Hi guys, I'm working on making my company compliant with NIST 800-171 r2, and as I'm working through the requirements I'm a little confused about 3.4.1, about creating a baseline.
How should I create a baseline, and what should it entail?
My understanding is to do the following:
For example, networking devices:
1. Create the network diagrams for each network, showing our devices as well as the IP addresses and what type of security we have on each site
2. Show the admin accounts and the level of access the admins have to those networking devices
Servers:
1. List our servers and their operating systems
2. List the maintenance and update windows we created for each server
Laptops:
1. Mention the type of devices we use for the users
2. Level of access that the users in each department get to each laptop
Applications:
1. Allow by exception for applications, meaning that we have a list of the apps that can be installed on user devices, servers and laptops
2. Make sure to remove any apps other than the whitelisted ones, and only allow installs by submitting tickets (falls under change management)
Am I on the right path, or am I just going off into a fairytale?
Please enlighten me LOL