-install control plus monitoring
Change control & impact (3.4.3, 3.4.4, 3.4.5)Change manager / IT leadReview-approve-log process, impact analysis, change-access control
Evidence & SSPCompliance / security leadMapping every objective to current, approved evidence

When outside help makes sense.If you have the technical depth, the hours, and the evidence discipline in-house, much of this family can be built internally—it is not exotic work. But if the deep dives made clear you’re short on any of those, that’s a category decision, not a personal failing:

The one rule you cannot break: keep readiness and assessment separate.The Cyber AB Code of Professional Conduct—which C3PAOs must comply with alongside the impartiality, conflict-of-interest, and ISO/IEC 17020 obligations in § 170.9—bars a firm from both preparing an organization for its assessment and participating in that assessment. Route implementation and remediation to an RPO, MSSP, or managed-compliance provider—never to the C3PAO you intend to hire for the certification.

When you do vet a C3PAO, use the Cyber AB Marketplace to confirm the firm’s current authorized or accredited C3PAO listing—that’s the authoritative check on whether it can legally certify you.

Not sure which category you need—or whether a firm creates a conflict?

The decision turns on your level, your CUI scope, your assessment type, your environment, and your timeline. Our tool maps those to the right provider category and flags the readiness-vs-assessment separation, so you don’t accidentally hire yourself into a conflict.

Educational triage only—do not submit CUI or sensitive contract details. Disclosure: this tool may lead to compensated introductions, disclosed at the point of recommendation. Compensation does not control our category mapping or regulatory analysis.

Find My CMMC Path →

How do you keep configuration management compliant after the assessment?

Passing is a moment; compliance is a state. Configuration management is one of the most operationally demanding families to maintain, because your systems change constantly and every significant change can affect a CM requirement. After the assessment, your baseline, your settings, your change log, and your monitoring all have to keep running—and a significant change can pull something new into scope or knock an implemented control out of compliance.

The significant-change trap.A “significant change” isn’t only a big migration—it can be a change that makes a previously not-applicablerequirement suddenly applicable. Stand up a wireless network you didn’t have before, and wireless-related requirements that were N/A are now in play, with new configuration and evidence obligations. Your Affirming Official is responsible for judging whether a change is significant enough to warrant reassessment, and for the continuing accuracy of your affirmation.

OPA vs. Change Record vs. POA&M—which artifact when

ArtifactWhen it appliesDeadline
Change RecordRoutine, ongoing change management under 3.4.3Per your change process
Operational Plan of Action (OPA)A temporary deficiency or vulnerability that arises after the system was compliant; documents how it’ll be corrected. May support a MET finding when § 170.24(b)(1)(ii) is satisfied. Not the same as a POA&MNo CMMC 180-day closeout clock
POA&MA requirement recorded NOT MET at an assessment (only for eligible requirements)180 days from the Conditional CMMC Status Date

The distinction the DoD FAQ draws: if a significant change introduces a temporary deficiency after you were compliant, an OPA may document the remediation plan. But if a change is identified duringan assessment and results in a requirement being scored NOT MET, that goes on a POA&M with the 180-day clock—and if it’s a five-point CM requirement, it can’t go on a POA&M at all.

A sustainable maintenance rhythm looks like this: before a change, run the 3.4.4 impact analysis and route it through 3.4.3 approval; during the change, update the baseline (3.4.1) and settings (3.4.2) so your approved state stays true; after the change, confirm monitoring (3.4.9) still sees what it should and log the whole thing. Do that consistently and your next assessment is a review of a living system, not an archaeology dig.

And mind the clock on your status itself: Final Level 2 status is current for up to three years, subject to annual affirmation; Conditional Level 2 status is current for no more than 180 days. Configuration management, done as ongoing operations rather than a pre-assessment sprint, is what keeps that status intact.

What we verified, and how

We hold this page to the standard we hold providers to. Here is the boundary between what the regulations say, what we calculated, and what is our editorial judgment.

Verified against primary sources ():

Our calculations, labeled as such:the 33-point family exposure, the 313-point total possible deduction and −203 theoretical floor (summed from the § 170.24 values), and the 77-point all-CM-NOT-MET scenario.

Our editorial judgment, labeled as such:the “where it usually breaks down” commentary and the failure patterns in each deep dive. These reflect our reading of the assessment objectives and publicly reported assessment experience—not a measured, dated frequency dataset. Our editorial approach is documented in our Editorial Methodology and Standards, and we correct errors under our Corrections Policy.

