PL-10 Baseline Selection

Description

Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in SP 800-53B. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in SP 800-53B are based on the requirements from FISMA [PDF] and PRIVACT [PDF]. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. CNSSI 1253 [PDF] provides guidance on control baselines for national security systems.

Applicability

The information resource owner, or designee, is responsible for ensuring that all requirements of this Control are satisfied.

Implementation

  1. The default baseline for an information system shall be the controls contained in the Security Controls Catalog.
  2. The agency head may employ standards for the cost-effective information security of information, information resources, and applications within or under the supervision of that state agency that are more stringent than the standards the department prescribes under this section if the more stringent standards:
    1. contain at least the applicable standards issued by the department; and/or
    2. are consistent with applicable federal law, policies, and guidelines issued under state rule, industry standards, best practices, or deemed necessary to adequately protect the information held by the state agency.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019

Chief Information Security and Privacy Officer

Submit a Ticket

News

See All News

Events

See All Events