Secure Controls Framework

What is a configuration baseline?

Direct Answer

A configuration baseline is the formally approved configuration state of a system at a specific point in time. It is the reference point against which all future changes are measured, which makes it a change management construct first and a security construct second. Commonly used hardening standards that organizations adopt as the starting point for a configuration baseline include:

  • DISA Security Technical Implementation Guides (STIGs);
  • CIS Benchmarks; and
  • OEM security recommendations.

The difference between a configuration baseline and a security baseline is worth clarifying. A security baseline defines the minimum security settings that must be present. A configuration baseline records the approved state of a specific system: what exists, when it was approved and who authorized it. The two work in tandem: the security baseline sets the requirements; the configuration baseline records the approved state that is supposed to satisfy them, and comparing the two shows whether the requirements are actually met.

In change management terms, every authorized change to a system (a patch, a new application, a configuration update) should produce a new approved baseline version. The CMDB (Configuration Management Database) or equivalent system tracks this version history. Drift detection tools compare live system state against the last approved baseline and flag deviations for investigation or remediation; a deviation that is covered by a documented, unexpired exception is an approved variance, while anything else is unauthorized drift.

Compliance frameworks treat this discipline seriously. NIST SP 800-53 CM-2 (Baseline Configuration) requires organizations to develop, document and maintain a current baseline configuration for each system. CM-3 (Configuration Change Control) requires that changes go through formal change control. Auditors will ask to see both the approved baseline and evidence that deviations were identified and resolved. A system operating outside its approved baseline without a documented exception is an audit finding.
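Added example (not the Secure Controls Framework's own code or tooling): a small Python model of the relationship described above, with a security baseline of minimum requirements, a versioned configuration baseline history carrying approver and change ticket, a documented exception with an expiry date, and a drift check that compares collected live state against the last approved version. The setting names, version history, ticket numbers, exception and live state are all constructed for illustration and do not map to any real STIG or CIS Benchmark item; in practice the live state would come from a configuration collector and the history from the CMDB.

```python
"""Configuration baseline vs. security baseline, with drift detection.

Everything below (settings, history, tickets, exception, live state) is
constructed for illustration; names do not map to any real STIG/CIS item.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BaselineVersion:
    """One approved configuration baseline: settings plus who approved them and when."""
    version: int
    approved_on: date
    approved_by: str
    change_ticket: str      # hypothetical change-control reference
    settings: dict          # setting name -> approved value, as a collector reports it


# Security baseline: minimum settings that MUST be present.
# A rule is ("eq", value) for an exact value or ("ge", n) for a numeric floor.
SECURITY_BASELINE = {
    "ssh.PermitRootLogin": ("eq", "no"),
    "ssh.PasswordAuthentication": ("eq", "no"),
    "audit.enabled": ("eq", "yes"),
    "password.min_length": ("ge", 14),
}

# Configuration baseline history for one host, oldest first (what a CMDB records).
APPROVED_HISTORY = [
    BaselineVersion(1, date(2024, 1, 10), "j.doe", "CHG-0001", {
        "ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
        "audit.enabled": "yes", "password.min_length": "12",
        "ntp.server": "time.example.internal"}),
    BaselineVersion(2, date(2024, 3, 2), "a.smith", "CHG-0042", {
        "ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
        "audit.enabled": "yes", "password.min_length": "14",
        "ntp.server": "time.example.internal"}),
]

# Documented exceptions: setting -> (approved deviating value, expiry date).
EXCEPTIONS = {"password.min_length": ("12", date(2025, 12, 31))}

# Live state as a collector would report it (constructed).
LIVE_STATE = {
    "ssh.PermitRootLogin": "yes",          # changed outside change control
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "password.min_length": "12",           # deviates, but an exception exists
    "ntp.server": "time.example.internal",
    "telnet.enabled": "yes",               # not tracked in the baseline at all
}


def _meets(rule, value):
    """Evaluate one security-baseline rule against a collected string value."""
    op, expected = rule
    if value is None:
        return False
    if op == "eq":
        return value == expected
    if op == "ge":
        return value.isdigit() and int(value) >= expected
    raise ValueError(f"unknown rule operator {op!r}")


def current_baseline(history):
    """The last approved version is the reference point for drift detection."""
    return max(history, key=lambda b: b.version)


def security_gaps(settings, security_baseline=SECURITY_BASELINE):
    """Settings in a proposed or approved baseline that fail the security baseline.
    Run this before approving a new version so the two baselines stay in tandem."""
    return sorted(name for name, rule in security_baseline.items()
                  if not _meets(rule, settings.get(name)))


def detect_drift(live, baseline, exceptions, as_of):
    """Compare live state to the approved baseline; one finding per deviation."""
    findings = []
    for name, approved in baseline.settings.items():
        observed = live.get(name)
        if observed == approved:
            continue
        exc = exceptions.get(name)
        if exc is not None and exc[0] == observed:
            status = "excepted" if as_of <= exc[1] else "unauthorized (exception expired)"
        elif observed is None:
            status = "unauthorized (setting missing)"
        else:
            status = "unauthorized"
        findings.append({"setting": name, "approved": approved,
                         "observed": observed, "status": status})
    # Settings present on the host but absent from the baseline are unmanaged:
    # not drift in the strict sense, but they need to be brought under control.
    for name in sorted(set(live) - set(baseline.settings)):
        findings.append({"setting": name, "approved": None,
                         "observed": live[name], "status": "unmanaged"})
    return findings


def needs_investigation(findings):
    """Findings that must be remediated or receive a documented exception."""
    return [f for f in findings if f["status"].startswith("unauthorized")]


if __name__ == "__main__":
    base = current_baseline(APPROVED_HISTORY)
    print(f"baseline v{base.version}, approved {base.approved_on} by "
          f"{base.approved_by} ({base.change_ticket})")
    print("security gaps in v1:", security_gaps(APPROVED_HISTORY[0].settings))
    for f in detect_drift(LIVE_STATE, base, EXCEPTIONS, date(2025, 6, 1)):
        print(f"  {f['setting']}: approved={f['approved']} "
              f"observed={f['observed']} -> {f['status']}")
```

Two design points matter for the audit conversation above. First, `security_gaps` is run against a baseline version, not against live state: it is the gate that stops a non-compliant configuration from being approved in the first place. Second, exceptions carry an expiry and a specific approved value, so the same host passes a drift check in mid-2025 and fails it in 2026 once the exception lapses, which is exactly the "documented exception" evidence an auditor asks for.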

Organizations without formal configuration baselines typically discover the gap during assessments, when they cannot demonstrate what their systems were configured to do and when that configuration was last reviewed and approved.