CM.L2-3.4.1—System Baselining
Level 2
800-171: 3.4.1
Control Description
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your configuration management policy and governance structure?
- How do you develop and approve baseline configurations?
- Who is responsible for maintaining baseline configurations and system inventories?
- How often do you review and update baseline configurations?
- What is your process for managing configuration throughout the system lifecycle?
Technical Implementation:
- What configuration management tools maintain baseline configurations?
- How do you technically enforce baseline configurations on systems?
- What tools provide configuration drift detection?
- How are baseline configurations stored and version controlled?
- What inventory tools track hardware and software components?
- What automated scanning verifies systems match baseline configurations?
Evidence & Documentation:
- What baseline configuration documentation can you provide?
- What configuration management plan describes your CM processes?
- What change request records and approvals can you show?
- What configuration scanning reports show compliance with baselines?
- What asset inventory documentation lists all system components?
- What security configuration benchmarks are applied to systems?
- What evidence shows configuration changes are tracked and logged?