03.04.01: Baseline Configuration
Control Family: Configuration Management
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-124 [28]
SP 800-128 [41]
IR 8011-2 [42]
IR 8011-3 [43]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.04.01
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
CM-02
a. Develop and maintain under configuration control, a current baseline configuration of the system.
b. Review and update the baseline configuration of the system [Assignment: organization-defined frequency] and when system components are installed or modified.
Discussion:
Baseline configurations for the system and system components include aspects of connectivity, operation, and communications. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for the system or configuration items within the system. Baseline configurations serve as a basis for future builds, releases, or changes to the system and include information about system components, operational procedures, network topology, and the placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as the system changes over time. Baseline configurations of the system reflect the current enterprise architecture.
Assessment Methods and Objectives
Examine [SELECT FROM: configuration management policy and procedures; procedures for the baseline system configuration; configuration management plan; enterprise architecture; system design documentation; system architecture; system configuration settings; system component inventory; change control records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with configuration management responsibilities; personnel with information security responsibilities; system administrators]
Test [SELECT FROM: processes for managing baseline configurations; mechanisms for supporting configuration control of the baseline configuration]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.04.01.ODP[01]: the frequency of baseline configuration review and update is defined.
A.03.04.01.a[01]: a current baseline configuration of the system is developed.
A.03.04.01.a[02]: a current baseline configuration of the system is maintained under configuration control.
A.03.04.01.b[01]: the baseline configuration of the system is reviewed <A.03.04.01.ODP[01]: frequency>.
A.03.04.01.b[02]: the baseline configuration of the system is updated <A.03.04.01.ODP[01]: frequency>.
A.03.04.01.b[03]: the baseline configuration of the system is reviewed when system components are installed or modified.
A.03.04.01.b[04]: the baseline configuration of the system is updated when system components are installed or modified.