CM-2: Baseline Configuration

CSF v1.1 References:

CSF v2.0 References:


Previous Version:

Info icon.

Incorporates the following control from the previous version of the control set: CM-2(1): Reviews And Updates.

Control Statement

  1. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
  2. Review and update the baseline configuration of the system:
    1. [Assignment: organization-defined frequency];
    2. When required due to [Assignment: organization-defined circumstances]; and
    3. When system components are installed or upgraded.

Supplemental Guidance

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

Control Enhancements

CM-2(6): Development and Test Environments


(Not part of any baseline)

Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.

CM-2(7): Configure Systems and Components for High-risk Areas


  • Moderate
  • High

Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls].