What does a baseline deviation mean in RMF and how is it justified?


Multiple Choice

What does a baseline deviation mean in RMF and how is it justified?

Explanation:
In RMF, a baseline deviation occurs when a control from the defined baseline is not implemented as specified. The justification for this deviation is documented in the System Security Plan (SSP) and tracked in the Plan of Actions and Milestones (POA&M). The SSP explains which controls are in place and the rationale for departing from the baseline, while the POA&M records the actions, timelines, and any risk acceptance or compensating controls needed to address the deficiency. This formal documentation ensures that the officials who grant the authority to operate understand the residual risk and the path to remediation. A deviation does not mean the system is fully compliant; it must be documented and managed. Simply changing the system boundary is not the standard method for handling baseline deviations.

