NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT
CM-2 — Baseline Configuration
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
1. {{ insert: param, cm-02_odp.01 }};
2. When required due to {{ insert: param, cm-02_odp.02 }}; and
3. When system components are installed or upgraded.
Supplemental Guidance
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.
Practitioner Notes
A baseline configuration is a documented, approved snapshot of how your system is supposed to be configured. It covers hardware, software, firmware, and settings. When something changes unexpectedly, you compare the live system against the baseline to detect the drift and investigate it.
Example 1: Use DISA STIGs as your baseline configuration for Windows servers and apply them via Group Policy Objects (GPOs) to enforce consistent settings across all servers.
Example 2: Maintain a documented baseline in a SCCM or Intune configuration profile that defines the approved software, services, and security settings for standard workstations.
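To make the comparison in the practitioner note concrete, here is an added example (not part of the NIST text or any vendor tool) that checks a host's observed settings against a documented baseline and flags when the baseline's own review is overdue. The baseline structure, setting names and values are constructed for illustration, not real STIG identifiers.

```python
# Added example: report drift between an approved baseline and a host's observed
# settings (CM-2a), and flag an overdue scheduled review (CM-2b.1). Constructed data.
from datetime import date

# Constructed baseline: approved settings for a standard server build.
BASELINE = {
    "approved_on": "2024-03-01",       # date the change board approved it
    "review_interval_days": 180,       # organization-defined review frequency
    "settings": {
        "PasswordComplexity": "Enabled",
        "MinimumPasswordLength": "14",
        "SMBv1": "Disabled",
        "RemoteDesktop": "Disabled",
        "AuditLogonEvents": "Success,Failure",
    },
}

def find_drift(baseline, observed):
    """Return {setting: (expected, actual)} for every deviation.
    A setting missing from the host has actual=None; a setting present on the
    host but absent from the baseline has expected=None (unapproved addition)."""
    expected = baseline["settings"]
    drift = {}
    for name, want in expected.items():
        got = observed.get(name)
        if got != want:
            drift[name] = (want, got)
    for name in observed.keys() - expected.keys():
        drift[name] = (None, observed[name])
    return drift

def review_due(baseline, today_iso):
    """True when the baseline is older than its organization-defined review interval."""
    approved = date.fromisoformat(baseline["approved_on"])
    return (date.fromisoformat(today_iso) - approved).days > baseline["review_interval_days"]

# Constructed host snapshot: SMBv1 and RDP re-enabled, audit setting missing,
# plus a service the baseline never approved.
OBSERVED = {
    "PasswordComplexity": "Enabled",
    "MinimumPasswordLength": "14",
    "SMBv1": "Enabled",
    "RemoteDesktop": "Enabled",
    "TelnetServer": "Running",
}

if __name__ == "__main__":
    for name, (want, got) in sorted(find_drift(BASELINE, OBSERVED).items()):
        print(f"DRIFT {name}: expected={want!r} actual={got!r}")
    print("baseline review overdue:", review_due(BASELINE, "2024-10-01"))
```

In practice the OBSERVED dictionary would be populated from a collector such as exported GPO results or an Intune compliance report, and each drift line would feed the change-control process rather than being silently corrected.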