
Include the operating systems and version numbers in the baseline configuration.


CONTROL ID: 13269
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a configuration baseline based on the least functionality principle. (CC ID: 00862)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • SOEs are used for workstations and servers. (Security Control: 1406; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Where supported, 64-bit versions of operating systems are used. (Control: ISM-1408; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Where supported, 64-bit versions of operating systems are used. (Control: ISM-1408; Revision: 5, Australian Government Information Security Manual, September 2023)
  • operating system, network, and firewall configuration; (§ 7.11 Bullet 9, SS2/21 Outsourcing and third party risk management, March 2021)
  • Operating system(s) (including version) or firmware where no independent operating system exists; (CIP-010-4 Table R1 Part 1.1 Requirements 1.1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Operating system(s) (including version) or firmware where no independent operating system exists; (CIP-010-2 Table R1 Part 1.1 Requirements 1.1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Operating system(s) (including version) or firmware where no independent operating system exists; (CIP-010-3 Table R1 Part 1.1 Requirements 1.1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Host OSs should be operated in an immutable manner with no data or state stored uniquely and persistently on the host and no application-level dependencies provided by the host. Instead, all app components and dependencies should be packaged and deployed in containers. This enables the host to be op… (4.5.3 ¶ 2, NIST SP 800-190, Application Container Security Guide)