From d23b751fe0ccd9027acd48335ed2a1038f61e478 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Thu, 16 Jan 2025 12:09:26 -0500 Subject: [PATCH 1/7] add formatting and validation for content generation artifacts --- .github/workflows/content-artifacts.yml | 6 +++ Makefile | 2 +- package-lock.json | 16 +++++++ package.json | 1 + src/content/module.mk | 64 +++++++++++++++++++++++-- 5 files changed, 84 insertions(+), 5 deletions(-) diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml index dd3846475..685645647 100644 --- a/.github/workflows/content-artifacts.yml +++ b/.github/workflows/content-artifacts.yml @@ -51,6 +51,12 @@ jobs: - name: Auto-convert Content run: make build-content working-directory: git-content + - name: Format output Content + run: make format-content + working-directory: git-content + - name: Test output Content + run: make test-dist-content + working-directory: git-content - name: Setup SSH key # Only do this on GSA/master if: github.repository == env.HOME_REPO && github.ref == 'refs/heads/master' diff --git a/Makefile b/Makefile index 3cfca494c..16fe636cf 100644 --- a/Makefile +++ b/Makefile @@ -35,7 +35,7 @@ clean-oci-image: test: build-validations ## Test all -build: init-content test-content build-content ## Build all artifacts and copy into dist directory +build: init-content test-content build-content format-content test-dist-content ## Build all artifacts and copy into dist directory build-oci-image: ## Build OCI image docker build \ diff --git a/package-lock.json b/package-lock.json index 60f071366..969b121bc 100644 --- a/package-lock.json +++ b/package-lock.json @@ -16,6 +16,7 @@ "js-yaml": "^4.1.0", "jsdom": "^25.0.0", "oscal": "2.0.7", + "prettier": "^3.4.2", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" @@ -2905,6 +2906,21 @@ "integrity": "sha512-anP1Z8qwhkbmu7MFP5iTt+wQKXgwzf7zTyGlcdzabySa9vd0Xt392U0rVmz9poOaBj0uHJKyyo9/upk0HrEQew==", "dev": true }, + "node_modules/prettier": { + "version": "3.4.2", + "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.4.2.tgz", + "integrity": "sha512-e9MewbtFo+Fevyuxn/4rrcDAaq0IYxPGLvObpQjiZBMAzB9IGmzlnG9RZy3FFas+eBMu2vA0CszMeduow5dIuQ==", + "license": "MIT", + "bin": { + "prettier": "bin/prettier.cjs" + }, + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/prettier/prettier?sponsor=1" + } + }, "node_modules/progress": { "version": "2.0.3", "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz", diff --git a/package.json b/package.json index c78d588e4..29ae337b6 100644 --- a/package.json +++ b/package.json @@ -29,6 +29,7 @@ "js-yaml": "^4.1.0", "jsdom": "^25.0.0", "oscal": "2.0.7", + "prettier": "^3.4.2", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" diff --git a/src/content/module.mk b/src/content/module.mk index 7abf19f31..88de7e22c 100644 --- a/src/content/module.mk +++ b/src/content/module.mk @@ -8,12 +8,18 @@ XML_DIR = $(DIST_DIR)/content/rev5/baselines/xml JSON_DIR = $(DIST_DIR)/content/rev5/baselines/json YAML_DIR = $(DIST_DIR)/content/rev5/baselines/yaml +# Format configuration +XML_FILES := $(shell find $(XML_DIR) -type f -name "*.xml" 2>/dev/null) +JSON_FILES := $(shell find $(JSON_DIR) -type f -name "*.json" 2>/dev/null) +YAML_FILES := $(shell find $(YAML_DIR) -type f -name "*.yaml" -o -name "*.yml" 2>/dev/null) + .PHONY: init-content init-content: @npm install $(OSCAL_CLI) use $(OSCAL_CLI_VERSION) $(OSCAL_CLI) server update $(OSCAL_CLI) server start -bg + # Generate content and perform conversions .PHONY: build-content build-content: @@ -42,13 +48,63 @@ build-content: @echo "Converting Profiles to YAML..." $(OSCAL_CLI) convert -f $(XML_DIR) -o $(YAML_DIR) -t YAML -s +# Format files +.PHONY: format-xml +format-xml: + @echo "Formatting XML files..." + @for file in $(XML_FILES); do \ + echo "Formatting $$file..."; \ + xmllint --format --output "$$file" "$$file"; \ + done + +.PHONY: format-json +format-json: + @echo "Formatting JSON files..." + @for file in $(JSON_FILES); do \ + if ! echo "$$file" | grep -q "min"; then \ + echo "Formatting $$file..."; \ + npx prettier --write --parser json "$$file"; \ + fi \ + done +.PHONY: format-yaml +format-yaml: + @echo "Formatting YAML files..." + @for file in $(YAML_FILES); do \ + echo "Formatting $$file..."; \ + npx prettier --write --parser yaml "$$file"; \ + done + +# Combined format target +.PHONY: format-content +format-content: format-xml format-json format-yaml + @echo "All formatting complete!" .PHONY: test-content -test-content: +test-content: @echo "Validating Source files" - @$(OSCAL_CLI) validate -f $(SRC_DIR)/content/rev5/baselines/ -r -s + @$(OSCAL_CLI) validate -f $(SRC_DIR)/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml -s + @$(OSCAL_CLI) validate -f $(SRC_DIR)/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml -s + @$(OSCAL_CLI) validate -f $(SRC_DIR)/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml -s + @$(OSCAL_CLI) validate -f $(SRC_DIR)/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml -s + + +.PHONY: test-dist-content +test-dist-content: + @echo "Validating Output files" + @for file in $(YAML_FILES); do \ + echo "Validating $$file..."; \ + $(OSCAL_CLI) validate -f -s "$$file"; \ + done + @for file in $(JSON_FILES); do \ + echo "Validating $$file..."; \ + $(OSCAL_CLI) validate -f -s "$$file"; \ + done + @for file in $(XML_FILES); do \ + echo "Validating $$file..."; \ + $(OSCAL_CLI) validate -f -s "$$file"; \ + done .PHONY: test-legacy-content -test-legacy-content: +test-legacy-content: format @echo "Validating Source files" - @$(OSCAL_CLI) validate -f $(SRC_DIR)/content/rev4/baselines/ -r -s + @$(OSCAL_CLI) validate -f $(SRC_DIR)/content/rev4/baselines/ -r -s \ No newline at end of file From f544b9faf0ed1160add16c64cbe5d4bbed8d1d45 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Thu, 16 Jan 2025 12:18:34 -0500 Subject: [PATCH 2/7] use xml lint --- .../FedRAMP_rev5_HIGH-baseline_profile.xml | 12834 +++++++++++++++- .../FedRAMP_rev5_LI-SaaS-baseline_profile.xml | 2715 +++- .../xml/FedRAMP_rev5_LOW-baseline_profile.xml | 7304 ++++++++- ...FedRAMP_rev5_MODERATE-baseline_profile.xml | 11177 +++++++++++++- package-lock.json | 11 + src/content/module.mk | 5 +- 6 files changed, 33825 insertions(+), 221 deletions(-) diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml index 5b833b27f..a7224825a 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml @@ -1,75 +1,12763 @@ -FedRAMP Rev 5 High Baseline2024-09-24T02:24:00Z2024-09-24T02:24:00Zfedramp2.1.0-oscal1.0.41.0.4Document creatorThe FedRAMP Program Management Office (PMO)PMOThe FedRAMP Joint Authorization Board (JAB)JABFederal Risk and Authorization Management Program: Program Management OfficeFedRAMP PMOinfo@fedramp.gov
1800 F St. NWWashingtonDC20006US
Federal Risk and Authorization Management Program: Joint Authorization BoardFedRAMP JAB8cc0b8e5-9650-4d5f-9796-316f05fa9a2d8cc0b8e5-9650-4d5f-9796-316f05fa9a2dca9ba80e-1342-4bfd-b32a-abac468c24b4ac-1ac-2ac-2.1ac-2.2ac-2.3ac-2.4ac-2.5ac-2.7ac-2.9ac-2.11ac-2.12ac-2.13ac-3ac-4ac-4.4ac-4.21ac-5ac-6ac-6.1ac-6.2ac-6.3ac-6.5ac-6.7ac-6.8ac-6.9ac-6.10ac-7ac-8ac-10ac-11ac-11.1ac-12ac-14ac-17ac-17.1ac-17.2ac-17.3ac-17.4ac-18ac-18.1ac-18.3ac-18.4ac-18.5ac-19ac-19.5ac-20ac-20.1ac-20.2ac-21ac-22at-1at-2at-2.2at-2.3at-3at-4au-1au-2au-3au-3.1au-4au-5au-5.1au-5.2au-6au-6.1au-6.3au-6.4au-6.5au-6.6au-6.7au-7au-7.1au-8au-9au-9.2au-9.3au-9.4au-10au-11au-12au-12.1au-12.3ca-1ca-2ca-2.1ca-2.2ca-2.3ca-3ca-3.6ca-5ca-6ca-7ca-7.1ca-7.4ca-8ca-8.1ca-8.2ca-9cm-1cm-2cm-2.2cm-2.3cm-2.7cm-3cm-3.1cm-3.2cm-3.4cm-3.6cm-4cm-4.1cm-4.2cm-5cm-5.1cm-5.5cm-6cm-6.1cm-6.2cm-7cm-7.1cm-7.2cm-7.5cm-8cm-8.1cm-8.2cm-8.3cm-8.4cm-9cm-10cm-11cm-12cm-12.1cm-14cp-1cp-2cp-2.1cp-2.2cp-2.3cp-2.5cp-2.8cp-3cp-3.1cp-4cp-4.1cp-4.2cp-6cp-6.1cp-6.2cp-6.3cp-7cp-7.1cp-7.2cp-7.3cp-7.4cp-8cp-8.1cp-8.2cp-8.3cp-8.4cp-9cp-9.1cp-9.2cp-9.3cp-9.5cp-9.8cp-10cp-10.2cp-10.4ia-1ia-2ia-2.1ia-2.2ia-2.5ia-2.6ia-2.8ia-2.12ia-3ia-4ia-4.4ia-5ia-5.1ia-5.2ia-5.6ia-5.7ia-5.8ia-5.13ia-6ia-7ia-8ia-8.1ia-8.2ia-8.4ia-11ia-12ia-12.2ia-12.3ia-12.4ia-12.5ir-1ir-2ir-2.1ir-2.2ir-3ir-3.2ir-4ir-4.1ir-4.2ir-4.4ir-4.6ir-4.11ir-5ir-5.1ir-6ir-6.1ir-6.3ir-7ir-7.1ir-8ir-9ir-9.2ir-9.3ir-9.4ma-1ma-2ma-2.2ma-3ma-3.1ma-3.2ma-3.3ma-4ma-4.3ma-5ma-5.1ma-6mp-1mp-2mp-3mp-4mp-5mp-6mp-6.1mp-6.2mp-6.3mp-7pe-1pe-2pe-3pe-3.1pe-4pe-5pe-6pe-6.1pe-6.4pe-8pe-8.1pe-9pe-10pe-11pe-11.1pe-12pe-13pe-13.1pe-13.2pe-14pe-14.2pe-15pe-15.1pe-16pe-17pe-18pl-1pl-2pl-4pl-4.1pl-8pl-10pl-11ps-1ps-2ps-3ps-3.3ps-4ps-4.2ps-5ps-6ps-7ps-8ps-9ra-1ra-2ra-3ra-3.1ra-5ra-5.2ra-5.3ra-5.4ra-5.5ra-5.8ra-5.11ra-7ra-9sa-1sa-2sa-3sa-4sa-4.1sa-4.2sa-4.5sa-4.9sa-4.10sa-5sa-8sa-9sa-9.1sa-9.2sa-9.5sa-10sa-11sa-11.1sa-11.2sa-15sa-15.3sa-16sa-17sa-21sa-22sc-1sc-2sc-3sc-4sc-5sc-7sc-7.3sc-7.4sc-7.5sc-7.7sc-7.8sc-7.10sc-7.12sc-7.18sc-7.20sc-7.21sc-8sc-8.1sc-10sc-12sc-12.1sc-13sc-15sc-17sc-18sc-20sc-21sc-22sc-23sc-24sc-28sc-28.1sc-39sc-45sc-45.1si-1si-2si-2.2si-2.3si-3si-4si-4.1si-4.2si-4.4si-4.5si-4.10si-4.11si-4.12si-4.14si-4.16si-4.18si-4.19si-4.20si-4.22si-4.23si-5si-5.1si-6si-7si-7.1si-7.2si-7.5si-7.7si-7.15si-8si-8.2si-10si-11si-12si-16sr-1sr-2sr-2.1sr-3sr-5sr-6sr-8sr-9sr-9.1sr-10sr-11sr-11.1sr-11.2sr-12true

at least annually

at least annually

significant changes

twenty-four (24) hours

eight (8) hours

eight (8) hours

monthly for privileged accessed, every six (6) months for non-privileged access

Selection: disables

no more than 24 hours from last use

24 hours for user accounts

thirty-five (35) days (See additional requirements and guidance.)

inactivity is anticipated to exceed Fifteen (15) minutes

organization-defined need with justification statement that explains why such accounts are necessary

at a minimum, the ISSO and/or similar role within the organization

one (1) hour

intrusion detection mechanisms

all functions not publicly accessible

all security-relevant information not publicly available

all security functions

all privileged commands

at a minimum, annually

all users with privileges

any software except software explicitly documented

see additional Requirements and Guidance

see additional Requirements and Guidance

three (3) sessions for privileged access and two (2) sessions for non-privileged access

fifteen (15) minutes

at least quarterly

at least annually

at least annually

significant changes

at least annually

at least annually

at least annually

at least annually

five (5) years or 5 years after completion of a specific training program

at least annually

at least annually

significant changes

successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

annually and whenever there is a change in the threat environment

session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands

overwrite oldest record

75%, or one month before expected negative impact

real-time

service provider personnel with authority to address failed audit events

audit failure events requiring real-time alerts, as defined by organization audit policy

at least weekly

vulnerability scanning information; performance data; information system monitoring information; penetration test data;

information system process; role; user

one second granularity of time measurement

at least weekly

minimum actions including the addition, modification, deletion, approval, sending, or receiving of data

a time period in compliance with M-21-31

all information system and network components where audit capability is deployed/available

all network, data storage, and computing devices

service provider-defined individuals or roles with audit configuration responsibilities

all network, data storage, and computing devices

at least annually

at least annually

significant changes

at least annually

individuals or roles to include FedRAMP PMO

at least annually

any FedRAMP Accredited 3PAO

the conditions of the JAB/AO in the FedRAMP Repository

at least annually and on input from JAB/AO

at least monthly

in accordance with OMB A-130 requirements or when a significant change occurs

to include JAB/AO

at least annually

at least annually

at least annually

at least annually

significant changes

at least annually and when a significant change occurs

to include when directed by the JAB

organization-defined number of previous versions of baseline configurations of the previously approved baseline configuration of IS components

organization agreed upon time period

organization defined configuration management approval authorities

Configuration control board (CCB) or similar (as defined in CM-3)

All security safeguards that rely on cryptography

at least quarterly

at least annually

at least quarterly or when there is a change

at least monthly

automated mechanisms with a maximum five-minute delay in detection

continuously

position and role

Continuously (via CM-7 (5))

Federal data and system data that must be protected at the High or Moderate impact levels

at least annually

at least annually

significant changes

at least annually

all

time period defined in service provider and organization SLA

essential

*See Additional Requirements

at least annually

at least annually

at least annually

functional exercises

annually

daily incremental; weekly full

daily incremental; weekly full

daily incremental; weekly full

at least monthly

time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA.

