CMMC Compliance
CMMC Configuration Management Requirements: The 9 Controls, Their Point Values, and What Assessors Check
About this resource
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance—explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.
The CMMC configuration management requirements are the nine security requirements in the Configuration Management (CM) family—CM.L2-3.4.1 through CM.L2-3.4.9—that CMMC Level 2 inherits from NIST Special Publication 800-171 Revision 2. They carry 44 assessment objectives and up to 33 scoring points. Six of the nine are worth five points each and cannot be carried on a plan of action, so if any one of those six is still NOT MET when your assessment results are finalized, there is no conditional pass. The assessment does not pass.
That last clause is the part most short “CM controls” summaries skip. They hand you nine bullet points as if they were nine equal boxes to tick. They are not. Under the CMMC Scoring Methodology, six of these nine requirements are worth five points each and are ineligible for a Plan of Action and Milestones (POA&M)—the mechanism that lets you defer a fix and still pass conditionally. The other three are worth one point each and may be deferrable. So the family is not a checklist of equal items; it is a tiered set in which two-thirds of the requirements, if unmet at finalization, end the assessment outright.
We built this page to put the whole family in one place—requirement text, objective counts, point values, conditional-status treatment, and evidence—straight from the primary sources: NIST SP 800-171 Rev. 2, the DoD CMMC Assessment Guide for Level 2, the CMMC Scoring Methodology at 32 CFR § 170.24, and the rest of 32 CFR Part 170. Every figure below is dated and sourced. Here is the fast version.
CMMC configuration management at a glance
| At a glance | Answer |
|---|---|
| Requirements in the CM family | 9 (CM.L2-3.4.1 – CM.L2-3.4.9) |
| Applies at | CMMC Level 2 and Level 3 (Level 1 has zero CM requirements) |
| Assessment objectives | 44 across the nine requirements |
| Maximum scoring exposure | Up to 33 points of a 110-point Level 2 score |
| Five-point requirements (must be MET when results are finalized) | 6 — CM.L2-3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8 |
| One-point requirements (may be POA&M candidates) | 3 — CM.L2-3.4.3, 3.4.4, 3.4.9 |
| Governing standard | NIST SP 800-171 Rev. 2 (not Rev. 3 — see below) |
| Assessment objective source | NIST SP 800-171A (June 2018), incorporated by reference at 32 CFR § 170.2 |
Who this page is for: IT directors, CISOs, compliance managers, FSOs, and small-business owners in the Defense Industrial Base (DIB) who handle Controlled Unclassified Information (CUI), are implementing or self-assessing CMMC Level 2, and need to know exactly what the CM requirements demand and where the real risk sits.
Who this page is not for:Contractors who handle only Federal Contract Information (FCI) and are trying to work out whether Level 1 applies—the CM family does not exist at Level 1, and this is the wrong page to size your obligation. Start with your solicitation and contract clause; the clause sets your level, not a checklist.
What are the nine CMMC configuration management requirements?
CMMC Level 2 has nine configuration management requirements, numbered CM.L2-3.4.1 through CM.L2-3.4.9, drawn directly from the Configuration Management (CM) family of NIST SP 800-171 Rev. 2. Together they require a contractor to define an approved system state, control and analyze every change to it, strip away unnecessary functionality, govern what software can run, and monitor what users install. The DoD CMMC Assessment Guide for Level 2 breaks those nine requirements into 44 assessment objectives across the family.
One terminology note before the table, because it trips people up. You will see these called “controls,” “practices,” and “requirements” interchangeably. The formal term in the CMMC Final Rule and in NIST SP 800-171 is security requirements. Older CMMC 1.0 material used “practices” and control IDs like “CM.2.061.” Those IDs are dead. If a resource still numbers configuration management as “CM.2.061,” it predates the current model, and you should treat everything else on that page with corresponding skepticism.
The CMMC Configuration Management Control Matrix
| Requirement | What it requires (plain English) | Points if NOT MET | POA&M-eligible? | Objectives | Where it usually breaks down (editorial) |
|---|---|---|---|---|---|
| CM.L2-3.4.1 — Baseline & inventory | Establish and maintain baseline configurations and a system inventory covering hardware, software, firmware, and documentation | 5 | No | 6 | No documented baseline. “It’s in our heads” or “our MSP knows” is a NOT MET |
| CM.L2-3.4.2 — Security settings | Establish security configuration settings, put them in the baseline, and enforce them | 5 | No | 2 | Settings are documented but not enforced—or no approved settings baseline exists at all |
| CM.L2-3.4.3 — Change control | Track, review, approve or disapprove, and log system changes | 1 | Yes* | 4 | Tickets record what happened, but not the review and approval before it happened |
| CM.L2-3.4.4 — Impact analysis | Analyze the security impact of a change before you implement it | 1 | Yes* | 1 | The change process has no security-impact step; a scan run afterward is offered instead |
| CM.L2-3.4.5 — Access to change | Define, document, approve, and enforce physical and logical restrictions on who can make changes | 5 | No | 8 | Logical admin is covered; physical access to infrastructure is ignored entirely |
| CM.L2-3.4.6 — Least functionality | Define essential capabilities and configure systems to provide only those | 5 | No | 2 | “Essential” is never defined in writing, so nothing can be verified against it |
| CM.L2-3.4.7 — Nonessential functions | For programs, functions, ports, protocols, and services: define what’s essential and restrict the rest | 5 | No | 15 | A firewall port list is offered, leaving programs, functions, and services unanswered |
| CM.L2-3.4.8 — Execution policy | Choose deny-by-exception or permit-by-exception, specify the software, and enforce it | 5 | No | 3 | Antivirus or EDR is presented as an “execution policy” with no defined, enforced model |
| CM.L2-3.4.9 — User-installed software | Set a user-installation policy, control installation under it, and monitor it | 1 | Yes* | 3 | Local-admin removal is treated as the whole answer; monitoring—the third objective—is missing |
| Family total | Nine interdependent requirements | 33 pts | 3 of 9 | 44 | — |
What the table reveals that a plain list buries
- The CM family is 9 of the 110 Level 2 requirements—about 8%—but it accounts for up to 33 pointsof scoring exposure. Summing the point values in § 170.24 across all 110 requirements gives 313 possible deductions (a DCR calculation), so CM carries roughly 10.5% of everything you can lose. It punches above its weight.
- Six of nine are five-pointers. Having two-thirds of a single family sit at the top point value is an unusually high concentration, and it reshapes how you should prioritize.
- 3.4.7 alone carries 15 assessment objectives—the most of any requirement in the CM family. If you are going to be under-resourced somewhere, it will be here.
These nine are not nine islands. They form a chain: you cannot maintain a meaningful baseline (3.4.1) without knowing what is in scope; you cannot detect an unauthorized change (3.4.3) without an approved prior state to compare against; you cannot write a defensible software-execution policy (3.4.8) without the software inventory that lives inside 3.4.1. We call that dependency the Configuration-Control Chain, laid out as an implementation sequence later on.
Which CMMC levels require configuration management?
Configuration management does not exist at CMMC Level 1. It appears in full at Level 2—all nine requirements—and Level 3 adds three enhanced configuration management requirements on top of the Level 2 set. So if your contract requires Level 2 or Level 3, all nine CM requirements are in play; if it requires Level 1, none are.
This is the first place to stop guessing and check your contract. CMMC assigns a level based on the sensitivity of the information your systems touch, and the level is set by the contract clause, not by a checklist.
| CMMC Level | Configuration management requirements | Source |
|---|---|---|
| Level 1 (Self-assessment) | 0—the 15 basic safeguarding requirements in FAR 52.204-21(b)(1) contain no configuration management requirements | 32 CFR § 170.15; FAR 52.204-21 |
| Level 2 (Self or C3PAO) | All 9—CM.L2-3.4.1 through 3.4.9, from NIST SP 800-171 Rev. 2, family 3.4 | 32 CFR § 170.14; NIST SP 800-171 Rev. 2 |
| Level 3 (DIBCAC) | 9 + 3 enhanced—adds CM.L3-3.4.1e, 3.4.2e, and 3.4.3e from NIST SP 800-172 | 32 CFR § 170.14; NIST SP 800-172; DoD CMMC Assessment Guide—Level 3 |
Level 3 is not “more of the same.” The three enhanced requirements it adds come from NIST SP 800-172, a separate standard for defending against advanced, persistent threats: an authoritative repository for approved software (3.4.1e), automated detection and remediation of unauthorized configurations (3.4.2e), and automated inventory (3.4.3e). Level 3 also requires you to already hold Final Level 2 (C3PAO) status for every information system in the Level 3 assessment scope.
A word on the standard itself, because search results are actively misleading here. CMMC Level 2 maps to NIST SP 800-171 Revision 2. NIST published Revision 3 in May 2024 and has since withdrawn Revision 2 from its current publication set. CMMC still uses the older editions because 32 CFR §§ 170.2 and 170.14 incorporate them by reference. For a CMMC Level 2 assessment, map your implementation and evidence to Revision 2. Track Revision 3, and watch for rulemaking, but don’t implement it for a current assessment.
Current implementation timing—verified
Phase 1 runs November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments; the DoD may still require Level 2 (C3PAO) during Phase 1 at its discretion. Phase 2 begins November 10, 2026. The solicitation and contract control the requirement for a given procurement.
Not sure which provider category you’ll need once you know your level?
The right CMMC provider isn’t the same for every contractor—the category you need depends on your required level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. Because a general answer can’t resolve those for you, use our decision tool.
Find My CMMC Path →How do the CM requirements affect your CMMC score and POA&M options?
Configuration management carries unusually high scoring consequences: six of the nine requirements are worth five points each and three are worth one point each, for up to 33 points of exposure on a 110-point Level 2 assessment. Only the three one-point requirements—CM.L2-3.4.3, 3.4.4, and 3.4.9—can even be candidates for a POA&M. The six five-point requirements must be MET when your results are finalized; there is no conditional pass with one of them still open.
How the score works.Your Level 2 score is recorded in the Supplier Performance Risk System (SPRS). Under the CMMC Scoring Methodology (32 CFR § 170.24), the score starts at 110—one point for each Level 2 requirement—and a weighted value is subtracted for each requirement scored NOT MET: 5 points for the most critical, 3 for some, and 1 for the rest. To be eligible for ConditionalLevel 2—a passing status with a POA&M attached—your score divided by the number of Level 2 requirements must be at least 0.8, which works out to a score of 88(32 CFR § 170.21(a)(2)(i)).
| Point value | CM requirements | Count | Points at stake |
|---|---|---|---|
| 5 points | CM.L2-3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8 | 6 | 30 |
| 1 point | CM.L2-3.4.3, 3.4.4, 3.4.9 | 3 | 3 |
| Total | 9 | 33 |
There are no three-point requirements in the CM family. That detail matters more than it looks, because of the POA&M rules.
The assessment-ender rule—this is the whole game.Under 32 CFR § 170.21, a POA&M for Conditional Level 2 may hold only one-point requirements (with one narrow, unrelated exception for a CUI-encryption requirement outside this family). Anything worth three or five points must be MET. Applied to configuration management:
- CM.L2-3.4.3, 3.4.4, and 3.4.9 (the one-pointers) can be POA&M candidates. If one is NOT MET, you may still reach Conditional status—provided your overall score is at least 88 and every other § 170.21 condition is met—and fix it later.
- CM.L2-3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, and 3.4.8 (the five-pointers) cannot. If any one of those six is still NOT MET when results are finalized, no Conditional status is available. The assessment does not pass. You remediate and reassess.
The math that makes it concrete.Suppose you walk in with all nine CM requirements NOT MET and everything else perfect. That is a 33-point loss: 110 − 33 = 77. A 77 is below the 88 threshold, so you fail on the CM family alone. But you would fail before the arithmetic even ran, because one of those six five-pointers being open removes the conditional path outright.
One useful distinction: internal plan vs. assessment POA&M.Before an assessment, you can—and should—track every open gap in an internal remediation plan, no matter its point value. The restrictions above apply to the assessmentPOA&M used to obtain Conditional CMMC status, not to your own project tracker.
And don’t count on an “operational” workaround for a real gap. An Operational Plan of Action (OPA) is a legitimate tool: under § 170.24(b)(1)(ii), a genuine temporarydeficiency that is properly managed in an OPA—with deficiency reviews and demonstrated progress—is assessed MET. But the DoD’s CMMC FAQ draws the line clearly: once an assessor records a requirement as NOT MET, that gap belongs on a POA&M, not relabeled as an OPA. An OPA manages temporary risk on an otherwise-implemented control; it does not rescue a control you never implemented. If that control is a five-point CM requirement, Conditional status is off the table.
If you do land a POA&M on one of the three deferrable CM requirements, the clock is real: you have 180 daysfrom your Conditional CMMC Status Date to remediate and pass a closeout assessment, or the conditional status expires (32 CFR §§ 170.17, 170.21). The practical takeaway: prioritize the six five-pointers first, ruthlessly.
Can you fix a NOT MET requirement before a C3PAO assessment is finalized?
Sometimes—but narrowly. Under 32 CFR § 170.17(c)(2), a C3PAO may re-evaluate a NOT MET requirement during the assessment and for 10 business days after the active assessment period, but only if additional evidence is available, the new evidence doesn’t weaken any already-MET requirement, and the CMMC Assessment Findings Report hasn’t been delivered. It is a window to surface evidence you already have—not to build a control you don’t.
This is a real and underappreciated feature of a Level 2 certification assessment, and it is why “assessment-ender” on this page means a five-point gap that is stillNOT MET when results are finalized—not a gap the assessor flags mid-week. Read the conditions carefully:
- Additional evidence must exist.The rule contemplates producing evidence that was available but not reviewed during the assessment—a log you hadn’t pulled, an approval record in another system. It is not a grace period to go implement a missing control and come back.
- It cannot weaken a MET requirement.New evidence for one requirement can’t undercut another that already passed.
- The Findings Report must not have been delivered. Once that report is issued, scores are locked.
In practice, during the assessment week the C3PAO will tell you which requirements are short on evidence and ask you to produce it. After the active period, that 10-business-day window is your last chance to close the gap with existing proof before the report is finalized. Use it for what it is: an evidence-completeness safety net, not a remediation runway.
Is your CMMC score the same as your SPRS / NIST 800-171 self-assessment score?
Not exactly, and conflating them causes real confusion. CMMC status and scoring are governed by 32 CFR Part 170 and the DFARS 252.204-7021 clause. The older DFARS 252.204-7019 and -7020 clauses concern a separate “NIST SP 800-171 DoD Assessment” (Basic, Medium, or High) that also posts a score to SPRS. Both live in SPRS and use similar subtractive math, but they are distinct regimes—do not treat your legacy 800-171 self-assessment score as your CMMC assessment result.
| Clause | What it does |
|---|---|
| DFARS 252.204-7012 | Safeguarding covered defense information and 72-hour cyber-incident reporting; implements NIST SP 800-171 |
| DFARS 252.204-7019 / -7020 | The NIST SP 800-171 DoD Assessment (Basic/Medium/High) and SPRS-score framework that predates CMMC and may still appear in contracts |
| DFARS 252.204-7021 | Contractual CMMC status, maintenance, annual affirmation, DoD access, and flow-down obligations |
The point for this page: when someone asks “what’s your SPRS score?” they may mean your legacy NIST 800-171 DoD Assessment score oryour CMMC assessment score. They are scored under different authorities. Your CMMC Level 2 score is the one produced under the CMMC Scoring Methodology at § 170.24 and recorded as a CMMC Status.
What evidence do CMMC assessors look for in configuration management?
CMMC does not define a single, universal evidence package for the CM family. Assessments use three methods—Examine, Interview, and Test—so a defensible evidence set connects approved documentation, the people who run each process, and a repeatable demonstration that the process and its technical controls actually work, mapped to every applicable assessment objective. The examples below are evidence-planning guidance drawn from the DoD guide’s potential methods and objects, not a guaranteed checklist; assessors select what fits, and no single artifact makes a requirement MET on its own.
| Method | What it establishes | What it looks like for configuration management |
|---|---|---|
| Examine | The requirement is defined and records exist | Policies, procedures, the SSP, baselines, inventories, settings standards, change tickets, logs, exception records |
| Interview | The responsible people understand and actually perform the process | The system owner, an administrator, the change approver, whoever controls physical access |
| Test | The process or technical control genuinely works | A configuration-drift check, a blocked software-execution attempt, a change traced from request to closure, an installation alert firing |
Under § 170.24, a requirement is MET only when all applicable objectives are satisfied by evidence that is final and approved—working papers, drafts, and unapproved policies don’t count. Assessors are looking for all three legs of the triangle to line up, and to line up with the System Security Plan (SSP).
Looks implemented—still scored NOT MET
| What you show the assessor | Why it may still fail |
|---|---|
| An Intune configuration profile | No approved baseline it maps to, no applicability list, no deviation handling, no enforcement result |
| An asset inventory export | No firmware or documentation coverage; a one-time export with no maintenance process |
| Change tickets | No review or approval before implementation; the person who did the work also closed the ticket |
| Firewall rules | No definition of essential ports and protocols, and nothing covering programs, functions, and services |
| “No local admin for users” | No monitoring of installation activity and no documented exception path |
| An EDR product | No defined execution-policy model and no proof it enforces one |
| A STIG or CIS checklist | Not tied to the actual baseline; unexplained deviations; never shown to be deployed and enforced |
| “Our MSP handles it” | Responsibilities not mapped to objectives; you can’t produce the operating evidence yourself |
| A polished policy document | No evidence the stated procedure is actually running |
| Undated screenshots | No date, no system identity, no scope relationship, no repeatable way to collect them again |
The honest truth about configuration management
You can own every tool CMMC seems to want—Intune, Group Policy, a remote monitoring platform, a ticketing system, EDR—and still be scored NOT MET. Owning a tool is not evidence by itself. An Intune console proves a setting is possible; it does not prove you defined an approved baseline, enforced it across the systems in scope, and can put the records in front of an assessor on demand.
The good news, for a shop already on Microsoft 365 with an admin who can own documentation: this is usually a paperwork-and-discipline problem, not a rip-and-replace problem.You very likely already own the tooling for most of this family. What’s missing is the connective tissue—the approved baseline, the enforcement record, the change trail, the monitoring output—that turns your existing work into evidence. Separate missing proof from missing implementation before you buy or migrate anything.
Get the configuration management evidence checklist
Walk your own environment before an assessor does: our CM readiness checklist runs the nine requirements and their 44 objectives, with the artifact each one expects, the interview it implies, and the test that proves it. No CUI or sensitive configuration details required.
Get the CM Readiness Checklist →What does each CMMC configuration management requirement actually require?
Each of the nine requirements resolves a different piece of configuration control, and passing one does not satisfy the others. The deep dives below give you, for every requirement: what the rule says, its assessment objectives spelled out, what an assessor examines and tests, the failure that sinks it most often, and—just as important—what the requirement does not secretly require.
CM.L2-3.4.1—Establish and maintain baseline configurations and inventories
A system inventory tells you what exists. A baseline tells you what the approved state should be. CMMC 3.4.1 requires both—and requires each to include hardware, software, firmware, and documentation, and to stay maintained over the system’s life. It carries six assessment objectives.
The six objectives, in plain form: [a] a baseline configuration is established; [b] the baseline includes hardware, software, firmware, and documentation; [c] the baseline is maintained; [d] a system inventory is established; [e] the inventory includes hardware, software, firmware, and documentation; [f] the inventory is maintained. In short, two living records—an approved baseline and an inventory—each covering all four component types, each kept current.
What an assessor checks: Examine the baseline records and the inventory, including firmware and documentation coverage; interview the people who own asset management and system configuration; test how a change flows into an updated baseline and inventory.
The failure that sinks it:A device inventory exists—usually an export from a remote monitoring tool—but there is no approved baselineat all, or firmware and documentation are omitted, or the inventory is a one-time snapshot no one maintains. And the deadliest version: the baseline lives in an administrator’s head, or “our MSP knows it.” The objectives require the baseline and inventory to be established and maintained, and § 170.24 requires the evidence to be final and approved—so undocumented is NOT MET.
What it does NOT require:A commercial configuration management database (CMDB). No product is named. A controlled spreadsheet, a repository, or a platform export can support compliance if it is complete, approved, and maintained—though no single artifact, by itself, guarantees a MET finding.
Worth knowing:Baseline configuration (3.4.1) has appeared on DCMA DIBCAC’s published list of the most frequently “Other Than Satisfied” NIST SP 800-171 requirements, drawn from 117 of its historical assessments. If you fix one thing first, fix this: it’s a five-pointer, it can’t go on a POA&M, and it’s where assessors find gaps most often.
CM.L2-3.4.2—Establish and enforce security configuration settings
CMMC 3.4.2 is not satisfied by choosing a hardening benchmark. Your organization must establish its security settings, include them in the baseline, and enforcethem on the products in scope. It has two assessment objectives—and the second, enforcement, is where it comes apart.
The two objectives: [a] security configuration settings for IT products are established and included in the baseline; [b] those settings are enforced. Picking CIS Benchmarks or a Microsoft Security Baseline is a start, not a finish. You have to establish the settings that apply to each product, fold them into your baseline, and enforce them, with a way to identify and handle deviations.
What an assessor checks: Examine the approved settings, the deviations and their approvals, and any compliance or drift reports; interview security or platform engineering; test that the selected settings are actually enforced on live systems.
The failure that sinks it:A hardening spreadsheet or benchmark report exists but isn’t tied to the real baseline, is full of unexplained deviations, or was never deployed and enforced. No approved settings baseline, or settings that aren’t enforced—that’s the classic NOT MET.
What it does NOT require: A named benchmark. CMMC 3.4.2 does not mandate DISA STIGs, CIS Benchmarks, or any single standard. It requires settings established and enforced. Nor does it name a specific enforcement tool: show how settings are enforced and how deviations are identified and handled.
CM.L2-3.4.3—Track, review, approve or disapprove, and log system changes
CMMC 3.4.3 is about the controlled history of changes, not the existence of a ticketing tool. The record has to show four things—that changes are tracked, reviewed, approved or disapproved, and logged—which is exactly its four assessment objectives. This is a one-point requirement and, unlike most of the family, it can be a POA&M candidate.
The four objectives: [a] changes are tracked; [b] changes are reviewed; [c] changes are approved or disapproved; [d] changes are logged. The requirement applies to more than servers—cloud tenant changes, identity-platform changes, and infrastructure-as-code changes are all changes.
What an assessor checks: Examine change tickets, approval records, and the change log; interview the change approver and system owner; test a sample change traced from request through approval to closure.
The failure that sinks it: Tickets document what happened after the work, but show no review or approval before it. A ticket closed by the person who did the work is not, by itself, proof that an authorized review and an approve-or-disapprove decision happened before implementation.
What it does NOT require:A committee formally named a “Change Control Board.” The Level 2 Assessment Guide contemplates a change control board “or similar,” which explicitly leaves room for a right-sized approval process at a smaller company. The record must show an authorized approval decision and a process capableof disapproval—but you don’t have to manufacture a rejected change if none occurred.
CM.L2-3.4.4—Analyze the security impact of changes before implementation
A change working technically is not a change that’s ready. CMMC 3.4.4 requires a security-impact analysis performed beforeimplementation—a check on how the change affects your security requirements, CUI flow, scope, and protections. It is a single assessment objective, one point, and can be a POA&M candidate.
The one objective: [a] the security impact of changes is analyzed prior to implementation. Before a change goes in, someone has to ask and record: does this alter how CUI flows? Does it pull a new system or service into scope? Does it weaken access, logging, encryption, or segmentation? Does it change something the SSP asserts?
What an assessor checks: Examine a security-impact field or attached analysis on change records; interview the security lead or system owner; test that the analysis preceded implementation for real changes.
The failure that sinks it:A generic “risk: low” checkbox, or—the tell assessors catch immediately—a vulnerability scan run afterdeployment offered as the “impact analysis.” The analysis has to come first, and it has to consider security, not just function.
What it does NOT require:A heavyweight formal risk assessment for every routine change. The rule doesn’t prescribe one fixed format or length; the evidence must still show that security impact was analyzed before implementation, in proportion to the change.
CM.L2-3.4.5—Control physical and logical access to make changes
CMMC 3.4.5 goes well beyond limiting domain-admin accounts. You must define, document, approve, and enforce restrictions on both physical and logicalaccess associated with changes—eight assessment objectives, four for each dimension. This is a five-point requirement and cannot go on a POA&M.
The eight objectives double the same four actions across two dimensions. Physical: [a] defined, [b] documented, [c] approved, [d] enforced. Logical: [e] defined, [f] documented, [g] approved, [h] enforced. Logical is the part everyone remembers—privileged groups, admin roles, credential restrictions. Physical is the part that fails assessments: who can physically touch the server, the network closet, the firmware, the removable components through which a change can be made.
What an assessor checks: Examine the privileged-access and change-authority definitions, the approvals, and the physical restrictions on infrastructure; interview identity/security administration and physical security; test that unauthorized actors cannot make changes, logically or physically.
The failure that sinks it: A screenshot of the privileged-users group is offered as the whole answer. It proves logical membership but not approval, not enforcement, and nothing about physical access. Eight objectives, and only two got addressed.
What it does NOT require: A data center with mantraps. A locked server room and an approved access list can contributeevidence for a small office—but they don’t, by themselves, establish all eight objectives. The point is that physical and logical change-access are defined, documented, approved, and enforced in proportion to your environment.
CM.L2-3.4.6—Least functionality
Least functionality means defining the capabilities a system genuinely needs and configuring it to provide only those. CMMC 3.4.6 is the high-level “what should this system be able to do?” requirement, and it has two assessment objectives: essential capabilities defined, and systems configured to provide only those. It is a five-point requirement and cannot go on a POA&M.
The two objectives: [a] essential system capabilities are defined; [b] the system is configured to provide only those defined capabilities. The requirement is conceptual, and that is exactly why people struggle with it. It asks you to write down, per system or role, what the system is for—and then to turn off everything else. A file server doesn’t need a media player. An engineering workstation needs its CAD suite and little else.
What an assessor checks: Examine the essential-capability definitions and the approved build profiles; interview the system owner; test that unnecessary capabilities are actually unavailable.
The failure that sinks it:The team has hardened its systems but can’t explain what “essential” means for each one. Hardening without a written definition of essential capability leaves nothing for the assessor to verify the configuration against.
What it does NOT require:A specific hardening tool. It requires the definition and the resulting configuration. This is the requirement 3.4.7 builds on—so define essential capability well here, and 3.4.7 gets easier.
CM.L2-3.4.7—Restrict nonessential programs, functions, ports, protocols, and services
This is the most granular requirement in the family. CMMC 3.4.7 makes you address five separate categories—programs, functions, ports, protocols, and services—and for each one, define what is essential, define nonessential use, and restrict or disable it. That is 15 assessment objectives, the most of any requirement in the CM family. Five points, and it cannot go on a POA&M.
The reason 3.4.7 carries so many objectives is arithmetic: five categories, each with three determinations—essential use defined, nonessential use defined, nonessential use restricted/disabled/prevented—equals fifteen. Miss any one of the five categories and you’ve missed the requirement.
A definition that saves confusion: a functionis a capability or feature a system or application provides—macro execution, file sharing, remote administration, scripting, browser extensions, print services. It is not a “function” in the programming sense. 3.4.7 is not asking you to catalog every program ever written. It’s asking you to define essential versus nonessential use in your assessed environment, and to restrict the nonessential.
What an assessor checks:Examine your definitions and enforcement across all five categories—installed-program controls, feature/role configurations, firewall and host rules, protocol configurations, service states; interview the endpoint, network, and application owners; test across the categories, not just ports.
The failure that sinks it: A firewall rule set is offered as the answer. Ports are handled; programs, functions, protocols, and services are not defined or restricted. Four of five categories are silent.
What it does NOT require:A single product to cover all five categories. Most environments use a combination—host and network firewalls for ports and protocols, endpoint controls for programs, configuration management for services and functions. The requirement is coverage across all five, however you achieve it.
CM.L2-3.4.8—Apply an application execution policy (allowlisting or denylisting)
CMMC 3.4.8 requires a defined and enforced software-execution policy—but it lets you choose between deny-by-exception (a denylist) and permit-by-exception (an allowlist). Allowlisting is the stronger model, but the requirement text does not make it mandatory. There are three assessment objectives: specify which model you use, specify the software allowed or denied, and implement it as specified. Five points, and it cannot go on a POA&M.
The three objectives: [a] a policy specifying whether allow-all/deny-by-exception or deny-all/permit-by-exception is used is specified; [b] the software allowed to execute (or denied) under that policy is specified; [c] the policy is implemented as specified. “You have to allowlist everything” is a common—and incorrect—reading. The rule permits either approach. What it does not permit is having no defined model at all.
What an assessor checks: Examine the approved execution policy and the allow/deny list; interview endpoint security and IT operations; test with permitted and prohibited software to confirm the model is enforced.
The failure that sinks it:Antivirus, EDR, or a software inventory is presented as an “execution policy.” None of those, by itself, is a defined allow/deny model with enforcement. The policy exists on paper—allowlisting was deemed too disruptive to engineering software—and is silently unenforced.
What it does NOT require:AppLocker, WDAC, or any named product, and it does not require allowlisting specifically. Choose a model that fits your environment, document it, define the software, and enforce it. If permit-by-exception would break your engineers’ toolchain, deny-by-exception, implemented properly, is a compliant choice.
CM.L2-3.4.9—Control and monitor user-installed software
CMMC 3.4.9 has three distinct parts, and that is exactly its three assessment objectives: establish a user-installation policy, control installation under that policy, and monitorit. Removing local-administrator rights can help you control installation, but it does not, by itself, demonstrate monitoring. This is a one-point requirement and can be a POA&M candidate.
The three objectives: [a] a policy for controlling user-installed software is established; [b] installation of software by users is controlled based on the policy; [c] installation of software by users is monitored. The requirement recognizes that users will try to install things, and it wants a policy, a control, and visibility. The control is what everyone does. The monitoring is what everyone forgets.
What an assessor checks: Examine the installation policy, the technical controls, and installation logs or alerts; interview endpoint administration; test that installation is prevented or detected and handled.
The failure that sinks it:“We removed local admin, so users can’t install anything.” That addresses control. It says nothing about a policy or about monitoring—the third objective.
What it does NOT require:A specific endpoint management platform, and it does not prescribe one alert for every attempted installation. It requires the policy, the control, and a way to monitor installation activity and policy compliance—achieved by whatever combination fits your environment, but all three, not two of three.
Realizing you’re short-staffed for this?
If the deep dives made clear you don’t have the hours or in-house depth to build all nine—especially the five-pointers—that’s a category decision, not a failure. Readiness, remediation, and evidence work route to a Registered Provider Organization (RPO), a Managed Security Service Provider (MSSP), or a managed-compliance firm—never to a C3PAO, which assesses and, by rule, cannot also implement. Our tool maps your level, scope, and timeline to the right category.
Find My CMMC Path →3.4.6 vs 3.4.7 vs 3.4.8 vs 3.4.9: what’s the difference?
These four requirements overlap in theme but ask genuinely different questions. CM.L2-3.4.6 defines what capabilities a system should have. 3.4.7 restricts five specific categories of nonessential functionality. 3.4.8 controls what software is allowed to execute. 3.4.9 controls and monitors what users install. Treating them as one requirement is the fastest way to fail three of them.
| Requirement | The core question | Main object | What proves it |
|---|---|---|---|
| 3.4.6 — Least functionality | What capabilities should this system provide? | Overall system capability | An essential-capability definition plus the configured state |
| 3.4.7 — Nonessential functions | Which programs, functions, ports, protocols, and services are essential or restricted? | Five named categories | Definitions, restrictions, configurations, and tests across all five |
| 3.4.8 — Execution policy | What software is allowed or denied execution? | Software execution | A defined allow/deny model, the software list, and an enforcement mechanism |
| 3.4.9 — User-installed software | What may users install, and how is that monitored? | User installation activity | A policy, a control on installation, and monitoring/logs |
A single example ties them together
Take a controlled engineering workstation:
- 3.4.6—You define that CAD, document access, an approved browser, endpoint security, and printing are the essential capabilities, and you configure the machine to provide only those.
- 3.4.7—You disable the unnecessary services, close the nonessential ports, block the disallowed protocols, and turn off optional features and programs across all five categories.
- 3.4.8—You enforce your chosen execution policy so only approved applications, scripts, and installers can run.
- 3.4.9—You restrict users from installing software and you monitor for attempts.
Does CMMC require DISA STIGs or CIS Benchmarks?
