FedRAMP Control Certification, Accreditation, & Sec ...

FedRAMP Control Quick Guide

Control requirements are identified in the

ID  Family                                                 FedRAMP SSP Class  Low Count  Moderate Count
AC  Access Control                                         Technical          11         17 (24)
AT  Awareness and Training                                 Operational        4          4
AU  Audit and Accountability                               Technical          10         12 (9)
CA  Certification, Accreditation, and Security Assessment  Management         6 (1)      6 (2)
CM  Configuration Management                               Operational        6          9 (12)
CP  Contingency Planning                                   Operational        6          9 (15)
IA  Identification and Authentication                      Technical          7 (2)      8 (10)
IR  Incident Response                                      Operational        7          8 (4)
MA  Maintenance                                            Operational        4          6 (6)
MP  Media Protection                                       Operational        3          6 (5)
PE  Physical and Environmental Protection                  Operational        11         18 (5)
PL  Planning                                               Management         4          5
PS  Personnel Security                                     Operational        8          8
RA  Risk Assessment                                        Management         4          4 (5)
SA  System and Services Acquisition                        Management         8          12 (7)
SC  System and Communications Protection                   Technical          8 (1)      24 (16)
SI  System and Information Integrity                       Operational        5          12 (9)

Legend:
  Count = number of controls (number of enhancements)
  Impact Level: L = Low / M = Moderate
  Enhancements: (#, #)
  Additional FedRAMP Requirements / FedRAMP Guidance = G

Note: Controls and Enhancements added by FedRAMP are in bold.

Access Control (AC)

Control #  Control Name                                              Low  Moderate
AC-1       Access Control Policy and Procedures                      L    M
AC-2       Account Management                                        L    M (1,2,3,4,7)
AC-3       Access Enforcement                                        L    M (3)
AC-4       Information Flow Enforcement                                   M
AC-5       Separation of Duties                                           M
AC-6       Least Privilege                                                M (1,2)
AC-7       Unsuccessful Login Attempts                               L    M
AC-8       System Use Notification                                   L    M
AC-10      Concurrent Session Control                                     M
AC-11      Session Lock                                                   M (1)
AC-14      Permitted Actions Without Identification/Authentication   L    M (1)
AC-16      Security Attributes                                            M
AC-17      Remote Access                                             L    M (1,2,3,4,5,7,8)
AC-18      Wireless Access                                           L    M (1,2)
AC-19      Access Control for Mobile Devices                         L    M (1,2,3)
AC-20      Use of External Information Systems                       L    M (1,2)
AC-22      Publicly Accessible Content                               L    M

Additional Req.: G on four AC controls (the source text does not show which rows).

Awareness and Training (AT)

Control #  Control Name                                          Low  Moderate
AT-1       Security Awareness and Training Policy and Procedures  L    M
AT-2       Security Awareness                                    L    M
AT-3       Security Training                                     L    M
AT-4       Security Training Records                             L    M

Additional Req.: none

Audit and Accountability (AU)

Control #  Control Name                                      Low  Moderate
AU-1       Audit and Accountability Policy and Procedures    L    M
AU-2       Auditable Events                                  L    M (3,4)
AU-3       Content of Audit Records                          L    M (1)
AU-4       Audit Storage Capacity                            L    M
AU-5       Response to Audit Processing Failures             L    M
AU-6       Audit Review, Analysis, and Reporting             L    M (1,3)
AU-7       Audit Reduction and Report Generation                  M (1)
AU-8       Time Stamps                                       L    M (1)
AU-9       Protection of Audit Information                   L    M (2)
AU-10      Non-Repudiation                                        M (5)
AU-11      Audit Record Retention                            L    M
AU-12      Audit Generation                                  L    M

Additional Req.: G on three AU controls (the source text does not show which rows).

Certification, Accreditation, & Sec. Assessment (CA)

Control #  Control Name                                                    Low    Moderate
CA-1       Security Assessment and Authorization Policies and Procedures   L      M
CA-2       Security Assessments                                            L (1)  M (1)
CA-3       Information System Connections                                  L      M
CA-5       Plan of Action and Milestones                                   L      M
CA-6       Security Authorization                                          L      M
CA-7       Continuous Monitoring                                           L      M (2)

Additional Req.: G on one CA control (the source text does not show which row).

Configuration Management (CM)

Control #  Control Name                                       Low  Moderate
CM-1       Configuration Management Policy and Procedures     L    M
CM-2       Baseline Configuration                             L    M (1,3,5)
CM-3       Configuration Change Control                            M (2)
CM-4       Security Impact Analysis                           L    M
CM-5       Access Restrictions for Change                          M (1,5)
CM-6       Configuration Settings                             L    M (1,3)
CM-7       Least Functionality                                L    M (1)
CM-8       Information System Component Inventory             L    M (1,3,5)
CM-9       Configuration Management Plan                           M

Additional Req.: G on four CM controls (the source text does not show which rows).

Contingency Planning (CP)

Control #  Control Name                                        Low  Moderate
CP-1       Contingency Planning Policy and Procedures          L    M
CP-2       Contingency Plan                                    L    M (1,2)
CP-3       Contingency Training                                L    M
CP-4       Contingency Plan Testing and Exercises              L    M (1)
CP-6       Alternate Storage Site                                   M (1,3)
CP-7       Alternate Processing Site                                M (1,2,3,5)
CP-8       Telecommunications Services                              M (1,2)
CP-9       Information System Backup                           L    M (1,3)
CP-10      Information System Recovery and Reconstitution      L    M (2,3)

Additional Req.: none

Identification and Authentication (IA)

Control #  Control Name                                                    Low    Moderate
IA-1       Identification and Authentication Policy and Procedures         L      M
IA-2       Identification and Authentication (Organizational Users)        L (1)  M (1,2,3,8)
IA-3       Device Identification and Authentication                               M
IA-4       Identifier Management                                           L      M (4)
IA-5       Authenticator Management                                        L (1)  M (1,2,3,6,7)
IA-6       Authenticator Feedback                                          L      M
IA-7       Cryptographic Module Authentication                             L      M
IA-8       Identification and Authentication (Non-Organizational Users)    L      M

Additional Req.: G on one IA control (the source text does not show which row).

Incident Response (IR)

Control #  Control Name                                  Low  Moderate
IR-1       Incident Response Policy and Procedures       L    M
IR-2       Incident Response Training                    L    M
IR-3       Incident Response Testing and Exercises            M
IR-4       Incident Handling                             L    M (1)
IR-5       Incident Monitoring                           L    M
IR-6       Incident Reporting                            L    M (1)
IR-7       Incident Response Assistance                  L    M (1,2)
IR-8       Incident Response Plan                        L    M

Maintenance (MA)

Control #  Control Name                                  Low  Moderate
MA-1       System Maintenance Policy and Procedures      L    M
MA-2       Controlled Maintenance                        L    M (1)
MA-3       Maintenance Tools                                  M (1,2,3)
MA-4       Non-Local Maintenance                         L    M (1,2)
MA-5       Maintenance Personnel                         L    M
MA-6       Timely Maintenance                                 M

Media Protection (MP)

Control #  Control Name                                  Low  Moderate
MP-1       Media Protection Policy and Procedures        L    M
MP-2       Media Access                                  L    M (1)
MP-3       Media Marking                                      M
MP-4       Media Storage                                      M (1)
MP-5       Media Transport                                    M (2,4)
MP-6       Media Sanitization                            L    M (4)

Additional Req.: none

Planning (PL)

Control #  Control Name                                  Low  Moderate
PL-1       Security Planning Policy and Procedures       L    M
PL-2       System Security Plan                          L    M
PL-4       Rules of Behavior                             L    M
PL-5       Privacy Impact Assessment                     L    M
PL-6       Security-Related Activity Planning                 M

Additional Req.: none

Personnel Security (PS)

Control #  Control Name                                  Low  Moderate
PS-1       Personnel Security Policy and Procedures      L    M
PS-2       Position Categorization                       L    M
PS-3       Personnel Screening                           L    M
PS-4       Personnel Termination                         L    M
PS-5       Personnel Transfer                            L    M
PS-6       Access Agreements                             L    M
PS-7       Third-Party Personnel Security                L    M
PS-8       Personnel Sanctions                           L    M

Additional Req.: none

Risk Assessment (RA)

Control #  Control Name                                  Low  Moderate           Additional Req.
RA-1       Risk Assessment Policy and Procedures         L    M
RA-2       Security Categorization                       L    M
RA-3       Risk Assessment                               L    M
RA-5       Vulnerability Scanning                        L    M (1,2,3,5,6,9)    G

Additional Req.: one further G in this family (the source text does not show which row).

