The security control baseline is established by determining specific controls required to protect the system based on the security categorization of the system. The baseline is tailored and supplemented in accordance with an organizational assessment of risk and local parameters. The security control baseline, as well as the plan for monitoring it, is documented in the security plan.
Certified Authorization Professional (CAP®) Candidate Information Bulletin, November 2010
As a Certified Authorization Professional (CAP®), you are expected to ...