PL-10—Baseline Selection
>Control Description
>FedRAMP Baseline Requirements
Additional Requirements and Guidance
PL-10 Requirement: Select the appropriate FedRAMP Baseline
>Discussion
Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals' privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11).
Federal control baselines are provided in SP 800-53B. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
For example, the control baselines in SP 800-53B are based on the requirements of FISMA and the Privacy Act of 1974 (PRIVACT). Those requirements, together with the NIST standards and guidelines that implement the legislation, direct organizations to select one of the control baselines after reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization's operations and assets, individuals, other organizations, or the Nation; and considering the results of system and organizational risk assessments. CNSSI 1253 provides guidance on control baselines for national security systems.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- How does the organization determine which FedRAMP baseline (Low, Moderate, or High) applies to the system, and who approves that selection?
- How are the information types processed, stored, and transmitted by the system identified, and how is the potential adverse impact of their loss or compromise analyzed before a baseline is selected?
- How are mission and business requirements, and the mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, factored into the selection?
- How are the results of system and organizational risk assessments considered in the selection?
- When is the baseline selection revisited (for example, when the system's information types, boundary, or mission changes), and how is the revised decision documented and re-approved?
Technical Implementation:
- Where is the selected baseline recorded (for example, in the System Security Plan), and how is it kept consistent with the set of controls actually implemented and assessed?
- How does the organization track which controls come from the selected baseline and which were added, removed, or otherwise tailored (see PL-11)?
- What tools or documentation templates are used to maintain the control set derived from the baseline and to keep it aligned with the current SP 800-53B and FedRAMP baselines?
Evidence & Documentation:
- Provide the documented baseline selection decision, including the impact analysis that supports it.
- Provide evidence of stakeholder review and approval of the selected baseline.
- Provide the system and organizational risk assessment results considered in the selection.
- Provide documentation showing that the selected baseline's controls are reflected in the system's control set, along with any tailoring decisions made against the baseline.
- Provide records of any re-evaluation of the baseline selection following significant system changes.