SP800-53rev3 / class: Operational / family: (CM) Configuration Management

  CM-02: Baseline Configuration  

base control objective:
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

supplemental objective information:
This control establishes a baseline configuration for the information system and its constituent components including communications and connectivity-related aspects of the system. The baseline configuration provides information about the components of an information system (e.g., the standard software load for a workstation, server, network component, or mobile device including operating system/installed applications with current version numbers and patch information), network topology, and the logical placement of the component within the system architecture. The baseline configuration is a well-defined, documented, and up-to-date specification to which the information system is built. Maintaining the baseline configuration involves creating new baselines as the information system changes over time. The baseline configuration of the information system is consistent with the organization’s enterprise architecture.

enhancements to the base objective:

(1) The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment: organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades.

(2) The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
Enhancement Supplemental Guidance: Software inventory tools are examples of automated mechanisms that help organizations maintain consistent baseline configurations for information systems. Software inventory tools can be deployed for each operating system in use within the organization (e.g., on workstations, servers, network components, mobile devices) and used to track operating system version numbers, applications and types of software installed on the operating systems, and current patch levels. Software inventory tools can also scan information systems for unauthorized software to validate organization-defined lists of authorized and unauthorized software programs.

(3) The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.

(4) The organization:
(a) Develops and maintains [Assignment: organization-defined list of software programs authorized to execute on organizational information systems]; and
(b) Employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on organizational information systems.

(5) The organization:
(a) Develops and maintains [Assignment: organization-defined list of software programs not authorized to execute on organizational information systems]; and
(b) Employs an allow-all, deny-by-exception (explicit-deny) authorization policy to identify software allowed to execute on organizational information systems.

(6) The organization retains older versions of baseline configurations as deemed necessary to support rollback.
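As an added example (not part of the SP800-53 catalog text), the following Python script shows the mechanics behind the base control and enhancements (2), (4), (5) and (6): it parses a captured software inventory into a baseline, diffs a later inventory against it to surface drift (added, removed, or re-versioned components), evaluates the installed set under either a deny-all/permit-by-exception list (4) or an allow-all/deny-by-exception list (5), and keeps earlier approved baselines so one can be rolled back to (6). The "name<TAB>version" input format (the shape `dpkg-query -W -f '${Package}\t${Version}\n'` emits), the package names, versions, lists and labels are all assumptions and constructed sample data.

```python
"""Added example: a minimal software-inventory/baseline tool of the kind
CM-2(2) describes.  Not from the SP800-53 text; the input format, package
names, versions and lists below are assumptions / constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def parse_inventory(text: str) -> Dict[str, str]:
    """Parse 'name<TAB>version' lines (assumed format, e.g. the output of
    dpkg-query -W -f '${Package}\\t${Version}\\n') into {name: version}.
    A line without a tab raises instead of being dropped, so a truncated
    capture cannot pass as a clean baseline."""
    inventory: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\t" not in line:
            raise ValueError(f"line {lineno}: expected name<TAB>version, got {line!r}")
        name, version = line.split("\t", 1)
        inventory[name.strip()] = version.strip()
    return inventory


@dataclass
class Drift:
    added: Dict[str, str] = field(default_factory=dict)    # installed now, absent from baseline
    removed: Dict[str, str] = field(default_factory=dict)  # in baseline, missing now
    changed: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (baseline, now)

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.changed)


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Drift:
    """Compare a current inventory against the controlled baseline (CM-2 base)."""
    drift = Drift()
    for name, version in current.items():
        if name not in baseline:
            drift.added[name] = version
        elif baseline[name] != version:
            drift.changed[name] = (baseline[name], version)
    for name, version in baseline.items():
        if name not in current:
            drift.removed[name] = version
    return drift


def policy_violations(current: Dict[str, str], mode: str, listed: Set[str]) -> List[str]:
    """Installed package names that violate the execution policy.

    "permit-by-exception" (CM-2(4)): `listed` is the authorized set; anything
        not on it is a violation (deny-all default).
    "deny-by-exception"   (CM-2(5)): `listed` is the unauthorized set; only
        its members are violations (allow-all default)."""
    if mode == "permit-by-exception":
        return sorted(n for n in current if n not in listed)
    if mode == "deny-by-exception":
        return sorted(n for n in current if n in listed)
    raise ValueError(f"unknown policy mode {mode!r}")


class BaselineStore:
    """Retains every approved baseline so an earlier one can be restored (CM-2(6))."""

    def __init__(self) -> None:
        self._history: List[Tuple[str, Dict[str, str]]] = []  # (label, inventory), oldest first

    def approve(self, label: str, inventory: Dict[str, str]) -> None:
        self._history.append((label, dict(inventory)))

    def current(self) -> Dict[str, str]:
        return self._history[-1][1]

    def rollback(self) -> Tuple[str, Dict[str, str]]:
        """Discard the newest baseline; return the one that becomes current."""
        if len(self._history) < 2:
            raise RuntimeError("no earlier baseline retained; nothing to roll back to")
        self._history.pop()
        return self._history[-1]


# Constructed sample data: an approved baseline and a later capture from the same host.
BASELINE_TEXT = (
    "# approved baseline for host web-01 (constructed)\n"
    "openssh-server\t8.9-1\n"
    "nginx\t1.18-2\n"
    "openssl\t3.0.2-15\n"
)
CURRENT_TEXT = (
    "openssh-server\t8.9-1\n"
    "nginx\t1.18-2\n"
    "openssl\t3.0.2-14\n"        # re-versioned (downgraded) relative to the baseline
    "netcat-openbsd\t1.218-4\n"  # not in the baseline at all
)
AUTHORIZED: Set[str] = {"openssh-server", "nginx", "openssl"}   # CM-2(4) list (constructed)
UNAUTHORIZED: Set[str] = {"netcat-openbsd", "telnetd"}          # CM-2(5) list (constructed)

if __name__ == "__main__":
    store = BaselineStore()
    store.approve("baseline-v1", parse_inventory(BASELINE_TEXT))
    now = parse_inventory(CURRENT_TEXT)
    drift = diff_baseline(store.current(), now)
    print("added:", drift.added, "removed:", drift.removed, "changed:", drift.changed)
    print("CM-2(4) violations:", policy_violations(now, "permit-by-exception", AUTHORIZED))
    print("CM-2(5) violations:", policy_violations(now, "deny-by-exception", UNAUTHORIZED))
    store.approve("baseline-v2", now)        # approve the drifted state as a new baseline ...
    print("rolled back to:", store.rollback()[0])  # ... then restore the previous one
```

The two policy modes flag the same stray package on this input, but they fail differently on an unknown component: under (4) a package missing from the authorized list is a violation by default, under (5) it is silently permitted unless someone has already added it to the unauthorized list. That asymmetry is why the HIGH baseline requires the permit-by-exception form.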

mapping to FIPS199 baseline:

  LOW: base     MOD: base (1) (5) (6)     HIGH: base (1) (2) (3) (4) (6)  

related controls:

CM-03   Configuration Change Control
CM-06   Configuration Settings
CM-08   Information System Component Inventory
CM-09   Configuration Management Plan

documents referenced in SP800-53rev3 for CM-02:

Document        Date            Status    Title
NIST SP800-35   October 2003    current   Guide to Information Technology Security Services
NIST SP800-40   November 2005   current   Creating a Patch and Vulnerability Management Program
