Episode 97 — Spotlight: Baseline Configuration (CM-2)
Baseline Configuration (CM-2) establishes the approved, secure starting point for systems and components, defining the specific settings, versions, and controls that must be present before operation. For the exam, recognize that a baseline is not a generic hardening guide; it is a tailored, version-controlled specification mapped to risk tolerance, mission needs, and technology stack. CM-2 requires baselines for operating systems, network devices, applications, and cloud services, including parameters such as encryption requirements, logging levels, and service enablement. The purpose is to reduce variability, prevent configuration drift, and provide a reference against which all changes are measured. Baselines must be documented with enough detail to be reproducible, testable, and auditable, and they must reference inherited controls from providers where applicable to avoid redundant or conflicting settings.
In practice, CM-2 succeeds when baselines live in code and repositories rather than static documents. Infrastructure as code, golden images, and template policies allow rapid, consistent deployment, while automated scans compare running configurations to the approved baseline and report deviations. Governance connects CM-2 to change control (CM-3), so any baseline update follows review and approval workflows and is rolled out with evidence of validation. Metrics track baseline coverage across assets, deviation counts by severity, mean time to remediate drift, and percentage of systems built from approved images. Common pitfalls include stale baselines that lag vendor guidance, one-off exceptions that become shadow standards, and incomplete mappings between baseline items and NIST 800-53 control objectives. When CM-2 is implemented as an engineering practice with clear ownership and telemetry, it provides predictability and accelerates both compliance and incident response.
Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
