CFG-02.9: Baseline Tailoring
Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: (1) Mission / business functions; (2) Operational environment; (3) Specific threats or vulnerabilities; or (4) Other conditions or situations that could affect mission / business success.
Control Question: Does the organization allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: (1) Mission / business functions; (2) Operational environment; (3) Specific threats or vulnerabilities; or (4) Other conditions or situations that could affect mission / business success?
General (21)
| Framework | Mapping Values |
|---|---|
| CSA CCM 4 | AIS-02 IVS-03 |
| ISO/SAE 21434 2021 | PM-06-13 RQ-06-14 |
| NIST 800-37 R2 | P-4 |
| NIST 800-53 R5 (source) | PL-11 |
| NIST 800-53B R5 (low) (source) | PL-11 |
| NIST 800-53B R5 (moderate) (source) | PL-11 |
| NIST 800-53B R5 (high) (source) | PL-11 |
| NIST 800-82 R3 LOW OT Overlay | PL-11 |
| NIST 800-82 R3 MODERATE OT Overlay | PL-11 |
| NIST 800-82 R3 HIGH OT Overlay | PL-11 |
| NIST 800-171 R2 (source) | 3.3.3 |
| NIST 800-171 R3 (source) | 03.04.01.b 03.04.02.b |
| NIST 800-171A R3 (source) | A.03.04.01.ODP[01] A.03.04.01.b[01] A.03.04.01.b[02] A.03.04.01.b[03] A.03.04.01.b[04] A.03.04.06.c |
| NIST 800-207 | NIST Tenet 5 |
| NIST CSF 2.0 (source) | PR.PS |
| PCI DSS 4.0.1 (source) | 12.4.2 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 12.4.2 |
| Shared Assessments SIG 2025 | N.11 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | CFG-02.9 |
| SCF CORE ESP Level 2 Critical Infrastructure | CFG-02.9 |
| SCF CORE ESP Level 3 Advanced Threats | CFG-02.9 |
US (12)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ASSET-3.D.MIL2 ASSET-3.E.MIL3 |
| US CMMC 2.0 Level 2 (source) | AU.L2-3.3.3 |
| US FedRAMP R5 (source) | PL-11 |
| US FedRAMP R5 (low) (source) | PL-11 |
| US FedRAMP R5 (moderate) (source) | PL-11 |
| US FedRAMP R5 (high) (source) | PL-11 |
| US FedRAMP R5 (LI-SaaS) (source) | PL-11 |
| US HIPAA HICP Small Practice | 1.S.A |
| US HIPAA HICP Medium Practice | 1.M.A |
| US HIPAA HICP Large Practice | 1.M.A |
| US NERC CIP 2024 (source) | CIP-010-4 1.4.1 CIP-010-4 1.6.1 CIP-010-4 1.6.1 CIP-010-4 1.6.2 |
| US - CA CCPA 2025 | 7123(c)(11) 7123(c)(5)(B) |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA Israel CDMO 1.0 | 10.7 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-3-1-7 |
| EMEA UK DEFSTAN 05-138 | 2418 |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC New Zealand NZISM 3.6 | 16.1.50.C.01 16.1.50.C.02 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.03.02.B 03.04.01.A 03.04.02.A 03.04.02.B 03.04.06.A 03.04.08.A 03.04.12.A 03.13.11 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: (1) Mission / business functions; (2) Operational environment; (3) Specific threats or vulnerabilities; or (4) Other conditions or situations that could affect mission / business success.
Level 1 — Performed Informally
Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Standardized across the organization. o Consistently aligned with industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
- IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
- Secure configurations are not:
Level 2 — Planned & Tracked
Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for configuration management.
- Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
- Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
- Apart from workstation and server operating system baselines, configuration management is decentralized.
- Cybersecurity personnel use a structured process to design, build and maintain secure configurations for test, development, staging and production environments.
- Deviations to baseline configurations are required to have a risk assessment and the business process owner acceptance of the risk(s) associated with the deviation.
- Unauthorized configuration changes are investigated to determine if the unauthorized configuration is malicious in nature.
- Logical Access Control (LAC) is enforced to prohibit non-administrative users from being able to install unauthorized software.
Level 3 — Well Defined
Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- The configuration management function is formally assigned with defined roles and responsibilities.
- An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
- Configuration management is centralized for all operating systems, applications, servers and other configurable technologies.
- Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including test, development, staging and production environments.
- Configurations conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments.
- Deviations to baseline configurations are required to have a risk assessment and business process owner approval of the risk(s) associated with the deviation.
- Special baseline configurations are created for higher-risk environments or for systems, applications and services that store, process or transmit sensitive/regulated data.
- An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
- Logical Access Control (LAC) is used to limit the ability of non-administrators from making configuration changes to systems, applications and services, including the of installation of unauthorized software.
- A Security Incident Event Manager (SIEM), or similar automated tool, monitors for unauthorized activities, accounts, connections, devices and software.
- Unauthorized configuration changes are responded to in accordance with an Incident Response Plan (IRP) to determine if the unauthorized configuration is malicious in nature.
Level 4 — Quantitatively Controlled
Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
- Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.
Assessment Objectives
- CFG-02.9_A01 the selected control baseline is tailored by applying specified tailoring actions.
- CFG-02.9_A02 additional information for audit records is provided, as needed.
Technology Recommendations
Micro/Small
- Secure Baseline Configurations (SBC)
- Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)
- Center for Internet Security (CIS) Benchmarks
- Original Equipment Manufacturer (OEM) security guides
- ManageEngine Vulnerability Manager Plus (https://manageengine.com)
Small
- Secure Baseline Configurations (SBC)
- Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)
- Center for Internet Security (CIS) Benchmarks
- Original Equipment Manufacturer (OEM) security guides
- ManageEngine Vulnerability Manager Plus (https://manageengine.com)
Medium
- Secure Baseline Configurations (SBC)
- Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)
- Center for Internet Security (CIS) Benchmarks
- Original Equipment Manufacturer (OEM) security guides
- ManageEngine Vulnerability Manager Plus (https://manageengine.com)
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)
- Netwrix Auditor (https://netrix.com)
Large
- Secure Baseline Configurations (SBC)
- Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)
- Center for Internet Security (CIS) Benchmarks
- Original Equipment Manufacturer (OEM) security guides
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)
- Netwrix Auditor (https://netrix.com)
Enterprise
- Secure Baseline Configurations (SBC)
- Defense Information Security Agency (DISA) Secure Technology Implementation Guides (STIGs)
- Center for Internet Security (CIS) Benchmarks
- Original Equipment Manufacturer (OEM) security guides
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)
- Netwrix Auditor (https://netrix.com)