FedRAMP Baseline Security Controls v1.0

Upload: fedscoop

Post on 06-Apr-2018


    8/3/2019 FedRAMP Baseline Security Controls v1.0 (1/24)

    FedRAMP Security Controls Baseline, Version 1.0

    Column headings: Control Number and Name; Control Baseline (Low, Moderate); Control Parameter Requirements; Additional Requirements and Guidance

    AC-1 AC-1 AC-1 None.

    AC-2 AC-2 AC-2

    AC-2 (1)

    AC-2 (2)

    AC-2 (3)

    AC-2 (4)

    AC-2 (7)

    AC-3 AC-3 AC-3

    AC-3 (3)

    AC-4 AC-4 None. None.

    AC-5 AC-5 None. None.

    AC-6 AC-6

    AC-6 (1)

    AC-6 (2)

    1.1. Access Control (AC)

    Access Control Policy and Procedures

    AC-1 [Assignment: organization-defined frequency] Parameter: [at least annually]

    Account Management

    AC-2j. [Assignment: organization-defined frequency] Parameter: [at least annually]

    AC-2 (2) [Assignment: organization-defined time period for each type of account (temporary and emergency)] Parameter: [no more than ninety days for temporary and emergency account

    AC-2 (3) [Assignment: organization-defined time period] Parameter: [ninety days for user accounts]

    AC-2 (3) Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB.

    Access Enforcement

    AC-3 (3) [Assignment: organization-defined nondiscretionary access control policies] Parameter: [role-based access control] [Assignment: organization-defined set of users and resources] Parameter: [all users and resources]

    AC-3 (3) Requirement: The service provider:
    a. Assigns user accounts and authenticators in accordance with the service provider's role-based access control policies;
    b. Configures the information system to request user ID and authenticator prior to system access; and
    c. Configures the databases containing federal information in accordance with the service provider's security administration guide to provide role-based access controls enforcing assigned privileges and permissions at the file, table, row, column, or cell level, as appropriate.

    Information Flow Enforcement (Low baseline: Not Selected)

    Separation of Duties (Low baseline: Not Selected)

    Least Privilege (Low baseline: Not Selected)

    AC-6 (1) [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information] Parameter: See additional requirements and guidance.

    AC-6 (1) Requirement: The service provider defines the list of security functions. The list of functions is approved and accepted by the JAB.

    AC-6 (2) [Assignment: organization-defined list of security functions or security-relevant information] Parameter: [all security

    AC-6 (2) Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.


    AC-7 AC-7 None.

    AC-8 AC-8 AC-8 None.

    AC-10 AC-10 None.

    AC-11 AC-11

    AC-11 (1)

    AC-14 AC-14 None. None.

    AC-14 (1)

    AC-16 AC-16

    AC-17 AC-17 AC-17

    AC-17 (1)

    AC-17 (2)

    AC-17 (3)

    AC-17 (4)

    AC-7 Unsuccessful Login Attempts

    AC-7a. [Assignment: organization-defined number] Parameter: [not more than three]

    AC-7a. [Assignment: organization-defined time period] Parameter: [fifteen minutes]

    AC-7b. [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] Parameter: [locks the account/node for thirty minutes]
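The AC-7 parameters above (not more than three failed attempts within fifteen minutes, then a thirty-minute lock on the account/node) describe a sliding-window lockout. The following is an added example, not text or code from the FedRAMP baseline: it implements that window in Python. The class and function names, the constructed login sequence and the choice of a per-account deque are this example's own; the three thresholds are the AC-7a and AC-7b parameter values.

```python
"""Sliding-window account lockout with the AC-7 baseline parameters.

Added example, not from the FedRAMP document: class, function and
account names are invented here; the three thresholds are the AC-7a
and AC-7b parameter values (three attempts, fifteen minutes, thirty
minutes). Timestamps are plain integers (seconds) so the logic can be
replayed deterministically.
"""
from collections import defaultdict, deque

MAX_FAILURES = 3            # AC-7a: not more than three invalid attempts...
WINDOW_SECONDS = 15 * 60    # AC-7a: ...within a fifteen-minute period
LOCKOUT_SECONDS = 30 * 60   # AC-7b: lock the account/node for thirty minutes


class LockoutPolicy:
    """Tracks failed attempts per account and enforces the lock."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # account -> timestamps of failures
        self._locked_until = {}               # account -> unlock timestamp

    def is_locked(self, account, now):
        """True while the AC-7b lock is in force; expired locks are cleared."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_attempt(self, account, success, now):
        """Apply one login attempt; returns 'locked', 'allowed' or 'denied'."""
        if self.is_locked(account, now):
            # A locked account rejects even a correct authenticator until
            # the thirty minutes have elapsed.
            return "locked"
        failures = self._failures[account]
        if success:
            failures.clear()        # AC-7 counts consecutive failures
            return "allowed"
        failures.append(now)
        # Drop failures older than the fifteen-minute window.
        while failures and now - failures[0] > self.window:
            failures.popleft()
        if len(failures) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            failures.clear()
            return "locked"
        return "denied"


def replay(events, policy=None):
    """Run (timestamp, account, success) events through the policy and
    return the decision for each; used with the constructed list below."""
    policy = policy or LockoutPolicy()
    return [policy.record_attempt(acct, ok, ts) for ts, acct, ok in events]


# Constructed sample: three quick failures lock "alice"; "bob" spreads his
# failures so that the oldest one ages out of the window before the third.
SAMPLE_EVENTS = [
    (0, "alice", False), (30, "alice", False), (60, "alice", False),
    (90, "alice", True),            # correct password, but still locked
    (100, "bob", False), (600, "bob", False), (1100, "bob", False),
    (60 + 1800, "alice", True),     # lock expired: allowed
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

The window is the point worth noticing on the defensive side: failures are only counted inside the fifteen minutes, so a low-and-slow guessing pattern like "bob" above never trips the lock. That is why the same attempt stream should also go to the failed-access audit trail called for under AU-2 (4), where the pattern is visible even though no lock fired.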

    System Use Notification

    AC-8 Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB.

    AC-8 Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB.

    AC-8 Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

    AC-8 Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results is approved and accepted by the JAB.

    Concurrent Session Control (Low baseline: Not Selected)

    AC-10 [Assignment: organization-defined number] Parameter: [one session]

    Session Lock (Low baseline: Not Selected)

    AC-11a. [Assignment: organization-defined time period] Parameter: [fifteen minutes]

    AC-11 (1) Guidance: For IaaS and PaaS.

    Permitted Actions Without Identification/Authentication

    AC-14

    Security Attributes (Low baseline: Not Selected)

    AC-16 [Assignment: organization-defined security attributes] Parameter: See additional requirements and guidance.

    AC-16 Requirement: If the service provider offers the capability of defining security attributes, then the security attributes need to be approved and accepted by JAB.

    Remote Access


    AC-17 (5)

    AC-17 (7)

    AC-17 (8)

    AC-17 (5) [Assignment: organization-defined frequency] Parameter: [continuously, real time]

    AC-17 (7) [Assignment: organization-defined list of security functions and security-relevant information] Parameter: See additional requirements and guidance.

    AC-17 (7) Requirement: The service provider defines the list of security functions and security relevant information. Security functions and the implementation of such functions are approved and accepted by the JAB.

    AC-17 (7) Guidance: Security functions include but are not limited to: establishing system accounts; configuring access authorizations; performing system administration functions; and auditing system events or accessing event logs; SSH, and VPN.

    AC-17 (8) [Assignment: organization-defined networking protocols within the information system deemed to be non-secure] Parameter: [tftp (trivial ftp); X-Windows, Sun OpenWindows; FTP; TELNET; IPX/SPX; NETBIOS; Bluetooth; RPC-services, like NIS or NFS; rlogin, rsh, rexec; SMTP (Simple Mail Transfer Protocol); RIP (Routing Information Protocol); DNS (Domain Name Services); UUCP (Unix-Unix Copy Protocol); NNTP (Network News Transfer Protocol); NTP (Network Time Protocol); Peer-to-Peer]

    AC-17 (8) Requirement: Networking protocols implemented by the service provider are approved and accepted by JAB.

    AC-17 (8) Guidance: Exceptions to restricted networking protocols are granted for explicitly identified information system components in support of specific operational requirements.


    AC-18 AC-18 AC-18 None.

    AC-18 (1)

    AC-18 (2)

    AC-19 AC-19 AC-19

    AC-19 (1)

    AC-19 (2)

    AC-19 (3)

    AC-20 AC-20 AC-20 None. None.

    AC-20 (1)

    AC-20 (2)

    AC-22 AC-22 AC-22 None.

    AT-1 AT-1 AT-1 None.

    AT-2 AT-2 AT-2 None.

    AT-3 AT-3 AT-3 None.

    AT-4 AT-4 AT-4 None.

    AU-1 AU-1 AU-1 None.

    Wireless Access

    AC-18 (2) [Assignment: organization-defined frequency] Parameter: [at least quarterly]

    Access Control for Mobile Devices

    AC-19g. [Assignment: organization-defined inspection and preventative measures] Parameter: See additional requirements and guidance.

    AC-19g. Requirement: The service provider defines inspection and preventative measures. The measures are approved and accepted by JAB.

    Use of External Information Systems

    Publicly Accessible Content

    AC-22d. [Assignment: organization-defined frequency] Parameter: [at least quarterly]

    1.2. Awareness and Training (AT)

    Security Awareness and Training Policy and Procedures

    AT-1 [Assignment: organization-defined frequency] Parameter: [at least annually]

    Security Awareness

    AT-2 [Assignment: organization-defined frequency] Parameter: [at least annually]

    Security Training

    AT-3 [Assignment: organization-defined frequency] Parameter: [at least every three years]

    Security Training Records

    AT-4b. [Assignment: organization-defined frequency] Parameter: [At least three years]

    1.3. Audit and Accountability (AU)

    Audit and Accountability Policy and Procedures

    AU-1 [Assignment: organization-defined frequency] Parameter: [at least annually]


    AU-2 AU-2 None.

    AU-2 (3)

    AU-2 (4)

    AU-2 Auditable Events

    AU-2a. [Assignment: organization-defined list of auditable events] Parameter: [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]

    AU-2d. [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited] Parameter: See additional requirements and guidance.

    AU-2d. [Assignment: organization-defined frequency of (or situation requiring) auditing for each identified event] Parameter: [continually]

    AU-2d. Requirement: The service provider defines the subset of auditable events from AU-2a to be audited. The events to be audited are approved and accepted by JAB.

    AU-2 (3) [Assignment: organization-defined frequency] Parameter: [annually or whenever there is a change in the threat environment]

    AU-2 (3) Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB.

    AU-2 (4) Requirement: The service provider configures the auditing features of operating systems, databases, and applications to record security-related events, to include logon/logoff and all failed access attempts.


    AU-3 AU-3 AU-3

    AU-3 (1)

    AU-4 AU-4 AU-4 None. None.

    AU-5 AU-5 AU-5 None.

    AU-6 AU-6 AU-6 None.

    AU-7 AU-7 None. None.

    AU-7 (1)

    AU-8 AU-8 AU-8

    AU-8 (1)

    AU-9 AU-9 AU-9 None.

    AU-10 AU-10

    Content of Audit Records

    AU-3 (1) [Assignment: organization-defined additional, more detailed information] Parameter: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon]

    AU-3 (1) Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the JAB.

    AU-3 (1) Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

    Audit Storage

    Response to Audit Processing Failures

    AU-5b [Assignment: Organization-defined actions to be taken] Parameter: [low-impact: overwrite oldest audit records; moderate-impact: shut down]

    Audit Review, Analysis, and Reporting

    AU-6a. [Assignment: organization-defined frequency] Parameter: [at least weekly]

    AU-6 (1)

    AU-6 (3)

    Audit Reduction and Report Generation (Low baseline: Not Selected)

    Time Stamps

    AU-8 (1) [Assignment: organization-defined frequency] Parameter: [at least hourly]

    AU-8 (1) Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

    AU-8 (1) Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

    AU-8 (1) Guidance: Synchronization of system clocks improves the accuracy of log analysis.

    AU-8 (1) [Assignment: organization-defined authoritative time source] Parameter: [http://tf.nist.gov/tf-

    Protection of Audit Information

    AU-9 (2)

    AU-9 (2) [Assignment: organization-defined frequency] Parameter: [at least weekly]

    Non-Repudiation (Low baseline: Not Selected)


    AU-10 (5)

    AU-11 AU-11 AU-11

    AU-12 AU-12 AU-12 None.

    CA-1 CA-1 CA-1 None.

    CA-2 CA-2 CA-2 None.

    CA-2 (1)

    CA-3 CA-3 CA-3 None. None.

    CA-5 CA-5 CA-5 None.

    CA-6 CA-6 CA-6

    CA-7 CA-7 CA-7

    AU-10 (5) [Selection: FIPS-validated; NSA-approved] Parameter: See additional requirements and guidance.

    AU-10 (5) Requirement: The service provider implements FIPS-140-2 validated cryptography (e.g., DOD PKI Class 3 or 4 tokens) for service offerings that include Software-as-a-Service (SaaS) with email.

    Audit Record Retention

    AU-11 [Assignment: organization-defined time period consistent with records retention policy] Parameter: [at least ninety

    AU-11 Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

    Audit Generation

    AU-12a. [Assignment: organization-defined information system components] Parameter: [all information system components where audit capability is deployed]

    1.4. Assessment and Authorization (CA)

    Security Assessment and Authorization Policies and Procedures

    CA-1 [Assignment: organization-defined frequency] Parameter: [at least annually]

    Security Assessments

    CA-2b. [Assignment: organization-defined frequency] Parameter: [at least annually]

    CA-2 (1)

    Information System Connections

    Plan of Action and Milestones

    CA-5b. [Assignment: organization-defined frequency] Parameter: [at least quarterly]

    Security Authorization

    CA-6c. [Assignment: organization-defined frequency] Parameter: [at least every three years or when a significant change occurs]

    CA-6c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would require a reauthorization of the information system. The types of changes are approved and accepted by the JAB.

    Continuous Monitoring

    CA-7d. [Assignment: organization-defined frequency] Parameter: [monthly]

    None.

    CA-7 (2)

    CA-7 (2) [Assignment: organization-defined frequency] Parameter: [annually] [Selection: announced; unannounced] Parameter: [unannounced] [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises] Parameter: [penetration testing] [Assignment: organization-defined other forms of security assessment] Parameter: [in-depth monitoring]

    1.5. Configuration Management (CM)


    CM-1 CM-1 CM-1 None.

    CM-2 CM-2 CM-2

    CM-2 (1)

    CM-2 (3)

    CM-2 (5)

    CM-3 CM-3

    CM-3 (2)

    CM-4 CM-4 None. None.

    CM-5 CM-5 None.

    Configuration Management Policy and Procedures

    CM-1 [Assignment: organization-defined frequency] Parameter: [at least annually]

    Baseline Configuration

    CM-2 (1) (a) [Assignment: organization-defined frequency] Parameter: [annually]

    CM-2 (1) (b) [Assignment: organization-defined circumstances] Parameter: [a significant change]

    CM-2 (1) (b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would require a review and update of the baseline configuration. The types of changes are approved and accepted by the JAB.

    CM-2 (5) (a) [Assignment: organization-defined list of software programs authorized to execute on the information system] Parameter: See additional requirements and guidance.

    CM-2 (5) (a) Requirement: The service provider defines and maintains a list of software programs authorized to execute on the information system. The list of authorized programs is approved and accepted by the JAB.

    Configuration Change Control (Low baseline: Not Selected)

    CM-3f. [Assignment: organization-defined configuration change control element] Parameter: See additional requirements and guidance. [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]] Parameter: See additional requirements and guidance.

    CM-3f. Requirement: The service provider defines the configuration change control element and the frequency or conditions under which it is convened. The change control element and frequency/conditions of use are approved and accepted by the JAB.

    CM-3f. Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB.

    Security Impact Analysis

    CM-4

    Access Restrictions for Change (Low baseline: Not Selected)

    CM-5 (1)

    CM-5 (5)

    CM-5 (5) (b) [Assignment: organization-defined frequency] Parameter: [at least quarterly]


    CM-6 CM-6

    CM-6 (1)

    CM-7 CM-7 CM-7

    CM-7 (1)

    CM-8 CM-8

    CM-8 (1)

    CM-8 (3)

    CM-8 (5)

    CM-6 Configuration Settings

    CM-6a. [Assignment: organization-defined security configuration checklists] Parameter: [United States Government Configuration Baseline (USGCB)]

    CM-6a. Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings, or establishes its own configuration settings if USGCB is not available. Configuration settings are approved and accepted by the JAB.

    CM-6a. Requirement: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

    CM-6a. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc

    CM-6 (3)

    Least Functionality

    CM-7 [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services] Parameter: [United States Government Configuration Baseline (USGCB)]

    CM-7 Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish the list of prohibited or restricted functions, ports, protocols, and/or services, or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. The list of prohibited or restricted functions, ports, protocols, and/or services is approved and accepted by the JAB.

    CM-7 Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc

    CM-7 (1) [Assignment: organization-defined frequency] Parameter: [at least quarterly]

    CM-8 Information System Component Inventory

    CM-8d. [Assignment: organization-defined information deemed necessary to achieve effective property accountability] Parameter: See additional requirements and guidance.

    CM-8d. Requirement: The service provider defines information deemed necessary to achieve effective property accountability. Property accountability information is approved and accepted by the JAB.

    CM-8d. Guidance: Information deemed necessary to achieve effective property accountability may include hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name and network address.

    CM-8 (3) (a) [Assignment: organization-defined frequency] Parameter: [Continuously, using automated mechanisms with a maximum five-minute delay in


    CM-9 CM-9 None. None.

    CP-1 CP-1 CP-1 None.

    CP-2 CP-2 CP-2

    CP-2 (1)

    CP-2 (2)

    CP-3 CP-3 CP-3 None.

    CP-4 CP-4 CP-4

    CP-4 (1)

    CP-6 CP-6 None. None.

    CP-6 (1)

    CP-6 (3)

    CP-7 CP-7

    CP-7 (1)

    CP-7 (2)

    CP-7 (3)

    CP-7 (5)

    CP-8 CP-8

    CP-8 (1)

    CP-8 (2)

    Configuration Management Plan (Low baseline: Not Selected)

    1.6. Contingency Planning (CP)

    Contingency Planning Policy and Procedures

    CP-1 [Assignment: organization-defined frequency] Parameter: [at least annually]

    Contingency Plan

    CP-2b. [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance.

    CP-2b. Requirement: The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. The contingency list includes designated FedRAMP personnel.

    CP-2d. [Assignment: organization-defined frequency] Parameter: [at least annually]

    CP-2f. [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance.

    CP-2f. Requirement: The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. The contingency list includes designated FedRAMP personnel.

    Contingency Training

    CP-3 [Assignment: organization-defined frequency] Parameter: [at least annually]

    Contingency Plan Testing and Exercises

    CP-4a. [Assignment: organization-defined frequency] Parameter: [at least annually for moderate impact systems; at least every three years for low impact systems] [Assignment: organization-defined tests and/or exercises] Parameter: [functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems]

    CP-4a. Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended) and provides plans to FedRAMP prior to initiating testing. Test plans are approved and accepted by the JAB.

    Alternate Storage Site (Low baseline: Not Selected)

    Alternate Processing Site (Low baseline: Not Selected)

    CP-7a. [Assignment: organization-defined time period consistent with recovery time objectives] Parameter: See additional requirements and guidance.

    CP-7a. Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis. The time period is approved and accepted by the JAB.

    Telecommunications Services (Low baseline: Not Selected)

    CP-8 [Assignment: organization-defined time period] Parameter: See additional requirements and guidance.

    CP-8 Requirement: The service provider defines a time period consistent with the business impact analysis. The time period is approved and accepted by the JAB.


    CP-9 CP-9 CP-9

    CP-9 (1)

    CP-9 (3)

    CP-10 CP-10 CP-10

    CP-10 (2)

    CP-10 (3)

    Information System Backup

    CP-9a. [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives] Parameter: [daily incremental; weekly full]

    CP-9 Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The cloud environment elements requiring Information System Backup are approved and accepted by the JAB.

    CP-9 Requirement: The service provider shall determine how Information System Backup is going to be verified and the appropriate periodicity of the check. The verification and periodicity of the Information System Backup are approved and accepted by the JAB.

    CP-9a. Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the JAB.

    CP-9b. [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives] Parameter: [daily incremental; weekly full]

    CP-9b. Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the JAB.

    CP-9c. [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives] Parameter: [daily incremental; weekly full]

    CP-9c. Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the JAB.

    CP-9 (1) [Assignment: organization-defined frequency] Parameter: [at least annually]

    Information System Recovery and Reconstitution

    CP-10 (3) [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known state] Parameter: See additional requirements and guidance.

    CP-10 (3) Requirement: The service provider defines circumstances that can inhibit recovery and reconstitution to a known state in accordance with the contingency plan for the information system and business impact analysis.


    IA-1 IA-1 IA-1 None.

    IA-2 IA-2 IA-2

    IA-2 (1) IA-2 (1)

    IA-2 (2)

    IA-2 (3)

    IA-2 (8)

    IA-3 IA-3

    IA-4 IA-4 IA-4

    IA-4 (4)

    IA-5 IA-5 IA-5

    IA-5 (1) IA-5 (1)

    1.7. Identification and Authentication (IA)

    Identification and Authentication Policy and Procedures

    IA-1 [Assignment: organization-defined frequency] Parameter: [at least annually]

    Identification and Authentication (Organizational Users)

    IA-2 (8) [Assignment: organization-defined replay-resistant authentication mechanisms] Parameter: See additional requirements and guidance.

    IA-2 (8) Requirement: The service provider defines replay-resistant authentication mechanisms. The mechanisms are approved and accepted by the JAB.

    Device Identification and Authentication (Low baseline: Not Selected)

    IA-3 [Assignment: organization-defined list of specific and/or types of devices] Parameter: See additional requirements and guidance.

    IA-3 Requirement: The service provider defines a list of specific devices and/or types of devices. The list of devices and/or device types is approved and accepted by the JAB.

    Identifier Management

    IA-4d. [Assignment: organization-defined time period] Parameter: [at least two years]

    IA-4e. [Assignment: organization-defined time period of inactivity] Parameter: [ninety days for user identifiers] Parameter: See additional requirements and guidance.

    IA-4e. Requirement: The service provider defines the time period of inactivity for device identifiers. The time period is approved and accepted by JAB.

    IA-4 (4) [Assignment: organization-defined characteristic identifying user status] Parameter: [contractors; foreign nationals]

    Authenticator Management

    IA-5g. [Assignment: organization-defined time period by authenticator type] Parameter: [sixty days]

    IA-5 (1) (a) [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type] Parameter: [case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters]

    IA-5 (1) (a) Guidance: Mobile devices are excluded from the password complexity requirement.

    IA-5 (1) (b) [Assignment: organization-defined number of changed characters] Parameter: [at least one or as determined by the information system (where

    IA-5 (1) (d) [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum] Parameter: [one day minimum, sixty day


    IA-5 (2)

    IA-5 (3)

    IA-5 (6)

    IA-5 (7)

    IA-6 IA-6 IA-6 None. None.

    IA-7 IA-7 IA-7 None. None.

    IA-8 IA-8 IA-8 None. None.

    IR-1 IR-1 IR-1 None.

    IR-2 IR-2 IR-2 None.

    IR-3 IR-3

    IA-5 (1) (e) [Assignment: organization-defined number] Parameter: [twenty four]

    IA-5 (3) [Assignment: organization-defined types of and/or specific authenticators] Parameter: [HSPD12 smart cards]
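The IA-5 (1) (a) through (d) parameters on the previous page and IA-5 (1) (e) here together define a password-change policy: complexity, at least one changed character, a one-day minimum and sixty-day maximum lifetime, and twenty-four remembered generations. The following added example (not text or code from the FedRAMP baseline) turns those parameters into the checks a provider would run at password-change time. The function names, the (salt, PBKDF2 digest) history record, the PBKDF2 round count and the constructed sample passwords are this example's own; the IA-5 (1) (d) maximum is truncated on the page, so sixty days is assumed here. Case sensitivity follows from hashing the exact bytes, and edit distance is used for the changed-character count so that an insertion or deletion counts as a change as well as a substitution.

```python
"""Password-change checks for the IA-5 (1) baseline parameters.

Added example, not from the FedRAMP document: function names, the
history record layout (salt, PBKDF2 digest) and the PBKDF2 round count
are this example's choices. Thresholds come from the IA-5 (1) (a), (b),
(d) and (e) parameters; the truncated IA-5 (1) (d) maximum is assumed
to be sixty days. Times are integer seconds.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12                    # IA-5 (1) (a): minimum of twelve characters
MIN_CHANGED_CHARS = 1              # IA-5 (1) (b): at least one changed character
MIN_AGE_SECONDS = 24 * 3600        # IA-5 (1) (d): one day minimum lifetime
MAX_AGE_SECONDS = 60 * 24 * 3600   # IA-5 (1) (d): sixty day maximum (assumed)
HISTORY_DEPTH = 24                 # IA-5 (1) (e): twenty-four generations
PBKDF2_ROUNDS = 20_000             # example value, not a baseline parameter
SPECIALS = set(string.punctuation)


def complexity_violations(pw):
    """IA-5 (1) (a): length and one of each character class. Returns the
    names of the rules the candidate fails (empty list = compliant)."""
    checks = [
        ("length", len(pw) >= MIN_LENGTH),
        ("upper", any(c.isupper() for c in pw)),
        ("lower", any(c.islower() for c in pw)),
        ("digit", any(c.isdigit() for c in pw)),
        ("special", any(c in SPECIALS for c in pw)),
    ]
    return [name for name, ok in checks if not ok]


def levenshtein(a, b):
    """Edit distance; used to count changed characters so that an insertion
    or deletion counts as a change, not only a substitution."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _digest(pw, salt):
    # Hashing the exact bytes keeps the comparison case sensitive (IA-5 (1) (a)).
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def record_password(history, pw):
    """Append a (salt, digest) entry and keep only the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, _digest(pw, salt)))
    del history[:-HISTORY_DEPTH]
    return history


def was_used_before(pw, history):
    """IA-5 (1) (e): reject reuse of any of the remembered generations."""
    return any(hmac.compare_digest(_digest(pw, salt), digest)
               for salt, digest in history[-HISTORY_DEPTH:])


def password_expired(last_changed, now):
    """IA-5 (1) (d) maximum lifetime."""
    return now - last_changed >= MAX_AGE_SECONDS


def check_password_change(old_pw, new_pw, history, last_changed, now,
                          admin_reset=False):
    """Return the list of violated rules for a proposed change (empty = OK).
    admin_reset waives the minimum-age rule for administrator-forced resets."""
    violations = complexity_violations(new_pw)
    if levenshtein(old_pw, new_pw) < MIN_CHANGED_CHARS:
        violations.append("changed_chars")
    if was_used_before(new_pw, history):
        violations.append("history")
    if not admin_reset and now - last_changed < MIN_AGE_SECONDS:
        violations.append("min_age")
    return violations


if __name__ == "__main__":
    # Constructed walk-through: a user tries to reuse, then rotates.
    history = record_password([], "Old-Passw0rd-2018")
    now = 10_000_000
    print(check_password_change("Old-Passw0rd-2018", "Old-Passw0rd-2018",
                                history, now - 2 * 86400, now))
    print(check_password_change("Old-Passw0rd-2018", "New-Passw0rd-2019!",
                                history, now - 2 * 86400, now))
```

The changed-character rule needs the old password in clear, which is available only at the moment the user supplies it during the change; the history rule needs only the stored digests, which is why each generation is kept salted and hashed rather than in clear, and why the reuse check recomputes the digest under each stored salt instead of comparing plaintexts.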

    Authenticator Feedback

    Cryptographic Module Authentication

    Identification and Authentication (Non-Organizational Users)

    1.8. Incident Response (IR)

    Incident Response Policy and Procedures

    IR-1 [Assignment: organization-defined frequency] Parameter: [at least annually]

    Incident Response Training

    IR-2b. [Assignment: organization-defined frequency] Parameter: [at least annually]

    Incident Response Testing and Exercises (Low baseline: Not Selected)

    IR-3 [Assignment: organization-defined frequency] Parameter: [annually] [Assignment: organization-defined tests and/or exercises] Parameter: See additional requirements and guidance.

    IR-3 Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended).

    IR-3 Requirement: The service provider provides test plans to FedRAMP annually. Test plans are approved and accepted by the JAB prior to test commencing.


IR-4 Incident Handling
Low baseline: IR-4; Moderate baseline: IR-4, IR-4 (1)
Control parameter requirements: None.
Additional requirements and guidance: IR-4 Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

IR-5 Incident Monitoring
Low baseline: IR-5; Moderate baseline: IR-5
Control parameter requirements: None.
Additional requirements and guidance: None.

IR-6 Incident Reporting
Low baseline: IR-6; Moderate baseline: IR-6, IR-6 (1)
Control parameter requirements: IR-6a. [Assignment: organization-defined time period] Parameter: [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]
Additional requirements and guidance: None.

IR-7 Incident Response Assistance
Low baseline: IR-7; Moderate baseline: IR-7, IR-7 (1), IR-7 (2)
Control parameter requirements: None.
Additional requirements and guidance: None.

IR-8 Incident Response Plan
Low baseline: IR-8; Moderate baseline: IR-8
Control parameter requirements:
IR-8b. [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance.
IR-8c. [Assignment: organization-defined frequency] Parameter: [at least annually]
IR-8e. [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance.
Additional requirements and guidance:
IR-8b. Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
IR-8e. Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

1.9. Maintenance (MA)

MA-1 System Maintenance Policy and Procedures
Low baseline: MA-1; Moderate baseline: MA-1
Control parameter requirements: MA-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

MA-2 Controlled Maintenance
Low baseline: MA-2; Moderate baseline: MA-2, MA-2 (1)
Control parameter requirements: None.
Additional requirements and guidance: None.

MA-3 Maintenance Tools
Low baseline: Not Selected; Moderate baseline: MA-3, MA-3 (1), MA-3 (2), MA-3 (3)
Control parameter requirements: None.
Additional requirements and guidance: None.

MA-4 Non-Local Maintenance
Low baseline: MA-4; Moderate baseline: MA-4, MA-4 (1), MA-4 (2)
Control parameter requirements: None.
Additional requirements and guidance: None.

MA-5 Maintenance Personnel
Low baseline: MA-5; Moderate baseline: MA-5
Control parameter requirements: None.
Additional requirements and guidance: None.

MA-6 Timely Maintenance
Low baseline: Not Selected; Moderate baseline: MA-6
Control parameter requirements:
MA-6 [Assignment: organization-defined list of security-critical information system components and/or key information technology components] Parameter: See additional requirements and guidance.
MA-6 [Assignment: organization-defined time period] Parameter: See additional requirements and guidance.
Additional requirements and guidance:
MA-6 Requirement: The service provider defines a list of security-critical information system components and/or key information technology components. The list of components is approved and accepted by the JAB.
MA-6 Requirement: The service provider defines a time period to obtain maintenance and spare parts in accordance with the contingency plan for the information system and business impact analysis. The time period is approved and accepted by the JAB.


1.10. Media Protection (MP)

MP-1 Media Protection Policy and Procedures
Low baseline: MP-1; Moderate baseline: MP-1
Control parameter requirements: MP-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

MP-2 Media Access
Low baseline: MP-2; Moderate baseline: MP-2, MP-2 (1)
Control parameter requirements:
MP-2 [Assignment: organization-defined types of digital and non-digital media] Parameter: See additional requirements and guidance.
MP-2 [Assignment: organization-defined list of authorized individuals] Parameter: See additional requirements and guidance.
MP-2 [Assignment: organization-defined security measures] Parameter: See additional requirements and guidance.
Additional requirements and guidance:
MP-2 Requirement: The service provider defines types of digital and non-digital media. The media types are approved and accepted by the JAB.
MP-2 Requirement: The service provider defines a list of individuals with authorized access to defined media types. The list of authorized individuals is approved and accepted by the JAB.
MP-2 Requirement: The service provider defines the types of security measures to be used in protecting defined media types. The security measures are approved and accepted by the JAB.

MP-3 Media Marking
Low baseline: Not Selected; Moderate baseline: MP-3
Control parameter requirements:
MP-3b. [Assignment: organization-defined list of removable media types] Parameter: [no removable media types]
MP-3b. [Assignment: organization-defined controlled areas] Parameter: [not applicable]
Additional requirements and guidance: None.

MP-4 Media Storage
Low baseline: Not Selected; Moderate baseline: MP-4, MP-4 (1)
Control parameter requirements:
MP-4a. [Assignment: organization-defined types of digital and non-digital media] Parameter: [magnetic tapes, external/removable hard drives, flash/thumb drives, diskettes, compact disks and digital video disks]
MP-4a. [Assignment: organization-defined controlled areas] Parameter: See additional requirements and guidance.
MP-4a. [Assignment: organization-defined security measures] Parameter: [for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secure storage in locked cabinets or safes]
Additional requirements and guidance: MP-4a. Requirement: The service provider defines controlled areas within facilities where the information and information system reside.

MP-5 Media Transport
Low baseline: Not Selected; Moderate baseline: MP-5, MP-5 (2), MP-5 (4)
Control parameter requirements:
MP-5a. [Assignment: organization-defined types of digital and non-digital media] Parameter: [magnetic tapes, external/removable hard drives, flash/thumb drives, diskettes, compact disks and digital video disks]
MP-5a. [Assignment: organization-defined security measures] Parameter: [for digital media, encryption using a FIPS 140-2 validated encryption module]
Additional requirements and guidance: MP-5a. Requirement: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.

MP-6 Media Sanitization
Low baseline: MP-6; Moderate baseline: MP-6, MP-6 (4)
Control parameter requirements: None.
Additional requirements and guidance: None.

1.11. Physical and Environmental Protection (PE)


PE-1 Physical and Environmental Protection Policy and Procedures
Low baseline: PE-1; Moderate baseline: PE-1
Control parameter requirements: PE-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

PE-2 Physical Access Authorizations
Low baseline: PE-2; Moderate baseline: PE-2
Control parameter requirements: PE-2c. [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

PE-3 Physical Access Control
Low baseline: PE-3; Moderate baseline: PE-3
Control parameter requirements:
PE-3f. [Assignment: organization-defined frequency] Parameter: [at least annually]
PE-3g. [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

PE-4 Access Control for Transmission Medium
Low baseline: Not Selected; Moderate baseline: PE-4
Control parameter requirements: None.
Additional requirements and guidance: None.

PE-5 Access Control for Output Devices
Low baseline: Not Selected; Moderate baseline: PE-5
Control parameter requirements: None.
Additional requirements and guidance: None.

PE-6 Monitoring Physical Access
Low baseline: PE-6; Moderate baseline: PE-6, PE-6 (1)
Control parameter requirements: PE-6b. [Assignment: organization-defined frequency] Parameter: [at least semi-annually]
Additional requirements and guidance: None.

PE-7 Visitor Control
Low baseline: PE-7; Moderate baseline: PE-7, PE-7 (1)
Control parameter requirements: None.
Additional requirements and guidance: None.

PE-8 Access Records
Low baseline: PE-8; Moderate baseline: PE-8
Control parameter requirements: PE-8b. [Assignment: organization-defined frequency] Parameter: [at least monthly]
Additional requirements and guidance: None.

PE-9 Power Equipment and Power Cabling
Low baseline: Not Selected; Moderate baseline: PE-9
Control parameter requirements: None.
Additional requirements and guidance: None.

PE-10 Emergency Shutoff
Low baseline: Not Selected; Moderate baseline: PE-10
Control parameter requirements: PE-10b. [Assignment: organization-defined location by information system or system component] Parameter: See additional requirements and guidance.
Additional requirements and guidance: PE-10b. Requirement: The service provider defines emergency shutoff switch locations. The locations are approved and accepted by the JAB.

PE-11 Emergency Power
Low baseline: Not Selected; Moderate baseline: PE-11
Control parameter requirements: None.
Additional requirements and guidance: None.

PE-12 Emergency Lighting
Low baseline: PE-12; Moderate baseline: PE-12
Control parameter requirements: None.
Additional requirements and guidance: None.

PE-13 Fire Protection
Low baseline: PE-13; Moderate baseline: PE-13, PE-13 (1), PE-13 (2), PE-13 (3)
Control parameter requirements: None.
Additional requirements and guidance: None.

PE-14 Temperature and Humidity Controls
Low baseline: PE-14; Moderate baseline: PE-14
Control parameter requirements:
PE-14a. [Assignment: organization-defined acceptable levels] Parameter: [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments]
PE-14b. [Assignment: organization-defined frequency] Parameter: [continuously]
Additional requirements and guidance: PE-14a. Requirements: The service provider measures temperature at server inlets and humidity levels by dew point.


PE-15 Water Damage Protection
Low baseline: PE-15; Moderate baseline: PE-15
Control parameter requirements: None.
Additional requirements and guidance: None.

PE-16 Delivery and Removal
Low baseline: PE-16; Moderate baseline: PE-16
Control parameter requirements: PE-16 [Assignment: organization-defined types of information system components] Parameter: [all information system
Additional requirements and guidance: None.

PE-17 Alternate Work Site
Low baseline: Not Selected; Moderate baseline: PE-17
Control parameter requirements: PE-17a. [Assignment: organization-defined management, operational, and technical information system security controls] Parameter: See additional requirements and guidance.
Additional requirements and guidance: PE-17a. Requirement: The service provider defines management, operational, and technical information system security controls for alternate work sites. The security controls are approved and accepted by the JAB.

PE-18 Location of Information System Components
Low baseline: Not Selected; Moderate baseline: PE-18
Control parameter requirements: None.
Additional requirements and guidance: None.

1.12. Planning (PL)

PL-1 Security Planning Policy and Procedures
Low baseline: PL-1; Moderate baseline: PL-1
Control parameter requirements: PL-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

PL-2 System Security Plan
Low baseline: PL-2; Moderate baseline: PL-2
Control parameter requirements: PL-2b. [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

PL-4 Rules of Behavior
Low baseline: PL-4; Moderate baseline: PL-4
Control parameter requirements: None.
Additional requirements and guidance: None.

PL-5 Privacy Impact Assessment
Low baseline: PL-5; Moderate baseline: PL-5
Control parameter requirements: None.
Additional requirements and guidance: None.

PL-6 Security-Related Activity Planning
Low baseline: Not Selected; Moderate baseline: PL-6
Control parameter requirements: None.
Additional requirements and guidance: None.

1.13. Personnel Security (PS)

PS-1 Personnel Security Policy and Procedures
Low baseline: PS-1; Moderate baseline: PS-1
Control parameter requirements: PS-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

PS-2 Position Categorization
Low baseline: PS-2; Moderate baseline: PS-2
Control parameter requirements: PS-2c. [Assignment: organization-defined frequency] Parameter: [at least every three years]
Additional requirements and guidance: None.

PS-3 Personnel Screening
Low baseline: PS-3; Moderate baseline: PS-3
Control parameter requirements: PS-3b. [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening] Parameter: [for national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions]
Additional requirements and guidance: None.


PS-4 Personnel Termination
Low baseline: PS-4; Moderate baseline: PS-4
Control parameter requirements: None.
Additional requirements and guidance: None.

PS-5 Personnel Transfer
Low baseline: PS-5; Moderate baseline: PS-5
Control parameter requirements:
PS-5 [Assignment: organization-defined transfer or reassignment actions] Parameter: See additional requirements and guidance.
PS-5 [Assignment: organization-defined time period following the formal transfer action] Parameter: [within five days]
Additional requirements and guidance: PS-5 Requirement: The service provider defines transfer or reassignment actions. Transfer or reassignment actions are approved and accepted by the JAB.

PS-6 Access Agreements
Low baseline: PS-6; Moderate baseline: PS-6
Control parameter requirements: PS-6b. [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

PS-7 Third-Party Personnel Security
Low baseline: PS-7; Moderate baseline: PS-7
Control parameter requirements: None.
Additional requirements and guidance: None.

PS-8 Personnel Sanctions
Low baseline: PS-8; Moderate baseline: PS-8
Control parameter requirements: None.
Additional requirements and guidance: None.

1.14. Risk Assessment (RA)

RA-1 Risk Assessment Policy and Procedures
Low baseline: RA-1; Moderate baseline: RA-1
Control parameter requirements: RA-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

RA-2 Security Categorization
Low baseline: RA-2; Moderate baseline: RA-2
Control parameter requirements: None.
Additional requirements and guidance: None.

RA-3 Risk Assessment
Low baseline: RA-3; Moderate baseline: RA-3
Control parameter requirements:
RA-3b. [Selection: security plan; risk assessment report; [Assignment: organization-defined document]] Parameter: [security assessment report]
RA-3c. [Assignment: organization-defined frequency] Parameter: [at least every three years or when a significant change occurs]
RA-3d. [Assignment: organization-defined frequency] Parameter: [at least every three years or when a significant change occurs]
Additional requirements and guidance:
RA-3c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.
RA-3d. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.

RA-5 Vulnerability Scanning
Low baseline: RA-5; Moderate baseline: RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (6), RA-5 (9)
Control parameter requirements:
RA-5a. [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] Parameter: [quarterly operating system, web application, and database scans (as applicable)]
RA-5d. [Assignment: organization-defined response times] Parameter: [high-risk vulnerabilities mitigated within thirty days; moderate risk vulnerabilities mitigated within ninety days]
RA-5 (2) [Assignment: organization-defined frequency] Parameter: [continuously, before each scan]
Additional requirements and guidance: None.
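The RA-5d. response times (high-risk findings mitigated within thirty days, moderate-risk within ninety) are simple to track mechanically once each finding carries its first-seen date. The Python below is an added example, not part of the FedRAMP baseline or of any FedRAMP tooling: it computes each finding's due date from its severity and classifies it as open, overdue, closed on time or closed late. The Finding record, its field names, the as-of date and the five sample findings are constructed for the illustration; severities with no RA-5d. time are reported as untracked rather than assigned a guessed deadline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# RA-5d. response times from the baseline text: high-risk within thirty
# days, moderate-risk within ninety. Other severities have no defined time.
RESPONSE_DAYS = {"high": 30, "moderate": 90}


@dataclass(frozen=True)
class Finding:
    finding_id: str                  # constructed tracking id, not a scanner's own id
    severity: str                    # "high", "moderate" or "low"
    first_seen: date                 # date the scan first reported the finding
    mitigated: Optional[date] = None  # date the fix was verified, if any


def deadline(f: Finding) -> Optional[date]:
    """Mitigation due date under RA-5d., or None when no time is defined."""
    days = RESPONSE_DAYS.get(f.severity)
    return None if days is None else f.first_seen + timedelta(days=days)


def status(f: Finding, today: date) -> str:
    """Classify a finding as of 'today' against its RA-5d. deadline."""
    due = deadline(f)
    if due is None:
        return "untracked"
    if f.mitigated is not None:
        return "closed on time" if f.mitigated <= due else "closed late"
    return "overdue" if today > due else "open"


def overdue_findings(findings: List[Finding], today: date) -> List[str]:
    """Ids of unmitigated findings whose RA-5d. deadline has passed."""
    return [f.finding_id for f in findings if status(f, today) == "overdue"]


def report(findings: List[Finding], today: date) -> Dict[str, str]:
    """Map every finding id to its status; the shape a POA&M export would use."""
    return {f.finding_id: status(f, today) for f in findings}


# Constructed sample data: an "as of" date and five findings.
TODAY = date(2012, 3, 1)
SAMPLE = [
    Finding("F-1", "high", date(2012, 1, 15)),                     # due 2012-02-14, still open
    Finding("F-2", "moderate", date(2012, 1, 15)),                 # due 2012-04-14
    Finding("F-3", "high", date(2012, 2, 10), date(2012, 3, 1)),   # due 2012-03-11, fixed in time
    Finding("F-4", "high", date(2011, 12, 1), date(2012, 1, 15)),  # due 2011-12-31, fixed late
    Finding("F-5", "low", date(2012, 1, 1)),                       # no RA-5d. time defined
]

if __name__ == "__main__":
    for fid, st in report(SAMPLE, TODAY).items():
        print(fid, st)
```

A finding closed after its deadline still counts against the provider even though it is no longer open, which is why the report distinguishes "closed late" from "closed on time" instead of collapsing both into "closed".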


1.15. System and Services Acquisition (SA)

SA-1 System and Services Acquisition Policy and Procedures
Low baseline: SA-1; Moderate baseline: SA-1
Control parameter requirements: SA-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

SA-2 Allocation of Resources
Low baseline: SA-2; Moderate baseline: SA-2
Control parameter requirements: None.
Additional requirements and guidance: None.

SA-3 Life Cycle Support
Low baseline: SA-3; Moderate baseline: SA-3
Control parameter requirements: None.
Additional requirements and guidance: None.

SA-4 Acquisitions
Low baseline: SA-4; Moderate baseline: SA-4, SA-4 (1), SA-4 (4), SA-4 (7)
Control parameter requirements: None.
Additional requirements and guidance: SA-4 Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.

SA-5 Information System Documentation
Low baseline: SA-5; Moderate baseline: SA-5, SA-5 (1), SA-5 (3)
Control parameter requirements: None.
Additional requirements and guidance: None.

SA-6 Software Usage Restrictions
Low baseline: SA-6; Moderate baseline: SA-6
Control parameter requirements: None.
Additional requirements and guidance: None.

SA-7 User-Installed Software
Low baseline: SA-7; Moderate baseline: SA-7
Control parameter requirements: None.
Additional requirements and guidance: None.

SA-8 Security Engineering Principles
Low baseline: Not Selected; Moderate baseline: SA-8
Control parameter requirements: None.
Additional requirements and guidance: None.

SA-9 External Information System Services
Low baseline: SA-9; Moderate baseline: SA-9, SA-9 (1)
Control parameter requirements: SA-9 (1) (b) [Assignment: organization-defined senior organizational official] Parameter: [Joint Authorization Board (JAB)]
Additional requirements and guidance: SA-9 (1) Requirement: The service provider documents all existing outsourced security services and conducts a risk assessment of future outsourced security services. Future, planned outsourced services are approved and accepted by the JAB.

SA-10 Developer Configuration Management
Low baseline: Not Selected; Moderate baseline: SA-10
Control parameter requirements: None.
Additional requirements and guidance: None.

SA-11 Developer Security Testing
Low baseline: Not Selected; Moderate baseline: SA-11, SA-11 (1)
Control parameter requirements: None.
Additional requirements and guidance:
SA-11 (1) Requirement: The service provider submits a code analysis report as part of the authorization package and updates the report in any reauthorization actions.
Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is

SA-12 Supply Chain Protection
Low baseline: Not Selected; Moderate baseline: SA-12
Control parameter requirements: SA-12 [Assignment: organization-defined list of measures to protect against supply chain threats] Parameter: See additional requirements and guidance.
Additional requirements and guidance: SA-12 Requirement: The service provider defines a list of measures to protect against supply chain threats. The list of protective measures is approved and accepted by JAB.

1.16. System and Communications Protection (SC)

SC-1 System and Communications Protection Policy and Procedures
Low baseline: SC-1; Moderate baseline: SC-1
Control parameter requirements: SC-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.

SC-2 Application Partitioning
Low baseline: Not Selected; Moderate baseline: SC-2
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-4 Information in Shared Resources
Low baseline: Not Selected; Moderate baseline: SC-4
Control parameter requirements: None.
Additional requirements and guidance: None.


SC-5 Denial of Service Protection
Low baseline: SC-5; Moderate baseline: SC-5
Control parameter requirements: SC-5 [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list] Parameter: See additional requirements and guidance.
Additional requirements and guidance: SC-5 Requirement: The service provider defines a list of types of denial of service attacks (including but not limited to flooding attacks and software/logic attacks) or provides a reference to source for current list. The list of denial of service attack types is approved and accepted by JAB.

SC-6 Resource Priority
Low baseline: Not Selected; Moderate baseline: SC-6
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-7 Boundary Protection
Low baseline: SC-7; Moderate baseline: SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
Control parameter requirements:
SC-7: None.
SC-7 (4) [Assignment: organization-defined frequency] Parameter: [at least annually]
SC-7 (8) [Assignment: organization-defined internal communications traffic] Parameter: See additional requirements and guidance.
SC-7 (8) [Assignment: organization-defined external networks] Parameter: See additional requirements and guidance.
SC-7 (13) [Assignment: organization-defined key information security tools, mechanisms, and support components] Parameter: See additional requirements and guidance.
Additional requirements and guidance:
SC-7 (1) Requirement: The service provider and service consumer ensure that federal information (other than unrestricted information) being transmitted from federal government entities to external entities using information systems providing cloud services is inspected by TIC processes.
SC-7 (8) Requirements: The service provider defines the internal communications traffic to be routed by the information system through authenticated proxy servers and the external networks that are the prospective destination of such traffic routing. The internal communications traffic and external networks are approved and accepted by JAB.
SC-7 (13) Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.

SC-8 Transmission Integrity
Low baseline: Not Selected; Moderate baseline: SC-8, SC-8 (1)
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-9 Transmission Confidentiality
Low baseline: Not Selected; Moderate baseline: SC-9, SC-9 (1)
Control parameter requirements: SC-9 (1) [Assignment: organization-defined alternative physical measures] Parameter: See additional requirements and guidance.
Additional requirements and guidance: SC-9 (1) Requirement: The service provider must implement a hardened or alarmed carrier Protective Distribution System (PDS) when transmission confidentiality cannot be achieved through cryptographic mechanisms.

SC-10 Network Disconnect
Low baseline: Not Selected; Moderate baseline: SC-10
Control parameter requirements: SC-10 [Assignment: organization-defined time period] Parameter: [thirty minutes for all RAS-based sessions; thirty to sixty minutes for non-interactive users]
Additional requirements and guidance: SC-10 Guidance: Long running batch jobs and other operations are not subject to this time limit.

SC-11 Trusted Path
Low baseline: Not Selected; Moderate baseline: SC-11
Control parameter requirements: SC-11 [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication] Parameter: See additional requirements and guidance.
Additional requirements and guidance: SC-11 Requirement: The service provider defines the security functions that require a trusted path, including but not limited to system authentication, re-authentication, and provisioning or de-provisioning of services (i.e. allocating additional bandwidth to a cloud user). The list of security functions requiring a trusted path is approved and accepted by JAB.

SC-12 Cryptographic Key Establishment and Management
Low baseline: SC-12; Moderate baseline: SC-12 (enhancements continue on the next page)


SC-12 Cryptographic Key Establishment and Management (continued)
Moderate baseline (continued): SC-12 (2), SC-12 (5)
Control parameter requirements: SC-12 (2) [Selection: NIST-approved, NSA-approved] Parameter: [NIST-approved]
Additional requirements and guidance:
SC-12 (2): None.
SC-12 (5) Requirement: The service provider supports the capability to produce, control, and distribute asymmetric cryptographic keys.

SC-13 Use of Cryptography
Low baseline: SC-13; Moderate baseline: SC-13, SC-13 (1)
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-14 Public Access Protections
Low baseline: SC-14; Moderate baseline: SC-14
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-15 Collaborative Computing Devices
Low baseline: SC-15; Moderate baseline: SC-15
Control parameter requirements: SC-15a. [Assignment: organization-defined exceptions where remote activation is to be allowed] Parameter: [no exceptions]
Additional requirements and guidance: SC-15 Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

SC-17 Public Key Infrastructure Certificates
Low baseline: Not Selected; Moderate baseline: SC-17
Control parameter requirements: SC-17 [Assignment: organization-defined certificate policy] Parameter: See additional requirements and guidance.
Additional requirements and guidance: SC-17 Requirement: The service provider defines the public key infrastructure certificate policy. The certificate policy is approved and accepted by the JAB.

SC-18 Mobile Code
Low baseline: Not Selected; Moderate baseline: SC-18
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-19 Voice Over Internet Protocol
Low baseline: Not Selected; Moderate baseline: SC-19
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-20 Secure Name/Address Resolution Service (Authoritative Source)
Low baseline: SC-20, SC-20 (1); Moderate baseline: SC-20, SC-20 (1)
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Low baseline: Not Selected; Moderate baseline: SC-21
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-22 Architecture and Provisioning for Name/Address Resolution Service
Low baseline: Not Selected; Moderate baseline: SC-22
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-23 Session Authenticity
Low baseline: Not Selected; Moderate baseline: SC-23
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-28 Protection of Information at Rest
Low baseline: Not Selected; Moderate baseline: SC-28
Control parameter requirements: None.
Additional requirements and guidance: SC-28 Requirement: The organization supports the capability to use cryptographic mechanisms to protect information at rest.

SC-30 Virtualization Techniques
Low baseline: Not Selected; Moderate baseline: SC-30
Control parameter requirements: None.
Additional requirements and guidance: None.

SC-32 Information System Partitioning
Low baseline: Not Selected; Moderate baseline: SC-32
Control parameter requirements: None.
Additional requirements and guidance: None.

1.17. System and Information Integrity (SI)

SI-1 System and Information Integrity Policy and Procedures
Low baseline: SI-1; Moderate baseline: SI-1
Control parameter requirements: SI-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None.


SI-2 Flaw Remediation
Low baseline: SI-2; Moderate baseline: SI-2, SI-2 (2)
Control parameter requirements: SI-2 (2) [Assignment: organization-defined frequency] Parameter: [at least monthly]
Additional requirements and guidance: None.

SI-3 Malicious Code Protection
Low baseline: SI-3; Moderate baseline: SI-3, SI-3 (1), SI-3 (2), SI-3 (3)
Control parameter requirements:
SI-3c. [Assignment: organization-defined frequency] Parameter: [at least weekly]
SI-3c. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] Parameter: [block or quarantine malicious code, send alert to administrator, send alert to FedRAMP]
Additional requirements and guidance: None.

SI-4 Information System Monitoring
Low baseline: Not Selected; Moderate baseline: SI-4, SI-4 (2), SI-4 (4) (enhancements continue on the next page)
Control parameter requirements:
SI-4a. [Assignment: organization-defined monitoring objectives] Parameter: [ensure the proper functioning of internal processes and controls in furtherance of regulatory and compliance requirements; examine system records to confirm that the system is functioning in an optimal, resilient, and secure state; identify irregularities or anomalies that are indicators of a system malfunction or


SI-4 Information System Monitoring (continued)
Moderate baseline (continued): SI-4 (5), SI-4 (6)
Control parameter requirements (continued):
SI-4 (5) [Assignment: organization-defined list of compromise indicators] Parameter: [protected information system files or directories have been modified without notification from the appropriate change/configuration management channels; information system performance indicates resource consumption that is inconsistent with expected operating conditions; auditing functionality has been disabled or modified to reduce audit visibility; audit or log records have been deleted or modified without explanation; information system is raising alerts or faults in a manner that indicates the presence of an abnormal condition; resource or service requests are initiated from clients that are outside of the expected client membership set; information system reports failed logins or password changes for administrative or key service accounts; processes and services are running that are outside of the baseline system profile; utilities, tools, or scripts have been saved or installed on production systems without clear
Additional requirements and guidance:
SI-4 (5) Requirement: The service provider defines additional compromise indicators as needed.
SI-4 (5) Guidance: Alerts may be generated from a variety of sources including but not limited to malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers.

SI-5 Security Alerts, Advisories, and Directives
Low baseline: SI-5; Moderate baseline: SI-5
Control parameter requirements: SI-5c. [Assignment: organization-defined list of personnel (identified by name and/or by role)] Parameter: [All staff with system administration, monitoring, and/or security responsibilities including but not limited to FedRAMP]
Additional requirements and guidance: SI-5c. Requirement: The service provider defines a list of personnel (identified by name and/or by role) with system administration, monitoring, and/or security responsibilities who are to receive security alerts, advisories, and directives. The list also includes designated FedRAMP personnel.

SI-6 Security Functionality Verification
Low baseline: Not Selected; Moderate baseline: SI-6
Control parameter requirements:
SI-6 [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period]] Parameter: [upon system startup and/or restart and periodically every ninety days]
SI-6 [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] Parameter: [notifies system administrator]
Additional requirements and guidance: None.

SI-7 Software and Information Integrity
Low baseline: Not Selected; Moderate baseline: SI-7, SI-7 (1)
Control parameter requirements: SI-7 (1) [Assignment: organization-defined frequency] Parameter: [at least monthly]
Additional requirements and guidance: None.

SI-8 Spam Protection
Low baseline: Not Selected; Moderate baseline: SI-8
Control parameter requirements: None.
Additional requirements and guidance: None.
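Several of the SI-4 (5) compromise indicators listed above can be checked directly against host logs rather than left as a paper list. The Python below is an added example and not part of the FedRAMP document: it maps constructed syslog-style lines to five of the listed indicators (auditing functionality disabled, failed logins for administrative accounts, protected files modified without change-management notification, requests from clients outside the expected membership set, and processes outside the baseline system profile) and tallies the hits. The log formats, the process and account allow-lists, the expected client network and every log line are assumptions made for the example; a real deployment would take them from the provider's own baseline profile and log sources.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the service provider's baseline system profile,
# its administrative/key service accounts and its expected client set.
BASELINE_PROCESSES = {"nginx", "sshd", "cron", "auditd", "fim", "procmon"}
ADMIN_ACCOUNTS = {"root", "admin", "svc-backup"}
EXPECTED_CLIENTS = [ipaddress.ip_network("10.0.0.0/24")]

# Hypothetical log formats (one regex per source); not a real product's syntax.
RE_FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")
RE_ACCEPTED_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
RE_AUDIT_STOP = re.compile(r"auditd\[\d+\]: The audit daemon is exiting")
RE_FILE_MOD = re.compile(r"fim\[\d+\]: modified (\S+) change_ticket=(\S+)")
RE_NEW_PROC = re.compile(r"procmon\[\d+\]: new process name=(\S+)")


def client_expected(addr: str) -> bool:
    """True when the client address falls inside the expected membership set."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in EXPECTED_CLIENTS)


def classify(line: str) -> Optional[str]:
    """Return the SI-4 (5) indicator a log line matches, or None."""
    if RE_AUDIT_STOP.search(line):
        return "auditing functionality disabled or modified"
    m = RE_FAILED_LOGIN.search(line)
    if m and m.group(1) in ADMIN_ACCOUNTS:
        return "failed login for administrative or key service account"
    m = m or RE_ACCEPTED_LOGIN.search(line)   # any login attempt carries a client address
    if m and not client_expected(m.group(2)):
        return "request from client outside expected membership set"
    m = RE_FILE_MOD.search(line)
    if m and m.group(2) == "none":            # no ticket from the change-management channel
        return "protected file modified without change-management notification"
    m = RE_NEW_PROC.search(line)
    if m and m.group(1) not in BASELINE_PROCESSES:
        return "process running outside baseline system profile"
    return None


def detect(log_text: str) -> List[Tuple[str, str]]:
    """(indicator, line) pairs for every line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        indicator = classify(line)
        if indicator:
            hits.append((indicator, line))
    return hits


def summarize(log_text: str) -> Dict[str, int]:
    """Hit count per indicator; the shape an alert digest would carry."""
    return dict(Counter(indicator for indicator, _ in detect(log_text)))


# Constructed sample log: two benign lines and six that trip an indicator.
SAMPLE_LOG = """\
Mar 01 10:00:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51022
Mar 01 10:02:17 web01 sshd[2210]: Failed password for root from 10.0.0.77 port 40311
Mar 01 10:02:19 web01 sshd[2210]: Failed password for root from 10.0.0.77 port 40312
Mar 01 10:03:05 web01 sshd[2215]: Failed password for deploy from 203.0.113.9 port 40400
Mar 01 10:05:40 web01 fim[900]: modified /etc/sudoers change_ticket=none
Mar 01 10:05:41 web01 fim[900]: modified /etc/motd change_ticket=CHG-0042
Mar 01 10:07:02 web01 auditd[512]: The audit daemon is exiting.
Mar 01 10:09:30 web01 procmon[777]: new process name=unexpected-svc user=www-data
Mar 01 10:09:31 web01 procmon[777]: new process name=nginx user=www-data
"""

if __name__ == "__main__":
    for indicator, line in detect(SAMPLE_LOG):
        print(f"{indicator}: {line}")
    print(summarize(SAMPLE_LOG))
```

The order of checks in classify matters: a failed root login from an unexpected client is reported under the account indicator first, so each line maps to exactly one indicator and the digest counts stay stable. The auditd line is the one to watch most closely, since once audit visibility is reduced the remaining indicators lose their evidence source.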


SI-9 Information Input Restrictions
Low baseline: Not Selected; Moderate baseline: SI-9
Control parameter requirements: None.
Additional requirements and guidance: None.

SI-10 Information Input Validation
Low baseline: Not Selected; Moderate baseline: SI-10
Control parameter requirements: None.
Additional requirements and guidance: None.

SI-11 Error Handling
Low baseline: Not Selected; Moderate baseline: SI-11
Control parameter requirements: SI-11b. [Assignment: organization-defined sensitive or potentially harmful information] Parameter: [user name and password combinations; attributes used to validate a password reset request (e.g. security questions); personally identifiable information (excluding unique user name identifiers provided as a normal part of a transactional record); biometric data or personal characteristics used to authenticate identity; sensitive financial records (e.g. account numbers, access codes); content related to internal security functions (i.e., private encryption keys, white list or blacklist rules, object permission attributes and settings)].
Additional requirements and guidance: None.

SI-12 Information Output Handling and Retention
Low baseline: SI-12; Moderate baseline: SI-12
Control parameter requirements: None.
Additional requirements and guidance: None.
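SI-11b. lists the categories of information an error message must not reveal: credentials, password-reset attributes, PII, biometrics, financial records and internal security-function content. The Python below is an added example, not from the FedRAMP document: a leaky error handler that echoes the exception and the request fields back to the client, beside a hardened one that returns a generic message plus a correlation reference and keeps the detail in a server-side log with those categories redacted. The field-name patterns and the sample request context are assumptions constructed for the example.

```python
import logging
import re
import uuid
from typing import Any, Dict, Iterable, Tuple

# Field-name patterns standing in for the SI-11b. categories. Constructed for
# this example; a real application would derive them from its own schema.
SENSITIVE_KEY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"passw(or)?d",                                   # user name and password combinations
    r"security_(question|answer)|reset_token",        # password-reset validation attributes
    r"\bssn\b|date_of_birth|home_address",            # personally identifiable information
    r"biometric|fingerprint",                         # biometric data
    r"account_number|access_code|routing",            # sensitive financial records
    r"private_key|allow_?list|block_?list|permissions",  # internal security-function content
)]

log = logging.getLogger("error-handler")


def is_sensitive(key: str) -> bool:
    """True when a field name matches one of the SI-11b. categories."""
    return any(p.search(key) for p in SENSITIVE_KEY_PATTERNS)


def redact(context: Dict[str, Any]) -> Dict[str, Any]:
    """Mask sensitive fields before the context goes anywhere, even an internal log."""
    return {k: ("[REDACTED]" if is_sensitive(k) else v) for k, v in context.items()}


def leaky_error_response(exc: Exception, context: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    # The pattern SI-11b. rules out: exception text and raw request fields
    # (password, security answer, account number) go straight back to the client.
    return 500, {"error": str(exc), "request": context}


def safe_error_response(exc: Exception, context: Dict[str, Any]) -> Tuple[int, Dict[str, str]]:
    # Client sees a generic message and a reference; the reference ties it to
    # the internal record, which holds only the exception type and redacted fields.
    ref = uuid.uuid4().hex
    log.error("ref=%s exc=%s context=%s", ref, type(exc).__name__, redact(context))
    return 500, {"error": "The request could not be processed.", "reference": ref}


def leaks(body: Dict[str, Any], secrets: Iterable[str]) -> bool:
    """Check helper: does any secret value appear in the serialized response body?"""
    text = repr(body)
    return any(s in text for s in secrets)


# Constructed request context for a failed password-reset attempt.
SAMPLE_CONTEXT = {
    "username": "alice",
    "password": "hunter2",
    "security_answer": "Rover",
    "account_number": "4111-0000",
}
SAMPLE_SECRETS = ["hunter2", "Rover", "4111-0000"]

if __name__ == "__main__":
    err = ValueError("reset failed for hunter2")
    print("leaky:", leaks(leaky_error_response(err, SAMPLE_CONTEXT)[1], SAMPLE_SECRETS))
    print("safe: ", leaks(safe_error_response(err, SAMPLE_CONTEXT)[1], SAMPLE_SECRETS))
```

The redaction is applied to the internal log as well as the client response because SI-11b. names credentials and reset attributes as information to protect, and an application log is routinely read by more people and tools than the authentication database is.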