Security Baseline

A security baseline is the starting set of security controls recommended for a system based on its impact level (Low, Moderate, or High). NIST SP 800-53 defines three baselines — each one is a curated list of controls and enhancements appropriate for that impact level. Higher impact levels include more controls and more stringent enhancements.

The baseline is a starting point, not the final answer. Organizations tailor the baseline by adding controls for specific threats, removing controls that don't apply, or applying overlays for their specific environment. The tailored baseline becomes the system's security requirements.