This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
NIST 800-53 (r4) Supplemental Guidance:
This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7.
References: NIST Special Publication 800-128.
NIST 800-53 (r5) Discussion:
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.
38North Guidance:
Meets Minimum Requirement:
Develop, document, and maintain under configuration control, a current baseline configuration of all cloud components included in the system inventory.
Maintain the baseline configuration under the following controls:
Any change to the baseline configuration must be approved by the Change Approval Board (CAB) or a similar committee.
Any change to the baseline configuration must be recorded in the Change Request (CR) ticketing system via the workflow referenced in the Configuration Management Plan.
Use the latest Center for Internet Security (CIS) Benchmarks and/or DISA STIGs as the starting point for establishing and documenting configuration settings for the information technology products employed.
The baseline configuration should include any APIs enabled in the production environment.
Best Practice:
Examples of what to include in the baseline:
Code releases (e.g., release label, list of commits)
Image(s) deployed (e.g., name, version, signature)
External dependencies (e.g., CRN of the service, reference to the database and its version)
Worker nodes (e.g., operating system, size, version)
Current configuration (e.g., scaling policies and their initial settings, config maps, network configuration; these can be extracted from the code release if everything is represented as code)
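The list above describes what a baseline records; the following is an added example (not 38North's or NIST's code) of how a team might keep such a baseline as a version-controlled manifest and check a live snapshot against it. It builds a manifest with the categories listed above, hashes it so the approved version can be pinned in the repository, applies approved Change Requests to produce the next baseline, and reports any remaining difference as unapproved drift. All data (the release labels, image names, CR identifiers, the snapshot) is constructed for the example; the function names and the dotted "path" convention for CR-authorized changes are this example's own conventions, not a product API.

```python
"""Baseline manifest, promotion through approved CRs, and drift check (added example)."""
import hashlib
import json

# Constructed approved baseline, as it would be committed to the configuration repository.
APPROVED_BASELINE = {
    "release": {"label": "v1.8.2", "commits": ["a1b2c3d", "e4f5a6b"]},
    "images": {"api": {"name": "registry.example.com/api", "version": "1.8.2",
                       "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000001"}},
    "dependencies": {"db": {"engine": "postgres", "version": "15.4"}},
    "worker_nodes": {"os": "Ubuntu 22.04", "size": "m5.large", "count": 3},
    "config": {"autoscale": {"min": 3, "max": 10},
               "network": {"ingress_cidrs": ["10.0.0.0/8"]},
               "apis_enabled": ["orders", "inventory"]},
}

# Constructed snapshot of the running environment: the DB was upgraded (approved below)
# and a new API was enabled without a CR.
CURRENT_SNAPSHOT = json.loads(json.dumps(APPROVED_BASELINE))
CURRENT_SNAPSHOT["dependencies"]["db"]["version"] = "15.5"
CURRENT_SNAPSHOT["config"]["apis_enabled"] = ["orders", "inventory", "billing"]

# Constructed CR records; only "approved" CRs may move the baseline.
CHANGE_REQUESTS = [
    {"id": "CR-1042", "status": "approved", "path": "dependencies.db.version", "new_value": "15.5"},
    {"id": "CR-1043", "status": "rejected", "path": "worker_nodes.count", "new_value": 5},
]


def canonical_json(obj):
    """Deterministic serialization so the same baseline always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def baseline_digest(manifest):
    """SHA-256 of the canonical manifest; pin this value in the CR that approves the baseline."""
    return hashlib.sha256(canonical_json(manifest).encode()).hexdigest()


def diff_baselines(approved, current, path=""):
    """Return (path, approved_value, current_value) for every leaf that differs.
    Lists are compared as whole values, so any added or removed element is a deviation."""
    deviations = []
    if isinstance(approved, dict) and isinstance(current, dict):
        for key in sorted(set(approved) | set(current)):
            child = f"{path}.{key}" if path else key
            if key not in approved:
                deviations.append((child, None, current[key]))
            elif key not in current:
                deviations.append((child, approved[key], None))
            else:
                deviations.extend(diff_baselines(approved[key], current[key], child))
    elif approved != current:
        deviations.append((path, approved, current))
    return deviations


def promote_baseline(approved, change_requests):
    """Create the next baseline by applying only approved CRs to a copy of the current one."""
    new_baseline = json.loads(canonical_json(approved))  # deep copy
    for cr in change_requests:
        if cr["status"] != "approved":
            continue
        node = new_baseline
        keys = cr["path"].split(".")
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        node[keys[-1]] = cr["new_value"]
    return new_baseline


def unapproved_drift(approved, current, change_requests):
    """Deviations of the live snapshot that no approved CR accounts for."""
    return diff_baselines(promote_baseline(approved, change_requests), current)


if __name__ == "__main__":
    print("approved baseline digest:", baseline_digest(APPROVED_BASELINE))
    print("next baseline digest:    ", baseline_digest(promote_baseline(APPROVED_BASELINE, CHANGE_REQUESTS)))
    for path, was, now in unapproved_drift(APPROVED_BASELINE, CURRENT_SNAPSHOT, CHANGE_REQUESTS):
        print(f"UNAPPROVED DRIFT at {path}: baseline={was!r} current={now!r}")
```

Run on the constructed data it reports one unapproved drift, at config.apis_enabled, because the database upgrade is covered by CR-1042 while the new API is not; the pinned digest of the promoted baseline is what an assessor would expect to find referenced from the approving CR.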
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Documented configuration baselines for all system components included in the system inventory (OS, DB, application, APIs, and cloud infrastructure) including documented deviations to address operational requirements.
Evidence showing where and how configuration baseline(s) are stored (e.g., GitHub, Bitbucket, etc.).
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD