Which statement about security baselines is accurate?

Security baselines define a minimum secure configuration standard that organizations apply to systems. They lay out the approved, hardened settings and controls that should be in place to reduce attack surface and ensure consistent security posture across environments. Baselines are used as the benchmark for configuring devices, operating systems, and applications, making it easier to detect drift and verify compliance during audits. They are not about incident response timelines, which belong to how an organization detects and responds to security events. They are not optional for compliance in most frameworks, since many standards require some form of secure configuration baseline to demonstrate consistent protection. And they do not provide encryption keys—baselines specify configurations, not the distribution of cryptographic material.