No. CMMC 3.4.2 requires you to establish and enforce security configuration settings, but it does not name DISA STIGs, CIS Benchmarks, or any single standard as mandatory. A benchmark is a strong, defensible way to prove your settings are “established”—but the requirement is about establishing and enforcing settings, not about which catalog you started from. A separate contract clause, prime, customer, or platform may impose a specific standard; CMMC 3.4.2 itself does not.
Here is the flexibility, plainly stated, and then the catch: because the rule does not choose the benchmark for you, you carry the burden of explaining what settings you selected, why they fit, how deviations are approved, how they’re enforced, and how drift is caught. Flexibility is not a free pass. It’s a documentation obligation.
| Approach to settings | Can it supply a settings source? | What you still have to demonstrate |
|---|---|---|
| DISA STIGs | Yes, if tailored, approved, deployed, and evidenced | Applicability, tailoring, approved deviations, deployment, enforcement, monitoring |
| CIS Benchmarks | Yes, if tailored, approved, deployed, and evidenced | The same |
| Microsoft Security Baselines | Yes, if tailored, approved, deployed, and evidenced | Source, approval, completeness, tailoring, enforcement |
| Internally developed baseline | Potentially | A defensible rationale, approval, full requirement coverage, enforcement |
| Vendor default settings, undocumented | No defensible basis | Nothing—there are no approved settings or repeatable enforcement to show |
So: pick a recognized benchmark if you can—it makes “established” easy to defend—tailor it to your environment, document what you changed and why, and prove enforcement. If a contract or prime requires a specific standard, that requirement is real and separate from CMMC; follow it. But don’t let anyone tell you CMMC mandates STIGs across the board. It doesn’t.
Which systems and assets must your CM evidence cover?
Your configuration management evidence has to cover every asset inside your CMMC Assessment Scope—and scope is defined by asset category, not by a vague sense of “our network.” Under 32 CFR § 170.19, Level 2 sorts assets into five categories, and the category determines how the nine CM requirements apply. Get scoping wrong and you either fail on assets you didn’t know were in scope, or you spend money hardening assets that never needed it.
Scope comes before everything. You cannot evaluate readiness against the CM family until you know where CUI lives, how it flows, and which systems are in the boundary. Here are the five categories, from the CMMC scoping framework at § 170.19.
| Asset category | What it is | How CM applies |
|---|---|---|
| CUI Assets | Assets that process, store, or transmit CUI | Full scope. All nine CM requirements apply. Must be in the asset inventory and network diagram, with treatment documented in the SSP |
| Security Protection Assets (SPA) | Assets that provide security functions to the scope (e.g., SIEM, firewall management, identity providers) | In scope for the requirements relevant to the protection they provide; documented in the SSP |
| Contractor Risk Managed Assets (CRMA) | Assets that can, but are not intended to, process/store/transmit CUI because of your security policies, procedures, and practices | Must be in the asset inventory, network diagram, and SSP treatment; assessment treatment follows § 170.19(c)(1) |
| Specialized Assets | IoT, OT, government property, test equipment, restricted information systems | Managed per your risk-based approach and documented; assessed against a limited set, not the full CM family |
| Out-of-Scope Assets | Assets that cannot process, store, or transmit CUI and are appropriately separated | No CMMC requirements apply—if the separation genuinely holds |
The category that catches people is CRMA. Assets there are not exempt: they still have to appear in your inventory, network diagram, and SSP treatment, and their handling is assessed. And the boundary between “out of scope” and “in scope” is only as strong as the separation you can prove.
The scoping lever that actually changes your CM workload isn’t a trick of counting—it’s reducing the number and diversity of in-scope assets. A tightly scoped CUI enclave means fewer systems, fewer platforms, and fewer variations to baseline, harden, and monitor. Building the asset inventory is where scope gets formalized.
How do MSPs, MSSPs, CSPs, and other external service providers affect CM scope?
An MSP, MSSP, cloud service provider, or other External Service Provider (ESP) can pull itself into your assessment through the CUI it handles, the Security Protection Data it holds, or the security functions it performs for you. “Our MSP handles it” does not remove your obligation; it just means part of your evidence lives with someone else.
- If your MSP/MSSP handles CUI, provides security functions, or holds Security Protection Data, apply the ESP and asset-category rules, document the service in your SSP, a service description, and a customer responsibility matrix (CRM), and assess the shared responsibilities.
- If you use a cloud service to process, store, or transmit CUI, that CSP offering must be FedRAMP Moderate (or higher) Authorized—or meet the FedRAMP Moderate equivalency requirement (32 CFR § 170.17(c)(5)).
- Whatever the provider owns, you still have to be able to produce, or point to, the CM evidence for the assets in your scope.
The reason this matters for configuration management specifically: half of what fails an assessment is unclear ownership. If nobody can say whether you or your MSP maintains the baseline, enforces the settings, or monitors installations, that ambiguity becomes both a technical gap and an evidence gap. Write the split down before the assessor asks.
Where to start: implementing the nine in the right order
Do not implement the CM family in numerical order. Implement it in dependency order, because several requirements depend on the output of others: your inventory and baseline (3.4.1) feed your settings (3.4.2), which feed change control (3.4.3), and your definition of essential capability (3.4.6) is the foundation the functionality and execution requirements (3.4.7, 3.4.8) build on. Building out of order can force rework.
- Confirm scope first.Know which assets are in the boundary (§ 170.19). Everything downstream is defined against this.
- CM.L2-3.4.1—Inventory and baseline. You cannot secure, monitor, or control what you have not inventoried and defined an approved state for. This is the keystone.
- CM.L2-3.4.6—Least functionality. Define what each system is forbefore you configure settings—it tells you what “secure” even means here.
- CM.L2-3.4.2—Security settings. Establish and enforce settings against the baseline and the essential-capability definition.
- CM.L2-3.4.7—Nonessential functions. Restrict the five categories, using the least-functionality definition as your guide.
- CM.L2-3.4.8—Execution policy. Decide allow- or deny-by-exception and enforce it against your known software inventory.
- CM.L2-3.4.9—User-installed software. Layer the policy, control, and monitoring on top.
- CM.L2-3.4.5—Access to change. Lock down who can change the now-defined state, physically and logically.
- CM.L2-3.4.3—Change control. Put the review-approve-log process around all of it.
- CM.L2-3.4.4—Impact analysis. Add the pre-implementation security-impact step to the change process.
Are the CM requirements different for a self-assessment vs a C3PAO assessment?
No—the nine requirements, the 44 objectives, and the scoring criteria are identical whether you self-assess or a C3PAO certifies you. What changes is the assessor, the system your results are reported through, the formal re-evaluation you’re entitled to, the artifact-integrity mechanics, and the resulting status path. The bar is the same; the process and the paperwork around it differ.
