This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization reviews and updates the baseline configuration of the information system:
(a) [FedRAMP Assignment: (M)(H) at least annually or when a significant change occurs];
(b) When required due to [FedRAMP Assignment: (M)(H) to include when directed by the JAB]; and
(c) As an integral part of information system component installations and upgrades.
CM-2 (1) (a) Additional FedRAMP Requirements and Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.
NIST 800-53 (r4) Supplemental Guidance:
Related control: CM-5.
NIST 800-53 (r5) Discussion:
Withdrawn: Incorporated into CM-2.
38North Guidance:
Meets Minimum Requirement:
Review and update the system baseline configuration at least annually and whenever there is a significant change to existing configurations.
Define and implement the circumstances that require the baseline configuration of the information system to be reviewed and updated, including when directed by the JAB, CSP, and/or customer.
Review and update the system baseline as an integral part of information system component installations and upgrades.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Records of information system baseline configuration reviews and updates:
annually and whenever a significant change occurs;
as directed by the JAB, CSP and/or customer; and
as an integral part of information system component installations and upgrades.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD