What is CM-2 Baseline Configuration in NIST 800-53?

CM-2 is about having a known and approved state of your system that you can reference at any time. I describe it as a stable, consistent reference point for the system or project—your “this is what approved looks like.” It becomes the basis for managing changes and for configuration audits to verify the real system matches the approved baseline.

Is CM-2 required for Low, Moderate, and High baselines?

Yes—CM-2 is selected across all three baselines: Low, Moderate, and High. I call that out because it tells you right away this control is foundational. No matter the impact level, you’re expected to have baseline configuration under control.

How often do you have to review and update a baseline configuration?

The frequency is organization-defined, meaning you choose what makes sense for your environment. I say it directly: yearly, every two years—however you decide, that’s your discretion. The key is you define it and you actually follow it.

What events should trigger a baseline configuration update?

Any major change that affects the system should trigger a review and update. In the video I give examples like major upgrades, changing your source code repository (GitLab to GitHub, Azure DevOps to something else), and installing or upgrading system components. If the system changes, the baseline needs to reflect that current enterprise architecture.

What documentation should I check when assessing CM-2?

I start with the configuration management policy and procedures (the CM-1 “dash one” controls), because that tells you how the control is designed. Then I check the SSP implementation statements for discrepancies, and I also look for a configuration management plan if the org has one. After that, I want to see the documented baseline configuration settings themselves.

How do auditors test CM-2 Baseline Configuration during an assessment?

I validate that baselines are created and updated according to the defined frequency and circumstances. Then I look at the source code repository (GitHub, GitLab, Azure DevOps) and have admins/devs walk me through version history, commits, and who reviews changes before they’re committed. Finally, I confirm production is actually running the documented baseline version.

Why is retaining previous baseline configurations important?

Because you need the ability to roll back if something goes wrong with the latest release. I explain it like release 1.0, 1.1, 1.3—you don’t delete the older ones. Keeping prior baselines supports recordkeeping and makes recovery practical when changes introduce issues.

Episode 2 BASELINE CONFIGURATION (CM-2)

Name: Episode 2 BASELINE CONFIGURATION (CM-2)
Uploaded: 2023-11-29 00:15:00
Duration: 13 min 47 s

🛍️ Products Mentioned (4)

In this second episode of the NIST SP 800-53 Security Control explanations for CM. We reviewed the CM-2 Baseline Configuration as well as looking at simplifying what the control requirements are all about and how best to assess/test this control. Computer Security Resource Center https://csrc.nist.gov/publications The free way to help the channel grow is by subscribing using the link below: https://www.youtube.com/c/KamilSec?su... *************Patreon & Channel Support******************* https://www.patreon.com/kamilSec?fan_landing=true ********Order your KamilSec (KS) Designs Merch:********** https://kamilsec.creator-spring.com/ ************************************************************** CashApp: $Kamilzak Zelle: kaamilzak@gmail.com Paypal: https://paypal.me/MZakari Thank You!!! ************************************************************* **I ALSO CONDUCT INDIVIDUALIZED RESUME AND INTERVIEW PREP SESSION** ****Connect with me on Social Media***: Twitter: https://twitter.com/Kamilzak_1 Instagram: @Kamilzak1 E-Mail: Kaamilzak@gmail.com

About This Video

In Episode 2 of my Configuration Management series, I break down NIST SP 800-53 CM-2: Baseline Configuration. I explain baseline configuration in plain terms: it’s your stable, approved reference point for what the system is supposed to look like—components, settings, and how it’s put together. And it matters because baselines are what you use to manage change, support configuration audits, and keep compliance, quality assurance, and risk management grounded in something real. I also walk through the CM-2 control requirements in Rev. 5: develop, document, and maintain the current baseline under configuration control, then review and update it on an organization-defined frequency, when certain circumstances require it (like major upgrades or moving repositories), and when components are installed or upgraded. I touch on the discussion points (connectivity, operational/communication aspects, topology, logical placement) and the enhancements—like automation support, retention of previous configurations for rollback, separating dev/test from operational baselines, and configuring for high-risk areas. Finally, I give you my assessment/testing approach: start with policy and procedures (CM-1), then the SSP implementation statements, then any configuration management plan, and the documented baseline settings. From there, I validate the baseline in the repo (GitHub/GitLab/Azure DevOps), do walkthroughs with admins/devs, review version history and approvals, and confirm production is actually running the documented version.

Episode 2 BASELINE CONFIGURATION (CM-2)

🛍️ Products Mentioned (4)

Official NIST publications, standards, and guidance

Official KamilSec branded designs and apparel

PayPal

*Patreon & Channel Support*******

About This Video

Frequently Asked Questions

🎬 More from KamilSec