CM-2: Baseline Configuration

NIST Baseline:  Low 

DIR Required By:  07/20/2023 

Review Date:  06/26/2024 

  • The information resource owner, or designee shall develop, document, and maintain a current baseline configuration for information resources. 
  • Each type of platform or device can have its own baseline security configuration and maintenance protocols.  Custodians of information resources shall seek and implement recommended configurations (based on manufacturer recommendations or industry best practices) for securing the system platforms under their control. 
  • Baseline configurations must be reviewed and updated as appropriate when there are significant changes to information resources.   
  • Up-to-date security patches must be applied before an information resource is deployed. 
  • Information resource custodians shall ensure that vendor supplied security patches are routinely acquired, systematically tested prior to implementation where practical, and installed promptly. 
    • All security patches must be installed within 30 days of release. 
  • Information resource custodians shall remove unnecessary software, system services, and drivers where feasible. 
  • Information resource custodians shall remove or disable nonessential software, system services, ports, and protocols, where feasible.  
  • Information resource custodians shall enable recommended security features included in vendor-supplied systems including, but not limited to, firewalls, virus scanning and malicious code protections, and other file protections. 
  • Information resource custodians shall disable or change the password of default accounts before placing the resource on the network. 

References/Additional Resources

None.  See any applicable internal procedures.