CM-2 Baseline Configuration

Description

This Control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems.

Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems.

Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture.

Maintaining baseline configurations requires creating new baselines as organizational information systems change over time.

Baseline configurations of information systems reflect the current enterprise architecture.

Applicability

The intended audience includes information resource owners and custodians; and pertains to information resources considered moderate or high impact.

Implementation

TAMU-CC shall

  1. Develop, document, and maintain under configuration control, a current baseline configuration of the information system.
  2. Ensure all servers on System-owned or -managed networks conform to a baseline security configuration and are security-hardened based on risk. The Primary Custodian of an information resource shall develop, document, and maintain a current baseline configuration of the information resource.
  3. Detail the listing of supported operating systems for servers and workstations. Unsupported operating systems shall have an exception on file with a targeted remediation date and mitigating controls sufficient to reduce the risk to an acceptable level.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019

Chief Information Security and Privacy Officer

Submit a Ticket

News

See All News

Events

See All Events