FedRAMP Control Quick Guide
Control requirements are identified in the
ID | Family                                          | FedRAMP SSP Class | Low Count | Moderate Count
AC | Access Control                                  | Technical         | 11        | 17 (24)
AT | Awareness and Training                          | Operational       | 4         | 4
AU | Audit and Accountability                        | Technical         | 10        | 12 (9)
CA | Certification, Accreditation, and Security Assessment | Management  | 6 (1)     | 6 (2)
CM | Configuration Management                        | Operational       | 6         | 9 (12)
CP | Contingency Planning                            | Operational       | 6         | 9 (15)
IA | Identification and Authentication               | Technical         | 7 (2)     | 8 (10)
IR | Incident Response                               | Operational       | 7         | 8 (4)
MA | Maintenance                                     | Operational       | 4         | 6 (6)
MP | Media Protection                                | Operational       | 3         | 6 (5)
PE | Physical and Environmental Protection           | Operational       | 11        | 18 (5)
PL | Planning                                        | Management        | 4         | 5
PS | Personnel Security                              | Operational       | 8         | 8
RA | Risk Assessment                                 | Management        | 4         | 4 (5)
SA | System and Services Acquisition                 | Management        | 8         | 12 (7)
SC | System and Communications Protection            | Technical         | 8 (1)     | 24 (16)
SI | System and Information Integrity                | Operational       | 5         | 12 (9)
Legend:
  Count = # of controls (# of enhancements)
  Impact Level: L = Low / M = Moderate
  Enhancements: (#, #)
  Additional FedRAMP Requirements: G = FedRAMP Guidance
Note: Controls and enhancements added by FedRAMP are shown in bold in the original guide.
Access Control (AC)

Control # | Control Name                                                | Low   | Moderate
AC-1      | Access Control Policy and Procedures                        | L     | M
AC-2      | Account Management                                          | L     | M (1,2,3,4,7)
AC-3      | Access Enforcement                                          | L     | M (3)
AC-4      | Information Flow Enforcement                                |       | M
AC-5      | Separation of Duties                                        |       | M
AC-6      | Least Privilege                                             |       | M (1,2)
AC-7      | Unsuccessful Login Attempts                                 | L     | M
AC-8      | System Use Notification                                     | L     | M
AC-10     | Concurrent Session Control                                  |       | M
AC-11     | Session Lock                                                |       | M (1)
AC-14     | Permitted Actions Without Identification/Authentication     | L     | M (1)
AC-16     | Security Attributes                                         |       | M
AC-17     | Remote Access                                               | L     | M (1,2,3,4,5,7,8)
AC-18     | Wireless Access                                             | L     | M (1,2)
AC-19     | Access Control for Mobile Devices                           | L     | M (1,2,3)
AC-20     | Use of External Information Systems                         | L     | M (1,2)
AC-22     | Publicly Accessible Content                                 | L     | M
Additional Req.: G on four controls; the source layout does not show which rows.
Awareness and Training (AT)

Control # | Control Name                                                | Low   | Moderate
AT-1      | Security Awareness and Training Policy and Procedures       | L     | M
AT-2      | Security Awareness                                          | L     | M
AT-3      | Security Training                                           | L     | M
AT-4      | Security Training Records                                   | L     | M
Additional Req.: none marked.
Audit and Accountability (AU)

Control # | Control Name                                                | Low   | Moderate
AU-1      | Audit and Accountability Policy and Procedures              | L     | M
AU-2      | Auditable Events                                            | L     | M (3,4)
AU-3      | Content of Audit Records                                    | L     | M (1)
AU-4      | Audit Storage Capacity                                      | L     | M
AU-5      | Response to Audit Processing Failures                       | L     | M
AU-6      | Audit Review, Analysis, and Reporting                       | L     | M (1,3)
AU-7      | Audit Reduction and Report Generation                       |       | M (1)
AU-8      | Time Stamps                                                 | L     | M (1)
AU-9      | Protection of Audit Information                             | L     | M (2)
AU-10     | Non-Repudiation                                             |       | M (5)
AU-11     | Audit Record Retention                                      | L     | M
AU-12     | Audit Generation                                            | L     | M
Additional Req.: G on three controls; the source layout does not show which rows.
Certification, Accreditation, and Security Assessment (CA)

Control # | Control Name                                                | Low   | Moderate
CA-1      | Security Assessment and Authorization Policies and Procedures | L   | M
CA-2      | Security Assessments                                        | L (1) | M (1)
CA-3      | Information System Connections                              | L     | M
CA-5      | Plan of Action and Milestones                               | L     | M
CA-6      | Security Authorization                                      | L     | M
CA-7      | Continuous Monitoring                                       | L     | M (2)
Additional Req.: G on one control; the source layout does not show which row.
Configuration Management (CM)

