You know every in-scope system and have a documented secure baseline for it.
What it actually means
You can't secure what you haven't inventoried. This control wants a current inventory of the in-scope hardware/software and a documented baseline configuration for your systems — the known-good state you build to and compare against. It's the foundation the rest of configuration management stands on.
Pass or fail — an assessor needs a "yes" to each
- A current inventory of in-scope hardware, software, and firmware exists.
- Documented baseline configurations exist for system types.
- The inventory and baselines are maintained as things change.
What to have ready
- Asset inventory
- Baseline configuration documents / hardening standards (e.g., CIS/STIG-based)
- Change records showing baselines are maintained
Where teams trip up
- No real inventory — 'we mostly know what we have'
- No documented baseline; every machine is a snowflake
- Inventory built once and never updated