Frequently asked questions about CMMC configuration management requirements

How many configuration management requirements are there in CMMC?
Nine at Level 2—CM.L2-3.4.1 through CM.L2-3.4.9—from NIST SP 800-171 Rev. 2. Level 3 adds three enhanced CM requirements from NIST SP 800-172. Level 1 has none.
Which CM requirements can’t go on a POA&M?
The six five-point requirements: CM.L2-3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, and 3.4.8. If any one of them is still NOT MET when results are finalized, there is no Conditional pass. Only the three one-point requirements— 3.4.3, 3.4.4, 3.4.9—can be POA&M candidates, and only if your overall score is at least 88 and the other § 170.21 conditions are met.
Does CMMC Level 2 use NIST SP 800-171 Revision 2 or Revision 3?
Revision 2. NIST published Revision 3 in May 2024 and later withdrew Revision 2 from its current set, but CMMC still uses Revision 2 (and the June 2018 SP 800-171A objectives) because 32 CFR Part 170 incorporates them by reference. Build to Rev. 2 for your assessment.
Does CMMC require DISA STIGs or CIS Benchmarks?
No. CM.L2-3.4.2 requires you to establish and enforce security configuration settings; it does not mandate any specific benchmark. A benchmark is a defensible way to show settings are “established,” but you still have to tailor, approve, deploy, enforce, and evidence it. A separate contract or prime may require a specific standard.
Is a CMDB required for CM.L2-3.4.1?
No specific product is required. A controlled spreadsheet, repository, or platform export can support compliance if it’s complete, approved, maintained, and covers hardware, software, firmware, and documentation—though no single artifact guarantees a MET finding.
Does CM.L2-3.4.8 require application allowlisting?
No. It requires a defined, enforced execution policy and lets you choose deny-by-exception or permit-by-exception. Allowlisting is stronger, but denylisting done properly is compliant.
Can I fix a NOT MET requirement during a C3PAO assessment?
Within limits. Under § 170.17(c)(2), a NOT MET requirement can be re-evaluated during the assessment and for 10 business days after, if additional existing evidence is available, no MET requirement is weakened, and the Findings Report hasn’t been delivered. It’s a window to surface evidence you already have—not to build a missing control.
Is my SPRS score the same as my CMMC score?
Not necessarily. Your legacy NIST SP 800-171 DoD Assessment score (under DFARS 252.204-7019/-7020) and your CMMC assessment score both post to SPRS but are scored under different authorities. Your CMMC Level 2 score comes from the CMMC Scoring Methodology at § 170.24.
Can an Operational Plan of Action rescue a requirement the assessor marks NOT MET?
No. An OPA can support a MET finding for a genuine temporary deficiency on an implemented control (§ 170.24(b)(1)(ii)), but once an assessor records a requirement as NOT MET, that gap goes on a POA&M—and a five-point CM requirement can’t go on a POA&M at all.
Are the CM requirements different for a self-assessment?
No. The nine requirements, 44 objectives, and scoring are identical. What differs is the assessor, the reporting system (SPRS directly vs. eMASS), the 10-day re-evaluation, artifact hashing, and the status path.
How long does a CMMC status last?
Final Level 2 is current for up to three years, subject to annual affirmation. Conditional Level 2 is current for no more than 180 days, within which you must close your POA&M.
Where do the 44 objectives come from?
NIST SP 800-171A (June 2018), which 32 CFR § 170.2 incorporates by reference as the assessment objectives and methods for Level 2.
Does using an MSP remove my CM obligations?
No. If your MSP handles CUI, provides security functions, or holds Security Protection Data, it enters your scope as an External Service Provider; you document the split in your SSP, a service description, and a customer responsibility matrix, and you still have to produce or point to the evidence.

When you’re ready to act

Configuration management is where a lot of otherwise-solid contractors lose points they didn’t have to—usually because they treated nine unequal requirements as one flat checklist. You now have the map: the six that can end an assessment, the three you can defer, the 44 objectives underneath them, and the evidence that actually holds up.

The next expensive decision isn’t whether to comply. It’s who, if anyone, you bring in to help—and getting that wrong (hiring a firm that can’t then certify you, or buying tools you didn’t need) costs more than the CM work itself.

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Find My CMMC Path →

Disclosure: The Defense Compliance Report may receive compensation for introductions made through this tool, disclosed at the point of recommendation. Compensation never determines our category mapping, our regulatory analysis, or which providers we route to first—recommendations are driven by your stated level, scope, and timeline, not by who pays. We maintain editorial independence: our analysis is grounded in primary sources, and no provider can pay to change it. Do not submit CUI, drawings, system identifiers, or sensitive contract details through the tool. This page is educational research, not legal, contractual, or compliance advice; confirm applicability with a qualified professional.

Primary sources

Published by The Defense Compliance Report· Last verified · Regulatory facts confirmed against primary sources as of that date.

The Defense Compliance Report is an independent trade publication. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.