System and Communications Protection (SC)

Control #  Control Name                                                             Low    Moderate
SC-1       System and Communications Protection Policy and Procedures               L      M
SC-2       Application Partitioning                                                        M
SC-4       Information in Shared Resources                                                 M
SC-5       Denial of Service Protection                                             L      M
SC-6       Resource Priority                                                               M
SC-7       Boundary Protection                                                      L      M (1,2,3,4,5,7,8,12,13,18)
SC-8       Transmission Integrity                                                          M (1)
SC-9       Transmission Confidentiality                                                    M (1)
SC-10      Network Disconnect                                                              M
SC-11      Trusted Path                                                                    M
SC-12      Cryptographic Key Establishment and Management                           L      M (2,5)
SC-13      Use of Cryptography                                                      L      M (1)
SC-14      Public Access Protections                                                L      M
SC-15      Collaborative Computing Devices                                          L      M
SC-17      Public Key Infrastructure Certificates                                          M
SC-18      Mobile Code                                                                     M
SC-19      Voice Over Internet Protocol                                                    M
SC-20      Secure Name/Address Resolution Service (Authoritative Source)            L (1)  M (1)
SC-21      Secure Name/Address Resolution Service (Recursive or Caching Resolver)          M
SC-22      Architecture and Provisioning for Name/Address Resolution Service               M
SC-23      Session Authenticity                                                            M
SC-28      Protection of Information at Rest                                               M
SC-30      Virtualization Techniques                                                       M
SC-32      Information System Partitioning                                                 M

Additional Req.: G on one SC control (the source text does not show which row).

Physical and Environmental Protection (PE)

Control #  Control Name                                                   Low  Moderate
PE-1       Physical and Environmental Protection Policy and Procedures    L    M
PE-2       Physical Access Authorizations                                 L    M
PE-3       Physical Access Control                                        L    M
PE-4       Access Control for Transmission Medium                              M
PE-5       Access Control for Output Devices                                   M
PE-6       Monitoring Physical Access                                     L    M (1)
PE-7       Visitor Control                                                L    M (1)
PE-8       Access Records                                                 L    M
PE-9       Power Equipment and Power Cabling                                   M
PE-10      Emergency Shutoff                                                   M
PE-11      Emergency Power                                                     M
PE-12      Emergency Lighting                                             L    M
PE-13      Fire Protection                                                L    M (1,2,3)
PE-14      Temperature and Humidity Controls                              L    M
PE-15      Water Damage Protection                                        L    M
PE-16      Delivery and Removal                                           L    M
PE-17      Alternate Work Site                                                 M
PE-18      Location of Information System Components                           M

Additional Req.: none

System and Services Acquisition (SA)

Control #  Control Name                                             Low  Moderate
SA-1       System and Services Acquisition Policy and Procedures    L    M
SA-2       Allocation of Resources                                  L    M
SA-3       Life Cycle Support                                       L    M
SA-4       Acquisitions                                             L    M (1,4,7)
SA-5       Information System Documentation                         L    M (1,3)
SA-6       Software Usage Restrictions                              L    M
SA-7       User-Installed Software                                  L    M
SA-8       Security Engineering Principles                               M
SA-9       External Information System Services                     L    M (1)
SA-10      Developer Configuration Management                            M
SA-11      Developer Security Testing                                    M (1)
SA-12      Supply Chain Protection                                       M

Additional Req.: G on one SA control (the source text does not show which row).

System and Information Integrity (SI)

Control #  Control Name                                              Low  Moderate
SI-1       System and Information Integrity Policy and Procedures    L    M
SI-2       Flaw Remediation                                          L    M (2)
SI-3       Malicious Code Protection                                 L    M (1,2,3)
SI-4       Information System Monitoring                                  M (2,4,5,6)
SI-5       Security Alerts, Advisories, and Directives               L    M
SI-6       Security Functionality Verification                            M
SI-7       Software and Information Integrity                             M (1)
SI-8       Spam Protection                                                M
SI-9       Information Input Restrictions                                 M
SI-10      Information Input Validation                                   M
SI-11      Error Handling                                                 M
SI-12      Information Output Handling and Retention                 L    M

Additional Req.: G on one SI control (the source text does not show which row).
