- Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
- Review and update the baseline configuration of the system:
- [Assignment: organization-defined frequency];
- When required due to [Assignment: organization-defined circumstances]; and
- When system components are installed or upgraded.
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].
Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback.
Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.
Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls].