
CM-2 Baseline Configuration

Applicable baselines: LI-SaaS, Low, Moderate, High

>Control Description

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and

b. Review and update the baseline configuration of the system:

  1. organization-defined frequency;
  2. When required due to organization-defined circumstances; and
  3. When system components are installed or upgraded.

>FedRAMP Baseline Requirements

Parameter Values

CM-2 (b) (1): at least annually and when a significant change occurs

Additional Requirements and Guidance

CM-2 (b) (1) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

>Discussion

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture.

Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

>Cross-Framework Mappings

>Programmatic Queries

Related Services

AWS Config
Systems Manager
Service Catalog

CLI Commands

  • List Config rules:
    aws configservice describe-config-rules
  • Check compliance status:
    aws configservice describe-compliance-by-config-rule
  • Get resource configuration history:
    aws configservice get-resource-config-history --resource-type AWS::EC2::Instance --resource-id INSTANCE_ID
  • List SSM documents (baselines):
    aws ssm list-documents --filters 'Key=DocumentType,Values=Policy'
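As an added example (not code from this page or from AWS), the following Python turns the JSON returned by the two Config commands above into the evidence a CM-2 (b) review needs: whether a resource's latest recorded configuration still matches the documented baseline, and which Config rules currently report NON_COMPLIANT. The sample outputs, baseline values and resource id are constructed; the field names follow the AWS Config configuration-item and compliance output shapes, which is an assumption to verify against your own CLI output.

```python
import json

# Constructed sample, abridged from the JSON shape returned by
#   aws configservice get-resource-config-history --resource-type AWS::EC2::Instance --resource-id INSTANCE_ID
# Only the fields read below are kept; "configuration" is a JSON string in the CLI output.
SAMPLE_HISTORY = json.dumps({"configurationItems": [
    {"configurationItemCaptureTime": "2024-03-01T10:00:00Z", "resourceId": "i-0example",
     "configuration": json.dumps({"instanceType": "t3.medium", "imageId": "ami-0baseline",
                                  "securityGroups": [{"groupId": "sg-web"}], "ebsOptimized": True})},
    {"configurationItemCaptureTime": "2024-01-15T09:00:00Z", "resourceId": "i-0example",
     "configuration": json.dumps({"instanceType": "t3.small", "imageId": "ami-0baseline",
                                  "securityGroups": [{"groupId": "sg-web"}], "ebsOptimized": True})},
]})
# Constructed sample, abridged from the shape of aws configservice describe-compliance-by-config-rule.
SAMPLE_COMPLIANCE = json.dumps({"ComplianceByConfigRules": [
    {"ConfigRuleName": "approved-amis-by-id", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "required-tags", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
]})
# Approved baseline for this configuration item (constructed). It comes from the documented
# baseline held under configuration control, never from the live resource being checked.
BASELINE = {"instanceType": "t3.small", "imageId": "ami-0baseline",
            "securityGroups": [{"groupId": "sg-web"}], "ebsOptimized": True}
TRACKED = ["instanceType", "imageId", "securityGroups", "ebsOptimized"]

def latest_configuration(history_json):
    """Return (configuration dict, capture time) of the newest configuration item.
    Selecting by capture time keeps the result independent of the order Config returns items in."""
    items = json.loads(history_json)["configurationItems"]
    newest = max(items, key=lambda ci: ci["configurationItemCaptureTime"])
    return json.loads(newest["configuration"]), newest["configurationItemCaptureTime"]

def baseline_drift(baseline, current, tracked):
    """Map each tracked attribute that differs from the baseline to (baseline_value, current_value).
    An attribute missing from the current configuration counts as drift, not as a match."""
    return {k: (baseline.get(k), current.get(k)) for k in tracked if baseline.get(k) != current.get(k)}

def drift_report(history_json, baseline, tracked):
    """Evidence record for a CM-2 review: what was captured, when, and how it differs from baseline."""
    current, captured = latest_configuration(history_json)
    drift = baseline_drift(baseline, current, tracked)
    return {"captured": captured, "status": "DRIFT" if drift else "BASELINE_MATCH", "drift": drift}

def noncompliant_rules(compliance_json):
    """Names of Config rules currently reporting NON_COMPLIANT, for the same review."""
    rules = json.loads(compliance_json)["ComplianceByConfigRules"]
    return sorted(r["ConfigRuleName"] for r in rules if r["Compliance"]["ComplianceType"] == "NON_COMPLIANT")

if __name__ == "__main__":
    print(json.dumps(drift_report(SAMPLE_HISTORY, BASELINE, TRACKED), indent=2))
    print("non-compliant rules:", noncompliant_rules(SAMPLE_COMPLIANCE))
```

Any attribute the report lists under "drift" is either an approved change that needs a new baseline (b.3) or an unapproved one to investigate; a BASELINE_MATCH record dated from the review itself is the artifact to retain for the annual check.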

>Relevant Technologies

Technology-specific guidance with authoritative sources and verification commands.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-2 (Baseline Configuration)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-2?
  • How frequently is the CM-2 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-2?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-2 requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-2?
  • How is CM-2 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-2 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-2?
  • What audit logs, records, reports, or monitoring data validate CM-2 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-2 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-2 compliance?