This matters because contractors sometimes assume a self-assessment is a softer standard for configuration management. It is not. Your Intune baseline, your change log, and your execution policy have to satisfy the same objectives either way. The differences are procedural—but they’re real, and worth knowing before you choose or prepare for your path.
| Dimension | Level 2 (Self) | Level 2 (C3PAO) |
|---|---|---|
| Who assesses | Your organization | An authorized or accredited C3PAO |
| CM requirements & scoring | All 9, 44 objectives, § 170.24 scoring | Identical |
| Results submission | Entered directly in SPRS | Entered in CMMC eMASS, transmitted to SPRS |
| Formal re-evaluation | No C3PAO 10-business-day process | Limited re-evaluation during the assessment and for 10 business days after (§ 170.17(c)(2)) |
| Assessment artifacts | Retain supporting artifacts | Hash artifacts (NIST-approved algorithm), give the C3PAO the hash list, retain artifacts for six years (§ 170.17(c)(4)) |
| Conditional status | ≤ 180 days when all conditions are met | ≤ 180 days when all conditions are met |
| Final status | Current up to 3 years, annual affirmation | Current up to 3 years, annual affirmation |
Two things to keep in view regardless of path
The Affirming Official.Both paths require a senior company official to submit an affirmation of compliance in SPRS at the time of assessment and annually thereafter (32 CFR §§ 170.17, 170.22). That affirmation is a formal representation to the government, and the Affirming Official bears the legal and contractual risk for its accuracy. An inaccurate affirmation can carry False Claims Act exposure—the Department of Justice’s Civil Cyber-Fraud Initiative has already pursued cases tied to misrepresented cybersecurity compliance. This is not a signature to hand to a junior admin.
DIBCAC can still look.Even after a C3PAO certification, the DoD reserves the right to have DCMA DIBCAC assess you; if a later DIBCAC assessment finds the requirements weren’t met or maintained, those results take precedence over your existing CMMC status (§ 170.17).
One correction to a common assumption: the solicitation, contract, or prime-contractor flow-down specifies Level 2 (Self) or Level 2 (C3PAO)—read the clause, don’t infer it.
Who should own CMMC configuration management—and when do you need outside help?
Configuration management is not a one-person job, and unclear ownership causes as many failures as missing technology. Someone has to own the baseline and inventory, someone has to own settings and enforcement, someone has to own the change process, and someone has to own the evidence. On small teams these collapse into one or two people—which is fine, as long as it’s deliberate and documented, not accidental.
| CM area | Typical owner | Accountable for |
|---|---|---|
| Inventory & baseline (3.4.1) | IT / systems administration | Complete, approved, maintained inventory and baseline |
| Settings & enforcement (3.4.2, 3.4.6, 3.4.7) | Security engineering / IT | Approved settings, least functionality, enforced and evidenced |
| Execution & installation (3.4.8, 3.4.9) | Endpoint / security operations | Execution policy and user-install control plus monitoring |
| Change control & impact (3.4.3, 3.4.4, 3.4.5) | Change manager / IT lead | Review-approve-log process, impact analysis, change-access control |
| Evidence & SSP | Compliance / security lead | Mapping every objective to current, approved evidence |
When outside help makes sense.If you have the technical depth, the hours, and the evidence discipline in-house, much of this family can be built internally—it is not exotic work. But if the deep dives made clear you’re short on any of those, that’s a category decision, not a personal failing:
- Missing process and evidence discipline → a Registered Provider Organization (RPO) or managed-compliance firm.
- Missing operational capacity (someone to actually run settings, monitoring, change control) → a Managed Security Service Provider (MSSP).
- Missing a compliant environment → a CUI enclave or a FedRAMP-authorized cloud platform.
The one rule you cannot break: keep readiness and assessment separate.The Cyber AB Code of Professional Conduct—which C3PAOs must comply with alongside the impartiality, conflict-of-interest, and ISO/IEC 17020 obligations in § 170.9—bars a firm from both preparing an organization for its assessment and participating in that assessment. Route implementation and remediation to an RPO, MSSP, or managed-compliance provider—never to the C3PAO you intend to hire for the certification.
When you do vet a C3PAO, use the Cyber AB Marketplace to confirm the firm’s current authorized or accredited C3PAO listing—that’s the authoritative check on whether it can legally certify you.
Not sure which category you need—or whether a firm creates a conflict?
The decision turns on your level, your CUI scope, your assessment type, your environment, and your timeline. Our tool maps those to the right provider category and flags the readiness-vs-assessment separation, so you don’t accidentally hire yourself into a conflict.
Find My CMMC Path →How do you keep configuration management compliant after the assessment?
Passing is a moment; compliance is a state. Configuration management is one of the most operationally demanding families to maintain, because your systems change constantly and every significant change can affect a CM requirement. After the assessment, your baseline, your settings, your change log, and your monitoring all have to keep running—and a significant change can pull something new into scope or knock an implemented control out of compliance.
The significant-change trap.A “significant change” isn’t only a big migration—it can be a change that makes a previously not-applicablerequirement suddenly applicable. Stand up a wireless network you didn’t have before, and wireless-related requirements that were N/A are now in play, with new configuration and evidence obligations. Your Affirming Official is responsible for judging whether a change is significant enough to warrant reassessment, and for the continuing accuracy of your affirmation.
OPA vs. Change Record vs. POA&M—which artifact when
| Artifact | When it applies | Deadline |
|---|---|---|
| Change Record | Routine, ongoing change management under 3.4.3 | Per your change process |
| Operational Plan of Action (OPA) | A temporary deficiency or vulnerability that arises after the system was compliant; documents how it’ll be corrected. May support a MET finding when § 170.24(b)(1)(ii) is satisfied. Not the same as a POA&M | No CMMC 180-day closeout clock |
| POA&M | A requirement recorded NOT MET at an assessment (only for eligible requirements) | 180 days from the Conditional CMMC Status Date |
The distinction the DoD FAQ draws: if a significant change introduces a temporary deficiency after you were compliant, an OPA may document the remediation plan. But if a change is identified duringan assessment and results in a requirement being scored NOT MET, that goes on a POA&M with the 180-day clock—and if it’s a five-point CM requirement, it can’t go on a POA&M at all.
A sustainable maintenance rhythm looks like this: before a change, run the 3.4.4 impact analysis and route it through 3.4.3 approval; during the change, update the baseline (3.4.1) and settings (3.4.2) so your approved state stays true; after the change, confirm monitoring (3.4.9) still sees what it should and log the whole thing. Do that consistently and your next assessment is a review of a living system, not an archaeology dig.
And mind the clock on your status itself: Final Level 2 status is current for up to three years, subject to annual affirmation; Conditional Level 2 status is current for no more than 180 days. Configuration management, done as ongoing operations rather than a pre-assessment sprint, is what keeps that status intact.