all backup files

time period consistent with the restoration time-periods defined in the service provider and organization SLA

at least annually

at least annually

significant changes

local, network and remote

privileged accounts; non-privileged accounts

FIPS-validated or NSA-approved cryptography

privileged accounts; non-privileged accounts

at a minimum, the ISSO (or similar role within the organization)

at least two (2) years

contractors; foreign nationals

different authenticators in different user authentication domains

at least annually

at least annually

significant changes

ten (10) days for privileged users, thirty (30) days for Incident Response roles

at least annually

at least annually

at least every six (6) months, including functional at least annually

all network, data storage, and computing devices

US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

at least annually

see additional FedRAMP Requirements and Guidance

see additional FedRAMP Requirements and Guidance

at least annually

at least annually

at least annually

significant changes

at least annually

the information owner

a timeframe to support advertised uptime and availability

at least annually

at least annually

significant changes

all types of digital and/or non-digital media containing sensitive information

no removable media types

organization-defined security safeguards not applicable

all types of digital and non-digital media with sensitive information

see additional FedRAMP requirements and guidance

all media with sensitive information

prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

at least every six (6) months

at least annually

at least annually

significant changes

at least every ninety (90) days

CSP defined physical access control systems/devices AND guards

in all circumstances within restricted access area where the information system resides

at least annually

at least annually or earlier as required by a security relevant event.

at least monthly

for a minimum of one (1) year

at least monthly

near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off

automatically

service provider building maintenance/physical security personnel

service provider emergency responders with incident response responsibilities

consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

continuously

service provider building maintenance/physical security personnel

all information system components

physical and environmental hazards identified during threat assessment

at least annually

at least annually

significant changes

to include chief privacy and ISSO and/or similar role or designees

to include chief privacy and ISSO and/or similar role

at least annually

at least annually

at least annually and when the rules are revised or changed

at least annually and when a significant change occurs

at least annually

at least annually

significant changes

at least annually

for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

-

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

personnel screening criteria - as required by specific information

one (1) hour

access control personnel responsible for disabling access to the system

twenty-four (24) hours

including access control personnel responsible for the system

twenty-four (24) hours

at least annually

at least annually and any time there is a change to the user's level of access

including access control personnel responsible for the system and/or facilities, as appropriate

terminations: immediately; transfers: within twenty-four (24) hours

to include the ISSO and/or similar role within the organization

24 hours

at least annually

at least annually

significant changes

security assessment report

at least annually and whenever a significant change occurs

annually

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

within 24 hours prior to running scans

notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions

all components that support authentication

all scans

at least annually

at least annually

significant changes

at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;

-

organization-defined design/implementation information

The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

at a minimum, the ISSO (or similar role within the organization)

Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

all external systems where Federal information is processed or stored

information processing, information or data, AND system services

U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction

all High impact data, systems, or services

development, implementation, AND operation

frequency as before first use and annually thereafter

FedRAMP Security Authorization requirements

at least annually

at least annually

significant changes

Protect against

at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions

any systems

any network outside of organizational control and any network outside the authorization boundary

Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall

confidentiality AND integrity

prevent unauthorized disclosure of information AND detect changes to information

no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions

In accordance with Federal requirements

FIPS-validated or NSA-approved cryptography

no exceptions for computing devices

confidentiality AND integrity

all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

At least hourly

http://tf.nist.gov/tf-cgi/servers.cgi

any difference

at least annually

at least annually

significant changes

within thirty (30) days of release of updates

at least monthly

signature based and non-signature based

at least weekly

to include endpoints and network entry and exit points

to include blocking and quarantining malicious code

administrator or defined security personnel near-realtime

continuously

to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

to include system security personnel and administrators with configuration/patch-management responsibilities

to include upon system startup and/or restart

at least monthly

to include system administrators and security personnel

selection to include security relevant event

at least monthly

to include the ISSO and/or similar role within the organization

to include all software and firmware inside the boundary

to include the ISSO and/or similar role within the organization

to include chief privacy and ISSO and/or similar role or designees

at least annually

at least annually

significant changes

at least annually

at least annually

notification of supply chain compromises and results of assessment or audits

all

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

AC-2 (3) Additional FedRAMP Requirements and Guidance

The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

The service provider defines the time period of inactivity for device identifiers.

For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.

AC-2 (5) Additional FedRAMP Requirements and Guidance

Should use a shorter timeframe than AC-12.

AC-2 (9) Additional FedRAMP Requirements and Guidance

Required if shared/group accounts are deployed.

AC-2 (12) Additional FedRAMP Requirements and Guidance

Required for privileged accounts.

Required for privileged accounts.

AC-4 (4) Additional FedRAMP Requirements and Guidance

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

AC-5 Additional FedRAMP Requirements and Guidance

CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

AC-6 (2) Additional FedRAMP Requirements and Guidance

Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

AC-7 Additional FedRAMP Requirements and Guidance

In alignment with NIST SP 800-63B.

AC-8 Additional FedRAMP Requirements and Guidance

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

AC-20 Additional FedRAMP Requirements and Guidance

The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

-

AC-20 describes system access to and from external systems.

-

CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

-

SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

AU-2 Additional FedRAMP Requirements and Guidance

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

AU-3 (1) Additional FedRAMP Requirements and Guidance

For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

AU-6 Additional FedRAMP Requirements and Guidance

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

AU-6 (6) Additional FedRAMP Requirements and Guidance

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

AU-9 (3) Additional FedRAMP Requirements and Guidance

Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

AU-11 Additional FedRAMP Requirements and Guidance

The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

The service provider is encouraged to align with M-21-31 where possible

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

CA-2 Additional FedRAMP Requirements and Guidance

Reference FedRAMP Annual Assessment Guidance.

