CCI-000297

Review and update the baseline configuration of the system when required due to organization-defined circumstances.

Implementation Guidance

Determine if the baseline configuration of the system is reviewed and updated when required due to [CM-02_ODP[02]; the circumstances requiring baseline configuration review and update are defined].

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the system; configuration management plan; enterprise architecture documentation; system design documentation; system security plan; privacy plan; system architecture and configuration documentation; system configuration settings and associated documentation; system component inventory; change control records; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with configuration management responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. Test: [SELECT FROM: Organizational processes for managing baseline configurations; mechanisms supporting configuration control of the baseline configuration].

The controls below (if any) were marked by NIST as being related to CCI-000297.