From f93b99f920c1cab427fb9eefc183ae63e39fbf1e Mon Sep 17 00:00:00 2001 From: Rene Tshiteya Date: Thu, 21 Sep 2023 09:08:01 -0400 Subject: [PATCH 1/4] Add Core Controls and Response Points --- .../FedRAMP_rev5_HIGH-baseline_profile.xml | 9504 ++++++++++++++++- .../xml/FedRAMP_rev5_LOW-baseline_profile.xml | 5370 +++++++++- ...FedRAMP_rev5_MODERATE-baseline_profile.xml | 8151 +++++++++++++- 3 files changed, 22542 insertions(+), 483 deletions(-) diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml index 6df08ba80..2abc9333d 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml @@ -1787,7 +1787,7 @@ -

personnel screening criteria – as required by specific information

+

personnel screening criteria - as required by specific information

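Review bot: the only change in this hunk is the en dash in 'personnel screening criteria – as required by specific information' becoming an ASCII hyphen. That is fine in itself, but it is a character normalization unrelated to the "Add Core Controls and Response Points" subject, and the same normalization recurs for apostrophes and quotes later in the patch (the CM-6 compliance-check paragraph, the IA-5 (1) guidance, the RA-5 warning-findings paragraph), so either state it in the commit message or land the normalization as its own commit so it can be verified separately.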
@@ -2402,6 +2402,480 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2420,6 +2894,54 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2431,6 +2953,54 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2442,6 +3012,17 @@ + + + + + + + + + + + @@ -2457,6 +3038,138 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2468,6 +3181,14 @@ + + + + + + + + @@ -2479,6 +3200,64 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2490,6 +3269,88 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2501,6 +3362,22 @@ + + + + + + + + + + + + + + + + 
@@ -2524,6 +3401,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2538,8 +3454,339 @@ - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-2 Additional FedRAMP Requirements and Guidance @@ -2553,6 +3800,80 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2564,6 +3885,77 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2575,6 +3967,85 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2586,6 +4057,108 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2597,6 +4170,14 @@ + + + + + + + + @@ -2616,6 +4197,91 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2627,6 +4293,61 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2638,6 +4359,14 @@ + + + + + + + + 
@@ -2649,6 +4378,59 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2664,6 +4446,22 @@ + + + + + + + + + + + + + + + + @@ -2675,16 +4473,60 @@ - - - - - CA-7 Additional FedRAMP Requirements and Guidance - - -

Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

-
- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + CA-7 Additional FedRAMP Requirements and Guidance + + +

Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

+
+

CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight.

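Review bot: the new paragraph for CSOs with more than one agency ATO refers to the "FedRAMP Guide for Multi-Agency Continuous Monitoring" by title only, while the RA-5 guidance in this same patch points readers at https://www.FedRAMP.gov/documents/; give this reference the same pointer so the obligation is traceable. Separately, the removed and re-added CA-7 scan-frequency text ('Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.') is identical, so this hunk reads as a move plus one addition; if the enclosing markup changed, say what changed, otherwise the remove/re-add pair is churn.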
@@ -2694,6 +4536,113 @@
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2705,6 +4654,24 @@ + + + + + + + + + + + + + + + + + + @@ -2717,6 +4684,165 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2728,6 +4854,68 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2743,6 +4931,262 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2758,11 +5202,70 @@ -

Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

+

Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

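Review bot: in the re-added CM-6 compliance-check paragraph the only visible difference from the removed lines is 'CSP’s' becoming 'CSP's' (typographic apostrophe to ASCII); everything else, including the monthly continuous monitoring paragraph that follows, is carried over unchanged. A one-character normalization inside a 22,000-line patch is easy to miss, so call it out in the commit message or separate it; if the intent was also to retag or re-nest the element, that is not visible here and should be stated.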
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + @@ -2774,6 +5277,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2785,6 +5327,44 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2796,6 +5376,91 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2804,6 +5469,55 @@

FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
@@ -2815,6 +5529,40 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2826,6 +5574,13 @@ + + + + + + + @@ -2834,6 +5589,111 @@

If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

+ + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2849,6 +5709,163 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2860,6 +5877,48 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2875,6 +5934,140 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2886,6 +6079,39 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2897,6 +6123,50 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2908,6 +6178,81 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2931,6 +6276,90 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2942,6 +6371,110 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2961,10 +6494,28 @@ -

"Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

+

"Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

+ + + + + + + + + + + + + + + + + +
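Review bot: the removed and re-added '"Phishing-resistant" authentication refers to authentication processes...' lines are identical in the visible text, so this '-'/'+' pair is either a whitespace or attribute change on the enclosing element or pure churn; if nothing changed, drop the pair so the hunk shows only the genuinely new lines that follow it.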
@@ -2984,6 +6535,16 @@ + + + + + + + + + + @@ -3003,6 +6564,28 @@ + + + + + + + + + + + + + + + + + + + + + + @@ -3018,6 +6601,25 @@ + + + + + + + + + + + + + + + + + + + @@ -3029,6 +6631,87 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3044,18 +6727,98 @@ - - - - - IA-5 (1) Additional FedRAMP Requirements and Guidance + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IA-5 (1) Additional FedRAMP Requirements and Guidance

Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

-

For cases where technology doesn’t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

+

For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

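Review bot: the visible change to the IA-5 (1) guidance is 'doesn’t' becoming 'doesn't'; the 14-character minimum, the printable-ASCII requirement and the emergency-account rules are unchanged, so this is the same quote normalization seen elsewhere in the patch and should be noted in the commit message or separated out. Also, the heading 'IA-5 (1) Additional FedRAMP Requirements and Guidance' writes the enhancement with a space while the 'RA-5(8)' and 'SA-11(1)' headings later in the patch do not; pick one form.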
@@ -3064,6 +6827,98 @@
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3075,6 +6930,13 @@ + + + + + + + @@ -3086,6 +6948,14 @@ + + + + + + + + @@ -3097,6 +6967,14 @@ + + + + + + + + @@ -3115,6 +6993,15 @@ + + + + + + + + + @@ -3126,6 +7013,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3137,6 +7049,196 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3148,6 +7250,27 @@ + + + + + + + + + + + + + + + + + + + + + @@ -3155,7 +7278,7 @@ IR-4 Additional FedRAMP Requirements and Guidance -

The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

+

The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

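Review bot: the removed and re-added FISMA "incident" definition under 'IR-4 Additional FedRAMP Requirements and Guidance' is identical in the visible text; as with the phishing-resistant authentication paragraph earlier in the patch, either the enclosing element changed in a way the diff does not show, which the commit message should say, or this is churn that should be dropped.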
@@ -3163,6 +7286,139 @@
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3174,6 +7430,69 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3189,198 +7508,3584 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - MP-3 Additional FedRAMP Requirements and Guidance - - -

Second parameter not-applicable

-
-
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - MP-4 Additional FedRAMP Requirements and Guidance - - -

The service provider defines controlled areas within facilities where the information and information system reside.

-
-
+ + + + + + + - - - - MP-5 Additional FedRAMP Requirements and Guidance - - -

The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

-
-
+ + + + + + + - - - - MP-6 (1) Additional FedRAMP Requirements and Guidance - - -

Must comply with NIST SP 800-88

-
-
+ + + + + + + - - - - MP-6 (2) Additional FedRAMP Requirements and Guidance - - -

Equipment and procedures may be tested or validated for effectiveness

-
-
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - MP-6 (3) Additional FedRAMP Requirements and Guidance - - -

Must comply with NIST SP 800-88

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + MP-3 Additional FedRAMP Requirements and Guidance + + +

Second parameter not-applicable

+ + + + + + + + + + + + + +
- - - - PE-14 Additional FedRAMP Requirements and Guidance - + + + + MP-4 Additional FedRAMP Requirements and Guidance + -

The service provider measures temperature at server inlets and humidity levels by dew point.

+

The service provider defines controlled areas within facilities where the information and information system reside.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- - - - PL-8 Additional FedRAMP Requirements and Guidance - - -

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+ + + + MP-5 Additional FedRAMP Requirements and Guidance + + +

The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- - - - PL-10 Additional FedRAMP Requirements and Guidance - + + + + + + + + + + + + + + + + + + + + + + + + MP-6 (1) Additional FedRAMP Requirements and Guidance + -

Select the appropriate FedRAMP Baseline

+

Must comply with NIST SP 800-88

+ + + + + + +
- - - - RA-3 Additional FedRAMP Requirements and Guidance - + + + + MP-6 (2) Additional FedRAMP Requirements and Guidance + -

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

-
- - -

Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

+

Equipment and procedures may be tested or validated for effectiveness

+ + + + + + +
- - - - RA-5 Additional FedRAMP Requirements and Guidance - - -

See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

-
- - -

an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

-
- - -

If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

-
- - -

to include all Authorizing Officials; for JAB authorizations to include FedRAMP

-
- - -

Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

-

Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

-

Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a “warning” as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on “Tracking of Compliance Scans” in FAQs.

+ + + + MP-6 (3) Additional FedRAMP Requirements and Guidance + + +

Must comply with NIST SP 800-88

+ + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PE-14 Additional FedRAMP Requirements and Guidance + + +

The service provider measures temperature at server inlets and humidity levels by dew point.

+
+
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PL-8 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + PL-10 Additional FedRAMP Requirements and Guidance + + +

Select the appropriate FedRAMP Baseline

+
+
+
+ + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + RA-3 Additional FedRAMP Requirements and Guidance + + +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

+
+ + +

Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + RA-5 Additional FedRAMP Requirements and Guidance + + +

See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

+
+ + +

an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

+
+ + +

If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

+
+ + +

to include all Authorizing Officials; for JAB authorizations to include FedRAMP

+
+ + +

Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

+

Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

+

Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a "warning" as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on "Tracking of Compliance Scans" in FAQs.

+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + RA-5(8) Additional FedRAMP Requirement + + +

This enhancement is required for all high (or critical) vulnerability scan findings.

+
+
+
+ + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SA-4 Additional FedRAMP Requirements and Guidance + + +

The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

+
+ + +

The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

+

See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + SA-10 Additional FedRAMP Requirements and Guidance + + +

track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + SA-11(1) Additional FedRAMP Requirements + + +

The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

+

If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

+
+
+
+ + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - RA-5(8) Additional FedRAMP Requirement - - -

This enhancement is required for all high (or critical) vulnerability scan findings.

-
-
+ + + + + + + + - - - - SA-4 Additional FedRAMP Requirements and Guidance - - -

The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

-
- - -

The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

-

See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

-
-
+ + + + + + + + + - - - - SA-10 Additional FedRAMP Requirements and Guidance - - -

track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

-
-
+ + + + + + + + + - - - - SA-11(1) Additional FedRAMP Requirements - - -

The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

-

If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

-
-
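Review bot: the RA-5(8) guidance is removed in this hunk (the `- - - - RA-5(8) Additional FedRAMP Requirement - - -` header at the end of the long line before "This enhancement is required for all high (or critical) vulnerability scan findings.", plus the two `-` closing lines after it), but unlike SA-4, SA-10 and SA-11(1), which are removed here and re-added with the new wrapping at the top of the hunk, no re-added RA-5(8) block is visible; confirm RA-5(8) is restored elsewhere in the HIGH profile rather than dropped, since the text says the enhancement is required for all high/critical scan findings. While the SA-11(1) paragraph is being re-added verbatim, fix the nits it carries over: "If Static code analysis cannot be performed ... (see SA-11 (8))" has a mid-sentence capital and no terminating period, and "SA-11 (8)" should be spaced the same way as the "SA-11(1)" heading.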
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3393,6 +11098,212 @@
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3404,6 +11315,46 @@
+ + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3412,7 +11363,7 @@

For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

-

+

For clarity, this control applies to all data in transit. Examples include the following data flows:

  • Crossing the system boundary
  • @@ -3421,9 +11372,9 @@
  • Replication between availability zones
  • Transmission of backups to storage
  • From a load balancer to a compute instance
  • -
  • Flows from management tools required for their work – e.g. log collection, scanning, etc.
  • +
  • Flows from management tools required for their work - e.g. log collection, scanning, etc.
-

+

The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).

FedRAMP-Defined Assignment / Selection Parameters

SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]
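Review bot: the only visible text change in this hunk is the en dash replaced by a hyphen in "Flows from management tools required for their work – e.g. log collection, scanning, etc." (the `-`/`+` pair inside the bullet list); the `-`/`+` pair just below it shows no text at all. That is a character-normalization edit, not a core-control or response-point addition, and it recurs in several later hunks; state in the commit message that the patch also normalizes dashes, apostrophes and quotes so reviewers can separate that churn from the substantive additions.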

@@ -3432,21 +11383,33 @@

SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

-

+

Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

-

-

Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

-

+

+

Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS's Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS' recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

+

Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.

-

+

CNSSI No.7003 can be accessed here:

https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf

-

+

DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:

https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf

+ + + + + + + + + + + +
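Review bot: the removed and re-added CAA paragraph ("Controlled Access Area (CAA): Data will be considered physically protected ...") differs only in its apostrophes ("DHS’s"/"DHS’" to "DHS's"/"DHS'"), so the inconsistent possessive and capitalisation within the sentence ("DHS's Recommended Practice" followed by "DHS' recommended practice") are carried into the new line; since the line is being rewritten anyway, make both occurrences "DHS's Recommended Practice". The unchanged Note below it mixes "SC-8 (5)" and "SC-8(5)" in one sentence; worth aligning to the "SC-8 (5)" form used in the rest of this section.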
@@ -3458,7 +11421,7 @@
-

See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

+

See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.
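Review bot: the line `See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"` is removed and re-added with identical visible text, so whatever changed (quote characters or surrounding markup) cannot be seen in the rendered diff. If this is a normalization-only change, say so in the commit message; the same removed/re-added-identical pattern appears for the "Phishing-resistant" paragraph and the FISMA "incident" definition in the LOW-baseline file, and a reviewer otherwise has to take on faith that no guidance text was altered.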

@@ -3471,6 +11434,15 @@
+ + + + + + + + +
@@ -3490,6 +11462,18 @@
+ + + + + + + + + + + +
@@ -3505,7 +11489,7 @@
  • Generation of one time passwords (OTPs) for MFA
  • Protocols such as TLS, SSH, and HTTPS
  • -

    +

    The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

    https://csrc.nist.gov/projects/cryptographic-module-validation-program

    @@ -3535,6 +11519,26 @@
    + + + + + + + + + + + + + + + + + + + +
    @@ -3546,6 +11550,23 @@ + + + + + + + + + + + + + + + + + @@ -3573,6 +11594,30 @@ + + + + + + + + + + + + + + + + + + + + + + + + @@ -3604,58 +11649,326 @@ + + + + + + + + + + + + + + + + + SC-28 Additional FedRAMP Requirements and Guidance + + +

    The organization supports the capability to use cryptographic mechanisms to protect information at rest.

    +
    + + +

    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    +
    + + +

    Note that this enhancement requires the use of cryptography in accordance with SC-13.

    +
    +
    +
    + + + + + + + + + + + + +
    + + + + SC-28 (1) Additional FedRAMP Requirements and Guidance + + +

    Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

    +

    Examples:

    +

    A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

    +

    B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

    +

    C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

    +
    +
    +
    + + + + + + + + + +
    + + + + SC-45(1) Additional FedRAMP Requirements and Guidance + + +

    The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

    +
    + + +

    The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

    +
    + + +

    Synchronization of system clocks improves the accuracy of log analysis.

    +
    +
    +
    + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - SC-28 Additional FedRAMP Requirements and Guidance - - -

    The organization supports the capability to use cryptographic mechanisms to protect information at rest.

    -
    - - -

    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    -
    - - -

    Note that this enhancement requires the use of cryptography in accordance with SC-13.

    -
    -
    + + + + + + + + + - - - - SC-28 (1) Additional FedRAMP Requirements and Guidance - - -

    Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

    -

    Examples:

    -

    A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

    -

    B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

    -

    C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

    -
    -
    + + + + + + + + + + + + + + + + + - - - - SC-45(1) Additional FedRAMP Requirements and Guidance - - -

    The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

    -
    - - -

    The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

    -
    - - -

    Synchronization of system clocks improves the accuracy of log analysis.

    -
    -
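Review bot: the SC-28, SC-28 (1) and SC-45(1) guidance blocks are removed at the bottom of this hunk and re-added verbatim at the top, so the thing to check is the new wrapping, not the text. Two nits on the re-added headers: "SC-28 (1) Additional FedRAMP Requirements and Guidance" and "SC-45(1) Additional FedRAMP Requirements and Guidance" space the enhancement number differently (the SA-11(1) and IA-5 (1) headers elsewhere in the patch show the same inconsistency), so pick one form. The sentence "Note that this enhancement requires the use of cryptography in accordance with SC-13." is placed under the base control SC-28 rather than under an enhancement; confirm it is attached to the intended part.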
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3668,6 +11981,243 @@
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3679,6 +12229,15 @@ + + + + + + + + + @@ -3690,6 +12249,17 @@ + + + + + + + + + + + @@ -3699,6 +12269,164 @@

    Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3715,6 +12443,22 @@ + + + + + + + + + + + + + + + + @@ -3726,6 +12470,198 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3737,6 +12673,46 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3748,6 +12724,14 @@ + + + + + + + + @@ -3759,6 +12743,14 @@ + + + + + + + + @@ -3770,6 +12762,24 @@ + + + + + + + + + + + + + + + + + + @@ -3781,14 +12791,38 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml index 1b73644ba..9e9eed24c 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml 
@@ -1310,8 +1310,303 @@ - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1323,6 +1618,22 @@ + + + + + + + + + + + + + + + + @@ -1346,6 +1657,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1362,6 +1712,22 @@
    + + + + + + + + + + + + + + + +
    @@ -1370,6 +1736,272 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1385,6 +2017,114 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1397,6 +2137,33 @@
    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    @@ -1417,8 +2184,122 @@
    + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1430,12 +2311,102 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CA-5 Additional FedRAMP Requirements and Guidance @@ -1448,6 +2419,22 @@ + + + + + + + + + + + + + + + + @@ -1459,6 +2446,50 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1479,8 +2510,105 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1491,9 +2619,165 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1504,8 +2788,56 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1521,11 +2853,45 @@ -

    Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

    +

    Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

    During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
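Review bot: the CM-6 compliance-check paragraph is removed and re-added with only "CSP’s" changed to "CSP's"; the HIGH-baseline file receives the same apostrophe normalization in the SC-8 (5) CAA paragraph, so apply it wherever this CM-6 paragraph appears in the other baseline profiles too, otherwise the baselines drift on guidance text that is meant to be identical across them. The following paragraph ("During monthly continuous monitoring, new findings ...") is left as unchanged context, which is correct.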
    @@ -1537,6 +2903,24 @@ + + + + + + + + + + + + + + + + + + @@ -1549,8 +2933,122 @@
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1566,6 +3064,104 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1578,6 +3174,37 @@
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    @@ -1594,6 +3221,46 @@
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    @@ -1617,8 +3284,107 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1633,7 +3399,7 @@ -

    "Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

    +

    "Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

    @@ -1641,6 +3407,24 @@
    + + + + + + + + + + + + + + + + + +
    @@ -1660,6 +3444,16 @@ + + + + + + + + + + @@ -1679,6 +3473,16 @@ + + + + + + + + + + @@ -1691,8 +3495,69 @@
    + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1708,26 +3573,165 @@ - - - - - IA-5 (1) Additional FedRAMP Requirements and Guidance - - -

    Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

    -
    - - -

    For cases where technology doesn’t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

    -

    For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

    -
    - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + IA-5 (1) Additional FedRAMP Requirements and Guidance + + +

    Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

    +
    + + +

    For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

    +

    For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

    +
    +

    Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
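Review bot: the IA-5 (1) block is removed and re-added with "doesn’t" normalized to "doesn't"; the closing paragraph "Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13)." is the only IA-5 (1) paragraph that is neither removed nor re-added, and it now follows the `+` closing markers of the new block, so confirm it still sits inside the IA-5 (1) guidance element rather than being orphaned after it. Minor: "One-Time-Passwords (OTP)" in the re-added first paragraph would normally read "one-time passwords (OTPs)", consistent with "one time passwords (OTPs)" in the FIPS 140 bullet list of the HIGH file.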
    @@ -1747,16 +3751,188 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IR-4 Additional FedRAMP Requirements and Guidance -

    The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

    +

    The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

    @@ -1764,6 +3940,61 @@
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + @@ -1776,6 +4007,37 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1792,6 +4054,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1801,6 +4136,432 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -1811,13 +4572,535 @@ + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PL-8 Additional FedRAMP Requirements and Guidance @@ -1826,6 +5109,68 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -1838,85 +5183,1210 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + RA-3 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    +
    + + +

    Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + RA-5 Additional FedRAMP Requirements and Guidance + + +

    See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

    +
    + + +

    an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    +
    + + +

    If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

    +
    + + +

    to include all Authorizing Officials; for JAB authorizations to include FedRAMP

    +
    + + +

    Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

    +

    Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

    +

    Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a "warning" as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on "Tracking of Compliance Scans" in FAQs.

    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SA-4 Additional FedRAMP Requirements and Guidance + + +

    The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

    +
    + + +

    The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

    +

    See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - RA-3 Additional FedRAMP Requirements and Guidance - - -

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    -
    - - -

    Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    -
    -
    + + + + + + + + + - - - - - - RA-5 Additional FedRAMP Requirements and Guidance - - -

    See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

    -
    - - -

    an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    -
    - - -

    If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

    -
    - - -

    to include all Authorizing Officials; for JAB authorizations to include FedRAMP

    -
    - - -

    Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

    -

    Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

    -

    Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a “warning” as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on “Tracking of Compliance Scans” in FAQs.

    -
    -
    + + + + + + + + + - - - - - - - - SA-4 Additional FedRAMP Requirements and Guidance - - -

    The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

    -
    - - -

    The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

    -

    See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

    -
    -
    + + + + + + + + + + + + + + + - - - - @@ -1927,6 +6397,50 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1944,7 +6458,7 @@
  • Replication between availability zones
  • Transmission of backups to storage
  • From a load balancer to a compute instance
  • -
  • Flows from management tools required for their work – e.g. log collection, scanning, etc.
  • +
  • Flows from management tools required for their work - e.g. log collection, scanning, etc.
  • The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).
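Review bot: the only change in this hunk is the en dash in "required for their work – e.g. log collection" becoming a plain hyphen, the same dash and apostrophe normalization applied to the personnel screening and CAA paragraphs elsewhere in this patch; since these character-level edits are interleaved with the large control additions, a short mention in the commit message that non-ASCII punctuation was normalized would help reviewers separate them from content changes.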

    @@ -1958,7 +6472,7 @@

    Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

    -

    Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

    +

    Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS's Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS' recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

    Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.
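Review bot: the CAA paragraph now uses a straight apostrophe in "DHS's Recommended Practice", but the same sentence still reads "DHS' recommended practice" with a trailing-apostrophe possessive; normalize both to "DHS's" in this pass. The list "PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3)" also lacks a colon after "following controls", which is minor but worth fixing while the line is being touched.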

    @@ -1970,6 +6484,18 @@
    + + + + + + + + + + + +
    @@ -1981,7 +6507,7 @@ -

    See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

    +

    See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

    SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.
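Review bot: the removed and added lines in this hunk render identically ("See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment""), so the difference is not visible in the text; if this is a whitespace- or markup-only change, confirm that no attribute or element name was altered unintentionally, and that the trailing context "SC-8 (1) applies when encryption has been selected..." really is unchanged.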

    @@ -1994,6 +6520,15 @@
    + + + + + + + + +
    @@ -2013,6 +6548,18 @@ + + + + + + + + + + + + @@ -2059,6 +6606,26 @@
    + + + + + + + + + + + + + + + + + + + +
    @@ -2070,6 +6637,23 @@ + + + + + + + + + + + + + + + + + @@ -2093,6 +6677,30 @@ + + + + + + + + + + + + + + + + + + + + + + + + @@ -2126,6 +6734,18 @@ + + + + + + + + + + + + @@ -2145,6 +6765,18 @@ + + + + + + + + + + + + @@ -2160,10 +6792,180 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2175,6 +6977,77 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2184,10 +7057,216 @@

    Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2199,8 +7278,48 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2212,6 +7331,14 @@ + + + + + + + + @@ -2225,17 +7352,38 @@
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    - - - - diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml index 2c66aa0d8..d8785b6fd 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml @@ -1495,7 +1495,7 @@ -

    personnel screening criteria – as required by specific information

    +

    personnel screening criteria - as required by specific information

    @@ -2070,6 +2070,432 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2089,6 +2515,54 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2101,6 +2575,54 @@
    + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2112,6 +2634,17 @@ + + + + + + + + + + + @@ -2128,8 +2661,140 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2140,6 +2805,64 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2151,8 +2874,60 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2164,6 +2939,22 @@ + + + + + + + + + + + + + + + + @@ -2187,6 +2978,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2206,6 +3036,22 @@ + + + + + + + + + + + + + + + + @@ -2214,32 +3060,427 @@ - - - - - AU-2 Additional FedRAMP Requirements and Guidance - - -

    Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

    -
    - - -

    Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

    -
    -
    + + + + + - - - - - AU-3 (1) Additional FedRAMP Requirements and Guidance - - -

    For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

    -
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-2 Additional FedRAMP Requirements and Guidance + + +

    Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

    +
    + + +

    Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-3 (1) Additional FedRAMP Requirements and Guidance + + +

    For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

    +
    + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2252,6 +3493,33 @@
    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    @@ -2275,8 +3543,187 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2288,6 +3735,61 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2299,10 +3801,53 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2318,6 +3863,22 @@ + + + + + + + + + + + + + + + + @@ -2329,6 +3890,50 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2349,8 +3954,115 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2362,6 +4074,24 @@ + + + + + + + + + + + + + + + + + + @@ -2374,9 +4104,168 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2388,6 +4277,68 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2404,9 +4355,155 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2422,11 +4519,57 @@ -

    Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

    +

    Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

    During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + @@ -2438,8 +4581,47 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2450,8 +4632,46 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2463,8 +4683,73 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2473,6 +4758,55 @@

    FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    @@ -2485,6 +4819,40 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2497,9 +4865,102 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2515,6 +4976,134 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2527,6 +5116,37 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2543,19 +5163,155 @@ - - - - - CP-7 Additional FedRAMP Requirements and Guidance - - -

    The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

    -
    -
    + + + + + -
    - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CP-7 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + CP-7 (1) Additional FedRAMP Requirements and Guidance @@ -2565,6 +5321,39 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2576,6 +5365,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2599,8 +5427,54 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2612,8 +5486,102 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2632,10 +5600,28 @@ -

    "Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

    +

    "Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

    + + + + + + + + + + + + + + + + + +
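Review bot: the "Phishing-resistant" definition is kept verbatim but still names no source for the quoted term, while the SC-8 guidance elsewhere in this patch cites M-22-09 by name; adding the originating memorandum reference to this definition would make it traceable for assessors.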
    @@ -2655,6 +5641,16 @@ + + + + + + + + + + @@ -2674,6 +5670,28 @@ + + + + + + + + + + + + + + + + + + + + + + @@ -2689,6 +5707,25 @@ + + + + + + + + + + + + + + + + + + + @@ -2700,8 +5737,89 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2717,6 +5835,86 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2728,7 +5926,7 @@ -

    For cases where technology doesn’t allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

    +

    For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

    For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

    @@ -2737,6 +5935,98 @@
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2748,6 +6038,13 @@ + + + + + + + @@ -2769,6 +6066,15 @@ + + + + + + + + + @@ -2781,6 +6087,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2796,9 +6127,180 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2810,6 +6312,27 @@ + + + + + + + + + + + + + + + + + + + + + @@ -2817,7 +6340,7 @@ IR-4 Additional FedRAMP Requirements and Guidance -

    The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

    +

    The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

    @@ -2825,12 +6348,80 @@
    -
    - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IR-6 Additional FedRAMP Requirements and Guidance @@ -2838,8 +6429,71 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2855,10 +6509,418 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2869,8 +6931,122 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2881,6 +7057,20 @@ + + + + + + + + + + + + + + @@ -2892,6 +7082,42 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2903,6 +7129,43 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2912,52 +7175,1345 @@ - - - - PE-14 Additional FedRAMP Requirements and Guidance - - -

    The service provider measures temperature at server inlets and humidity levels by dew point.

    -
    -
    + + + + + + + + + + + + + + + + + + - - - - - - - PL-8 Additional FedRAMP Requirements and Guidance - - -

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    -
    -
    + + + + + + + + + + + + + + + + + + - - - - - PL-10 Additional FedRAMP Requirements and Guidance - - -

    Select the appropriate FedRAMP Baseline

    -
    -
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PE-14 Additional FedRAMP Requirements and Guidance + + +

    The service provider measures temperature at server inlets and humidity levels by dew point.

    +
    +
    +
    + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PL-8 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + PL-10 Additional FedRAMP Requirements and Guidance + + +

    Select the appropriate FedRAMP Baseline

    +
    +
    +
    + + + + + + + +
    + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2972,45 +8528,631 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + RA-5 Additional FedRAMP Requirements and Guidance + + +

    See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

    +
    + + +

    an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    +
    + + +

    If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

    +
    + + +

    to include all Authorizing Officials; for JAB authorizations to include FedRAMP

    +
    + + +

    Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

    +

    Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

    +

    Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a "warning" as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on "Tracking of Compliance Scans" in FAQs.

    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - RA-5 Additional FedRAMP Requirements and Guidance - - -

    See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

    -
    - - -

    an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    -
    - - -

    If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

    -
    - - -

    to include all Authorizing Officials; for JAB authorizations to include FedRAMP

    -
    - - -

    Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

    -

    Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

    -

    Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a “warning” as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on “Tracking of Compliance Scans” in FAQs.

    -
    -
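Review bot: "If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog" should read "listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog", and the fragment "to include all Authorizing Officials; for JAB authorizations to include FedRAMP" appears in this hunk with no parameter label or sentence around it, so it is not clear which assignment it completes; please check that the enclosing element survived the edit. The informational-findings paragraph also says such results "for FedRAMP does not require an entry", which should be "do not require".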

    For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

    -

    +

    For clarity, this control applies to all data in transit. Examples include the following data flows:

    • Crossing the system boundary
    • @@ -3093,9 +10038,9 @@
    • Replication between availability zones
    • Transmission of backups to storage
    • From a load balancer to a compute instance
    • -
    • Flows from management tools required for their work – e.g. log collection, scanning, etc.
    • +
    • Flows from management tools required for their work - e.g. log collection, scanning, etc.
    -

    +

    The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).

    FedRAMP-Defined Assignment / Selection Parameters

    SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]
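Review bot: the only visible change in this hunk is the en-dash in "Flows from management tools required for their work – e.g. log collection" becoming an ASCII hyphen, leaving a spaced hyphen ("for their work - e.g.") that reads as a typo; if the intent is to strip non-ASCII punctuation from the profile text, consider "for their work, e.g. log collection, scanning, etc." and say in the commit message that punctuation is being normalized so reviewers know these -/+ pairs carry no wording change.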

    @@ -3104,21 +10049,33 @@

    SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

    -

    +

    Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

    -

    -

    Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

    -

    +

    +

    Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS's Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS' recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

    +

    Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.

    -

    +

    CNSSI No.7003 can be accessed here:

    https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf

    -

    +

    DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:

    https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf

    + + + + + + + + + + + +
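Review bot: the "Controlled Access Area (CAA)" paragraph is removed and re-added with only the typographic apostrophes in "DHS’s" and "DHS’" replaced by straight ones, which should be stated as a punctuation-only change. The line "Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP." is hard to parse and mixes "SC-8 (5)" with "SC-8(5)"; suggest "Note: When selecting SC-8 (5), both SC-8 (5) and the PE controls referenced above must be added to the SSP."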
    @@ -3130,7 +10087,7 @@ -

    See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

    +

    See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

    SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.
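Review bot: the removed and re-added lines 'See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"' render identically, so the actual edit (presumably whitespace or quotation-mark normalization) cannot be verified from the hunk; please call out invisible changes like this in the commit message. The sentence is also missing its terminating period.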

    @@ -3143,6 +10100,15 @@
  • Generation of one time passwords (OTPs) for MFA
  • Protocols such as TLS, SSH, and HTTPS
  • -

    +

    The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

    https://csrc.nist.gov/projects/cryptographic-module-validation-program
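Review bot: the -/+ pair following the "Protocols such as TLS, SSH, and HTTPS" bullet renders as two empty lines, so whatever changed there is not reviewable in this hunk; if it is the same punctuation normalization as elsewhere in the patch, say so in the commit message. Separately, "timelines for acceptance of FIPS 140-2, and 140-3" has a stray comma before "and".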


    Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

From c4a892ca33b2be3984b34d4207e643b13c918541 Mon Sep 17 00:00:00 2001
From: Rene Tshiteya
Date: Thu, 21 Sep 2023 14:18:40 -0400
Subject: [PATCH 2/4] Update oscal version and add prop namespaces

---
 .../FedRAMP_rev5_HIGH-baseline_profile.xml | 4290 ++++++++---------
 .../xml/FedRAMP_rev5_LOW-baseline_profile.xml | 2522 +++++-----
 ...FedRAMP_rev5_MODERATE-baseline_profile.xml | 3768 +++++++--------
 3 files changed, 5290 insertions(+), 5290 deletions(-)

diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml
index 2abc9333d..dc56a5fb4 100644
--- a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml
+++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml
[hunk bodies not rendered: only the -/+ markers of the replaced element lines survived extraction]

diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml
index 9e9eed24c..a71f4dcc3 100644
--- a/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml
+++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml
[hunk bodies not rendered]

diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml
index d8785b6fd..edc4f1207 100644
--- a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml
+++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml
[hunk bodies not rendered]
@@ -2217,8 +2217,8 @@ - - + + @@ -2230,8 +2230,8 @@ - - + + @@ -2240,27 +2240,27 @@ - - + + - - + + - - + + - - + + - + @@ -2272,13 +2272,13 @@ - - + + - - + + @@ -2290,13 +2290,13 @@ - - + + - - + + @@ -2305,8 +2305,8 @@ - - + + @@ -2315,13 +2315,13 @@ - - + + - - + + @@ -2333,8 +2333,8 @@ - - + + @@ -2343,80 +2343,80 @@ - + - + - - + + - - + + - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -2461,8 +2461,8 @@ - - + + @@ -2474,8 +2474,8 @@ - - + + @@ -2487,7 +2487,7 @@ - + @@ -2517,23 +2517,23 @@ - - + + - - + + - - + + - - + + @@ -2554,8 +2554,8 @@ - - + + @@ -2577,8 +2577,8 @@ - - + + @@ -2590,23 +2590,23 @@ - - + + - - + + - - + + - - + + @@ -2636,8 +2636,8 @@ - - + + @@ -2663,13 +2663,13 @@ - - + + - - + + @@ -2685,13 +2685,13 @@ - - + + - - + + @@ -2703,8 +2703,8 @@ - - + + @@ -2713,13 +2713,13 @@ - - + + - - + + @@ -2731,23 +2731,23 @@ - - + + - - + + - - + + - - + + @@ -2765,8 +2765,8 @@ - - + + @@ -2778,8 +2778,8 @@ - - + + @@ -2788,8 +2788,8 @@ - - + + @@ -2807,11 +2807,11 @@ - + - + @@ -2823,8 +2823,8 @@ - - + + @@ -2836,13 +2836,13 @@ - - + + - - + + @@ -2854,8 +2854,8 @@ - - + + @@ -2876,8 +2876,8 @@ - - + + @@ -2890,8 +2890,8 @@ - - + + @@ -2903,13 +2903,13 @@ - - + + - - + + @@ -2921,8 +2921,8 @@ - - + + @@ -2941,13 +2941,13 @@ - - + + - - + + @@ -2980,33 +2980,33 @@ - - + + - + - + - + - + - - + + - + @@ -3038,13 +3038,13 @@ - - + + - - + + @@ -3063,44 +3063,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -3127,42 +3127,42 @@ - - + + - - + + - - + + - - + + - - + + - + - - + + - - + + @@ -3180,8 +3180,8 @@ - - + + @@ -3190,8 +3190,8 @@ - - + + @@ -3200,22 +3200,22 @@ - - + + - - + + - + - - + + @@ -3230,12 +3230,12 @@ - - + + - + @@ -3247,44 +3247,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -3311,17 +3311,17 @@ - - + + - - + + - + @@ -3353,31 +3353,31 @@ - - + + - - + + - - + + - + - - + + - + @@ -3401,8 +3401,8 @@ - - + + @@ -3438,8 +3438,8 @@ - - + + 
@@ -3451,8 +3451,8 @@ - - + + @@ -3464,13 +3464,13 @@ - - + + - - + + @@ -3495,18 +3495,18 @@ - - + + - - + + - - + + @@ -3545,8 +3545,8 @@ - - + + @@ -3559,8 +3559,8 @@ - - + + @@ -3572,8 +3572,8 @@ - - + + @@ -3585,14 +3585,14 @@ - - - + + + - - + + @@ -3604,8 +3604,8 @@ - - + + @@ -3614,13 +3614,13 @@ - - + + - - + + @@ -3635,13 +3635,13 @@ - - + + - - + + @@ -3653,8 +3653,8 @@ - - + + @@ -3663,44 +3663,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -3737,40 +3737,40 @@ - + - - + + - - + + - - + + - - + + - - + + - + - + @@ -3803,8 +3803,8 @@ - - + + @@ -3816,8 +3816,8 @@ - - + + @@ -3826,17 +3826,17 @@ - - + + - + - - + + @@ -3865,13 +3865,13 @@ - - + + - - + + @@ -3892,32 +3892,32 @@ - - + + - - + + - - + + - - + + - - + + - + @@ -3956,48 +3956,48 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -4025,8 +4025,8 @@ - - + + @@ -4035,23 +4035,23 @@ - - + + - - + + - - + + - - + + @@ -4076,8 +4076,8 @@ - - + + @@ -4086,8 +4086,8 @@ - - + + @@ -4106,8 +4106,8 @@ - - + + @@ -4121,22 +4121,22 @@ - - + + - + - - + + - - + + @@ -4154,44 +4154,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -4218,18 +4218,18 @@ - - + + - - + + - - + + @@ -4244,17 +4244,17 @@ - - + + - - + + - + @@ -4279,22 +4279,22 @@ - + - - + + - - + + - - + + @@ -4306,8 +4306,8 @@ - - + + @@ -4316,7 +4316,7 @@ - + @@ -4325,13 +4325,13 @@ - - + + - - + + @@ -4357,41 +4357,41 @@ - - + + - - + + - - + + - + - + - - + + - - + + - - + + @@ -4420,8 +4420,8 @@ - - + + @@ -4430,8 +4430,8 @@ - - + + @@ -4440,8 +4440,8 @@ - - + + @@ -4450,8 +4450,8 @@ - - + + @@ -4460,8 +4460,8 @@ - - + + @@ -4473,12 +4473,12 @@ - + - - + + @@ -4490,12 +4490,12 @@ - + - - + + @@ -4526,22 +4526,22 @@ - + - - + + - - + + - - + + @@ -4562,7 +4562,7 @@ - + @@ -4583,12 +4583,12 @@ - - + + - + @@ -4604,13 +4604,13 @@ - - + + - - + + @@ -4634,7 +4634,7 @@ - + @@ -4647,17 +4647,17 @@ - - + + - + - - + + 
@@ -4685,33 +4685,33 @@ - - + + - - + + - - + + - - + + - - + + - - + + @@ -4727,8 +4727,8 @@ - - + + @@ -4737,11 +4737,11 @@ - + - + @@ -4760,37 +4760,37 @@ - + - + - - + + - + - + - + - - + + - + @@ -4821,28 +4821,28 @@ - - + + - - + + - - + + - - + + - - + + @@ -4867,7 +4867,7 @@ - + @@ -4878,44 +4878,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -4942,9 +4942,9 @@ - - - + + + @@ -4953,9 +4953,9 @@ - - - + + + @@ -4978,77 +4978,77 @@ - + - + - + - + - + - + - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - + + + @@ -5078,8 +5078,8 @@ - - + + @@ -5088,8 +5088,8 @@ - - + + @@ -5098,8 +5098,8 @@ - - + + @@ -5118,28 +5118,28 @@ - - + + - - + + - - + + - - + + - - + + @@ -5165,31 +5165,31 @@ - - - + + + - - - + + + - - - + + + - - + + - - + + @@ -5207,9 +5207,9 @@ - - - + + + @@ -5218,21 +5218,21 @@ - - - + + + - - - + + + - - - + + + @@ -5244,9 +5244,9 @@ - - - + + + @@ -5255,13 +5255,13 @@ - - + + - - + + @@ -5279,27 +5279,27 @@ - - - + + + - - - + + + - - - + + + - - - + + + @@ -5323,8 +5323,8 @@ - - + + @@ -5333,13 +5333,13 @@ - - + + - - + + @@ -5348,8 +5348,8 @@ - - + + @@ -5367,9 +5367,9 @@ - - - + + + @@ -5378,15 +5378,15 @@ - - - + + + - - - + + + @@ -5398,8 +5398,8 @@ - - + + @@ -5429,26 +5429,26 @@ - - - + + + - - - + + + - - - + + + - - + + @@ -5467,9 +5467,9 @@ - - - + + + @@ -5488,9 +5488,9 @@ - - - + + + @@ -5500,44 +5500,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -5564,8 +5564,8 @@ - - + + @@ -5574,9 +5574,9 @@ - - - + + + @@ -5606,15 +5606,15 @@ - - - + + + - - - + + + @@ -5643,7 +5643,7 @@ - + @@ -5672,7 +5672,7 @@ - + @@ -5684,7 +5684,7 @@ - + @@ -5709,13 +5709,13 @@ - - + + - - + + @@ -5739,8 +5739,8 @@ - - + + @@ -5753,8 +5753,8 @@ - - + + @@ -5766,8 +5766,8 @@ - - + + @@ -5776,23 +5776,23 @@ - - + + - - + + - - + + - - + + @@ -5813,8 +5813,8 @@ - - + + @@ -5837,53 +5837,53 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + 
@@ -5937,38 +5937,38 @@ - - + + - - + + - + - + - + - + - + - - + + @@ -5998,19 +5998,19 @@ - + - + - + - + @@ -6022,7 +6022,7 @@ - + @@ -6040,7 +6040,7 @@ - + @@ -6068,9 +6068,9 @@ - - - + + + @@ -6089,19 +6089,19 @@ - - - + + + - - + + - - + + @@ -6129,8 +6129,8 @@ - - + + @@ -6141,7 +6141,7 @@ - + @@ -6150,9 +6150,9 @@ - - - + + + @@ -6161,7 +6161,7 @@ - + @@ -6170,7 +6170,7 @@ - + @@ -6179,12 +6179,12 @@ - + - - + + @@ -6196,9 +6196,9 @@ - - - + + + @@ -6207,44 +6207,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -6271,28 +6271,28 @@ - - + + - - + + - - + + - - + + - - + + @@ -6314,8 +6314,8 @@ - - + + @@ -6327,8 +6327,8 @@ - - + + @@ -6350,33 +6350,33 @@ - - + + - - + + - - + + - - + + - - + + - - + + @@ -6398,8 +6398,8 @@ - - + + @@ -6411,8 +6411,8 @@ - - + + @@ -6431,13 +6431,13 @@ - - + + - - + + @@ -6450,9 +6450,9 @@ - - - + + + @@ -6461,8 +6461,8 @@ - - + + @@ -6471,13 +6471,13 @@ - - + + - - + + @@ -6486,9 +6486,9 @@ - - - + + + @@ -6511,61 +6511,61 @@ - + - + - + - + - + - + - + - + - + - + - + - - + + - - + + - + @@ -6589,38 +6589,38 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -6647,7 +6647,7 @@ - + @@ -6656,7 +6656,7 @@ - + @@ -6665,7 +6665,7 @@ - + @@ -6674,44 +6674,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -6738,32 +6738,32 @@ - - - + + + - - + + - - + + - - + + - + - + @@ -6787,15 +6787,15 @@ - - - + + + - - - + + + @@ -6807,9 +6807,9 @@ - - - + + + @@ -6818,9 +6818,9 @@ - - - + + + @@ -6832,9 +6832,9 @@ - - - + + + @@ -6852,31 +6852,31 @@ - - + + - - + + - + - - - + + + - + - + @@ -6897,19 +6897,19 @@ - + - - - + + + - - - + + + @@ -6933,19 +6933,19 @@ - - + + - - + + - - - + + + @@ -6958,9 +6958,9 @@ - - - + + + @@ -6969,44 +6969,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -7033,15 +7033,15 @@ - - - + + + - - - + + + @@ -7059,11 +7059,11 @@ - + - + @@ -7084,33 +7084,33 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + 
@@ -7131,28 +7131,28 @@ - - - + + + - - - + + + - + - - + + - + @@ -7178,15 +7178,15 @@ - - - + + + - - - + + + @@ -7198,15 +7198,15 @@ - - - + + + - - - + + + @@ -7218,44 +7218,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -7282,17 +7282,17 @@ - - + + - + - - + + @@ -7307,8 +7307,8 @@ - - + + @@ -7317,19 +7317,19 @@ - + - + - + - + @@ -7338,33 +7338,33 @@ - - + + - - + + - - + + - - + + - - + + - - + + @@ -7373,17 +7373,17 @@ - + - - + + - - + + @@ -7392,22 +7392,22 @@ - + - - + + - - + + - - + + @@ -7428,13 +7428,13 @@ - - + + - - + + @@ -7448,23 +7448,23 @@ - - + + - - + + - - + + - - + + @@ -7473,28 +7473,28 @@ - - + + - - + + - - + + - - + + - - + + @@ -7506,23 +7506,23 @@ - - + + - - + + - - + + - - + + @@ -7540,20 +7540,20 @@ - - + + - + - + - + @@ -7571,55 +7571,55 @@ - + - - + + - - + + - + - + - - + + - + - + - + - - + + - + - + @@ -7649,8 +7649,8 @@ - - + + @@ -7659,7 +7659,7 @@ - + @@ -7668,26 +7668,26 @@ - - + + - + - + - - + + - - + + @@ -7702,7 +7702,7 @@ - + @@ -7711,17 +7711,17 @@ - - + + - + - - + + @@ -7736,7 +7736,7 @@ - + @@ -7745,44 +7745,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -7809,8 +7809,8 @@ - - + + @@ -7819,132 +7819,132 @@ - - + + - - + + - - + + - - + + - - + + - - + + - + - + - + - + - + - + - - + + - + - + - + - + - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -7965,23 +7965,23 @@ - - + + - - + + - - + + - - + + @@ -7999,18 +7999,18 @@ - - + + - - + + - - + + @@ -8035,56 +8035,56 @@ - - + + - - + + - + - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -8109,7 +8109,7 @@ - + @@ -8127,44 +8127,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -8191,18 +8191,18 @@ - - + + - - + + - - + + @@ -8217,18 +8217,18 @@ - - + + - - + + - - + + @@ -8240,13 +8240,13 @@ - - + + - - + + @@ -8258,26 +8258,26 @@ - + - + - - + + - - + + - - + + @@ -8298,22 +8298,22 @@ - - + + - - + + - + - - + + 
@@ -8331,22 +8331,22 @@ - + - - + + - - + + - - + + @@ -8361,27 +8361,27 @@ - - + + - - + + - + - - + + - - + + @@ -8402,13 +8402,13 @@ - - + + - - + + @@ -8420,7 +8420,7 @@ - + @@ -8429,44 +8429,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -8493,16 +8493,16 @@ - + - + - - + + @@ -8530,42 +8530,42 @@ - - + + - - + + - - + + - - + + - + - - + + - - + + - - + + @@ -8590,13 +8590,13 @@ - - + + - - + + @@ -8636,48 +8636,48 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -8711,8 +8711,8 @@ - - + + @@ -8721,8 +8721,8 @@ - - + + @@ -8734,8 +8734,8 @@ - - + + @@ -8747,8 +8747,8 @@ - - + + @@ -8757,8 +8757,8 @@ - - + + @@ -8767,8 +8767,8 @@ - - + + @@ -8777,44 +8777,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -8841,47 +8841,47 @@ - - - + + + - - - + + + - - - + + + - - - + + + - - + + - - + + - - + + - - + + @@ -8902,73 +8902,73 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -8986,39 +8986,39 @@ - - + + - - + + - - + + - - + + - - - + + + - - + + - - + + @@ -9030,8 +9030,8 @@ - - + + @@ -9043,33 +9043,33 @@ - - + + - - + + - - + + - - + + - - + + - - + + @@ -9084,13 +9084,13 @@ - - + + - - + + @@ -9102,43 +9102,43 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -9170,63 +9170,63 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -9269,29 +9269,29 @@ - - + + - - - + + + - - + + - - + + - - + + @@ -9322,8 +9322,8 @@ - - + + @@ -9338,8 +9338,8 @@ - - + + @@ -9348,8 +9348,8 @@ - - + + @@ -9358,8 +9358,8 @@ - - + + @@ -9368,8 +9368,8 @@ - - + + @@ -9378,88 +9378,88 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -9477,53 +9477,53 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -9532,30 +9532,30 @@ - - + + - - + + - + - + - + - - + + 
@@ -9573,13 +9573,13 @@ - - + + - - + + @@ -9591,8 +9591,8 @@ - - + + @@ -9601,8 +9601,8 @@ - - + + @@ -9611,44 +9611,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -9675,9 +9675,9 @@ - - - + + + @@ -9686,14 +9686,14 @@ - - + + - - - + + + @@ -9705,12 +9705,12 @@ - + - - + + @@ -9722,8 +9722,8 @@ - - + + @@ -9732,9 +9732,9 @@ - - - + + + @@ -9743,9 +9743,9 @@ - - - + + + @@ -9754,9 +9754,9 @@ - - - + + + @@ -9765,8 +9765,8 @@ - - + + @@ -9775,9 +9775,9 @@ - - - + + + @@ -9786,12 +9786,12 @@ - - + + - + @@ -9812,35 +9812,35 @@ - - + + - - + + - - + + - - + + - - - + + + - - - + + + @@ -9859,9 +9859,9 @@ - - - + + + @@ -9873,9 +9873,9 @@ - - - + + + @@ -9887,9 +9887,9 @@ - - - + + + @@ -9901,47 +9901,47 @@ - - - + + + - - + + - - + + - - + + - - + + - - - + + + - - - + + + - - - + + + @@ -9983,9 +9983,9 @@ - - - + + + @@ -9997,9 +9997,9 @@ - - - + + + @@ -10011,9 +10011,9 @@ - - - + + + @@ -10066,9 +10066,9 @@ - - - + + + @@ -10102,9 +10102,9 @@ - - - + + + @@ -10130,9 +10130,9 @@ - - - + + + @@ -10188,14 +10188,14 @@ - - + + - - - + + + @@ -10219,14 +10219,14 @@ - - + + - - - + + + @@ -10259,21 +10259,21 @@ - - - + + + - - - + + + - - - + + + @@ -10316,9 +10316,9 @@ - - - + + + @@ -10347,9 +10347,9 @@ - - - + + + @@ -10374,9 +10374,9 @@ - - - + + + @@ -10403,12 +10403,12 @@ - - + + - + @@ -10427,44 +10427,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -10491,11 +10491,11 @@ - + - + @@ -10507,8 +10507,8 @@ - - + + @@ -10517,8 +10517,8 @@ - - + + @@ -10527,24 +10527,24 @@ - - - + + + - - + + - - + + - - + + @@ -10562,9 +10562,9 @@ - - - + + + @@ -10573,14 +10573,14 @@ - - - + + + - - + + @@ -10592,38 +10592,38 @@ - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -10654,53 +10654,53 @@ - - - + + + - - - + + + - - + + - - - + + + - - - + + + - - + + - - + + - - + + - - - + + + @@ -10728,13 +10728,13 @@ - - + + - - + + @@ -10746,8 +10746,8 @@ - - + + @@ -10759,8 +10759,8 @@ - - + + @@ -10769,9 +10769,9 @@ - - - + + + 
@@ -10783,9 +10783,9 @@ - - - + + + @@ -10797,14 +10797,14 @@ - - + + - - - + + + @@ -10825,9 +10825,9 @@ - - - + + + @@ -10846,25 +10846,25 @@ - - - + + + - - + + - - - + + + - - + + @@ -10885,23 +10885,23 @@ - - + + - - + + - - + + - - + + @@ -10922,13 +10922,13 @@ - - + + - - + + @@ -10943,9 +10943,9 @@ - - - + + + @@ -10957,8 +10957,8 @@ - - + + @@ -10981,13 +10981,13 @@ - - + + - - + + @@ -11009,7 +11009,7 @@ - + @@ -11024,8 +11024,8 @@ - - + + @@ -11034,44 +11034,44 @@ - - + + - - + + - + - + - + - + - - + + - - + + - - + + @@ -11098,8 +11098,8 @@ - - + + @@ -11108,8 +11108,8 @@ - - + + @@ -11118,8 +11118,8 @@ - - + + @@ -11128,8 +11128,8 @@ - - + + @@ -11138,50 +11138,50 @@ - - + + - + - + - + - + - + - + - + - + - - + + - - + + @@ -11196,8 +11196,8 @@ - - + + @@ -11216,23 +11216,23 @@ - - + + - - + + - - + + - - + + @@ -11248,9 +11248,9 @@ - - - + + + @@ -11269,8 +11269,8 @@ - - + + @@ -11289,8 +11289,8 @@ - - + + @@ -11312,28 +11312,28 @@ - - + + - - + + - - + + - - + + - - + + From 67a3e48c017076e91a511adffc62b87723a999d8 Mon Sep 17 00:00:00 2001 From: Rene Tshiteya Date: Thu, 21 Sep 2023 21:31:10 -0400 Subject: [PATCH 3/4] Update LI-SaaS profile --- .../FedRAMP_rev5_LI-SaaS-baseline_profile.xml | 384 +++++++++--------- 1 file changed, 195 insertions(+), 189 deletions(-) diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml index e8e100ac2..2a9e79210 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml @@ -1316,7 +1316,7 @@ - + @@ -1336,28 +1336,28 @@ - + - - - + + +

    Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions.

    - +

    Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records.

    - +

    Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities.

    - +

    Organizational processes for account management on the information system; automated mechanisms for implementing account management.
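Review bot: The account-management assessment objective and its examine/interview/test lists in the @@ -1336 hunk use NIST SP 800-53 rev4 phrasing ("information system", "security plan", "organizational missions/business functions") inside a rev5 profile; confirm this wording is intended or align it with the rev5 assessment language ("system", "system security plan") used by the rest of the rev5 baselines.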

    @@ -1370,7 +1370,7 @@
    - +
    @@ -1380,8 +1380,8 @@
    - - + +

    NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.

    @@ -1392,7 +1392,7 @@ - +

    FED - This is related to agency data and agency policy solution.

    @@ -1403,7 +1403,7 @@ - +

    FED - This is related to agency data and agency policy solution.

    @@ -1415,7 +1415,7 @@
    - +
    @@ -1424,7 +1424,7 @@ - +

    NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).

    @@ -1436,7 +1436,7 @@ - +

    NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1]).

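Review bot: The NSO justifications in the @@ -1424 and @@ -1436 hunks are near-duplicates that drift in wording: "web services and/or API" versus "web service and/or API", "is out of scope" versus "is out of the scope", and "IA-2[1]" versus "IA-2 [1]". Pick one form, and prefer the "IA-2(1)" notation this profile uses for the IA-2(1) heading further down; "All access to Cloud SaaS are via" should also read "All access to Cloud SaaS is via".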
    @@ -1447,7 +1447,7 @@ - +
    @@ -1457,7 +1457,7 @@
    - +
    @@ -1466,7 +1466,7 @@ - +
    @@ -1475,7 +1475,7 @@ - +
    @@ -1484,7 +1484,7 @@ - +
    @@ -1493,7 +1493,7 @@ - +
    @@ -1502,7 +1502,7 @@ - +
    @@ -1511,7 +1511,7 @@ - +
    @@ -1520,7 +1520,7 @@ - +
    @@ -1529,7 +1529,7 @@
    - +
    @@ -1537,7 +1537,7 @@ - +

    NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.

    @@ -1549,7 +1549,7 @@
    - +
    @@ -1559,7 +1559,7 @@
    - +
    @@ -1567,7 +1567,7 @@ - +
    @@ -1575,7 +1575,7 @@ - +
    @@ -1584,7 +1584,7 @@ - +

    NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.

    @@ -1595,7 +1595,7 @@ - +
    @@ -1604,7 +1604,7 @@ - +
    @@ -1614,7 +1614,7 @@
    - +
    @@ -1622,7 +1622,7 @@ - +
    @@ -1632,8 +1632,8 @@
    - - + +

    Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

    @@ -1645,7 +1645,7 @@ - +

    Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.

    @@ -1657,7 +1657,7 @@
    - +
    @@ -1667,7 +1667,7 @@
    - +
    @@ -1677,7 +1677,7 @@
    - +
    @@ -1687,7 +1687,7 @@
    - +
    @@ -1697,8 +1697,8 @@
    - - + +

    Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

    @@ -1710,7 +1710,7 @@ - +
    @@ -1718,7 +1718,7 @@ - +
    @@ -1727,7 +1727,7 @@
    - +
    @@ -1737,7 +1737,7 @@
    - +
    @@ -1747,7 +1747,7 @@
    - +

    Required - Specifically include details of least functionality.

    @@ -1773,7 +1773,7 @@ - +
    @@ -1783,7 +1783,7 @@
    - +
    @@ -1791,7 +1791,7 @@ - +

    NSO- Not directly related to protection of the data.

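Review bot: "NSO- Not directly related to protection of the data." in the @@ -1791 hunk drops the space after "NSO"; every other justification in this file is written "NSO - ...", so normalize it to "NSO - Not directly related to protection of the data."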
    @@ -1802,7 +1802,7 @@ - +

    NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.

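Review bot: The boundary justification in the @@ -1802 hunk has two grammar slips: "users' machine or internal network are not contemplated" should be "users' machines and internal networks are not contemplated", and the control list has a doubled conjunction ("and secure access (SC-12 and SC-13), and privileged authentication"). It also writes "IA-2[1]" where the profile elsewhere uses "IA-2(1)".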
    @@ -1814,7 +1814,7 @@ - +
    @@ -1823,7 +1823,7 @@ - +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

    @@ -1835,7 +1835,7 @@ - +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

    @@ -1847,7 +1847,7 @@ - +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

    @@ -1859,7 +1859,7 @@
    - +
    @@ -1867,7 +1867,7 @@ - +

    NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

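Review bot: "has been determined as little or no impact" in the @@ -1867 hunk (and in the @@ -1584, -1823, -1835 and -1847 hunks above) reads awkwardly; use "has been determined to have little or no impact", which is the form the @@ -1537 hunk already uses for the audit-data justification, so all availability NSO statements are phrased the same way.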
    @@ -1879,7 +1879,7 @@ - +
    @@ -1887,8 +1887,8 @@ - - + +

    NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.

    @@ -1900,7 +1900,7 @@
    - + IA-2(1) Additional FedRAMP Requirements and Guidance @@ -1913,9 +1913,12 @@ - + + + + - + @@ -1925,7 +1928,7 @@ - +
    @@ -1934,13 +1937,13 @@
    - - + + - - - + + +

    Determine if the information system:

    • Accepts PIV credentials.
    • @@ -1955,7 +1958,7 @@ - + @@ -1964,7 +1967,7 @@ - + @@ -1973,7 +1976,7 @@ - + @@ -1982,15 +1985,18 @@ - + + + + - + @@ -1998,7 +2004,7 @@ - + @@ -2007,8 +2013,8 @@ - - + +

      Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

      @@ -2020,8 +2026,8 @@
      - - + +

      Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

      @@ -2032,7 +2038,7 @@ - + @@ -2041,7 +2047,7 @@ - + @@ -2050,7 +2056,7 @@ - + @@ -2059,7 +2065,7 @@ - + @@ -2068,7 +2074,7 @@
      - + @@ -2076,7 +2082,7 @@ - + @@ -2086,7 +2092,7 @@ - + @@ -2094,7 +2100,7 @@ - + @@ -2103,7 +2109,7 @@ - +

      Attestation - Specifically attest to US-CERT compliance.

      @@ -2115,7 +2121,7 @@ - + @@ -2124,8 +2130,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2137,7 +2143,7 @@ - + @@ -2146,8 +2152,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2159,7 +2165,7 @@ - + @@ -2168,8 +2174,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2181,8 +2187,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2194,8 +2200,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2207,7 +2213,7 @@ - + @@ -2217,8 +2223,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2231,8 +2237,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2245,8 +2251,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2259,8 +2265,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2272,8 +2278,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2285,8 +2291,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2298,8 +2304,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2320,8 +2326,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2333,8 +2339,8 @@
      - - + +

      Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

      @@ -2346,7 +2352,7 @@ - + @@ -2356,7 +2362,7 @@
      - + @@ -2364,7 +2370,7 @@ - + @@ -2373,7 +2379,7 @@ - + @@ -2383,7 +2389,7 @@ - + @@ -2392,7 +2398,7 @@ - + @@ -2401,7 +2407,7 @@ - + @@ -2410,7 +2416,7 @@ - + @@ -2418,7 +2424,7 @@ - + @@ -2427,7 +2433,7 @@ - + @@ -2436,7 +2442,7 @@ - + @@ -2445,7 +2451,7 @@ - + @@ -2454,7 +2460,7 @@ - + @@ -2463,7 +2469,7 @@ - +

      Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.

      @@ -2474,7 +2480,7 @@ - + @@ -2483,7 +2489,7 @@ - + @@ -2492,7 +2498,7 @@ - + @@ -2503,7 +2509,7 @@
      - + @@ -2512,7 +2518,7 @@ - + @@ -2521,7 +2527,7 @@ - + @@ -2531,7 +2537,7 @@ - + @@ -2541,7 +2547,7 @@ - + @@ -2551,7 +2557,7 @@ - + @@ -2561,7 +2567,7 @@ - + @@ -2570,7 +2576,7 @@ - + @@ -2578,7 +2584,7 @@ - + @@ -2586,7 +2592,7 @@ - + @@ -2594,7 +2600,7 @@ - + @@ -2603,7 +2609,7 @@ - + @@ -2611,7 +2617,7 @@ - + @@ -2620,7 +2626,7 @@ - + @@ -2629,7 +2635,7 @@ - + @@ -2639,7 +2645,7 @@ - + @@ -2648,7 +2654,7 @@ - + @@ -2657,8 +2663,8 @@ - - + +

      Condition: If availability is a requirement, define protections in place as per control requirement.

      @@ -2670,7 +2676,7 @@
      - + @@ -2680,7 +2686,7 @@ - + @@ -2690,7 +2696,7 @@ - + @@ -2699,7 +2705,7 @@ - + @@ -2709,8 +2715,8 @@ - - + +

      Condition: If implementing need to detail how they meet it or don't meet it.

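Review bot: "Condition: If implementing need to detail how they meet it or don't meet it." in the @@ -2709 hunk is missing its subject and a comma; suggest "Condition: If implemented, detail how the control is or is not met." to match the register of the other Condition statements in this profile.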
      @@ -2721,7 +2727,7 @@ - +

      NSO - Not directly related to the security of the SaaS.

      @@ -2732,7 +2738,7 @@ - + @@ -2740,7 +2746,7 @@ - + @@ -2748,7 +2754,7 @@ - + @@ -2758,7 +2764,7 @@
      - + @@ -2768,7 +2774,7 @@
      - + @@ -2776,7 +2782,7 @@ - + @@ -2785,7 +2791,7 @@ - + @@ -2795,7 +2801,7 @@ - + @@ -2805,7 +2811,7 @@ - + @@ -2815,7 +2821,7 @@ - + @@ -2823,7 +2829,7 @@ - + @@ -2831,7 +2837,7 @@ - +

      Attestation - Specifically related to US-CERT and FedRAMP communications procedures.

      @@ -2843,7 +2849,7 @@ - + @@ -2852,7 +2858,7 @@ - + @@ -2861,7 +2867,7 @@ - + @@ -2870,7 +2876,7 @@ - + @@ -2879,7 +2885,7 @@ - + @@ -2888,7 +2894,7 @@ - + @@ -2897,7 +2903,7 @@ - + @@ -2906,7 +2912,7 @@ - + @@ -2915,7 +2921,7 @@ - + @@ -2924,7 +2930,7 @@ - + @@ -2933,7 +2939,7 @@ - + From 74862111d974e21d1ff37b535ad26a1f08d3a232 Mon Sep 17 00:00:00 2001 From: Rene Tshiteya Date: Thu, 7 Dec 2023 21:20:45 -0500 Subject: [PATCH 4/4] Update response points --- .../FedRAMP_rev5_HIGH-baseline_profile.xml | 361 ++++++------------ .../xml/FedRAMP_rev5_LOW-baseline_profile.xml | 361 ++++++------------ ...FedRAMP_rev5_MODERATE-baseline_profile.xml | 361 ++++++------------ 3 files changed, 330 insertions(+), 753 deletions(-) diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml index dc56a5fb4..f4783909d 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml @@ -2444,23 +2444,18 @@
      - - - - - - - - + + +

      This response must address all control sub-statement requirements.

      +
      - - - - - + + +

      This response must address all control sub-statement requirements.

      +
      @@ -3514,25 +3509,17 @@
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -3698,25 +3685,17 @@
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -4262,25 +4241,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -4772,25 +4743,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -5641,25 +5604,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -6424,25 +6379,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -7167,25 +7114,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -7710,25 +7649,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -8038,25 +7969,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -8334,25 +8257,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -8940,25 +8855,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -9311,25 +9218,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -9618,25 +9517,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -9991,25 +9882,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -10908,25 +10791,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -11797,25 +11672,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -12534,25 +12401,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
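Review bot: the commit message "Update response points" does not say what the response points became, even though the stat line shows 753 deletions against 330 insertions and every hunk in this file (from @@ -3514,25 +3509,17 @@ onward) shrinks a 25-line region to 17 lines while inserting the literal sentence "This response must address all control sub-statement requirements." twice per hunk. The message should name which response-point elements were dropped or merged and why, and the author should confirm that emitting the same sentence twice in each hunk is intended rather than a copy-paste artifact, since the first hunk at @@ -2444,23 +2444,18 @@ has a different shape (8 removed, 3 added) from all the others.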
      diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml index a71f4dcc3..dcde518af 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml @@ -1352,23 +1352,18 @@ - - - - - - - - + + +

      This response must address all control sub-statement requirements.

      +
      - - - - - + + +

      This response must address all control sub-statement requirements.

      +
      @@ -1779,25 +1774,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -1953,25 +1940,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -2279,25 +2258,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -2706,25 +2677,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -3017,25 +2980,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -3364,25 +3319,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -3872,25 +3819,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -4179,25 +4118,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -4364,25 +4295,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -4485,25 +4408,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -4861,25 +4776,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -5242,25 +5149,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -5526,25 +5425,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -5838,25 +5729,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -6327,25 +6210,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -6848,25 +6723,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -7138,25 +7005,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml index edc4f1207..58b9850c8 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml @@ -2112,23 +2112,18 @@ - - - - - - - - + + +

      This response must address all control sub-statement requirements.

      +
      - - - - - + + +

      This response must address all control sub-statement requirements.

      +
      @@ -3103,25 +3098,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -3287,25 +3274,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -3703,25 +3682,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -4194,25 +4165,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -4918,25 +4881,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -5540,25 +5495,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -6247,25 +6194,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -6714,25 +6653,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -7009,25 +6940,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -7258,25 +7181,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -7785,25 +7700,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -8167,25 +8074,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -8469,25 +8368,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -8817,25 +8708,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -9651,25 +9534,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -10467,25 +10342,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      @@ -11074,25 +10941,17 @@ - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
      - - - - - - - + +

      This response must address all control sub-statement requirements.

      +
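Review bot: the LOW and MODERATE profiles receive hunks of exactly the same shape as HIGH (25 lines to 17, same inserted sentence twice per hunk), and the stat line shows the same 361-line change for all three files, so the three baselines are being hand-edited in lockstep; suggest generating the response-point markup for all three profiles from one shared source or a checked-in script, so that a future wording change is made once, and adding a CI check that diffs the response-point text across the three profiles to catch drift between them.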