Establish, implement, and maintain a Configuration Baseline Documentation Record.


CONTROL ID
02130
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • System hardening through configuration management, CC ID: 00860

This Control has the following implementation support Control(s):
  • Document and approve any changes to the Configuration Baseline Documentation Record., CC ID: 12104
  • Create a hardened image of the baseline configuration to be used for building new systems., CC ID: 07063


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The configuration management department should create and maintain network connection diagrams, configuration diagrams, and other required system diagrams. (O66.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The security standards for the FI's hardware and software (e.g. operating systems, databases, network devices and endpoint devices) should outline the configurations that will minimise their exposure to cyber threats. The standards should be reviewed periodically for relevance and effectiveness. (§ 11.3.1, Technology Risk Management Guidelines, January 2021)
  • To facilitate identification of anomalies, the FI should establish a baseline profile of each IT system's routine activities and analyse the system activities against the baseline profiles. The profiles should be regularly reviewed and updated. (§ 12.2.3, Technology Risk Management Guidelines, January 2021)
  • ACSC and vendor guidance is implemented to assist in hardening the configuration of Microsoft Office, web browsers and PDF viewers. (Security Control: 1412; Revision: 2, Australian Government Information Security Manual)
  • The organization should record the configuration information from a trusted environment and not the standard Operating Systems, whenever possible. (Control: 0386 Bullet 5, Australian Government Information Security Manual: Controls)
  • Baselines should be developed for all critical applications and systems. The baselines should be stored on read-only media and should be updated whenever changes are made. (§ 3.5.19, Australian Government ICT Security Manual (ACSI 33))
  • A Configuration baseline is the configuration of a product or system established at a specific point in time, which captures both the structure and details of a configuration. It serves as reference for further activities. An application or software baseline provides the ability to change or to rebu… (§ 7.3.6, OGC ITIL: Service Support)
  • File integrity tools should be used to store baseline configuration data. This data can then be used to detect changes to files, folders, or other objects. (Pg 135, Mac OS X Security Configuration for version 10.4 or later, Second Edition)
  • Novell provides the capability to prepare reports of the server configuration, including all applications that are running. A baseline report should be created and changes should be tracked to ensure the system configuration does not change without proper authority. (§ 3.5, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • The control system shall provide the capability to generate a report listing the currently deployed security settings in a machine-readable format. (11.8.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The application product supplier shall qualify and document which protection from malicious code mechanisms are compatible with the application and note any special configuration requirements. (12.3.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • There shall be mechanisms on host devices that are qualified by the IACS product supplier to provide protection from malicious code. The IACS product supplier shall document any special configuration requirements related to protection from malicious code. (14.4.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Components shall provide the capability to generate a report listing the currently deployed security settings in a machine-readable format. (11.8.3 (1) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviation… (Control 11.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory and regulatory compliance obligations. Deviations from sta… (GRM-01, Cloud Controls Matrix, v3.0)
  • Establish, document and maintain baseline requirements for securing different applications. (AIS-02, Cloud Controls Matrix, v4.0)
  • Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed… (CIS Control 16: Safeguard 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure, CIS Controls, V8)
  • A master copy of the final version of the product should be identified in the configuration management system. (§ 13.2, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • A configuration baseline shall be developed for all changed Configuration Items before deploying a release into the live environment. (§ 9.1 ¶ 7, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The application product supplier shall qualify and document which protection from malicious code mechanisms are compatible with the application and note any special configuration requirements. (12.3.1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Host devices need to support the use of malicious code protection (against, for example, viruses, worms, Trojan horses and spyware). The product supplier should qualify and document the configuration of protection from malicious code mechanisms so that the primary mission of the control system is ma… (14.4.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • There shall be mechanisms on host devices that are qualified by the IACS product supplier to provide protection from malicious code. The IACS product supplier shall document any special configuration requirements related to protection from malicious code. (14.4.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2(1)(b), StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization reviews and updates the baseline configuration of the information system: (CM-2(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • [Assignment: organization-defined frequency]; (CM-2(1)(a), StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • As an integral part of information system component installations and upgrades. (CM-2(1)(c), StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2(1)(b), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization reviews and updates the baseline configuration of the information system: (CM-2(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • [Assignment: organization-defined frequency]; (CM-2(1)(a), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • As an integral part of information system component installations and upgrades. (CM-2(1)(c), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • As an integral part of information system component installations and upgrades. (CM-2(1)(c), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2(1)(b), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization reviews and updates the baseline configuration of the information system: (CM-2(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • [Assignment: organization-defined frequency]; (CM-2(1)(a), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change. (CIP-010-2 Table R1 Part 1.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change. (CIP-010-3 Table R1 Part 1.3 Requirements ¶ 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • CSR 10.7.3: The organization must develop, document, and maintain a current information system baseline configuration. This configuration must be consistent with the CMS Architecture and it must document the purpose, technical operations, description, maintenance, technical access, and personnel tra… (CSR 10.7.3, CSR 10.7.