
Establish, implement, and maintain a configuration baseline based on the least functionality principle.


CONTROL ID
00862
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Configuration Management program., CC ID: 00867

This Control has the following implementation support Control(s):
  • Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration., CC ID: 13285
  • Include the differences between test environments and production environments in the baseline configuration., CC ID: 13284
  • Include the applied security patches in the baseline configuration., CC ID: 13271
  • Include the installed application software and version numbers in the baseline configuration., CC ID: 13270
  • Include installed custom software in the baseline configuration., CC ID: 13274
  • Include network ports in the baseline configuration., CC ID: 13273
  • Include the operating systems and version numbers in the baseline configuration., CC ID: 13269
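The supporting controls above enumerate what a least-functionality baseline has to record (operating system and version, applications and versions, custom software, applied patches, network ports) and the authority documents below add that the baseline must be stored under configuration control and compared against the live system. The following is an added example, not code from the control catalog or from any of the cited standards: a minimal baseline schema and a drift check that treats every recorded item as an allow-list, so anything found on the host that the baseline does not authorize (an extra listening port, an unauthorized package, a changed file) is reported. All host, package, patch and digest values are constructed for illustration, and the integrity digest is a plain SHA-256 over canonical JSON, standing in for whatever read-only or signed storage the organization actually uses.

```python
"""Baseline drift check built on the least-functionality principle.

Added example, not part of the control catalog. The baseline schema,
package names, patch identifiers, ports and digests are constructed.
"""
import hashlib
import json

# Constructed baseline for a hypothetical web tier. Each item is an
# allow-list: anything present on the host but absent here is drift.
BASELINE = {
    "os": {"name": "Ubuntu", "version": "22.04.4"},
    "applications": {"nginx": "1.24.0", "openssh-server": "9.6p1"},
    "custom_software": {"acme-web": "3.2.1"},
    "patches": ["USN-6512-1", "USN-6530-1"],
    "ports": [22, 443],  # only the essential services may listen
    "files": {"/etc/nginx/nginx.conf": "3d9a0c1e"},  # constructed digest
}

# Constructed snapshot of the same host: a telnet daemon was installed,
# one patch was never applied, and something is listening on 8080.
SNAPSHOT = {
    "os": {"name": "Ubuntu", "version": "22.04.4"},
    "applications": {"nginx": "1.24.0", "openssh-server": "9.6p1",
                     "telnetd": "0.17"},
    "custom_software": {"acme-web": "3.2.1"},
    "patches": ["USN-6512-1"],
    "ports": [22, 443, 8080],
    "files": {"/etc/nginx/nginx.conf": "3d9a0c1e"},
}


def baseline_digest(baseline):
    """SHA-256 over canonical JSON, so a stored baseline can be pinned
    (e.g. on read-only media) and verified before it is used as the
    reference for a comparison."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def compare(baseline, snapshot):
    """Return a list of (severity, finding) tuples.

    'high' marks additions the baseline does not authorize (listeners,
    packages, changed files); 'medium' marks drift in authorized items
    (version mismatch, missing package, missing patch)."""
    findings = []
    if snapshot["os"] != baseline["os"]:
        findings.append(("medium", f"os: expected {baseline['os']}, found {snapshot['os']}"))
    for key in ("applications", "custom_software"):
        want, have = baseline[key], snapshot[key]
        for name, ver in have.items():
            if name not in want:
                findings.append(("high", f"{key}: unauthorized package {name} {ver}"))
            elif want[name] != ver:
                findings.append(("medium", f"{key}: {name} is {ver}, baseline {want[name]}"))
        for name in sorted(want.keys() - have.keys()):
            findings.append(("medium", f"{key}: {name} missing"))
    for patch in sorted(set(baseline["patches"]) - set(snapshot["patches"])):
        findings.append(("medium", f"patches: {patch} not applied"))
    # Least functionality: any listener outside the baseline is a finding.
    for port in sorted(set(snapshot["ports"]) - set(baseline["ports"])):
        findings.append(("high", f"ports: unexpected listener on {port}"))
    for path, digest in baseline["files"].items():
        if snapshot["files"].get(path) != digest:
            findings.append(("high", f"files: {path} digest differs from baseline"))
    return findings


if __name__ == "__main__":
    print("baseline digest:", baseline_digest(BASELINE))
    for severity, finding in compare(BASELINE, SNAPSHOT):
        print(f"[{severity}] {finding}")
```

In practice the snapshot would be collected by the package manager, `ss`/`netstat` and a file-integrity tool rather than typed in, and the digest of the approved baseline would be recorded in the change-management ticket so that a comparison against a tampered reference is itself detectable.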


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Control procedures and baseline security requirements should be developed to safeguard application programs, operating systems, system software and databases. For example: - access to data and programs should be controlled by appropriate methods of identification and authentication of users together… (3.4.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • A licensed or registered person should have policies and procedures in place to ensure that system access or the use of the systems are granted to users on a need-to-have basis. In addition, a licensed or registered person should review, at least on a yearly basis, the user access list of critical s… (2.2. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • To detect malicious programs, the organization should compare the original library files with the current files being used and properly manage file revision records. (T50.2(4), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In order to allow the system to keep running without shutting down the entire system in the event of a failure even though some operations are interrupted, it is necessary to provide the functions of reducing the capabilities and rearranging the system. (P104.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Secure Configurations/hardening for all hardware and software on Laptops, Workstations, and Servers and Network Devices such as Firewalls, Routers and Switches. Configuration management begins with well-tested and documented security baselines for various systems. There need to be documented securit… (Critical components of information security 24) viii. ¶ 1 b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization should record the system configuration for all servers whose functions are critical and ones that are high risk of compromise. (Control: 0386 Bullet 1, Australian Government Information Security Manual: Controls)
  • Baselines should be developed for all critical applications and systems. Baselines should be stored on read-only media and should be updated whenever changes are made. (§ 3.5.19, Australian Government ICT Security Manual (ACSI 33))
  • implementation of secure configuration baselines of all network components; (3.4.4 36(b), Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should maintain an up-to-date inventory of their ICT assets (including ICT systems, network devices, databases, etc.). The ICT asset inventory should store the configuration of the ICT assets and the links and interdependencies between the different ICT assets, to enable a pro… (3.5 53, Final Report EBA Guidelines on ICT and security risk management)
  • Software should run with least necessary privileges, taking account of both security and functionality. (Provision 5.6-7, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • (§ 3.3.1, OGC ITIL: Security Management)
  • The entity has established policies and procedures and technical specifications and requirements for the configuration and credentialing of users and systems prior to granting logical access to information and data about internally and externally managed infrastructure-based platforms, devices and s… (S7.1 Manages credentials for infrastructure and software, Privacy Management Framework, Updated March 1, 2020)
  • A secure baseline is called for. (§ 2.1, The Center for Internet Security Solaris 10 Benchmark, 2.1.2)
  • Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes. (DS9.1 Configuration Repository and Baseline, CobiT, Version 4.1)
  • Only required functionality, as documented in the configuration standards, is enabled. (2.2.4.b Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • When selecting a suitable set of baseline controls, the following questions should be considered: • Do IT policies — including for IT controls — exist? • Have responsibilities for IT and IT controls been defined, assigned, and accepted? • Are IT infrastructure equipment and tools logica… (§ 8.5 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Servers should be configured in accordance with documented standards / procedures, which should cover providing standard firmware configurations. (CF.07.02.01a, The Standard of Good Practice for Information Security)
  • Servers should be provided with standard firmware configurations that include pre-configured BIOS settings (e.g., disabling the boot menu and Universal serial bus / Digital Video Disk boot option). (CF.07.02.02a, The Standard of Good Practice for Information Security)
  • Servers should be configured in accordance with documented standards / procedures, which should cover providing standard firmware configurations. (CF.07.02.01a, The Standard of Good Practice for Information Security, 2013)
  • Servers should be provided with standard firmware configurations that include pre-configured BIOS settings (e.g., disabling the boot menu and Universal serial bus / Digital Video Disk boot option). (CF.07.02.02a, The Standard of Good Practice for Information Security, 2013)
  • Servers should be built / configured using a standardized, predetermined server image. (CF.07.02.03, The Standard of Good Practice for Information Security, 2013)
  • The secure image, including workstations and servers, should be updated regularly and be integrated into the Change Management process. (Critical Control 3.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. (IS-04, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). (CIS Control 4: Secure Configuration of Enterprise Assets and Software, CIS Controls, V8)
  • The organization shall verify configuration baseline changes are identified, evaluated, recorded, approved, and incorporated. (§ 6.3.5.3(b)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The master copy of the product should be identifiable in the configuration management system. (§ 13.2, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • Before deployment of a release into the live environment, a baseline of the affected CIs shall be taken. (§ 8.5.3 ¶ 4, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. (§ 8.9 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • A baseline configuration of IT and control systems is created and maintained. (CC8.1 ¶ 3 Bullet 12 Creates Baseline Configuration of IT Technology, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality). (PR.IP-1, CRI Profile, v1.2)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. (CM-2(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. (CM-2(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • A baseline configuration of IT and control systems is created and maintained. (CC8.1 Creates Baseline Configuration of IT Technology, Trust Services Criteria)
  • A baseline configuration of IT and control systems is created and maintained. (CC8.1 ¶ 2 Bullet 12 Creates Baseline Configuration of IT Technology, Trust Services Criteria, (includes March 2020 updates))
  • Develop a baseline configuration, individually or by group, which shall include the following items: (CIP-010-2 Table R1 Part 1.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Develop a baseline configuration, individually or by group, which shall include the following items: (CIP-010-3 Table R1 Part 1.1 Requirements ¶ 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • For cloud computing services, is a default hardened base virtual image available to clients? (§ V.1.49, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • CSR 1.9.4: The organization must document the current system configuration, including links to other systems, and the security configuration. CSR 10.7.3: The organization must develop, document, and maintain a current information system baseline configuration. This configuration must be consistent … (CSR 1.9.4, CSR 10.7.3, CSR 10.7.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (CM.2.061, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. (CM.2.062, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Establish and enforce security configuration settings for information technology products employed in organizational systems. (CM.2.064, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Establish and enforce security configuration settings for information technology products employed in organizational systems. (CM.2.064, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (CM.2.061, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. (CM.2.062, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (CM.2.061, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. (CM.2.062, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Establish and enforce security configuration settings for information technology products employed in organizational systems. (CM.2.064, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (CM.2.061, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. (CM.2.062, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Establish and enforce security configuration settings for information technology products employed in organizational systems. (CM.2.064, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. (CM.L2-3.4.6 Least Functionality, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (CM.L2-3.4.1 System Baselining, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Establish and enforce security configuration settings for information technology products employed in organizational systems. (CM.L2-3.4.2 Security Configuration Enforcement, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Determine whether management uses standard builds, allowing one documented configuration to be applied to multiple computers in a controlled manner, to create hardware and software inventories, update or patch systems, restore systems, investigate anomalies, and audit configurations. (App A Objective 6.14, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should have a process to introduce changes to the environment in a controlled manner. Changes to the IT environment include the following: - Configuration management of IT systems and applications. - Hardening of systems and applications. - Use of standard builds. - Patch management. (II.C.10 Change Management Within the IT Environment, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The configuration management standards should include the production of a baseline and evaluation, approval, documentation, and dissemination all changes to it. (Pg 9, Pg 31, Pg 51, FFIEC IT Examination Handbook - Development and Acquisition)
  • The joint authorization board must approve and accept the configuration settings of the service provider. (Column F: CM-6a, FedRAMP Baseline Security Controls)
  • The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. (CM-2(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. (CM-2(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., FedRAMP Security Controls High Baseline, Version 5)
  • Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. (CM-2(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., FedRAMP Security Controls Low Baseline, Version 5)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. (CM-2(2) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must document and maintain a configuration baseline of the system(s). (§ 5.6.5, Exhibit 4 CM-2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are commented, offline copies of all router configurations maintained and consistent with the actual configuration that is running on the routers, if the router is maintained by a third party? (IT - Routers Q 9, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are commented, offline copies of all router configurations maintained? (IT - Routers Q 22, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. (CM-2(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. (CM-2(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory. (CM-8(6) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enf… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure a baseline configuration has been developed and is being maintained; the organization identifies when updates are made, who made the updates, and provides a summary of the updates; a baseline configuration log is maintained and is up … (CM-2, CM-2(1), CM-2(2), CM-2.10, CM-7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. (CM-2(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Current configuration information for all components. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 1 Bullet 8, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develop a system security context, a preliminary system security Concept of Operations (CONOPS), and define baseline system security requirements in accordance with applicable cybersecurity requirements. (T0314, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Document changes to planned security control implementation and establish the configuration baseline for a system. (T0950, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • A baseline configuration of information technology is created and maintained incorporating security principles (e.g., concept of least functionality). (PR.PO-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Organizations should automate compliance with container runtime configuration standards. Documented technical implementation guidance, such as the Center for Internet Security Docker Benchmark, provides details on options and recommended settings, but operationalizing this guidance depends on automa… (4.4.3 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • Define a secure baseline by determining how to configure each setting that has an effect on security or a security-related setting so that the default settings are secure and do not weaken the security functions provided by the platform, network infrastructure, or services. (PW.9.1, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • The organization should develop, document, and maintain a current baseline configuration. (SG.CM-2 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms to maintain the baseline configuration. (SG.CM-2 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Establish and enforce security configuration settings for information technology products employed in organizational information systems. (3.4.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Employ the principle of least functionality by configuring the information system to provide only essential capabilities. (3.4.6, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (3.4.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (3.4.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Establish and enforce security configuration settings for information technology products employed in organizational systems. (3.4.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. (3.4.6, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Establish and enforce security configuration settings for information technology products employed in organizational systems. (3.4.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (3.4.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. (3.4.6, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should use automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration. (App F § CM-2(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, document, and maintain a current baseline configuration of the Information System under configuration control. (App F § CM-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should review and update the baseline configuration at predetermined frequencies. (App F § CM-2(1)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should develop a security control baseline that contains the minimum set of security controls needed for the Information System. The baseline is a starting point and will most likely need to be supplemented to achieve adequate risk mitigation. The controls must be documented in the … (§ 2.2 ¶ 2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • An appropriate set of baseline controls from appendix d must be selected based on the determined impact level. After selection, the organization should initiate a tailoring process to modify and align the controls to the organization's specific conditions. (§ 3.3 ¶ Selecting the Initial Baseline Security Controls, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • This table contains the minimum recommended baseline set of security controls and priorities for low-impact systems, moderate-impact systems, and high-impact systems. (Table D-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should review and update the baseline configuration when required due to predetermined circumstances. (App F § CM-2(1)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should maintain the operational baseline configuration separate from the baseline configuration for the test environment and the development environment. (App F § CM-2(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Document changes to planned security control implementation and establish the configuration baseline for a system. (T0950, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop a system security context, a preliminary system security Concept of Operations (CONOPS), and define baseline system security requirements in accordance with applicable cybersecurity requirements. (T0314, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop a strategy for monitoring security control effectiveness; coordinate the system-level strategy with the organization and mission/business process-level monitoring strategy. (T0947, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the baseline configuration of the information system. (CM-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the baseline configuration of the information system {organizationally documented frequency}. (CM-2(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the baseline configuration of the information system when required due to {organizationally documented circumstances}. (CM-2(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. (CM-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the baseline configuration of the information system. (CM-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the baseline configuration of the information system {organizationally documented frequency}. (CM-2(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the baseline configuration of the information system when required due to {organizationally documented circumstances}. (CM-2(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. (CM-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the baseline configuration of the information system. (CM-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the baseline configuration of the information system {organizationally documented frequency}. (CM-2(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the baseline configuration of the information system when required due to {organizationally documented circumstances}. (CM-2(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. (CM-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. (CM-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory. (CM-8(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory. (CM-8(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. (CM-2(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory. (CM-8(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop, document, and maintain under configuration control, a current baseline configuration of the system; and (CM-2a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. (CM-2(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory. (CM-8(6) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, TX-RAMP Security Controls Baseline Level 1)
  • The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (CM-2 Control, TX-RAMP Security Controls Baseline Level 2)
  • The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system. (CM-2(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)