AC.L2-3.4.1[b]

Executive Summary (For Leadership and the Board)

CMMC objective AC.L2-3.4.1[b] sits inside the Configuration Management domain (CM.L2-3.4.1 — System Baselining) and reads: The baseline configuration includes hardware, software, firmware, and documentation.. Ensure baselines comprehensively cover hardware settings, installed software versions, firmware levels, and supporting documentation — not just OS configurations. For organizations that handle Controlled Unclassified Information (CUI), this objective is part of the foundation that every downstream control depends on.

Under DFARS 252.204-7012, AC.L2-3.4.1[b] will be evaluated during a full third-party CMMC Level 2 assessment, Joint Surveillance Voluntary Assessment, or formal certification gating DoD CUI contract awards. Leadership and the board should be asking: Who owns this objective? When was it last reviewed? Where is the evidence stored? And what is our remediation plan if a C3PAO flags a gap? Failing this objective in isolation may be POA&M-able under CMMC 2.0; failing it in conjunction with related objectives in the same practice is typically not.