CA-2 (1) Additional FedRAMP Requirements and Guidance

For JAB Authorization, must use an accredited 3PAO.

CA-2 (2) Additional FedRAMP Requirements and Guidance

To include ‘announced’, ‘vulnerability scanning’

CA-5 Additional FedRAMP Requirements and Guidance

POA&Ms must be provided at least monthly.

Reference FedRAMP-POAM-Template

CA-6 Additional FedRAMP Requirements and Guidance

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

CA-7 Additional FedRAMP Requirements and Guidance

Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight.

FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

CA-8 Additional FedRAMP Requirements and Guidance

Reference the FedRAMP Penetration Test Guidance.

CA-8(2) Additional FedRAMP Requirements and Guidance

See the FedRAMP Documents page> Penetration Test Guidance

-

https://www.FedRAMP.gov/documents/

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

CM-2 Additional FedRAMP Requirements and Guidance

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

CM-3 Additional FedRAMP Requirements and Guidance

The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

In accordance with record retention policies and procedures.

CM-6 Additional FedRAMP Requirements and Guidance

The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

-

During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

CM-7 Additional FedRAMP Requirements and Guidance

The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

CM-7 (2) Additional FedRAMP Requirements and Guidance

This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

CM-8 Additional FedRAMP Requirements and Guidance

must be provided at least monthly or when there is a change.

FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

CM-12 Additional FedRAMP Requirements and Guidance

According to FedRAMP Authorization Boundary Guidance

CM-12 (1) Additional FedRAMP Requirements and Guidance

According to FedRAMP Authorization Boundary Guidance.

If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

CP-2 Additional FedRAMP Requirements and Guidance

For JAB authorizations the contingency lists include designated FedRAMP personnel.

CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

CP-3 Additional FedRAMP Requirements and Guidance

Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

CP-4 Additional FedRAMP Requirements and Guidance

The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

CP-7 Additional FedRAMP Requirements and Guidance

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

CP-7 (1) Additional FedRAMP Requirements and Guidance

The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

CP-8 Additional FedRAMP Requirements and Guidance

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

CP-9 Additional FedRAMP Requirements and Guidance

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

CP-9 (8) Additional FedRAMP Requirements and Guidance

Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

IA-2 Additional FedRAMP Requirements and Guidance

For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

Multi-factor authentication must be phishing-resistant.

All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

Phishing-resistant authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

IA-2 (1) Additional FedRAMP Requirements and Guidance

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

Multi-factor authentication must be phishing-resistant.

Multi-factor authentication to subsequent components in the same user domain is not required.

IA-2 (2) Additional FedRAMP Requirements and Guidance

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

Multi-factor authentication must be phishing-resistant.

Multi-factor authentication to subsequent components in the same user domain is not required.

IA-2 (6) Additional FedRAMP Requirements and Guidance

PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography.

IA-2 (12) Additional FedRAMP Requirements and Guidance

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

IA-5 Additional FedRAMP Requirements and Guidance

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3

SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

IA-5 (1) Additional FedRAMP Requirements and Guidance

Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

-

For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

IA-5 (7) Additional FedRAMP Requirements and Guidance

In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process.

IA-5 (8) Additional FedRAMP Requirements and Guidance

If a single user authentication domain is used to access multiple systems, such as in single-sign-on, then only a single authenticator is required.

IA-5 (13) Additional FedRAMP Requirements and Guidance

For components subject to configuration baseline(s) (such as STIG or CIS,) the time period should conform to the baseline standard.

IA-11 Additional FedRAMP Requirements and Guidance

The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

-
    -
  • AAL3 (high baseline) -
      -
    • 12 hours or
      • -
    • 15 minutes of inactivity
      • -
    + + + + FedRAMP Rev 5 High Baseline + 2024-09-24T02:24:00Z + 2024-09-24T02:24:00Z + fedramp2.1.0-oscal1.0.4 + 1.0.4 + + Document creator + + + The FedRAMP Program Management Office (PMO) + PMO + + + The FedRAMP Joint Authorization Board (JAB) + JAB + + + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
    + 1800 F St. NW + Washington + DC + 20006 + US +
    +     + + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + + + 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d + + + 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d + + + ca9ba80e-1342-4bfd-b32a-abac468c24b4 + +     + + + ac-1 + ac-2 + ac-2.1 + ac-2.2 + ac-2.3 + ac-2.4 + ac-2.5 + ac-2.7 + ac-2.9 + ac-2.11 + ac-2.12 + ac-2.13 + ac-3 + ac-4 + ac-4.4 + ac-4.21 + ac-5 + ac-6 + ac-6.1 + ac-6.2 + ac-6.3 + ac-6.5 + ac-6.7 + ac-6.8 + ac-6.9 + ac-6.10 + ac-7 + ac-8 + ac-10 + ac-11 + ac-11.1 + ac-12 + ac-14 + ac-17 + ac-17.1 + ac-17.2 + ac-17.3 + ac-17.4 + ac-18 + ac-18.1 + ac-18.3 + ac-18.4 + ac-18.5 + ac-19 + ac-19.5 + ac-20 + ac-20.1 + ac-20.2 + ac-21 + ac-22 + at-1 + at-2 + at-2.2 + at-2.3 + at-3 + at-4 + au-1 + au-2 + au-3 + au-3.1 + au-4 + au-5 + au-5.1 + au-5.2 + au-6 + au-6.1 + au-6.3 + au-6.4 + au-6.5 + au-6.6 + au-6.7 + au-7 + au-7.1 + au-8 + au-9 + au-9.2 + au-9.3 + au-9.4 + au-10 + au-11 + au-12 + au-12.1 + au-12.3 + ca-1 + ca-2 + ca-2.1 + ca-2.2 + ca-2.3 + ca-3 + ca-3.6 + ca-5 + ca-6 + ca-7 + ca-7.1 + ca-7.4 + ca-8 + ca-8.1 + ca-8.2 + ca-9 + cm-1 + cm-2 + cm-2.2 + cm-2.3 + cm-2.7 + cm-3 + cm-3.1 + cm-3.2 + cm-3.4 + cm-3.6 + cm-4 + cm-4.1 + cm-4.2 + cm-5 + cm-5.1 + cm-5.5 + cm-6 + cm-6.1 + cm-6.2 + cm-7 + cm-7.1 + cm-7.2 + cm-7.5 + cm-8 + cm-8.1 + cm-8.2 + cm-8.3 + cm-8.4 + cm-9 + cm-10 + cm-11 + cm-12 + cm-12.1 + cm-14 + cp-1 + cp-2 + cp-2.1 + cp-2.2 + cp-2.3 + cp-2.5 + cp-2.8 + cp-3 + cp-3.1 + cp-4 + cp-4.1 + cp-4.2 + cp-6 + cp-6.1 + cp-6.2 + cp-6.3 + cp-7 + cp-7.1 + cp-7.2 + cp-7.3 + cp-7.4 + cp-8 + cp-8.1 + cp-8.2 + cp-8.3 + cp-8.4 + cp-9 + cp-9.1 + cp-9.2 + cp-9.3 + cp-9.5 + cp-9.8 + cp-10 + cp-10.2 + cp-10.4 + ia-1 + ia-2 + ia-2.1 + ia-2.2 + ia-2.5 + ia-2.6 + ia-2.8 + ia-2.12 + ia-3 + ia-4 + ia-4.4 + ia-5 + ia-5.1 + ia-5.2 + ia-5.6 + ia-5.7 + ia-5.8 + ia-5.13 + ia-6 + ia-7 + ia-8 + ia-8.1 + ia-8.2 + ia-8.4 + ia-11 + ia-12 + ia-12.2 + ia-12.3 + ia-12.4 + ia-12.5 + ir-1 + ir-2 + ir-2.1 + ir-2.2 + ir-3 + ir-3.2 + ir-4 + ir-4.1 + ir-4.2 + ir-4.4 + ir-4.6 + ir-4.11 + ir-5 + ir-5.1 + ir-6 + ir-6.1 + ir-6.3 + ir-7 + ir-7.1 + ir-8 + ir-9 + ir-9.2 + ir-9.3 + ir-9.4 + ma-1 + ma-2 + ma-2.2 + ma-3 + ma-3.1 + ma-3.2 + ma-3.3 + ma-4 + ma-4.3 + ma-5 + ma-5.1 + ma-6 + mp-1 + mp-2 + mp-3 + mp-4 + mp-5 + mp-6 + mp-6.1 + mp-6.2 + mp-6.3 + mp-7 + pe-1 + pe-2 + pe-3 + pe-3.1 + pe-4 + pe-5 + pe-6 + pe-6.1 + pe-6.4 + pe-8 + pe-8.1 + pe-9 + pe-10 + pe-11 + pe-11.1 + pe-12 + pe-13 + pe-13.1 + pe-13.2 + pe-14 + pe-14.2 + pe-15 + pe-15.1 + pe-16 + pe-17 + pe-18 + pl-1 + pl-2 + pl-4 + pl-4.1 + pl-8 + pl-10 + pl-11 + ps-1 + ps-2 + ps-3 + ps-3.3 + ps-4 + ps-4.2 + ps-5 + ps-6 + ps-7 + ps-8 + ps-9 + ra-1 + ra-2 + ra-3 + ra-3.1 + ra-5 + ra-5.2 + ra-5.3 + ra-5.4 + ra-5.5 + ra-5.8 + ra-5.11 + ra-7 + ra-9 + sa-1 + sa-2 + sa-3 + sa-4 + sa-4.1 + sa-4.2 + sa-4.5 + sa-4.9 + sa-4.10 + sa-5 + sa-8 + sa-9 + sa-9.1 + sa-9.2 + sa-9.5 + sa-10 + sa-11 + sa-11.1 + sa-11.2 + sa-15 + sa-15.3 + sa-16 + sa-17 + sa-21 + sa-22 + sc-1 + sc-2 + sc-3 + sc-4 + sc-5 + sc-7 + sc-7.3 + sc-7.4 + sc-7.5 + sc-7.7 + sc-7.8 + sc-7.10 + sc-7.12 + sc-7.18 + sc-7.20 + sc-7.21 + sc-8 + sc-8.1 + sc-10 + sc-12 + sc-12.1 + sc-13 + sc-15 + sc-17 + sc-18 + sc-20 + sc-21 + sc-22 + sc-23 + sc-24 + sc-28 + sc-28.1 + sc-39 + sc-45 + sc-45.1 + si-1 + si-2 + si-2.2 + si-2.3 + si-3 + si-4 + si-4.1 + si-4.2 + si-4.4 + si-4.5 + si-4.10 + si-4.11 + si-4.12 + si-4.14 + si-4.16 + si-4.18 + si-4.19 + si-4.20 + si-4.22 + si-4.23 + si-5 + si-5.1 + si-6 + si-7 + si-7.1 + si-7.2 + si-7.5 + si-7.7 + si-7.15 + si-8 + si-8.2 + si-10 + si-11 + si-12 + si-16 + sr-1 + sr-2 + sr-2.1 + sr-3 + sr-5 + sr-6 + sr-8 + sr-9 + sr-9.1 + sr-10 + sr-11 + sr-11.1 + sr-11.2 + sr-12 + + + + true + + + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    twenty-four (24) hours

    +     +     +     + + + +

    eight (8) hours

    +     +     +     + + + +

    eight (8) hours

    +     +     +     + + + +

    monthly for privileged accessed, every six (6) months for non-privileged access

    +     +     +     + + + +

    Selection: disables

    +     +     +     + + + +

    no more than 24 hours from last use

    +     +     +     + + + +

    24 hours for user accounts

    +     +     +     + + + +

    thirty-five (35) days (See additional requirements and guidance.)

    +     +     +     + + + +

    inactivity is anticipated to exceed Fifteen (15) minutes

    +     +     +     + + + +

    organization-defined need with justification statement that explains why such accounts are necessary

    +     +     +     + + + +

    at a minimum, the ISSO and/or similar role within the organization

    +     +     +     + + + +

    one (1) hour

    +     +     +     + + + +

    intrusion detection mechanisms

    +     +     +     + + + +

    all functions not publicly accessible

    +     +     +     + + + +

    all security-relevant information not publicly available

    +     +     +     + + + +

    all security functions

    +     +     +     + + + +

    all privileged commands

    +     +     +     + + + +

    at a minimum, annually

    +     +     +     + + + +

    all users with privileges

    +     +     +     + + + +

    any software except software explicitly documented

    +     +     +     + + + +

    see additional Requirements and Guidance

    +     +     +     + + + +

    see additional Requirements and Guidance

    +     +     +     + + + +

    three (3) sessions for privileged access and two (2) sessions for non-privileged access

    +     +     +     + + + +

    fifteen (15) minutes

    +     +     +     + + + +

    at least quarterly

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    five (5) years or 5 years after completion of a specific training program

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

    +     +     +     + + + +

    organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

    +     +     +     + + + +

    annually and whenever there is a change in the threat environment

    +     +     +     + + + +

    session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands

    +     +     +     + + + +

    overwrite oldest record

    +     +     +     + + + +

    75%, or one month before expected negative impact

    +     +     +     + + + +

    real-time

    +     +     +     + + + +

    service provider personnel with authority to address failed audit events

    +     +     +     + + + +

    audit failure events requiring real-time alerts, as defined by organization audit policy

    +     +     +     + + + +

    at least weekly

    +     +     +     + + + +

    vulnerability scanning information; performance data; information system monitoring information; penetration test data;

    +     +     +     + + + +

    information system process; role; user

    +     +     +     + + + +

    one second granularity of time measurement

    +     +     +     + + + +

    at least weekly

    +     +     +     + + + +

    minimum actions including the addition, modification, deletion, approval, sending, or receiving of data

    +     +     +     + + + +

    a time period in compliance with M-21-31

    +     +     +     + + + +

    all information system and network components where audit capability is deployed/available

    +     +     +     + + + +

    all network, data storage, and computing devices

    +     +     +     + + + +

    service provider-defined individuals or roles with audit configuration responsibilities

    +     +     +     + + + +

    all network, data storage, and computing devices

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    individuals or roles to include FedRAMP PMO

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    any FedRAMP Accredited 3PAO

    +     +     +     + + + +

    the conditions of the JAB/AO in the FedRAMP Repository

    +     +     +     + + + +

    at least annually and on input from JAB/AO

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    in accordance with OMB A-130 requirements or when a significant change occurs

    +     +     +     + + + +

    to include JAB/AO

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually and when a significant change occurs

    +     +     +     + + + +

    to include when directed by the JAB

    +     +     +     + + + +

    organization-defined number of previous versions of baseline configurations of the previously approved baseline configuration of IS components

    +     +     +     + + + +

    organization agreed upon time period

    +     +     +     + + + +

    organization defined configuration management approval authorities

    +     +     +     + + + +

    Configuration control board (CCB) or similar (as defined in CM-3)

    +     +     +     + + + +

    All security safeguards that rely on cryptography

    +     +     +     + + + +

    at least quarterly

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least quarterly or when there is a change

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    automated mechanisms with a maximum five-minute delay in detection

    +     +     +     + + + +

    continuously

    +     +     +     + + + +

    position and role

    +     +     +     + + + +

    Continuously (via CM-7 (5))

    +     +     +     + + + +

    Federal data and system data that must be protected at the High or Moderate impact levels

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    all

    +     +     +     + + + +

    time period defined in service provider and organization SLA

    +     +     +     + + + +

    essential

    +     +     +     + + + +

    *See Additional Requirements

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    functional exercises

    +     +     +     + + + +

    annually

    +     +     +     + + + +

    daily incremental; weekly full

    +     +     +     + + + +

    daily incremental; weekly full

    +     +     +     + + + +

    daily incremental; weekly full

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA.

