The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.
The organization reviews and updates the baseline configuration of the information system: [Assignment: organization-defined frequency]; when required due to [Assignment: organization-defined circumstances]; and as an integral part of information system component installations and upgrades.
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
The organization issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk, and applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.