Quality, Expert-Derived Cybersecurity Documentation To Keep Organizations Secure, Compliant & Resilient - No AI Slop!
Secure Baseline Configurations (SBC)
$ 2,175.00 USD
The Secure Baseline Configurations (SBC) is a documentation solution to efficiently document what constitutes a "hardened" system in your organization by providing comprehensive hardened baseline configuration documentation to prove that your security is more than just a set of policies and standards. This is applicable to operating systems, applications and services.
Product Category:
Vulnerability & Patch Management
SKU:
P16-SBC
Availability:
Email Delivery Within 1-2 Business Days
ComplianceForge documentation is written to follow industry-recognized secure practices, but you are still expected to tailor the documentation to suit your organization's specific security, compliance & resilience requirements. By providing your company name and your logo (your logo is optional), we tailor the documentation to include this information.
How Do I Request A Quote?
To request a quote, select the "Request a Quote" button beside the "Add To Cart" button. This will direct you to a page where you can request a custom quote.
Can I Pay By Invoice?
Yes. To pay by invoice, add the product to your cart, go through the checkout process, and fill out your billing information. Once you get to the payment method, select "Offline Payment via Invoice / Purchase Order (PO)" and then select "Place Order."
Can I Pay By Wire / ACH?
Yes. To pay by Wire / ACH, you can request an invoice by following the instructions above. Once you have the invoice, it will contain the necessary info for you to finalize payment by Wire / ACH.
Secure Baseline Configurations (SBC)
  • Cybersecurity-focused to implement a program-level secure baseline configuration governance function.
  • Holistic approach to govern secure baseline configurations for all technology platforms in use.
  • Leverages industry-recognized hardening practices from DISA, CIS & OEM sources.
  • Immense time & cost savings - enables subject matter experts to fill in the details that only they know.
Product Overview

Don't Write It From Scratch.

When an auditor asks for your documented secure baseline configurations, can you produce hardening standards for every platform you run, not just Windows? Most teams harden the obvious operating systems and leave applications, network gear, mobile, VoIP, and OT undocumented, which is exactly where audit findings and breaches start. Building hardening standards for every platform from a blank page is a massive lift, and no single source like CIS or DISA covers all of it. The Secure Baseline Configurations (SBC) gives you a running start: an editable, program-level framework that consolidates hardening guidance from CIS Benchmarks, DISA STIGs, and OEM recommendations across your technology platforms. It gets you roughly 80 to 90 percent of the way there, then your team tailors the baselines to the specific systems in use.

Many IT and cyber professionals mistakenly focus only on hardening the operating system (e.g., Windows 10) and fail to document all the technology platforms that require secure configurations (e.g., applications, HVAC systems, mobile devices, VoIP, etc.). The SBC does not re-invent the wheel, but leverages leading practices such as CIS Benchmarks and DISA STIGs. Unless it is a small organization with just a few laptops and a server, it is not feasible to say "we harden everything according to CIS Benchmarks", since CIS does not provide complete coverage for all technology platforms, and the same weakness applies to the DISA STIGs. This is where the Secure Baseline Configurations (SBC) brings together a variety of options for hardening and creating technical security standards that include CIS, DISA, OEM recommendations and more!

How do you know if the SBC is right for you? The following are common statutory, regulatory and contractual requirements that expect "secure configurations" or "system hardening" for an organization's technology assets. If your organization is in scope for any of these, you should buy the SBC:

  • AICPA Trust Services Principles (TSP) SOC2 – CC7.1 & CC8.1
  • Center for Internet Security Critical Security Controls (CIS CSC) – 5.1, 5.2, 5.3, 5.5, 6.2, 8.3, 8.4, 8.5, 8.6, 9.1, 9.2, 11.1, 14.8, 15.6, 15.7, 15.8 & 15.9
  • COBIT 5 - BAI10.02
  • Cloud Security Alliance Cloud Controls Matrix (CSA CCM) – GRM-01 & IVS-07
  • ISO 27002 – 14.1.1
  • Motion Picture Association of America (MPAA) Content Security Program – DS-1.5, DS-1.12, DS-3.3, DS-3.5, DS-3.7, DS-3.8, DS-6.5, DS-6.9, DS-6.10, DS-7.3 & DS-7.8
  • NIST 800-37 - I-2
  • NIST 800-53 / FedRAMP - CM-2, CM-6 & SA-8
  • NIST 800-160 - 3.4.7 & 3.4.8
  • NIST 800-171 – 3.4.1 & 3.4.2
  • NIST Cybersecurity Framework – PR.IP-1 & PR.IP-3
  • Payment Card Industry Data Security Standard (PCI DSS) – 1.1, 1.1.1 & 2.2-2.2.4
  • National Industry Security Program Operating Manual (NISPOM) – 8-202, 8-311 & 8-610
  • Criminal Justice Information Services (CJIS) Security Policy – 5.7.1, 5.7.1.1, 5.7.2 & 5.13.4
  • Cloud Computing Compliance Controls Catalog (C5) – RB-22

The SBC does not re-invent the wheel. It leverages established leading practices such as CIS Benchmarks and DISA STIGs to define the hardening baseline. Unless an organization is small enough to have just a few laptops and a server, it is not feasible to claim "we harden everything according to CIS Benchmarks" without a documented framework that defines which baselines apply to which technology platforms and how exceptions are managed.

Product Details

What Is The SBC?

The SBC is an editable Microsoft Word document that gives an organization the structured framework to document what constitutes a hardened system across every technology platform it operates. Where most cybersecurity documentation describes what hardening policy should require, the SBC describes how to actually document the approved hardening baseline for each platform, how to handle deviations from industry-recognized baselines, and how to maintain the documentation as new platforms are introduced.

The SBC addresses a common control to reduce risk: the need to ensure that systems, applications and services are hardened according to recommended practices.

The SBC provides a way to efficiently manage all of these common technology platforms to document and educate system/network admins and other system integrators about what "secure configurations" and "cybersecurity baselines" are at your organization:

Server-class systems
  • Microsoft
  • Linux
  • Unix
  • Other
Workstation-class systems
  • Microsoft
  • Apple
  • Linux
Network devices
  • Firewalls
  • Routers
  • Wireless Access Points (WAPs) & controllers
  • Multi-Function Devices (MFDs)
  • Voice & Video over Internet Protocol (VVoIP)
Mobile devices
  • Apple
  • Google
  • Windows
Databases
  • Microsoft SQL
  • MySQL
  • Oracle
  • PostgreSQL
  • IBM DB2
  • MongoDB
Major applications
  • Microsoft Active Directory (AD)
  • Microsoft Exchange
  • Microsoft SharePoint
  • Microsoft Internet Information Services (IIS)
  • Domain Naming Services (DNS)
  • Apache Tomcat
  • Apache HTTP server
  • VMware
  • Centralized log management (e.g., SIEM)
  • Intrusion Detection / Prevention Systems (IDS/IPS)
Minor applications
  • Microsoft Office
  • Microsoft Internet Explorer (IE)
  • Google Chrome
  • Mozilla Firefox
  • Apple Safari
  • Adobe
  • AJAX
  • .NET
  • WordPress
Cloud-based applications
  • Microsoft Office 365
  • Microsoft Azure
  • Amazon Web Services (AWS)
  • Google Cloud Computing
  • Docker
  • Kubernetes
Embedded technology
  • Microsoft Windows-based devices
  • Heating, Ventilation & Air Conditioning (HVAC)
  • Physical Access Control (PAC)
  • Video surveillance
  • Burglar / fire alarm systems
How It's Delivered

No Software To Install

The SBC is a one-time purchase of editable Microsoft Word-based documentation templates. There is no software to install, no agent to deploy, no account to provision, and no cloud environment to configure. If the organization can open and edit Microsoft Word files, the SBC is ready to use.

Microsoft Word

Delivered as a fully editable .docx file. Compatible with Word 2016 and newer, Microsoft 365, OpenOffice, LibreOffice, and Google Docs. The SBC includes built-in styles, tables, and configuration sections that are ready for customization.

Email Delivery

Documentation is delivered via email download link within 1-2 business days of purchase, often the same business day. There is no installer, no license server, and no activation step.

One-Time Purchase

A single-entity license is included with purchase. There is no recurring subscription requirement, although an optional update subscription is available to stay current as frameworks and hardening baselines evolve.

This deployment model is intentional. Hardening documentation belongs in the organization's own hands, inside its own version control and document management systems, rather than locked inside a vendor's SaaS tool. Once delivered, this product belongs to the buyer.

The Problem

What Problems Does The SBC Solve?

Lack of In House Security Experience

Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at, and they avoid the task at all costs. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The CVT is an efficient method to obtain comprehensive system hardening documentation.

Compliance Requirements

There are numerous requirements (several listed at the top of this page) that require secure configurations to be developed and implemented. The SBC is designed with compliance in mind, since it focuses on leading "best practices" for securing systems, applications and services to address reasonably-expected security requirements for hardening.  

Audit Failures

A lack of documented secure hardening requirements is a common audit failure. The SBC covers a wide array of common technologies that can both make an organization secure and compliant.

Vendor Requirements

It is very common for clients and partners to request evidence of a security program, including secure configurations. The SBC provides this evidence!

The Solution

How Does The SBC Solve These Problems?

Clear Documentation

The SBC provides comprehensive hardened baseline configuration documentation to prove that your security is more than just a set of policies and standards.

Time Savings

The SBC can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.

Alignment With Leading Practices

The SBC is written to align your organization with CIS Benchmarks, DISA STIGs and more!

What You Get

What Is Included?

The SBC is delivered as an editable Microsoft Word document. Purchase includes a single-entity license and the first year of product updates. The package contains the framework for documenting approved hardening baselines, deviation guidance, and framework mapping content.

SBC Document

Editable Microsoft Word document covering the hardening baseline for operating systems, applications, network equipment, mobile devices, and infrastructure to document and educate system/network admins and other system integrators about what "secure configurations" and "cybersecurity baselines" are at your organization.

