CM-2: Baseline Configuration
Control Family:
Previous Version:
- NIST Special Publication 800-53 Revision 4:
  - CM-2: Baseline Configuration
Incorporates the following control from the previous version: CM-2(1): Reviews And Updates.
Control Statement
- Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
- Review and update the baseline configuration of the system:
  - [Assignment: organization-defined frequency];
  - When required due to [Assignment: organization-defined circumstances]; and
  - When system components are installed or upgraded.
Supplemental Guidance
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.
Control Enhancements
CM-2(2): Automation Support for Accuracy and Currency
Baseline(s):
- Moderate
- High
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].
CM-2(3): Retention of Previous Configurations
Baseline(s):
- Moderate
- High
Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback.
CM-2(6): Development and Test Environments
Baseline(s):
Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.
CM-2(7): Configure Systems and Components for High-risk Areas
Baseline(s):
- Moderate
- High
- Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
- Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls].