Mechanisms exist to review and update baseline configurations: (1) At least annually; (2) When required due to so; or (3) As part of system component installations and upgrades.

Does the organization review and update baseline configurations: (1) At least annually; (2) When required due to so; or (3) As part of system component installations and upgrades?

- updated mapping CMMC Level 2