
3.4.1 — Know Your Inventory

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

Two things, both required, both current:

  1. Baseline configurations. A documented known-good state for each system type in your CUI environment. “This is what a properly configured CUI workstation looks like” — OS version, patch level, security settings, installed software, network configuration. The baseline is your reference point for detecting unauthorized changes and for building new systems consistently.

  2. Asset inventory. A complete list of every piece of hardware, software, and firmware in your CUI environment. Not a stale spreadsheet from last year — a living inventory maintained through tooling (MDM, asset management, CMDB). Hardware includes workstations, servers, network devices, printers, phones. Software includes operating systems, applications, and utilities. Firmware includes BIOS/UEFI versions on hardware.

Both must be maintained throughout the system development life cycle — meaning they’re updated when systems are deployed, modified, or decommissioned. A new server goes into the inventory when it’s deployed and comes off when it’s decommissioned. A baseline is updated when a new OS version is approved or a security setting changes.

The assessor will ask to see your inventory, pick a random system, and verify it matches. Then they’ll ask for your baseline, pick a system type, and check whether deployed systems actually match the baseline.


Your assessor needs a “yes” to every row:

| # | Question | What “yes” looks like |
|---|----------|-----------------------|
| 1 | Is a baseline configuration established? | Documented baseline per system type (workstations, servers, network devices) specifying OS, patch level, security settings, software |
| 2 | Does the baseline include hardware, software, firmware, and documentation? | Baseline covers all four: hardware specs, installed software, firmware versions, and config documentation |
| 3 | Is the baseline maintained throughout the system life cycle? | Review and update records: baseline updated when a new OS is approved, security settings change, or patches are applied |
| 4 | Is a system inventory established? | Complete list of all hardware, software, and firmware in the CUI environment |
| 5 | Does the inventory include hardware, software, firmware, and documentation? | Inventory covers physical assets, installed applications, firmware versions, and supporting docs |
| 6 | Is the inventory maintained throughout the system life cycle? | Additions and removals documented: no ghost assets, no missing new systems |

Documents they’ll review: Configuration management policy; baseline configuration documentation per system type; system inventory records (hardware, software, firmware); inventory review and update records; system security plan; enterprise architecture documentation; change control records for baseline updates; system component installation and removal records

People they’ll talk to: Personnel with configuration management responsibilities; personnel maintaining the system inventory; information security personnel; system or network administrators

Live demos they’ll ask for: “Show me your asset inventory. Pick a workstation — is it in there?” “Show me your workstation baseline. Does this workstation match it?” “When was your inventory last updated? Show me the record.”


These are the actual questions. Have answers ready.

  • “Show me your baseline configuration for a CUI workstation. What does it specify?”
  • “Does your baseline include software versions, patch levels, and security settings?”
  • “When was your baseline last updated? What triggered the update?”
  • “Show me your system inventory. Is it current?”
  • “I’m looking at this server — is it in your inventory? Does it match the baseline?”
  • “How do you handle a new system deployment? Show me the process for adding it to the inventory and applying the baseline.”
  • “What about decommissioned systems — how do they come off the inventory?”

No baseline. Systems are configured ad-hoc — each admin sets up systems differently. The assessor asks “show me your workstation baseline” and there’s nothing to show. Document what a correctly configured system looks like for each system type.

Stale inventory. The inventory was created a year ago and hasn’t been updated. Three new servers, five new laptops, and two decommissioned desktops don’t match the list. Use automated tooling (MDM, CMDB, asset scanning) to keep the inventory current, and reconcile the MDM/CMDB export against network discovery so devices that were never enrolled still show up.

Hardware only, no software. You know every workstation but can’t list the software installed on each one. The requirement explicitly includes software and firmware — use your MDM or an inventory scanner to capture installed applications.

Baseline exists but not enforced. The baseline document says “BitLocker enabled” but three workstations don’t have it. Baselines must be applied, not just documented. Use compliance policies to detect and remediate drift, and keep the drift reports: they are the evidence that the baseline is enforced, not merely written down.
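The checks behind the last three failure modes (a stale inventory, a hardware-only inventory, and an unenforced baseline) are mechanical once the baseline and the inventory exist as data. The script below is an added example and is not code from the original page or from any MDM/CMDB vendor. It assumes the baseline is a per-system-type dict, the inventory export and the endpoint scan are lists of dicts with the field names shown, and all asset IDs, build numbers, firmware versions and software names are constructed for illustration. It reports baseline drift per recorded asset (OS build below minimum, BitLocker off, old firmware, missing or unapproved software) and reconciles the inventory against what the scan actually observed (assets on the network that were never recorded, and recorded assets that have not been seen for longer than the staleness window).

```python
from datetime import date

# Constructed baseline for one system type; values are illustrative, not from the page.
BASELINE = {
    "cui-workstation": {
        "os": "Windows 11 Enterprise",
        "min_os_build": 22631,
        "bitlocker_required": True,
        "min_firmware": "1.20.0",
        "required_software": {"Microsoft 365 Apps", "Defender for Endpoint"},
        "approved_software": {"Microsoft 365 Apps", "Defender for Endpoint", "7-Zip"},
    },
}

# Constructed inventory export (what the CMDB/MDM claims exists).
INVENTORY = [
    {"asset": "WS-001", "type": "cui-workstation", "last_seen": "2024-05-30"},
    {"asset": "WS-002", "type": "cui-workstation", "last_seen": "2024-05-30"},
    {"asset": "WS-003", "type": "cui-workstation", "last_seen": "2023-11-02"},
]

# Constructed endpoint scan (what was actually observed on the network).
SCAN = [
    {"asset": "WS-001", "os": "Windows 11 Enterprise", "os_build": 22631,
     "bitlocker": True, "firmware": "1.20.0",
     "software": {"Microsoft 365 Apps", "Defender for Endpoint"}},
    {"asset": "WS-002", "os": "Windows 11 Enterprise", "os_build": 22621,
     "bitlocker": False, "firmware": "1.18.2",
     "software": {"Microsoft 365 Apps", "Defender for Endpoint", "Dropbox"}},
    {"asset": "WS-004", "os": "Windows 11 Enterprise", "os_build": 22631,
     "bitlocker": True, "firmware": "1.20.0",
     "software": {"Microsoft 365 Apps", "Defender for Endpoint", "7-Zip"}},
]


def version_tuple(version):
    """'1.18.2' -> (1, 18, 2), so firmware versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_drift(observed, baseline):
    """Compare one scanned system with its type's baseline; return a list of findings."""
    findings = []
    if observed["os"] != baseline["os"]:
        findings.append(f"os: {observed['os']} (baseline {baseline['os']})")
    if observed["os_build"] < baseline["min_os_build"]:
        findings.append(f"os_build: {observed['os_build']} below {baseline['min_os_build']}")
    if baseline["bitlocker_required"] and not observed["bitlocker"]:
        findings.append("bitlocker: not enabled")
    if version_tuple(observed["firmware"]) < version_tuple(baseline["min_firmware"]):
        findings.append(f"firmware: {observed['firmware']} below {baseline['min_firmware']}")
    for name in sorted(baseline["required_software"] - observed["software"]):
        findings.append(f"software: required '{name}' missing")
    for name in sorted(observed["software"] - baseline["approved_software"]):
        findings.append(f"software: '{name}' not in approved list")
    return findings


def reconcile(inventory, scan, as_of, stale_days=30):
    """Compare inventory records with the scan as of the ISO date `as_of`.

    Returns assets seen on the network but missing from the inventory, and
    recorded assets that were not observed and have not been seen within
    stale_days (decommissioned or ghost entries that were never removed)."""
    today = date.fromisoformat(as_of)
    recorded = {r["asset"]: r for r in inventory}
    observed = {r["asset"] for r in scan}
    unrecorded = sorted(observed - recorded.keys())
    stale = sorted(
        asset for asset, rec in recorded.items()
        if asset not in observed
        and (today - date.fromisoformat(rec["last_seen"])).days > stale_days
    )
    return {"not_in_inventory": unrecorded, "stale": stale}


def run_check(baseline_by_type, inventory, scan, as_of):
    """Baseline drift for every recorded asset plus inventory reconciliation."""
    type_of = {r["asset"]: r["type"] for r in inventory}
    drift = {}
    for observed in scan:
        system_type = type_of.get(observed["asset"])
        if system_type is None:
            continue  # unrecorded asset: reported by reconcile(); no type means no baseline to apply
        drift[observed["asset"]] = check_drift(observed, baseline_by_type[system_type])
    return {"drift": drift, "inventory": reconcile(inventory, scan, as_of)}


if __name__ == "__main__":
    report = run_check(BASELINE, INVENTORY, SCAN, "2024-06-01")
    for asset, findings in report["drift"].items():
        print(asset, "OK" if not findings else findings)
    print("not in inventory:", report["inventory"]["not_in_inventory"])
    print("stale:", report["inventory"]["stale"])
```

With the constructed data, WS-001 matches the baseline, WS-002 shows four drift findings (old build, BitLocker off, old firmware, unapproved Dropbox), WS-004 is on the network but absent from the inventory, and WS-003 is a recorded asset nobody has seen in months. Those last two are exactly what an assessor finds when they pick a random system; running this against a real MDM export and keeping the output dated is cheaper than finding out during the assessment.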



| Requirement | Why it matters here |
|-------------|---------------------|
| 3.4.2 — Harden Everything | 3.4.1 establishes the security settings in your baseline; 3.4.2 enforces them |
| 3.4.3 — Control Every Change | Changes to baselines and inventoried systems go through change management |
| 3.4.6 — Shrink the Attack Surface | Your baseline should include only essential capabilities (least functionality) |
| 3.4.8 — Whitelist or Blacklist Software | Software inventory feeds the application control list |



CMMC Practice ID: CM.L2-3.4.1 | SPRS Weight: 5 points | POA&M Eligible: No