CMMC 2.13
CMMC · Rev 2.132FAMILY CM
CM.L2-3.4.1
System Baselining
Requirement
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Further discussion
An effective cybersecurity program depends on consistent, secure system and component configuration and management. Build and configure systems from a known, secure, and approved configuration baseline. This includes:
• documenting the software and configuration settings of a system;
• placement within the network; and
• other specifications as required by the organization.
Example
You are in charge of upgrading the computer operating systems of your office’s computers. Some of these computers process, store, or transmit CUI. You research how to set up and configure a workstation with the least functionality and highest security and use that as the framework for creating a configuration that minimizes functionality while still allowing users to do their tasks. After testing the new baseline on a single workstation, you document this configuration and apply it to the other computers [a]. You then check to make sure that the software changes are accurately reflected in your master system inventory [e]. Finally, you set a calendar reminder to review the baseline in three months [f].
Potential Assessment Considerations
• Do baseline configurations include software versions and patch level, configuration parameters, network information, and communications with connected systems [a,b]?
• Are baseline configurations updated as needed to accommodate security risks or software changes [c]?
Supporting controls
NIST 800-171 · Rev 21 mapped
Create a free account or log in to view the cross-referenced controls.
Implementation strategies
10 recommended strategies for this practice.
Create a free account or log in to view the implementation strategies.
Source: DoD CIO · https://dodcio.defense.gov/CMMC/