at least annually
-at least annually or whenever a significant change occurs
-monthly for privileged access, every six (6) months for non-privileged access
-Selection: disables
-24 hours from last use
-35 days for user accounts
-organization and/or service provider system owner
-inactivity is anticipated to exceed Fifteen (15) minutes
-disables/revokes access within an organization-specified timeframe
-organization-defined need with justification statement that explains why such accounts are necessary
-at a minimum, the ISSO and/or similar role within the organization
-one (1) hour
-all functions not publicly accessible and all security-relevant information not publicly available
-all security functions
-all privileged commands
-at a minimum, annually
-all users with privileges
-any software except software explicitly documented
-not more than three (3)
-fifteen (15) minutes
-locks the account/node for a minimum of three (3) hours or until unlocked by an administrator
-mobile devices as defined by organization policy
-three (3)
-see additional Requirements and Guidance
-see additional Requirements and Guidance
-three (3) sessions for privileged access and two (2) sessions for non-privileged access
-fifteen (15) minutes
-fifteen (15) minutes
-at least quarterly
-at least annually or whenever a significant change occurs
-at least annually or whenever a significant change occurs
-at least annually
-at least annually
-malicious code indicators as defined by organization incident policy/capability.
-five (5) years or 5 years after completion of a specific training program
-at least annually
-at least annually or whenever a significant change occurs
-successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes
-organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event
-annually or whenever there is a change in the threat environment
-session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands
-all network, data storage, and computing devices
-organization-defined actions to be taken (overwrite oldest record)
-real-time
-service provider personnel with authority to address failed audit events
-audit failure events requiring real-time alerts, as defined by organization audit policy
-at least weekly
-Possibly to include penetration test data.
-information system process; role; user
-one second granularity of time measurement
-At least hourly
-http://tf.nist.gov/tf-cgi/servers.cgi
-at least weekly
-minimum actions including the addition, modification, deletion, approval, sending, or receiving of data
-at least one (1) year
-all information system and network components where audit capability is deployed/available
-all network, data storage, and computing devices
-service provider-defined individuals or roles with audit configuration responsibilities
-all network, data storage, and computing devices
-at least annually
-at least annually or whenever a significant change occurs
-at least annually
-individuals or roles to include FedRAMP PMO
-at least annually
-any FedRAMP Accredited 3PAO
-any FedRAMP Accredited 3PAO
-the conditions of the JAB/AO in the FedRAMP Repository
-At least annually and on input from FedRAMP
-boundary protections which meet the Trusted Internet Connection (TIC) requirements
-deny-all, permit by exception
-any systems
-at least monthly
-at least every three (3) years or when a significant change occurs
-to meet Federal and FedRAMP requirements (See additional guidance)
-to meet Federal and FedRAMP requirements (See additional guidance)
-at least annually
-at least annually
-at least annually or whenever a significant change occurs
-at least annually or when a significant change occurs
-to include when directed by the JAB
-organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components
-organization agreed upon time period
-organization defined configuration management approval authorities
-Configuration control board (CCB) or similar (as defined in CM-3)
-All security safeguards that rely on cryptography
-at least every thirty (30) days
-at least quarterly
-See CM-6(a) Additional FedRAMP Requirements and Guidance
-United States Government Configuration Baseline (USGCB)
-at least monthly
-at least quarterly or when there is a change
-at least monthly
-Continuously, using automated mechanisms with a maximum five-minute delay in detection.
-position and role
-Continuously (via CM-7 (5))
-at least annually
-at least annually or whenever a significant change occurs
-at least annually
-time period defined in service provider and organization SLA
-ten (10) days
-at least annually
-at least annually
-functional exercises
-annually
-daily incremental; weekly full
-daily incremental; weekly full
-daily incremental; weekly full
-at least monthly
-time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA
-time period consistent with the restoration time-periods defined in the service provider and organization SLA
-at least annually
-at least annually or whenever a significant change occurs
-FIPS 140-2, NIAP Certification, or NSA approval
-at a minimum, the ISSO (or similar role within the organization)
-at least two (2) years
-thirty-five (35) days (See additional requirements and guidance.)
-contractors; foreign nationals
-at least fifty percent (50%)
-twenty four (24)
-All hardware/biometric (multifactor authenticators)
-in person
-complexity as identified in IA-5 (1) Control Enhancement Part (a)
-different authenticators on different systems
-at least annually
-at least annually or whenever a significant change occurs
-within ten (10) days
-at least annually
-at least every six (6) months, including functional at least annually
-see additional FedRAMP Requirements and Guidance
-all network, data storage, and computing devices
-external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)
-US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-see additional FedRAMP Requirements and Guidance
-at least annually
-see additional FedRAMP Requirements and Guidance
-at least annually
-at least annually
-at least annually or whenever a significant change occurs
-the information owner explicitly authorizing removal of the equipment from the facility
-at least annually
-at least annually or whenever a significant change occurs
-any digital and non-digital media deemed sensitive
-no removable media types
-organization-defined security safeguards not applicable
-all types of digital and non-digital media with sensitive information
-see additional FedRAMP requirements and guidance
-all media with sensitive information
-prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container
-techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations
-at least every six (6) months
-at least annually
-at least annually or whenever a significant change occurs
-at least every ninety (90) days
-CSP defined physical access control systems/devices AND guards
-CSP defined physical access control systems/devices
-in all circumstances within restricted access area where the information system resides
-at least annually
-at least annually
-at least monthly
-for a minimum of one (1) year
-at least monthly
-service provider building maintenance/physical security personnel
-service provider emergency responders with incident response responsibilities
-consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-continuously
-service provider building maintenance/physical security personnel
-all information system components
-physical and environmental hazards identified during threat assessment
-at least annually
-at least annually or whenever a significant change occurs
-at least annually
-annually
-at least annually or when a significant change occurs
-at least annually
-at least annually or whenever a significant change occurs
-at least annually
-for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions
-personnel screening criteria - as required by specific information
-eight (8) hours
-access control personnel responsible for disabling access to the system
-twenty-four (24) hours
-twenty-four (24) hours
-at least annually
-at least annually and any time there is a change to the user's level of access
-terminations: immediately; transfers: within twenty-four (24) hours
-at a minimum, the ISSO and/or similar role within the organization
-at least annually
-at least annually or whenever a significant change occurs
-security assessment report
-at least annually or whenever a significant change occurs
-annually
-monthly operating system/infrastructure; monthly web applications and databases
-high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery
-prior to a new scan
-notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions
-operating systems / web applications / databases
-all scans
-at least annually
-at least annually or whenever a significant change occurs
-at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information]
-at least the minimum requirement as defined in control CA-7
-at a minimum, the ISSO (or similar role within the organization)
-FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-all external systems where Federal information is processed or stored
-all external systems where Federal information is processed or stored
-information processing, information data, AND information services
-U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction
-all High Impact Data, Systems, or Services
-development, implementation, AND operation
-organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures
-as needed and as dictated by the current threat posture
-organization and service provider-defined security requirements
-at least annually
-at least annually or whenever a significant change occurs
-at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions
-Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall
-confidentiality AND integrity
-prevent unauthorized disclosure of information AND detect changes to information
-a hardened or alarmed carrier Protective Distribution System (PDS)
-no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions
-NIST FIPS-compliant
-FIPS-validated or NSA-approved cryptography
-no exceptions
-confidentiality AND integrity
-all information system components storing customer data deemed sensitive
-at least annually
-at least annually or whenever a significant change occurs
-thirty (30) days of release of updates
-at least monthly
-at least weekly
-to include endpoints
-to include blocking and quarantining malicious code and alerting administrator or defined security personnel in near real-time
-continuously
-to include US-CERT
-to include system security personnel and administrators with configuration/patch-management responsibilities
-to include upon system startup and/or restart
-at least monthly
-to include system administrators and security personnel
-to include notification of system administrators and security personnel
-selection to include security relevant events
-at least monthly
-https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29
-Required if shared/group accounts are deployed
-Required for privileged accounts.
-Required for privileged accounts.
-The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.
-Should use a shorter timeframe than AC-12.
-Required if shared/group accounts are deployed
-Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.
-Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.
-The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
-The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.
-If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
-If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results is approved and accepted by the JAB/AO.
-The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.
-Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.
-The service provider defines audit record types [FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. The audit record types are approved and accepted by the JAB/AO.
-For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.
-Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.
-Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.
-The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.
-Synchronization of system clocks improves the accuracy of log analysis.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance https://www.fedramp.gov/documents/
-For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).
-To include 'announced', 'vulnerability scanning'
-Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.
-For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing
-Plan of Action & Milestones (POA&M) must be provided at least monthly.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide https://www.fedramp.gov/documents/
-Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.
-Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
-CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.fedramp.gov/documents/
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance https://www.FedRAMP.gov/documents/
-Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.
-The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.
-In accordance with record retention policies and procedures.
-If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.
-The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.
-The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).
-Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.
-The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
-Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. Partially derived from AC-17(8).
-This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e., whitelisting). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.
-Must be provided at least monthly or when there is a change.
-For JAB authorizations the contingency lists include designated FedRAMP personnel.
-The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.
-The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.
-The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
-The service provider maintains at least three backup copies of user-level information (at least one of which is available online).
-The service provider maintains at least three backup copies of system-level information (at least one of which is available online).
-The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).
-PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.
-Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
-The service provider defines the time period of inactivity for device identifiers.
-For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.
-Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3.
-If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.
-If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.
-The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional Testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.
-The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
-Report security incident information according to FedRAMP Incident Communications Procedure.
-The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
-The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
-Second parameter not-applicable
-The service provider defines controlled areas within facilities where the information and information system reside.
-The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.
-Equipment and procedures may be tested or validated for effectiveness
-The service provider measures temperature at server inlets and humidity levels by dew point.
-Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.
-Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F
-Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
-To include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)
-If multiple tools are not used, this control is not applicable.
-Include in Continuous Monitoring ISSO digest/report to JAB/AO
-This enhancement is required for all high vulnerability scan findings.
-While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.
-For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.
-The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).
-The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See https://www.niap-ccevs.org/Product/.
-CSP must use the same security standards regardless of where the system component or information system service is acquired.
-Federally approved and validated cryptography.
-The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.
-The organization supports the capability to use cryptographic mechanisms to protect information at rest.
-The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.
-Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc.
-See US-CERT Incident Response Reporting Guidelines.
-In accordance with the incident response plan.
-at least quarterly
-organization-defined actions to be taken (overwrite oldest record)
-at least weekly
-at least annually
-individuals or roles to include FedRAMP PMO
-at least annually and on input from FedRAMP
-at least monthly
-at least every three years or when a significant change occurs
-to meet Federal and FedRAMP requirements (See additional guidance)
-to meet Federal and FedRAMP requirements (See additional guidance)
-see CM-6(a) Additional FedRAMP Requirements and Guidance
-at least monthly
-daily incremental; weekly full
-daily incremental; weekly full
-daily incremental; weekly full
-US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-at least annually
-CSP defined physical access control systems/devices AND guards
-in all circumstances within restricted access area where the information system resides
-at least annually
-at least annually
-at least monthly
-for a minimum of one (1) year
-at least monthly
-consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-continuously
-all information system components
-at least annually
-For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.
-security assessment report
-at least every three (3) years or when a significant change occurs
-at least every three (3) years or when a significant change occurs
-monthly operating system/infrastructure; monthly web applications and databases
-high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.
-FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-FIPS-validated or NSA-approved cryptography
-within 30 days of release of updates
-at least weekly
-to include endpoints
-to include alerting administrator or defined security personnel
-Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored for LI-SaaS.
-Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions.
-Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records.
-Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities.
-Organizational processes for account management on the information system; automated mechanisms for implementing account management.
-Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
-Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; list of approved authorizations (user privileges); information system audit records; and other relevant documents or records.
-Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; and system developers.
-Automated mechanisms implementing access control policy.
-NSO for non-privileged users. Attestation for privileged users related to - multi-factor identification and authentication.
-FED - This is related to agency data and agency policy solution.
-FED - This is related to agency data and agency policy solution.
-Determine if the organization authorizes remote access to the information system prior to allowing such connections
-Access control policy; procedures addressing remote access implementation and usage (including restrictions); configuration management plan; security plan; information system configuration settings and associated documentation; remote access authorizations; information system audit records; and other relevant documents or records.
-Organizational personnel with responsibilities for managing remote access connections; system/network administrators; and organizational personnel with information security responsibilities.
-Remote access management capability for the information system.
-NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).
-NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1]).
-Determine if the organization designates individuals authorized to post information onto a publicly accessible information system.
-Access control policy; procedures addressing publicly accessible content; list of users authorized to post publicly accessible content on organizational information systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public websites; system audit logs; security awareness training records; other relevant documents or records. Interview: Organizational personnel with responsibilities for managing remote access connections; system/network administrators; and organizational personnel with information security responsibilities.
-Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems; and organizational personnel with information security responsibilities.
-Automated mechanisms implementing management of publicly accessible content.
-Determine if the information system:
-Generates audit records containing information that establishes:
-Audit and accountability policy; procedures addressing content of audit records; information system design documentation; information system configuration settings and associated documentation; list of organization-defined auditable events; information system audit records; information system incident reports; and other relevant documents or records.
-Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; and system/network administrators.
-Automated mechanisms implementing information system auditing of auditable events.
-NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.
-Determine if the organization defines the personnel or roles to be alerted in the event of an audit processing failure.
-Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; list of personnel to be notified in case of an audit processing failure; information system audit records; and other relevant documents or records.
-Organizational personnel with responsibilities for managing remote access connections; system/network administrators; and organizational personnel with information security responsibilities.
-Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; and system/network administrators; system developers.
-Automated mechanisms implementing information system response to audit processing failures.
-Determine if the organization:
-Audit and accountability policy; procedures addressing audit review, analysis, and reporting; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; and other relevant documents or records.
-Organizational personnel with audit review, analysis, and reporting responsibilities; and organizational personnel with information security responsibilities.
-NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.
-Determine if the organization:
-Security assessment and authorization policy; procedures addressing security assessment planning; procedures addressing security assessments; security assessment plan; and other relevant documents or records.
-Organizational personnel with security assessment responsibilities; and organizational personnel with information security responsibilities.
-Automated mechanisms supporting security assessment, security assessment plan development, and/or security assessment reporting.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance: https://www.fedramp.gov/documents/
-Determine if the organization:
-Access control policy; procedures addressing information system connections; system and communications protection policy; security plan; information system design documentation; information system configuration settings and associated documentation; list of components or classes of components authorized as system interconnections; security assessment report; information system audit records; and other relevant documents or records.
-Organizational personnel with responsibility for developing, implementing, or authorizing system interconnections; organizational personnel with information security responsibilities.
-Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.
-Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.
-Determine if the organization:
-Security assessment and authorization policy; procedures addressing security authorization; security authorization package (including security plan; security assessment report; plan of action and milestones; authorization statement); and other relevant documents or records.
-Organizational personnel with security authorization responsibilities; and organizational personnel with information security responsibilities.
-Automated mechanisms that facilitate security authorizations and updates.
-Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the Authorizing Official.
-Determine if the organization:
-Security assessment and authorization policy; procedures addressing continuous monitoring of information system security controls; procedures addressing configuration management; security plan; security assessment report; plan of action and milestones; information system monitoring records; configuration management records, security impact analyses; status reports; and other relevant documents or records.
-Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security responsibilities; and system/network administrators.
-Mechanisms implementing continuous monitoring.
-CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide: https://www.fedramp.gov/documents/
-Determine if the organization:
-Access control policy; procedures addressing information system connections; system and communications protection policy; security plan; information system design documentation; information system configuration settings and associated documentation; list of components or classes of components authorized as internal system connections; security assessment report; information system audit records; and other relevant documents or records.
-9.a.2 only: Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections; organizational personnel with information security responsibilities.
-Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.
-Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
-Configuration management policy; procedures addressing security impact analysis for changes to the information system; configuration management plan; security impact analysis documentation; analysis tools and associated outputs; change control records; information system audit records; and other relevant documents or records.
-Organizational personnel with responsibility for conducting security impact analysis; organizational personnel with information security responsibilities; and system/network administrators.
-Organizational processes for security impact analysis.
-Determine if the organization:
-Configuration management policy; procedures addressing configuration settings for the information system; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; evidence supporting approved deviations from established configuration settings; change control records; information system audit records; and other relevant documents or records.
-Organizational personnel with security configuration management responsibilities; organizational personnel with information security responsibilities; and system/network administrators.
-Organizational processes for managing configuration settings; automated mechanisms that implement, monitor, and/or control information system configuration settings; and automated mechanisms that identify and/or document deviations from established configuration settings.
-Required - Specifically include details of least functionality.
-The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings, or establish its own configuration settings if USGCB is not available.
-The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).
-Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.
-Determine if the organization:
-Configuration management policy; procedures addressing information system component inventory; configuration management plan; security plan; information system inventory records; inventory reviews and update records; and other relevant documents or records.
-Organizational personnel with responsibilities for information system component inventory; organizational personnel with information security responsibilities; and system/network administrators.
-Organizational processes for developing and documenting an inventory of information system components; automated mechanisms supporting and/or implementing the information system component inventory.
-Must be provided at least monthly or when there is a change.
-NSO - Not directly related to protection of the data.
-NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.
-NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.
-NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.
-NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.
-Determine if the organization:
-Contingency planning policy; procedures addressing information system backup; contingency plan; backup storage location(s); information system backup logs or records; and other relevant documents or records.
-Organizational personnel with information system backup responsibilities; and organizational personnel with information security responsibilities.
-Organizational processes for conducting information system backups; automated mechanisms supporting and/or implementing information system backups.
-The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and the appropriate periodicity of the check.
-The service provider maintains at least three backup copies of user-level information (at least one of which is available online).
-The service provider maintains at least three backup copies of system-level information (at least one of which is available online).
-The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).
-NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.
-NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.
-Determine if the organization implements multifactor authentication for network access to privileged accounts.
-Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; and other relevant documents or records.
-Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; and system/network administrators; system developer.
-Automated mechanisms supporting and/or implementing multifactor authentication capability.
-Determine if the information system:
-Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; PIV verification records; evidence of PIV credentials; PIV credential authorizations; and other relevant documents or records.
-Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; and system developers.
-Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials.
-Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.
-Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
-Determine if, for hardware token-based authentication, the organization:
-Identification and authentication policy; procedures addressing authenticator management; security plan; information system design documentation; automated mechanisms employing hardware token-based authentication for the information system; list of token quality requirements; information system configuration settings and associated documentation; information system audit records; and other relevant documents or records.
-Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators; and system developers.
-Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability.
-FED - for Federal privileged users. Condition - Must document and assess for privileged users. May attest to this control for non-privileged users.
-Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
-Identification and authentication policy; procedures addressing authenticator feedback; information system design documentation; information system configuration settings and associated documentation; information system audit records; and other relevant documents or records.
-Organizational personnel with information security responsibilities; system/network administrators; and system developers.
-Automated mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication.
-Determine if the information system:
-Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; PIV verification records; evidence of PIV credentials; PIV credential authorizations; and other relevant documents or records.
-Organizational personnel with information system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; and organizational personnel with account management responsibilities.
-Automated mechanisms supporting and/or implementing identification and authentication capability; automated mechanisms that accept and verify PIV credentials.
-Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.
-Determine if the information system accepts only FICAM-approved third-party credentials.
-Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization; third-party credential verification records; evidence of FICAM-approved third-party credentials; third-party credential authorizations; and other relevant documents or records.
-Organizational personnel with information system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; and organizational personnel with account management responsibilities.
-Automated mechanisms supporting and/or implementing identification and authentication capability; automated mechanisms that accept FICAM-approved credentials.
-Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.
-Determine if the organization:
-Incident response policy; contingency planning policy; procedures addressing incident handling; incident response plan; contingency plan; security plan; and other relevant documents or records.
-Organizational personnel with incident handling responsibilities; organizational personnel with contingency planning responsibilities; and organizational personnel with information security responsibilities.
-Incident handling capability for the organization.
-The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
-Determine if the organization:
-Incident response policy; procedures addressing incident reporting; incident reporting records and documentation; incident response plan; security plan; and other relevant documents or records.
-Organizational personnel with incident reporting responsibilities; organizational personnel with information security responsibilities; personnel who have/should have reported incidents; and personnel (authorities) to whom incident information is to be reported.
-Organizational processes for incident reporting; automated mechanisms supporting and/or implementing incident reporting.
-Report security incident information according to FedRAMP Incident Communications Procedure.
-Attestation - Specifically attest to US-CERT compliance.
-Attestation - Specifically describe information spillage response processes.
-Determine if the organization:
-Information system maintenance policy; procedures addressing controlled information system maintenance; maintenance records; manufacturer/vendor maintenance specifications; equipment sanitization records; media sanitization records; other relevant documents or records.
-Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization; system/network administrators.
-Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system; organizational processes for sanitizing information system components; automated mechanisms supporting and/or implementing controlled maintenance; automated mechanisms implementing sanitization of information system components.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Information system maintenance policy; procedures addressing maintenance personnel; service provider contracts; service-level agreements; list of authorized personnel; maintenance records; access control records; other relevant documents or records.
-Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities.
-Organizational processes for authorizing and managing maintenance personnel; automated mechanisms supporting and/or implementing authorization of maintenance personnel.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Information system media protection policy; procedures addressing media access restrictions; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control records; other relevant documents or records.
-Organizational personnel with information system media protection responsibilities; organizational personnel with information security responsibilities; system/network administrators.
-Organizational processes for restricting information media; automated mechanisms supporting and/or implementing media access restrictions.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Information system media protection policy; procedures addressing media sanitization and disposal; applicable federal standards and policies addressing media sanitization; media sanitization records; audit records; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records.
-Organizational personnel with information system media protection responsibilities; organizational personnel with information security responsibilities; system/network administrators.
-Organizational processes for media sanitization; automated mechanisms supporting and/or implementing media sanitization.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Information system media protection policy; procedures addressing media sanitization and disposal; applicable federal standards and policies addressing media sanitization; media sanitization records; audit records; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records.
-Organizational personnel with information system media protection responsibilities; organizational personnel with information security responsibilities; system/network administrators.
-Organizational processes for media sanitization; automated mechanisms supporting and/or implementing media sanitization.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records.
-Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities.
-Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records.
-Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities.
-Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records.
-Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities.
-Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records.
-Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities.
-Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records.
-Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities.
-Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records.
-Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities.
-Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records.
-Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities.
-Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-The service provider measures temperature at server inlets and humidity levels by dew point.
-Determine if the organization:
-Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records.
-Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities.
-Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records.
-Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities.
-Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations.
-Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
-Determine if the organization:
-Security planning policy; procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan for the information system; records of security plan reviews and updates; and other relevant documents or records.
-Organizational personnel with security planning and plan implementation responsibilities; and organizational personnel with information security responsibilities.
-Organizational processes for security plan development/review/update/approval; automated mechanisms supporting the information system security plan.
-Determine if the organization:
-Personnel security policy; procedures addressing personnel screening; records of screened personnel; security plan; and other relevant documents or records.
-Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities.
-Organizational processes for personnel screening.
-Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.
-Determine if the organization:
-Risk assessment policy; security planning policy and procedures; procedures addressing security categorization of organizational information and information systems; security plan; security categorization documentation; and other relevant documents or records.
-Organizational personnel with security categorization and risk assessment responsibilities; and organizational personnel with information security responsibilities.
-Organizational processes for security categorization.
-Determine if the organization:
-Risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; security plan; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; and other relevant documents or records.
-Organizational personnel with risk assessment responsibilities; and organizational personnel with information security responsibilities.
-Organizational processes for risk assessment; automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment.
-Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.
-Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-Determine if the organization:
-Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; security assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; and other relevant documents or records.
-Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with vulnerability remediation responsibilities; organizational personnel with information security responsibilities; system/network administrators.
-Organizational processes for vulnerability scanning, analysis, remediation, and information sharing; automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.
-An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
-To include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)
-Determine if the organization:
-System and services acquisition policy; procedures addressing external information system services; procedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services; acquisition contracts, service-level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; and other relevant documents or records.
-Organizational personnel with system and services acquisition responsibilities; external providers of information system services; organizational personnel with information security responsibilities.
-Organizational processes for monitoring security control compliance by external service providers on an ongoing basis; automated mechanisms for monitoring security control compliance by external service providers on an ongoing basis.
-Determine if the organization:
-System and communications protection policy; procedures addressing denial of service protection; information system design documentation; security plan; list of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks; list of security safeguards protecting against or limiting the effects of denial of service attacks; information system configuration settings and associated documentation; information system audit records; and other relevant documents or records.
-System/network administrators; organizational personnel with information security responsibilities; organizational personnel with incident response responsibilities; system developer.
-Automated mechanisms protecting against or limiting the effects of denial of service attacks.
-Condition: If availability is a requirement, define protections in place as per control requirement.
-Determine if the organization:
-System and communications protection policy; procedures addressing boundary protection; list of key internal boundaries of the information system; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; enterprise security architecture documentation; information system audit records; and other relevant documents or records.
-System/network administrators; and organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities.
-Automated mechanisms implementing boundary protection capability.
-Determine if the organization:
-System and communications protection policy; procedures addressing cryptographic key establishment and management; information system design documentation; cryptographic mechanisms; information system configuration settings and associated documentation; information system audit records; and other relevant documents or records.
-System/network administrators; organizational personnel with information security responsibilities; and organizational personnel with responsibilities for cryptographic key establishment and/or management.
-Automated mechanisms supporting and/or implementing cryptographic key establishment and management.
-Federally approved cryptography.
-Determine if the organization:
-System and communications protection policy; procedures addressing cryptographic protection; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; list of FIPS validated cryptographic modules; information system audit records; and other relevant documents or records.
-System/network administrators; organizational personnel with information security responsibilities; system developer; and organizational personnel with responsibilities for cryptographic protection.
-Automated mechanisms supporting and/or implementing cryptographic protection.
-Condition: If implementing, the service provider needs to detail how it meets, or does not meet, the control requirement.
-NSO - Not directly related to the security of the SaaS.
-Determine if the organization:
-System and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; list of flaws and vulnerabilities potentially affecting the information system; list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws); test results from the installation of software and firmware updates to correct information system flaws; installation/change control records for security-relevant software and firmware updates; and other relevant documents or records.
-System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for flaw remediation; and organizational personnel with configuration management responsibility.
-Organizational processes for identifying, reporting, and correcting information system flaws; organizational process for installing software and firmware updates; automated mechanisms supporting and/or implementing reporting, and correcting information system flaws; and automated mechanisms supporting and/or implementing testing software and firmware updates.
-Determine if the organization:
-System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; information system design documentation; information system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; information system audit records; and other relevant documents or records.
-System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection; and organizational personnel with configuration management responsibility.
-Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; automated mechanisms supporting and/or implementing employing, updating, and configuring malicious code protection mechanisms; automated mechanisms supporting and/or implementing malicious code scanning and subsequent act.
-Determine if the organization:
-Continuous monitoring strategy; system and information integrity policy; procedures addressing information system monitoring tools and techniques; facility diagram/layout; information system design documentation; information system monitoring tools and techniques documentation; locations within information system where monitoring devices are deployed; information system configuration settings and associated documentation; and other relevant documents or records.
-System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; and organizational personnel with responsibility monitoring the information system.
-Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing information system monitoring capability.
-Attestation - Specifically related to US-CERT and FedRAMP communications procedures.
-at least every 3 years
-at least annually
-at least annually
-not more than three (3)
-fifteen (15) minutes
-thirty (30) minutes
-see additional Requirements and Guidance
-see additional Requirements and Guidance
-at least quarterly
-at least every 3 years
-at least annually
-at least annually
-at least annually
-At least one year
-at least every 3 years
-at least annually
-Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes
-organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event
-organization-defined actions to be taken (overwrite oldest record)
-at least weekly
-at least ninety days
-all information system and network components where audit capability is deployed/available
-at least every 3 years
-at least annually
-at least annually
-individuals or roles to include FedRAMP PMO
-at least annually and on input from FedRAMP
-at least monthly
-at least every three years or when a significant change occurs
-to meet Federal and FedRAMP requirements (See additional guidance)
-to meet Federal and FedRAMP requirements (See additional guidance)
-at least every 3 years
-at least annually
-United States Government Configuration Baseline (USGCB)
-United States Government Configuration Baseline (USGCB)
-at least monthly
-Continuously (via CM-7 (5))
-at least every 3 years
-at least annually
-at least annually
-ten (10) days
-at least annually
-at least every three years
-classroom exercises/table top written tests
-daily incremental; weekly full
-daily incremental; weekly full
-daily incremental; weekly full
-at least every 3 years
-at least annually
-IA-4 (d) [at least two years]
-ninety days for user identifiers (See additional requirements and guidance)
-at least one
-twenty four
-at least every 3 years
-at least annually
-at least annually
-US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-see additional FedRAMP Requirements and Guidance
-at least annually
-see additional FedRAMP Requirements and Guidance
-at least every 3 years
-at least annually
-at least every 3 years
-at least annually
-at least every 3 years
-at least annually
-at least annually
-CSP defined physical access control systems/devices AND guards
-CSP defined physical access control systems/devices
-in all circumstances within restricted access area where the information system resides
-at least annually
-at least annually
-at least monthly
-for a minimum of one (1) year
-at least monthly
-consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-continuously
-all information system components
-at least every 3 years
-at least annually
-at least annually
-At least every 3 years
-at least every 3 years
-at least annually
-at least every three years
-For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.
-same day
-five days of the time period following the formal transfer action (DoD 24 hours)
-at least annually
-at least annually
-organization-defined time period - same day
-at least every 3 years
-at least annually
-security assessment report
-at least every three (3) years or when a significant change occurs
-at least every three (3) years or when a significant change occurs
-monthly operating system/infrastructure; monthly web applications and databases
-high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery.
-at least every 3 years
-at least annually
-FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-at least every 3 years
-at least annually
-FIPS-validated or NSA-approved cryptography
-no exceptions
-at least every 3 years
-at least annually
-within 30 days of release of updates
-at least weekly
-to include endpoints
-to include alerting administrator or defined security personnel
-to include US-CERT
-to include system security personnel and administrators with configuration/patch-management responsibilities
-The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
-The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.
-If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
-If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.
-The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.
-Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance https://www.fedramp.gov/documents/
-For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).
-Plan of Action & Milestones (POA&M) must be provided at least monthly.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide https://www.fedramp.gov/documents/
-Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.
-Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
-CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.fedramp.gov/documents/
-The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.
-The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).
-Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.
-The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
-Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. Partially derived from AC-17(8).
-Must be provided at least monthly or when there is a change.
-For JAB authorizations the contingency lists include designated FedRAMP personnel.
-The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.
-The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
-The service provider maintains at least three backup copies of user-level information (at least one of which is available online).
-The service provider maintains at least three backup copies of system-level information (at least one of which is available online).
-The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).
-Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
-The service provider defines the time period of inactivity for device identifiers.
-For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.
-Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3.
-If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.
-The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
-Report security incident information according to FedRAMP Incident Communications Procedure.
-The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
-The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
-The service provider measures temperature at server inlets and humidity levels by dew point.
-Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.
-Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
-To include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)
-The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).
-The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See https://www.niap-ccevs.org/Product/.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Continuous Monitoring Strategy Guide https://www.FedRAMP.gov/documents
-Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents > FedRAMP Authorization Boundary Guidance
-Federally approved and validated cryptography.
-The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.
-See US-CERT Incident Response Reporting Guidelines.
-at least every 3 years
-at least annually
-at least annually
-no more than 30 days for temporary and emergency account types
-90 days for user accounts
-all security functions
-not more than three (3)
-fifteen (15) minutes
-locks the account/node for thirty minutes
-see additional Requirements and Guidance
-see additional Requirements and Guidance
-three (3) sessions for privileged access and two (2) sessions for non-privileged access
-fifteen (15) minutes
-fifteen (15) minutes
-at least quarterly
-at least every 3 years
-at least annually
-at least annually
-at least annually
-At least one year
-at least every 3 years
-at least annually
-successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes
-organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event
-annually or whenever there is a change in the threat environment
-session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon
-organization-defined actions to be taken (overwrite oldest record)
-at least weekly
-At least hourly
-http://tf.nist.gov/tf-cgi/servers.cgi
-at least weekly
-at least ninety days
-all information system and network components where audit capability is deployed/available
-at least every 3 years
-at least annually
-at least annually
-individuals or roles to include FedRAMP PMO
-at least annually
-any FedRAMP Accredited 3PAO
-any FedRAMP Accredited 3PAO
-the conditions of the JAB/AO in the FedRAMP Repository
-at least annually and on input from FedRAMP
-Boundary Protections which meet the Trusted Internet Connection (TIC) requirements
-at least monthly
-at least every three (3) years or when a significant change occurs
-to meet Federal and FedRAMP requirements (See additional guidance)
-to meet Federal and FedRAMP requirements (See additional guidance)
-at least annually
-at least every 3 years
-at least annually
-at least annually or when a significant change occurs
-to include when directed by the JAB
-at least quarterly
-See CM-6(a) Additional FedRAMP Requirements and Guidance
-United States Government Configuration Baseline (USGCB)
-at least monthly
-at least Annually or when there is a change
-at least monthly
-Continuously, using automated mechanisms with a maximum five-minute delay in detection
-Continuously (via CM-7 (5))
-at least every 3 years
-at least annually
-at least annually
-ten (10) days
-at least annually
-at least annually
-functional exercises
-daily incremental; weekly full
-daily incremental; weekly full
-daily incremental; weekly full
-at least annually
-at least every 3 years
-at least annually
-FIPS 140-2, NIAP Certification, or NSA approval
-IA-4 (d) [at least two years]
-ninety days for user identifiers (See additional requirements and guidance)
-contractors; foreign nationals
-at least one
-twenty four (24)
-All hardware/biometric (multifactor authenticators)
-in person
-at least every 3 years
-at least annually
-at least annually
-at least annually
-see additional FedRAMP Requirements and Guidance
-US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
-see additional FedRAMP Requirements and Guidance
-at least annually
-see additional FedRAMP Requirements and Guidance
-at least every 3 years
-at least annually
-the information owner explicitly authorizing removal of the equipment from the facility
-at least every 3 years
-at least annually
-no removable media types
-all types of digital and non-digital media with sensitive information
-see additional FedRAMP requirements and guidance
-all media with sensitive information
-prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container
-at least annually
-at least every 3 years
-at least annually
-at least annually
-CSP defined physical access control systems/devices AND guards
-CSP defined physical access control systems/devices
-in all circumstances within restricted access area where the information system resides
-at least annually
-at least annually
-at least monthly
-for a minimum of one (1) year
-at least monthly
-consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
-continuously
-all information system components
-at least every 3 years
-at least annually
-at least annually
-at least every 3 years
-at least annually or when a significant change occurs
-at least every 3 years
-at least annually
-at least every three years
-for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions
-personnel screening criteria - as required by specific information
-same day
-five days of the time period following the formal transfer action (DoD 24 hours)
-at least annually
-at least annually
-organization-defined time period - same day
-at least every 3 years
-at least annually
-security assessment report
-at least every three (3) years or when a significant change occurs
-at least every three (3) years or when a significant change occurs
-monthly operating system/infrastructure; monthly web applications and databases
-high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery
-prior to a new scan
-operating systems / web applications / databases
-all scans
-at least every 3 years
-at least annually
-to include security-relevant external system interfaces and high-level design
-at least the minimum requirement as defined in control CA-7
-FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
-Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
-all external systems where Federal information is processed or stored
-all external systems where Federal information is processed or stored
-information processing, information data, AND information services
-development, implementation, AND operation
-at least every 3 years
-at least annually
-at least annually
-confidentiality AND integrity
-prevent unauthorized disclosure of information AND detect changes to information
-a hardened or alarmed carrier Protective Distribution System (PDS)
-no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions
-NIST FIPS-compliant
-FIPS-validated or NSA-approved cryptography
-no exceptions
-confidentiality AND integrity
-at least every 3 years
-at least annually
-within 30 days of release of updates
-at least monthly
-at least weekly
-to include endpoints
-to include alerting administrator or defined security personnel
-continuously
-to include US-CERT
-to include system security personnel and administrators with configuration/patch-management responsibilities
-to include upon system startup and/or restart
-at least monthly
-to include system administrators and security personnel
-to include notification of system administrators and security personnel
-Selection to include security relevant events
-at least monthly
-Required if shared/group accounts are deployed
-Required for privileged accounts.
-Required for privileged accounts.
-Should use a shorter timeframe than AC-12.
-Required if shared/group accounts are deployed
-Guidance: CSPs have the option to provide a separation of duties matrix - as an attachment to the SSP.
-Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.
-The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
-The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.
-If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
-If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results is approved and accepted by the JAB/AO.
-The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.
-Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.
-Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.
-The service provider defines audit record types [FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. The audit record types are approved and accepted by the JAB/AO.
-For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.
-Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.
-The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.
-The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.
-Synchronization of system clocks improves the accuracy of log analysis.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance https://www.fedramp.gov/documents/
-For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).
-To include 'announced', 'vulnerability scanning'
-Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.
-For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing
-Plan of Action & Milestones (POA&M) must be provided at least monthly.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide https://www.fedramp.gov/documents/
-Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.
-Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
-CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.fedramp.gov/documents/
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance https://www.FedRAMP.gov/documents/
-The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.
-In accordance with record retention policies and procedures.
-If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.
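A hash-based integrity check of the kind the entry above allows when no signature is available, as an added example that is not part of the FedRAMP baseline text. It verifies downloaded update artifacts against a `sha256sum`-style manifest, compares digests in constant time, and reports tampered, missing and unexpected files. The artifact bytes, file names and manifest are constructed here for illustration; in practice the manifest must be obtained over a channel independent of the download, since a hash only proves that the bytes match whatever manifest you fetched.

```python
"""Verify update artifacts against a published SHA-256 manifest (added example)."""
from __future__ import annotations

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hex}; reject malformed lines."""
    expected: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if (len(parts) != 2 or len(parts[0]) != 64
                or any(c not in "0123456789abcdef" for c in parts[0].lower())):
            raise ValueError("malformed manifest line %d: %r" % (lineno, line))
        name = parts[1].lstrip("*")  # sha256sum marks binary mode with a leading '*'
        expected[name] = parts[0].lower()
    return expected


def verify(manifest_text: str, artifacts: dict[str, bytes]) -> dict[str, str]:
    """Check every manifest entry against the artifact bytes; flag unlisted artifacts too."""
    expected = parse_manifest(manifest_text)
    results: dict[str, str] = {}
    for name, digest in expected.items():
        data = artifacts.get(name)
        if data is None:
            results[name] = "missing"
            continue
        # compare_digest keeps the comparison constant-time regardless of where digests differ
        results[name] = "ok" if hmac.compare_digest(sha256_hex(data), digest) else "MISMATCH"
    for name in artifacts:
        if name not in expected:
            results[name] = "not in manifest"
    return results


def all_ok(results: dict[str, str]) -> bool:
    """Install gate: every listed artifact present and matching, nothing extra."""
    return bool(results) and all(v == "ok" for v in results.values())


# Constructed artifacts standing in for a vendor update; MANIFEST is what the vendor would
# have published for the genuine bytes (names and contents are hypothetical).
GENUINE = {
    "agent-1.4.2.tar.gz": b"constructed package bytes for agent 1.4.2",
    "agent-1.4.2.deb": b"constructed package bytes for agent 1.4.2 (deb)",
}
MANIFEST = "".join("%s  %s\n" % (sha256_hex(b), n) for n, b in GENUINE.items())

# Constructed download set: tarball altered in transit, .deb missing, an extra file present.
DOWNLOADED = {
    "agent-1.4.2.tar.gz": GENUINE["agent-1.4.2.tar.gz"] + b"\x00",
    "agent-1.4.2.txt": b"unexpected extra file",
}

if __name__ == "__main__":
    report = verify(MANIFEST, DOWNLOADED)
    for name, status in report.items():
        print("%-22s %s" % (name, status))
    print("install allowed:", all_ok(report))
```

The manifest parser is deliberately strict: a line that is not 64 hex characters followed by a name raises rather than being skipped, so a truncated or tampered manifest cannot silently shrink the set of files that get checked.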
-The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.
-The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).
-Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.
-The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
-Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. Partially derived from AC-17(8).
-This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e., whitelisting). This control is not to be based solely on a written policy stating what is or is not allowed to run.
-Must be provided at least monthly or when there is a change.
-For JAB authorizations the contingency lists include designated FedRAMP personnel.
-The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.
-The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.
-The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
-The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
-The service provider maintains at least three backup copies of user-level information (at least one of which is available online).
-The service provider maintains at least three backup copies of system-level information (at least one of which is available online).
-The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).
-PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.
-Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
-The service provider defines the time period of inactivity for device identifiers.
-For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.
-Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3.
-If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.
-If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.
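An automated audit of the kind the two entries above call for, as an added example that is not part of the FedRAMP baseline text. It applies the verifier rules of NIST SP 800-63B Section 5.1.1.2 to memorized secrets: a minimum of 8 characters after NFKC normalization, secrets longer than 64 characters accepted rather than rejected, no control characters, and a blocklist check covering breach-corpus and dictionary words, repetitive or sequential characters, and context-specific words such as the username or service name. The blocklist, the usernames and the sample secrets are constructed for illustration; a real deployment loads a large breach-derived list in place of `BLOCKLIST`.

```python
"""Audit memorized secrets against NIST SP 800-63B 5.1.1.2 verifier rules (added example)."""
from __future__ import annotations

import re
import unicodedata

MIN_LEN = 8    # 800-63B: subscriber-chosen secrets are at least 8 characters
MAX_LEN = 64   # verifiers must accept at least 64 characters; longer is fine, never rejected

# Constructed stand-in for the breach-corpus / dictionary blocklist; not a real corpus.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou", "football", "monkey"}


def normalize(secret: str) -> str:
    """NFKC-normalize so length and comparisons use the same code points the verifier stores."""
    return unicodedata.normalize("NFKC", secret)


def has_repetition(s: str, run: int = 4) -> bool:
    """Same character repeated `run` or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def has_sequence(s: str, run: int = 4) -> bool:
    """`run` consecutive code points ascending or descending ('1234', 'dcba', 'wxyz')."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _stem(s: str) -> str:
    """Strip trailing digits/punctuation so 'password123!' still matches 'password'."""
    return re.sub(r"[\d\W_]+$", "", s.lower())


def audit_secret(secret: str, username: str = "", service: str = "") -> list[str]:
    """Return the 800-63B 5.1.1.2 rules the secret violates; an empty list means acceptable."""
    s = normalize(secret)
    reasons: list[str] = []
    if len(s) < MIN_LEN:  # each code point counts as one character
        reasons.append("shorter than %d characters" % MIN_LEN)
    if any(unicodedata.category(c).startswith("C") for c in s):
        reasons.append("contains control characters")
    low = s.lower()
    if low in BLOCKLIST or _stem(low) in BLOCKLIST:
        reasons.append("on blocklist (breach corpus / dictionary word)")
    if has_repetition(low):
        reasons.append("repetitive characters")
    if has_sequence(low):
        reasons.append("sequential characters")
    # context-specific words: username, service name and simple derivatives (reversed)
    for token in (username, service):
        t = token.lower()
        if len(t) >= 3 and (t in low or t[::-1] in low):
            reasons.append("contains context-specific word %r" % token)
    return reasons


def audit_store(records: list[dict]) -> dict[str, list[str]]:
    """Audit a batch of chosen secrets; returns failing usernames mapped to their reasons."""
    failures: dict[str, list[str]] = {}
    for r in records:
        reasons = audit_secret(r["secret"], r["username"], r.get("service", ""))
        if reasons:
            failures[r["username"]] = reasons
    return failures


# Constructed sample records (hypothetical users and secrets, not real credentials).
SAMPLE_RECORDS = [
    {"username": "jdoe", "service": "cloudapp", "secret": "correct horse battery staple"},
    {"username": "asmith", "service": "cloudapp", "secret": "Password123!"},
    {"username": "bchen", "service": "cloudapp", "secret": "bchen2024"},
    {"username": "dlee", "service": "cloudapp", "secret": "abcd1234xyz"},
    {"username": "ekim", "service": "cloudapp", "secret": "short"},
]

if __name__ == "__main__":
    for user, why in audit_store(SAMPLE_RECORDS).items():
        print(user, "->", "; ".join(why))
```

Note what the audit does not do: it imposes no composition rules (mixed case, digits, symbols) and no expiry, because 800-63B 5.1.1.2 tells verifiers not to; the strength signal comes from length and the blocklist, so the quality of the real blocklist is the part that matters.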
-The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional Testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.
-The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
-Report security incident information according to FedRAMP Incident Communications Procedure.
-The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
-The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
-Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline
-Second parameter not-applicable
-The service provider defines controlled areas within facilities where the information and information system reside.
-The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.
-Equipment and procedures may be tested or validated for effectiveness
-The service provider measures temperature at server inlets and humidity levels by dew point.
-Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.
-Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F
-Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
-To include all Authorizing Officials; for JAB authorizations to include FedRAMP.
-See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)
-Include in Continuous Monitoring ISSO digest/report to JAB/AO
-This enhancement is required for all high vulnerability scan findings.
-While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.
-For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.
-The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
-The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).
-The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See https://www.niap-ccevs.org/Product/.
-CSP must use the same security standards regardless of where the system component or information system service is acquired.
-Federally approved and validated cryptography.
-The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.
-The organization supports the capability to use cryptographic mechanisms to protect information at rest.
-The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.
-See US-CERT Incident Response Reporting Guidelines.
-In accordance with the incident response plan.