CM-2: Baseline Configuration
- NIST Special Publication 800-53 Revision 4:
- CM-2: Baseline Configuration
Incorporates the following control from the previous version: CM-2(1): Reviews And Updates.
- Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
- Review and update the baseline configuration of the system:
- [Assignment: organization-defined frequency];
- When required due to [Assignment: organization-defined circumstances]; and
- When system components are installed or upgraded.
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.
CM-2(2): Automation Support for Accuracy and Currency
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].
CM-2(3): Retention of Previous Configurations
Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback.
CM-2(6): Development and Test Environments
Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.
CM-2(7): Configure Systems and Components for High-risk Areas
Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls].