What is a security baseline?
A “security baseline” is commonly known as a secure baseline configuration: a set of specifications for a system, or for a Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time and that can be changed only through change control procedures. A secure baseline configuration is used as the basis for future builds, releases, and/or changes (e.g., the approved Windows 11 build for an organization).
Secure baseline configurations:
- Serve as the basis for implementing consistent security controls;
- Implement recommendations from CIS benchmarks, DISA STIGs, or vendor hardening guides;
- Require exceptions and deviations to undergo formal change controls; and
- Enable meaningful monitoring (configuration-drift detection) by comparing live systems against the baseline configuration.
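The last two points together describe a check a practitioner can automate: compare a host's observed settings to the baseline and report every deviation, while distinguishing deviations that went through change control from those that did not. The example below is added here and is not code from the original page; the baseline settings, the host names, the observed values and the change ticket ID `CHG-0042` are all constructed for illustration, not taken from any real benchmark.

```python
"""Drift check: compare an observed host configuration against a secure baseline.

Added example; baseline keys/values, host names and ticket IDs are constructed."""
from dataclasses import dataclass, field

# Constructed baseline: setting -> required value (the kind of item a CIS
# benchmark, DISA STIG or vendor hardening guide would specify).
BASELINE = {
    "PasswordMinimumLength": 14,
    "AccountLockoutThreshold": 5,
    "SMBv1Enabled": False,
    "RDPNetworkLevelAuth": True,
    "AuditLogonEvents": "Success,Failure",
}

# Constructed change-control record: (host, setting) -> approved change ticket.
APPROVED_EXCEPTIONS = {
    ("legacy-scan01", "SMBv1Enabled"): "CHG-0042",  # hypothetical ticket ID
}

# Constructed snapshot of what a collector reported for one host.
OBSERVED_LEGACY = {
    "PasswordMinimumLength": 14,
    "AccountLockoutThreshold": 10,   # drift, no exception on file
    "SMBv1Enabled": True,            # drift, but covered by CHG-0042
    "RDPNetworkLevelAuth": True,
    # "AuditLogonEvents" was not reported at all
}

@dataclass
class DriftReport:
    host: str
    unapproved: dict = field(default_factory=dict)  # setting -> (expected, actual)
    approved: dict = field(default_factory=dict)    # setting -> ticket ID
    missing: list = field(default_factory=list)     # baseline settings not reported

    @property
    def compliant(self) -> bool:
        # An unreported setting cannot prove compliance, so it counts as drift.
        return not self.unapproved and not self.missing

def compare_to_baseline(host, observed, baseline=BASELINE, exceptions=APPROVED_EXCEPTIONS):
    """Return a DriftReport for `host`; approved deviations are listed separately."""
    report = DriftReport(host=host)
    for setting, expected in baseline.items():
        if setting not in observed:
            report.missing.append(setting)
        elif observed[setting] != expected:
            ticket = exceptions.get((host, setting))
            if ticket:
                report.approved[setting] = ticket
            else:
                report.unapproved[setting] = (expected, observed[setting])
    return report
```

Running `compare_to_baseline("legacy-scan01", OBSERVED_LEGACY)` flags the lockout threshold as unapproved drift, attributes the SMBv1 deviation to its change ticket, and lists the unreported audit setting; the same snapshot for a host with no exception on file would flag SMBv1 as unapproved too.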