A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles.

The organization shall develop, document, and maintain a baseline configuration for its business-critical systems.
Guidance
- This control includes the concept of least functionality.
- Baseline configurations include for example, information about organization's business critical
systems, current version numbers and patch information on operating systems and applications,
configuration settings/parameters, network topology, and the logical placement of those
components within the system architecture.
- Network topology should include the nerve points of the IT/OT environment (external connections,
servers hosting data and/or sensitive functions, DNS services security, etc.).

The organization shall configure its business-critical systems to provide only essential capabilities.
Therefore, the baseline configuration shall be reviewed, and unnecessary capabilities shall be disabled.
Guidance
- Configuration of a system to provide only organization-defined mission essential capabilities is known
as the “concept of least functionality”.
- Capabilities include functions, ports, protocols, software, and/or services.