Control # | Control Name                                                | Low   | Moderate
CM-1      | Configuration Management Policy and Procedures              | L     | M
CM-2      | Baseline Configuration                                      | L     | M (1,3,5)
CM-3      | Configuration Change Control                                |       | M (2)
CM-4      | Security Impact Analysis                                    | L     | M
CM-5      | Access Restrictions for Change                              |       | M (1,5)
CM-6      | Configuration Settings                                      | L     | M (1,3)
CM-7      | Least Functionality                                         | L     | M (1)
CM-8      | Information System Component Inventory                      | L     | M (1,3,5)
CM-9      | Configuration Management Plan                               |       | M
Additional Req.: G on four controls; the source layout does not show which rows.
Contingency Planning (CP)

Control # | Control Name                                                | Low   | Moderate
CP-1      | Contingency Planning Policy and Procedures                  | L     | M
CP-2      | Contingency Plan                                            | L     | M (1,2)
CP-3      | Contingency Training                                        | L     | M
CP-4      | Contingency Plan Testing and Exercises                      | L     | M (1)
CP-6      | Alternate Storage Site                                      |       | M (1,3)
CP-7      | Alternate Processing Site                                   |       | M (1,2,3,5)
CP-8      | Telecommunications Services                                 |       | M (1,2)
CP-9      | Information System Backup                                   | L     | M (1,3)
CP-10     | Information System Recovery and Reconstitution              | L     | M (2,3)
Additional Req.: none marked.
Identification and Authentication (IA)

Control # | Control Name                                                | Low   | Moderate
IA-1      | Identification and Authentication Policy and Procedures     | L     | M
IA-2      | Identification and Authentication (Organizational Users)    | L (1) | M (1,2,3,8)
IA-3      | Device Identification and Authentication                    |       | M
IA-4      | Identifier Management                                       | L     | M (4)
IA-5      | Authenticator Management                                    | L (1) | M (1,2,3,6,7)
IA-6      | Authenticator Feedback                                      | L     | M
IA-7      | Cryptographic Module Authentication                         | L     | M
IA-8      | Identification and Authentication (Non-Organizational Users) | L    | M
Additional Req.: G on one control; the source layout does not show which row.
Incident Response (IR)

Control # | Control Name                                                | Low   | Moderate
IR-1      | Incident Response Policy and Procedures                     | L     | M
IR-2      | Incident Response Training                                  | L     | M
IR-3      | Incident Response Testing and Exercises                     |       | M
IR-4      | Incident Handling                                           | L     | M (1)
IR-5      | Incident Monitoring                                         | L     | M
IR-6      | Incident Reporting                                          | L     | M (1)
IR-7      | Incident Response Assistance                                | L     | M (1,2)
IR-8      | Incident Response Plan                                      | L     | M
Maintenance (MA)

Control # | Control Name                                                | Low   | Moderate
MA-1      | System Maintenance Policy and Procedures                    | L     | M
MA-2      | Controlled Maintenance                                      | L     | M (1)
MA-3      | Maintenance Tools                                           |       | M (1,2,3)
MA-4      | Non-Local Maintenance                                       | L     | M (1,2)
MA-5      | Maintenance Personnel                                       | L     | M
MA-6      | Timely Maintenance                                          |       | M
Media Protection (MP)

Control # | Control Name                                                | Low   | Moderate
MP-1      | Media Protection Policy and Procedures                      | L     | M
MP-2      | Media Access                                                | L     | M (1)
MP-3      | Media Marking                                               |       | M
MP-4      | Media Storage                                               |       | M (1)
MP-5      | Media Transport                                             |       | M (2,4)
MP-6      | Media Sanitization                                          | L     | M (4)
Additional Req.: none marked.
Planning (PL)

Control # | Control Name                                                | Low   | Moderate
PL-1      | Security Planning Policy and Procedures                     | L     | M
PL-2      | System Security Plan                                        | L     | M
PL-4      | Rules of Behavior                                           | L     | M
PL-5      | Privacy Impact Assessment                                   | L     | M
PL-6      | Security-Related Activity Planning                          |       | M
Additional Req.: none marked.
Personnel Security (PS)

Control # | Control Name                                                | Low   | Moderate
PS-1      | Personnel Security Policy and Procedures                    | L     | M
PS-2      | Position Categorization                                     | L     | M
PS-3      | Personnel Screening                                         | L     | M
PS-4      | Personnel Termination                                       | L     | M
PS-5      | Personnel Transfer                                          | L     | M
PS-6      | Access Agreements                                           | L     | M
PS-7      | Third-Party Personnel Security                              | L     | M
PS-8      | Personnel Sanctions                                         | L     | M
Additional Req.: none marked.
Risk Assessment (RA)

Control # | Control Name                                                | Low   | Moderate           | Additional Req.
RA-1      | Risk Assessment Policy and Procedures                       | L     | M                  |
RA-2      | Security Categorization                                     | L     | M                  |
RA-3      | Risk Assessment                                             | L     | M                  | G
RA-5      | Vulnerability Scanning                                      | L     | M (1,2,3,5,6,9)    | G
System and Communications Protection (SC)

