Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration.  Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location.  [SP 800-28] provides guidance on security-focused configuration management.   

Priority: High   

Category Baseline Security Configurations 

Services Associated with AWS:   

  • AWS Config
  • AWS Config, AWS Systems Manager Inventory
  • AWS Config, AWS Systems Manager

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settingsTechnical: screenshot of ITAM console 

Possible Technology Considerations : 

  • Secure Baseline Configurations (SBC)
  • Configuration Management Database (CMDB) 

What needs to be answered :  

Are baseline configurations developed, documented, and maintained for each information system type? Do baseline configurations include software versions and patch level, configuration parameters, network information including topologies, and communications with connected systems? Are deviations from baseline configurations documented and tested to be secure? 

  • Establish and Maintain Baseline Configurations
    Description: This check ensures that organizations establish and maintain baseline configurations of their systems throughout the system development life cycles. Baseline configurations serve as the documented, reviewed, and agreed-upon specifications for system components, software, firmware, and documentation. They include information about hardware and software components, network topology, and system architecture. Organizations create new baselines as systems change and update them based on security risks and deviations from the established configurations.
  • Maintain System Component Inventories
    Description: This check verifies that organizations maintain inventories of system components, including hardware, software, and firmware. The inventories include relevant information such as manufacturer, device type, model, serial number, physical location, software version numbers, and software license information. By maintaining accurate inventories, organizations can effectively manage and account for system components and ensure proper accountability.
  • Conduct Regular Reviews and Updates of Baseline Configurations
    Description: This check emphasizes the importance of conducting regular reviews and updates of baseline configurations. Organizations review and update the baseline configurations when changes occur in the systems based on security risks and deviations from the established baselines. Regular reviews ensure that baseline configurations remain accurate and up to date, reflecting the current state of the systems and their components.

More Details:   

Monitoring support software collects inventory of hardware and software for all devices on company network.