This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
NIST 800-53 (r4) Supplemental Guidance:
Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5.
NIST 800-53 (r5) Discussion:
Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities.
38North Guidance:
Meets Minimum Requirement:
Maintain a baseline configuration for the information system using automated mechanisms (e.g., tooling such as Ansible, Chef, Puppet, Terraform, Salt, Helm charts, AWS CloudFormation, AWS Config, cloud-init, Python scripts, or Jenkins) to facilitate baseline management of the information system and its components.
Document how each automated mechanism is utilized to maintain an up-to-date, complete, accurate, and readily available baseline configuration(s).
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Automated mechanisms/tools (e.g., Ansible, Jenkins) used to facilitate information system component baseline management. Evidence showing where and how the configuration baseline is stored (e.g., GitHub, Bitbucket).
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD