CM-2: Baseline Configuration
Control Family:
Next Version:
- NIST Special Publication 800-53 Revision 5:
- CM-2: Baseline Configuration
Control Statement
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Supplemental Guidance
This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.
Control Enhancements
CM-2(1): Reviews And Updates
Baseline(s):
- Moderate
- High
The organization reviews and updates the baseline configuration of the information system:
- [Assignment: organization-defined frequency];
- When required due to [Assignment: organization-defined circumstances]; and
- As an integral part of information system component installations and upgrades.
CM-2(2): Automation Support For Accuracy / Currency
Baseline(s):
- High
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CM-2(3): Retention Of Previous Configurations
Baseline(s):
- Moderate
- High
The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
CM-2(6): Development And Test Environments
Baseline(s):
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
CM-2(7): Configure Systems, Components, Or Devices For High-Risk Areas
Baseline(s):
- Moderate
- High
The organization:
- Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
- Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.