GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.4.1: Baseline Configurations & System Inventories

Control 3.4.1 requires you to establish and maintain baseline configurations for all systems—hardware, software, firmware, and documentation—throughout their entire lifecycle. Without documented baselines, you cannot detect unauthorized changes, comply with audits, or manage system risk effectively.

What this means

Baseline configurations are approved, documented snapshots of your systems at specific points in time. They serve as the reference standard against which all changes are measured. This control mandates that you inventory every component of your systems, document their intended state, and maintain this baseline throughout development, deployment, and operations. The baseline must cover hardware specifications, software versions, firmware levels, and supporting documentation so you can detect drift, unauthorized modifications, or compliance violations.

How to comply

  1. 1.Document the current state of all organizational systems, including hardware models, software versions, firmware revisions, and configuration parameters
  2. 2.Create a system inventory that uniquely identifies each asset and its baseline configuration details
  3. 3.Establish configuration management procedures that define how baselines are created, updated, and approved
  4. 4.Implement configuration monitoring to detect deviations from approved baselines
  5. 5.Maintain baseline documentation throughout the system development lifecycle—from design through retirement
  6. 6.Review and update baselines when authorized changes occur, ensuring all modifications are documented and approved
  7. 7.Store baseline configurations in a centralized, version-controlled repository accessible to authorized personnel

Evidence auditors look for

  • System inventory spreadsheet or asset management tool listing all hardware, software, and firmware with versions
  • Baseline configuration documentation for each system component with approved settings and specifications
  • Configuration management plan describing baseline establishment, change control, and review procedures
  • Change log showing baseline updates with approval dates, authorized changes, and technical details
  • Configuration audit reports comparing current system state against approved baselines
  • System development lifecycle documentation linking baselines to design, implementation, and deployment phases
  • Network diagram showing system components and their baseline configurations

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically inventories your systems, tracks baseline configurations in a version-controlled repository, and alerts you to configuration drift—eliminating manual spreadsheets and compliance gaps.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.4.2 — Change Management3.4.3 — Authorized Access3.2.1 — Authorization