Hi everyone,

Our team hopes y’all had a happy holiday season and are ready to kick off the New Year! If one of your resolutions is making sure you're meeting the CJIS requirements, checking over the [Priority 1] or [Existing] controls in the CJISSECPOL is a great start. That’s not to say [Priority 2, 3, & 4] aren’t important, they are, but the primary focus by the auditors will be on P1s and existing controls. You can find the latest Requirements Companion Document outlining priority levels here. 

With all of that being said, let’s talk about a newer requirement from version 6.0, that is marked as [Existing]. CM-2 Baseline Configuration has some “old” parts and some new. The “old” is the requirement for a network diagram and keeping it up to date. Y’all’ve been doing that one for years. The new part is baseline configuration. 

The new requirement is as follows: develop, document, and maintain under configuration control, a current baseline configuration of the system. Some of y’all may have been doing this for years; if so, this won’t be much of a problem. For those who haven’t, I’m sure you're going “Huh?” and that’s where I come in.

A baseline configuration is a set of specifications and settings for a system and its components. It's the bottomline setup required for basic IT operation, security, and management. It focuses on the "what" and "how" of individual components, describing settings, versions, and specific configurations. Think of it as a detailed recipe, listing all the ingredients and instructions for a dish.

It’s different from a network diagram, which shows you how all the pieces of equipment are connected together, while a baseline configuration tells you what the correct settings are for those pieces of equipment. You gotta have both according to the CJISSECPOL.

I know that some of y’all have a headache after reading that; understandable. CJIS ACE is working on a way to help develop your baseline configuration. Keep your eyes peeled for some new and upcoming information on our services.

In the meantime, don’t forget that CJIS ACE is here to help whether it's an assessment to discuss all of the requirements or with CJIS Insight where you can track them. If you’d like to know more, I’d enjoy a chance to talk with you. Gimme a call or send me an email!

Y'all take care,

Larry Coffee

lcoffee@diversecomputing.com