CM-02 Baseline Configuration
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
1. cm-02_odp.01;
2. When required due to cm-02_odp.02; and
3. When system components are installed or upgraded.
| Parameter ID | Definition |
|---|---|
| cm-02_odp.01 | frequency |
| cm-02_odp.02 | circumstances |
Baselines
- L
- M
- H
- P
Guidance
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.
References 2
- SP 800-124 Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1.
- SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
Control Enhancements 7
- CM-02(01) Reviews and Updates
- CM-02(02) Automation Support for Accuracy and Currency L M H P
- CM-02(03) Retention of Previous Configurations L M H P
- CM-02(04) Unauthorized Software
- CM-02(05) Authorized Software
- CM-02(06) Development and Test Environments L M H P
- CM-02(07) Configure Systems and Components for High-risk Areas L M H P
Related controls 19
- AC-19 Access Control for Mobile Devices L M H P
- AU-06 Audit Record Review, Analysis, and Reporting L M H P
- CA-09 Internal System Connections L M H P
- CM-01 Policy and Procedures L M H P
- CM-03 Configuration Change Control L M H P
- CM-05 Access Restrictions for Change L M H P
- CM-06 Configuration Settings L M H P
- CM-08 System Component Inventory L M H P
- CM-09 Configuration Management Plan L M H P
- CP-09 System Backup L M H P
- CP-10 System Recovery and Reconstitution L M H P
- CP-12 Safe Mode L M H P
- MA-02 Controlled Maintenance L M H P
- PL-08 Security and Privacy Architectures L M H P
- PM-05 System Inventory L M H P
- SA-08 Security and Privacy Engineering Principles L M H P
- SA-10 Developer Configuration Management L M H P
- SA-15 Development Process, Standards, and Tools L M H P
- SC-18 Mobile Code L M H P