Question 34
Domain 4 — Technology, Security, and Resilience Controls
What is the purpose of control baselines?
Correct answer: B
Explanation
Control baselines set a standard starting point for security by defining the minimum controls each system type must meet. They are used to establish "minimum security requirements" so organizations can apply consistent protections based on system impact and risk.
Why each option is right or wrong
A. To eliminate the need for monitoring
B. To establish minimum security requirements for different types of systems
Control baselines are the starting point for selecting safeguards in a risk-based security program: NIST SP 800-53 Rev. 5, §2.5 and FIPS 200 require organizations to apply a baseline of minimum security controls to information systems according to impact level. In practice, this means the baseline defines the floor of required protection for each system category, before any tailoring or additional controls are added based on mission or risk.
C. To increase risk tolerance
D. To avoid risk assessment