Control # | Control Name                                                            | Low   | Moderate
SC-1      | System and Communications Protection Policy and Procedures              | L     | M
SC-2      | Application Partitioning                                                |       | M
SC-4      | Information in Shared Resources                                         |       | M
SC-5      | Denial of Service Protection                                            | L     | M
SC-6      | Resource Priority                                                       |       | M
SC-7      | Boundary Protection                                                     | L     | M (1,2,3,4,5,7,8,12,13,18)
SC-8      | Transmission Integrity                                                  |       | M (1)
SC-9      | Transmission Confidentiality                                            |       | M (1)
SC-10     | Network Disconnect                                                      |       | M
SC-11     | Trusted Path                                                            |       | M
SC-12     | Cryptographic Key Establishment and Management                          | L     | M (2,5)
SC-13     | Use of Cryptography                                                     | L     | M (1)
SC-14     | Public Access Protections                                               | L     | M
SC-15     | Collaborative Computing Devices                                         | L     | M
SC-17     | Public Key Infrastructure Certificates                                  |       | M
SC-18     | Mobile Code                                                             |       | M
SC-19     | Voice Over Internet Protocol                                            |       | M
SC-20     | Secure Name/Address Resolution Service (Authoritative Source)           | L (1) | M (1)
SC-21     | Secure Name/Address Resolution Service (Recursive or Caching Resolver)  |       | M
SC-22     | Architecture and Provisioning for Name/Address Resolution Service       |       | M
SC-23     | Session Authenticity                                                    |       | M
SC-28     | Protection of Information at Rest                                       |       | M
SC-30     | Virtualization Techniques                                               |       | M
SC-32     | Information System Partitioning                                         |       | M
Additional Req.: G on one control; the source layout does not show which row.
Physical and Environmental Protection (PE)

Control # | Control Name                                                | Low   | Moderate
PE-1      | Physical and Environmental Protection Policy and Procedures | L     | M
PE-2      | Physical Access Authorizations                              | L     | M
PE-3      | Physical Access Control                                     | L     | M
PE-4      | Access Control for Transmission Medium                      |       | M
PE-5      | Access Control for Output Devices                           |       | M
PE-6      | Monitoring Physical Access                                  | L     | M (1)
PE-7      | Visitor Control                                             | L     | M (1)
PE-8      | Access Records                                              | L     | M
PE-9      | Power Equipment and Power Cabling                           |       | M
PE-10     | Emergency Shutoff                                           |       | M
PE-11     | Emergency Power                                             |       | M
PE-12     | Emergency Lighting                                          | L     | M
PE-13     | Fire Protection                                             | L     | M (1,2,3)
PE-14     | Temperature and Humidity Controls                           | L     | M
PE-15     | Water Damage Protection                                     | L     | M
PE-16     | Delivery and Removal                                        | L     | M
PE-17     | Alternate Work Site                                         |       | M
PE-18     | Location of Information System Components                   |       | M
Additional Req.: none marked.
System and Services Acquisition (SA)

Control # | Control Name                                                | Low   | Moderate
SA-1      | System and Services Acquisition Policy and Procedures       | L     | M
SA-2      | Allocation of Resources                                     | L     | M
SA-3      | Life Cycle Support                                          | L     | M
SA-4      | Acquisitions                                                | L     | M (1,4,7)
SA-5      | Information System Documentation                            | L     | M (1,3)
SA-6      | Software Usage Restrictions                                 | L     | M
SA-7      | User-Installed Software                                     | L     | M
SA-8      | Security Engineering Principles                             |       | M
SA-9      | External Information System Services                        | L     | M (1)
SA-10     | Developer Configuration Management                          |       | M
SA-11     | Developer Security Testing                                  |       | M (1)
SA-12     | Supply Chain Protection                                     |       | M
Additional Req.: G on one control; the source layout does not show which row.
System and Information Integrity (SI)

Control # | Control Name                                                | Low   | Moderate
SI-1      | System and Information Integrity Policy and Procedures      | L     | M
SI-2      | Flaw Remediation                                            | L     | M (2)
SI-3      | Malicious Code Protection                                   | L     | M (1,2,3)
SI-4      | Information System Monitoring                               |       | M (2,4,5,6)
SI-5      | Security Alerts, Advisories, and Directives                 | L     | M
SI-6      | Security Functionality Verification                         |       | M
SI-7      | Software and Information Integrity                          |       | M (1)
SI-8      | Spam Protection                                             |       | M
SI-9      | Information Input Restrictions                              |       | M
SI-10     | Information Input Validation                                |       | M
SI-11     | Error Handling                                              |       | M
SI-12     | Information Output Handling and Retention                   | L     | M
Additional Req.: G on one control; the source layout does not show which row.