baseline controls

Baseline controls are a standard, pre-defined set of controls that an organization chooses to apply consistently across a group of systems, processes, or environments. In regulated manufacturing, the term most often refers to cybersecurity or information security controls selected from a broader catalog (such as NIST or corporate policies) and used as a common starting point for similar systems.

What baseline controls include

Baseline controls typically include a minimum set of safeguards that are expected to be in place for all in-scope systems or sites, for example:

• Access control measures (user accounts, roles, authentication)
• System and communications protection (network zoning, firewalls, encryption)
• Configuration and change management requirements
• Logging, monitoring, and incident reporting expectations
• Backup, recovery, and continuity measures
• Basic training and awareness controls for relevant personnel

The exact content of a baseline depends on the organization, risk posture, and applicable regulations, but the intent is to define a consistent minimum level of control.

Role in industrial and regulated environments

In industrial operations and manufacturing, baseline controls commonly apply to:

• OT systems such as PLCs, SCADA, DCS, and plant networks
• IT systems that interface with production, such as MES, LIMS, QMS, and ERP
• Shared infrastructure like identity services, remote access, and data historians

These baselines are often documented in security standards, engineering specifications, or corporate policies and then referenced in project templates, system qualification documents, and supplier requirements. Individual systems can add controls above the baseline when risk or impact requires it.

Relationship to NIST RMF and similar frameworks

Under frameworks such as the NIST Risk Management Framework (RMF), baseline controls commonly refer to the set of controls selected for a particular impact level or system class, which an organization may further tailor. In practice, many manufacturers define:

• A corporate or plant-wide baseline (the default control set)
• System-specific tailoring, where controls are added or justified as not applicable based on risk, mission, and environment

Different systems do not need to have identical controls, but using a documented baseline helps standardize expectations, support audits, and simplify integration across multiple sites and vendors.

Operational use

Operationally, baseline controls appear in:

• Design templates and standard architectures for OT and IT systems
• Vendor and integrator requirements in specifications and contracts
• Commissioning, validation, or qualification checklists
• Periodic security review and hardening procedures

Teams use the baseline as the default set of controls to implement and verify, then document any justified deviations or additional measures.

Common confusion

• Baseline controls vs. control catalog: A control catalog is the full universe of possible controls (for example, all controls in a standard). Baseline controls are the subset an organization chooses as its default minimum.
• Baseline controls vs. system-specific controls: Baseline controls apply broadly across similar systems. System-specific controls are added or modified based on unique risks, technologies, or regulatory requirements of a particular system.
• Baseline controls vs. standard operating procedures (SOPs): Baseline controls describe what safeguards must exist. SOPs describe how people execute tasks and may implement or support those controls, but they are not the controls catalog itself.