What we verified, and how
We hold this page to the standard we hold providers to. Here is the boundary between what the regulations say, what we calculated, and what is our editorial judgment.
Verified against primary sources ():
- The nine CM requirements and their 44 objectives—NIST SP 800-171 Rev. 2 (family 3.4) and the DoD CMMC Assessment Guide for Level 2. Objective counts are our tally from the Assessment Guide.
- The point values—confirmed against the CMMC Scoring Methodology at 32 CFR § 170.24, which lists CM.L2-3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, and 3.4.8 among the five-point requirements. These are CMMC point values, not “SPRS points.”
- The 88 / Conditional threshold, POA&M eligibility, and the 180-day closeout—32 CFR §§ 170.21 and 170.17.
- The 10-business-day re-evaluation window—32 CFR § 170.17(c)(2).
- Level mapping to NIST SP 800-171 Rev. 2, and the Rev. 3 / SP 800-172 status—32 CFR §§ 170.2, 170.14; NIST publication records.
- Asset categories and ESP/CSP treatment—32 CFR § 170.19 and § 170.17(c)(5).
Our calculations, labeled as such:the 33-point family exposure, the 313-point total possible deduction and −203 theoretical floor (summed from the § 170.24 values), and the 77-point all-CM-NOT-MET scenario.
Our editorial judgment, labeled as such:the “where it usually breaks down” commentary and the failure patterns in each deep dive. These reflect our reading of the assessment objectives and publicly reported assessment experience—not a measured, dated frequency dataset. Our editorial approach is documented in our Editorial Methodology and Standards, and we correct errors under our Corrections Policy.
Frequently asked questions about CMMC configuration management requirements
- How many configuration management requirements are there in CMMC?
- Nine at Level 2—CM.L2-3.4.1 through CM.L2-3.4.9—from NIST SP 800-171 Rev. 2. Level 3 adds three enhanced CM requirements from NIST SP 800-172. Level 1 has none.
- Which CM requirements can’t go on a POA&M?
- The six five-point requirements: CM.L2-3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, and 3.4.8. If any one of them is still NOT MET when results are finalized, there is no Conditional pass. Only the three one-point requirements— 3.4.3, 3.4.4, 3.4.9—can be POA&M candidates, and only if your overall score is at least 88 and the other § 170.21 conditions are met.
- Does CMMC Level 2 use NIST SP 800-171 Revision 2 or Revision 3?
- Revision 2. NIST published Revision 3 in May 2024 and later withdrew Revision 2 from its current set, but CMMC still uses Revision 2 (and the June 2018 SP 800-171A objectives) because 32 CFR Part 170 incorporates them by reference. Build to Rev. 2 for your assessment.
- Does CMMC require DISA STIGs or CIS Benchmarks?
- No. CM.L2-3.4.2 requires you to establish and enforce security configuration settings; it does not mandate any specific benchmark. A benchmark is a defensible way to show settings are “established,” but you still have to tailor, approve, deploy, enforce, and evidence it. A separate contract or prime may require a specific standard.
- Is a CMDB required for CM.L2-3.4.1?
- No specific product is required. A controlled spreadsheet, repository, or platform export can support compliance if it’s complete, approved, maintained, and covers hardware, software, firmware, and documentation—though no single artifact guarantees a MET finding.
- Does CM.L2-3.4.8 require application allowlisting?
- No. It requires a defined, enforced execution policy and lets you choose deny-by-exception or permit-by-exception. Allowlisting is stronger, but denylisting done properly is compliant.
- Can I fix a NOT MET requirement during a C3PAO assessment?
- Within limits. Under § 170.17(c)(2), a NOT MET requirement can be re-evaluated during the assessment and for 10 business days after, if additional existing evidence is available, no MET requirement is weakened, and the Findings Report hasn’t been delivered. It’s a window to surface evidence you already have—not to build a missing control.
- Is my SPRS score the same as my CMMC score?
- Not necessarily. Your legacy NIST SP 800-171 DoD Assessment score (under DFARS 252.204-7019/-7020) and your CMMC assessment score both post to SPRS but are scored under different authorities. Your CMMC Level 2 score comes from the CMMC Scoring Methodology at § 170.24.
- Can an Operational Plan of Action rescue a requirement the assessor marks NOT MET?
- No. An OPA can support a MET finding for a genuine temporary deficiency on an implemented control (§ 170.24(b)(1)(ii)), but once an assessor records a requirement as NOT MET, that gap goes on a POA&M—and a five-point CM requirement can’t go on a POA&M at all.
- Are the CM requirements different for a self-assessment?
- No. The nine requirements, 44 objectives, and scoring are identical. What differs is the assessor, the reporting system (SPRS directly vs. eMASS), the 10-day re-evaluation, artifact hashing, and the status path.
- How long does a CMMC status last?
- Final Level 2 is current for up to three years, subject to annual affirmation. Conditional Level 2 is current for no more than 180 days, within which you must close your POA&M.
- Where do the 44 objectives come from?
- NIST SP 800-171A (June 2018), which 32 CFR § 170.2 incorporates by reference as the assessment objectives and methods for Level 2.
- Does using an MSP remove my CM obligations?
- No. If your MSP handles CUI, provides security functions, or holds Security Protection Data, it enters your scope as an External Service Provider; you document the split in your SSP, a service description, and a customer responsibility matrix, and you still have to produce or point to the evidence.
When you’re ready to act
Configuration management is where a lot of otherwise-solid contractors lose points they didn’t have to—usually because they treated nine unequal requirements as one flat checklist. You now have the map: the six that can end an assessment, the three you can defer, the 44 objectives underneath them, and the evidence that actually holds up.
The next expensive decision isn’t whether to comply. It’s who, if anyone, you bring in to help—and getting that wrong (hiring a firm that can’t then certify you, or buying tools you didn’t need) costs more than the CM work itself.
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path →Related reading
Primary sources
- 32 CFR Part 170—CMMC Program rule (§§ 170.2, 170.14, 170.15, 170.17, 170.18, 170.19, 170.21, 170.22, 170.24)
- NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, family 3.4
- NIST SP 800-171A (June 2018)—assessment objectives and methods (incorporated by reference at 32 CFR § 170.2)
- NIST SP 800-172 (Feb 2021) and SP 800-172A (Mar 2022)—Level 3 enhanced requirements
- DoD CMMC Assessment Guide—Level 2 (DoD CIO)
- DFARS 252.204-7012, 252.204-7019/-7020, and 252.204-7021 (Acquisition.gov)
- DoD CMMC Program FAQ (DoD CIO)
- DCMA DIBCAC public assessment data (Top “Other Than Satisfied” requirements)