cispec

org.cispec.config-baseline

experimental recommended: any CI subject to a formal configuration baseline or hardening profile

Experimental. This term passes both minting tests — configuration baseline tracking is a real ITIL/CMDB fact and no existing term covers it — but the range of baseline formats and reference schemes across domains (OSCAL baseline templates, DISA STIGs, CIS Benchmarks, vendor hardening guides, pharmaceutical GxP baseline configs) has not been fully reconciled into a single value format. The pointer-to-external- document shape is correct; the question is what reference schemes should be formally documented as valid values. Implementations using this term should treat the value format as advisory. Feedback from real implementations will determine the final format.

org.cispec.config-baseline is a bare reference pointer to the configuration baseline or hardening profile the Change Item is configured against — the template or standard that defines its expected configuration state. This generalises OSCAL’s baseline-template property into a cross-domain term.

The underlying fact is universal: any managed CI has a baseline configuration it should conform to. A server has a CIS Benchmark or DISA STIG. A network device has a hardening guide. A pharmaceutical manufacturing system has a validated baseline configuration under GxP. A medical device has a type-approved reference configuration. A classified workstation has an NSA/CNSS-approved baseline. The term is the same; the reference scheme and the governing authority vary by domain and by organisation.

This is a pointer — the same pattern as custody-chain and contract-ref: the key cites the baseline; the baseline’s content lives in a configuration management or compliance system.

Value format

A baseline identifier — a STIG identifier, CIS Benchmark version, a URI, or an internal baseline reference. The experimental status means the preferred reference scheme is not yet formally mandated.

org.cispec.config-baseline=DISA-STIG-RHEL9-v1r1
org.cispec.config-baseline=CIS-Ubuntu22-L2-v1.0.0
org.cispec.config-baseline=NIST-NCP-USGCB-RHEL7
org.cispec.config-baseline=https://baselines.example.org/prod-server-v3
org.cispec.config-baseline=GXP-VALIDATED-BASELINE-2026-001

Conformance

org.cispec.config-baseline is RECOMMENDED for any CI under a formal configuration baseline or hardening programme. Not REQUIRED for Declared conformance.

Attestation

config-baseline is independently attestable where the referenced baseline is a public standard (DISA STIGs, CIS Benchmarks are publicly verifiable) or an auditable internal document. Configuration compliance against the baseline is a separate assessment concern outside this specification’s scope.

Resolution and relation

“Every CI configured against DISA-STIG-RHEL9-v1r1” is a real fleet-wide compliance query — the set of assets for which a new STIG release requires reassessment.

Document identifier

OID: 1.3.6.1.4.1.42387.2.8.5
GUID: fe80be18-0f77-57cd-b57d-29cc26688589

Related terms