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • A baseline database should be created each time changes, additions, or deletions are made to any suid or sgid files, and when changes are made to any system library or binary files. The integrity of the system files should be checked weekly by comparing the current baseline with the original baselin… (§ 2.5.3.1, § 6.2, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • System files (*.exe, *.dll, *.bat, *.com, and *.cmd) should be compared on a weekly basis against a baseline. (§ 3.13, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • This examination procedure may be performed in coordination with the examination procedures in Objective 4 (ITAM). Determine whether management documents and maintains a current inventory of network and telecommunications hardware and software and the standard network configuration for them. Additio… (App A Objective 13:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Regularly assesses and documents compliance with the entity's baseline configuration. (App A Objective 13:3d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Documents the network's baseline configuration, including processes to review and approve changes. (App A Objective 13:3c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization reviews and updates the baseline configuration of the information system: (CM-2(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [FedRAMP Assignment: at least annually or when a significant change occurs]; (CM-2(1)(a) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • When required due to [FedRAMP Assignment: to include when directed by the JAB]; and (CM-2(1)(b) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • As an integral part of information system component installations and upgrades. (CM-2(1)(c) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [FedRAMP Assignment: at least annually or when a significant change occurs]; (CM-2(1)(a) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • When required due to [FedRAMP Assignment: to include when directed by the JAB]; and (CM-2(1)(b) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • As an integral part of information system component installations and upgrades. (CM-2(1)(c) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Review and update the baseline configuration of the system: (CM-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2b.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Assignment: organization-defined frequency]; (CM-2b.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • When system components are installed or upgraded. (CM-2b.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review and update the baseline configuration of the system: (CM-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Assignment: organization-defined frequency]; (CM-2b.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • When system components are installed or upgraded. (CM-2b.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2b.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Review and update the baseline configuration of the system: (CM-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • When system components are installed or upgraded. (CM-2b.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2b.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • [Assignment: organization-defined frequency]; (CM-2b.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • [Assignment: organization-defined frequency]; (CM-2b.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Review and update the baseline configuration of the system: (CM-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2b.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • When system components are installed or upgraded. (CM-2b.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • A baseline configuration of information technology/industrial control systems is created and maintained incorporating appropriate security principles (e.g. concept of least functionality) (PR.IP-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • A baseline configuration of information technology/industrial control systems is created and maintained. (PR.IP-1, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure a baseline configuration has been developed and is being maintained; the organization identifies when updates are made, who made the updates, and provides a summary of the updates; a baseline configuration log is maintained and is up … (CM-2, CM-2(1), CM-2(2), CM-2.10, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization reviews and updates the baseline configuration of the information system: (CM-2(1) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization reviews and updates the baseline configuration of the information system: (CM-2(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Assignment: organization-defined frequency]; (CM-2(1) ¶ 1(a) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Assignment: organization-defined frequency]; (CM-2(1) ¶ 1(a) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2(1) ¶ 1(b) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2(1) ¶ 1(b) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • As an integral part of information system component installations and upgrades. (CM-2(1) ¶ 1(c) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • As an integral part of information system component installations and upgrades. (CM-2(1) ¶ 1(c) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should review and update the baseline configuration when new components are installed. (SG.CM-2 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should develop a security control baseline that contains the minimum set of security controls needed for the Information System. The baseline is a starting point and will most likely need to be supplemented to achieve adequate risk mitigation. The controls must be documented in the … (§ 2.2 ¶ 2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should review and update the baseline configuration as a part of installations and upgrades. (App F § CM-2(1)(c), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Automated mechanisms should be used to implement changes to the baseline and deploy the updated baseline. (App F § CM-3(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades. (CM-2(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base. (CM-3(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades. (CM-2(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades. (CM-2(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • As an integral part of information system component installations and upgrades. (CM-2(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization reviews and updates the baseline configuration of the information system: (CM-2(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • [Assignment: organization-defined frequency]; (CM-2(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization reviews and updates the baseline configuration of the information system: (CM-2(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • [Assignment: organization-defined frequency]; (CM-2(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • As an integral part of information system component installations and upgrades. (CM-2(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • As an integral part of information system component installations and upgrades. (CM-2(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization reviews and updates the baseline configuration of the information system: (CM-2(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • [Assignment: organization-defined frequency]; (CM-2(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base. (CM-3(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms]. (CM-3(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Assignment: organization-defined frequency]; (CM-2b.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and update the baseline configuration of the system: (CM-2b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2b.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • When system components are installed or upgraded. (CM-2b.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • The organization reviews and updates the baseline configuration of the information system: (CM-2(1) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • [Assignment: organization-defined frequency]; (CM-2(1) ¶ 1(a), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • As an integral part of information system component installations and upgrades. (CM-2(1) ¶ 1(c), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2(1) ¶ 1(b), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • When required due to [Assignment organization-defined circumstances]; and (CM-2(1)(b), TX-RAMP Security Controls Baseline Level 2)
  • The organization reviews and updates the baseline configuration of the information system: (CM-2(1) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • As an integral part of information system component installations and upgrades. (CM-2(1)(c), TX-RAMP Security Controls Baseline Level 2)
  • [TX-RAMP Assignment: at least annually or when a significant change occurs]; (CM-2(1)(a), TX-RAMP Security Controls Baseline Level 2)