Supplemental Documentation

Along with the core SBC document, the package includes diagrams and graphics.

Beyond Operating Systems

Most hardening documentation stops at the operating system. The SBC is different: it extends the hardening discipline to applications, network equipment, mobile devices, and even non-traditional IT systems such as HVAC controllers and VoIP. This broader coverage is exactly where audit findings and gaps tend to surface, so the SBC fills the missing layer between OS-level hardening and a defensible enterprise hardening program.

Your ROI

Cost Savings Estimate

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the SBC from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

Internal Staff Cost

For your internal staff to generate comparable documentation, it would take them an estimated 100 internal staff work hours, which equates to a cost of approximately $7,500 in staff-related expenses. This is about 2 to 4 months of development time where your senior cybersecurity and operations staff would be diverted from operational duties.

The SBC is approximately 22% of the cost for your internal staff to generate equivalent documentation.

External Consultant Cost

If you hire a consultant to generate this documentation, it would take them an estimated 60 consultant work hours, which equates to a cost of approximately $17,000. This is about 1 to 2 months of development time for a contractor to provide you with the deliverable.

The SBC is approximately 11% of the cost for an external consultant to generate equivalent documentation.

See It First

Product Examples

The SBC is built to be evaluated before purchase. The PDF example below shows representative content from the SBC, including the structured hardening framework, the references to CIS Benchmarks and DISA STIGs, and the deviation and exception process used by asset owners and asset custodians.

Coverage spans operating systems, applications, network equipment, mobile devices, and non-traditional IT systems such as HVAC and VoIP, regardless of whether the organization's primary framework is NIST, ISO, SCF, or another framework.

Policies & Standards

Below is a PDF example containing a sample of the policies & standards you would receive upon purchasing the SBC.

Your Effort

How Much Customization Remains?

Given the difficult nature of writing templated hardening documentation, ComplianceForge aims for approximately an 80% solution because it is impossible to write a 100% cookie-cutter document that can be equally applied across every organization. Hardening depends on the specific technology platforms in use, the business requirements, the regulatory environment, and the existing operational practices, so the remaining work is fine-tuning the SBC with the specific information that only the organization knows.

In practice, customization is filling in the blanks and following the guidance provided to identify the who, what, when, where, why, and how for the specific organization. Typical customization tasks include adding the company name and logo, naming actual role owners (asset owners, asset custodians, cybersecurity, operations), selecting the specific CIS Benchmarks and DISA STIGs that apply to the organization's technology stack, documenting approved deviations, and integrating the SBC with existing change management and configuration management workflows.

Need A Hand?

Professional Services

ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at:

We offer the following professional service bundles:

5-Hour Bundle

This includes five (5) hours of professional services, which may be beneficial for companies that need some guidance on getting started with how to tailor their documentation.

10-Hour Bundle

This includes ten (10) hours of professional services, which may be beneficial for companies that need additional guidance on tailoring their documentation to meet their compliance requirements.

20-Hour Bundle

This includes twenty (20) hours of professional services, which may be beneficial for companies that need robust services, beyond just 10 hours, to assist in tailoring their documentation to meet their compliance requirements.

Important Details About Professional Services

Purchased professional service hours expire 120 days (4 months) from the time of purchase if unused. Hours are intended to supplement, not replace, your own customization work, since only your organization knows the exact details to tailor your documentation. For questions regarding scoping a professional services engagement or configuring a custom package, contact ComplianceForge directly through the Contact Us page.

Risk Drivers

Why Hardening Matters

Documented secure configurations have become a baseline expectation across regulatory, contractual, insurance, and customer due-diligence contexts. NIST 800-53, NIST 800-171, PCI DSS, HIPAA, FedRAMP, CMMC, ISO 27002, and SOC 2 all expect organizations to define and document hardening baselines for the systems they operate. Cyber insurance underwriters increasingly require evidence of documented secure configurations as a precondition for coverage. Customer due-diligence reviews routinely include questions about hardening baselines and exception management.

Without documented secure configurations, organizations face audit findings, lost contracts, denied insurance claims, and the operational reality that hardening decisions are made informally by individual administrators with no defensible documentation trail. The SBC provides the documented hardening baseline that makes secure configurations demonstrable to auditors, regulators, customers, and insurers as one defensible program rather than a collection of disconnected administrator decisions.

Testimonials

What Are Some Of Our Testimonials?

Excellent Starting Point
ComplianceForge's SCF-based policy documentation offers consolidated coverage of security and privacy controls requirements in a single, cohesive package. Because it's built on the Secure Controls Framework, a metaframework that tracks security and privacy standards globally and releases quarterly updates, it gives organizations confidence that their documentation stays current as requirements evolve. For any organization standing up a security and privacy program from scratch, it provides an excellent starting point.
Would You Like To Share Your Experiences?
If you are satisfied with your product and would like to leave a review, please fill out our testimonial form and share your experiences with our documentation! We enjoy hearing from satisfied customers, and we are always open to constructive feedback so that we can continue improving our products.