CM-02 Baseline Configuration
Control: The organization develops, documents, and maintains a current baseline configuration of the information system.
Supplemental Guidance: This control establishes a baseline configuration for the information system. The baseline configuration provides information about a particular component’s makeup (e.g., the standard software load for a workstation or notebook computer including updated patch information) and the component’s logical placement within the information system architecture. The baseline configuration also provides the organization with a well-defined and documented specification to which the information system is built and deviations, if required, are documented in support of mission needs/objectives. The baseline configuration of the information system is consistent with the Federal Enterprise Architecture. Related security controls: CM-6, CM-8.
Control Enhancements:
(1) The organization updates the baseline configuration of the information system as an integral part of information system component installations.
(2) The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
Baseline: LOW CM-2; MOD CM-2 (1); HIGH CM-2 (1) (2)
Family: Configuration Management
Class: Operational
ISO 17799 mapping: 7.1.1, 15.1.2
COBIT 4.1 mapping: PO1.6, PO2.1, DS9.1
PCI-DSS v2 mapping: 2.2, 2.1.1