IBM Cloud Docs
CM-2 - Baseline Configuration

Control requirements

CM-2 - 0
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

Additional IBM Cloud for Financial Services specifications

  • Baseline configuration must include any APIs enabled in the production environment.

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

  • Check whether DevSecOps Toolchain collects software bills of materials (SBOM) to provide transparency in build artifacts
  • Check whether DevSecOps Toolchain deployment has approved change documentation including security impact analysis

NIST supplemental guidance

This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.