    +     +     +     + + + +

    all backup files

    +     +     +     + + + +

    time period consistent with the restoration time-periods defined in the service provider and organization SLA

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    local, network and remote

    +     +     +     + + + +

    privileged accounts; non-privileged accounts

    +     +     +     + + + +

    FIPS-validated or NSA-approved cryptography

    +     +     +     + + + +

    privileged accounts; non-privileged accounts

    +     +     +     + + + +

    at a minimum, the ISSO (or similar role within the organization)

    +     +     +     + + + +

    at least two (2) years

    +     +     +     + + + +

    contractors; foreign nationals

    +     +     +     + + + +

    different authenticators in different user authentication domains

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    ten (10) days for privileged users, thirty (30) days for Incident Response roles

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least every six (6) months, including functional at least annually

    +     +     +     + + + +

    all network, data storage, and computing devices

    +     +     +     + + + +

    US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    see additional FedRAMP Requirements and Guidance

    +     +     +     + + + +

    see additional FedRAMP Requirements and Guidance

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    the information owner

    +     +     +     + + + +

    a timeframe to support advertised uptime and availability

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    all types of digital and/or non-digital media containing sensitive information

    +     +     +     + + + +

    no removable media types

    +     +     +     + + + +

    organization-defined security safeguards not applicable

    +     +     +     + + + +

    all types of digital and non-digital media with sensitive information

    +     +     +     + + + +

    see additional FedRAMP requirements and guidance

    +     +     +     + + + +

    all media with sensitive information

    +     +     +     + + + +

    prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container

    +     +     +     + + + +

    techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

    +     +     +     + + + +

    at least every six (6) months

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least every ninety (90) days

    +     +     +     + + + +

    CSP defined physical access control systems/devices AND guards

    +     +     +     + + + +

    in all circumstances within restricted access area where the information system resides

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually or earlier as required by a security relevant event.

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    for a minimum of one (1) year

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off

    +     +     +     + + + +

    automatically

    +     +     +     + + + +

    service provider building maintenance/physical security personnel

    +     +     +     + + + +

    service provider emergency responders with incident response responsibilities

    +     +     +     + + + +

    consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

    +     +     +     + + + +

    continuously

    +     +     +     + + + +

    service provider building maintenance/physical security personnel

    +     +     +     + + + +

    all information system components

    +     +     +     + + + +

    physical and environmental hazards identified during threat assessment

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    to include chief privacy and ISSO and/or similar role or designees

    +     +     +     + + + +

    to include chief privacy and ISSO and/or similar role

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually and when the rules are revised or changed

    +     +     +     + + + +

    at least annually and when a significant change occurs

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

    +

    For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

    +     +     +     + + + +

    personnel screening criteria - as required by specific information

    +     +     +     + + + +

    one (1) hour

    +     +     +     + + + +

    access control personnel responsible for disabling access to the system

    +     +     +     + + + +

    twenty-four (24) hours

    +     +     +     + + + +

    including access control personnel responsible for the system

    +     +     +     + + + +

    twenty-four (24) hours

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually and any time there is a change to the user's level of access

    +     +     +     + + + +

    including access control personnel responsible for the system and/or facilities, as appropriate

    +     +     +     + + + +

    terminations: immediately; transfers: within twenty-four (24) hours

    +     +     +     + + + +

    to include the ISSO and/or similar role within the organization

    +     +     +     + + + +

    24 hours

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    security assessment report

    +     +     +     + + + +

    at least annually and whenever a significant change occurs

    +     +     +     + + + +

    annually

    +     +     +     + + + +

    monthly operating system/infrastructure; monthly web applications (including APIs) and databases

    +     +     +     + + + +

    high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

    +     +     +     + + + +

    within 24 hours prior to running scans

    +     +     +     + + + +

    notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions

    +     +     +     + + + +

    all components that support authentication

    +     +     +     + + + +

    all scans

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;

    +

    organization-defined design/implementation information

    +     +     +     + + + +

    The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

    +     +     +     + + + +

    at a minimum, the ISSO (or similar role within the organization)

    +     +     +     + + + +

    Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

    +     +     +     + + + +

    Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

    +     +     +     + + + +

    all external systems where Federal information is processed or stored

    +     +     +     + + + +

    information processing, information or data, AND system services

    +     +     +     + + + +

    U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction

    +     +     +     + + + +

    all High impact data, systems, or services

    +     +     +     + + + +

    development, implementation, AND operation

    +     +     +     + + + +

    frequency as before first use and annually thereafter

    +     +     +     + + + +

    FedRAMP Security Authorization requirements

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    Protect against

    +     +     +     + + + +

    at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

    +     +     +     + + + +

    at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions

    +     +     +     + + + +

    any systems

    +     +     +     + + + +

    any network outside of organizational control and any network outside the authorization boundary

    +     +     +     + + + +

    Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall

    +     +     +     + + + +

    confidentiality AND integrity

    +     +     +     + + + +

    prevent unauthorized disclosure of information AND detect changes to information

    +     +     +     + + + +

    no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions

    +     +     +     + + + +

    In accordance with Federal requirements

    +     +     +     + + + +

    FIPS-validated or NSA-approved cryptography

    +     +     +     + + + +

    no exceptions for computing devices

    +     +     +     + + + +

    confidentiality AND integrity

    +     +     +     + + + +

    all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

    +     +     +     + + + +

    At least hourly

    +     +     +     + + + +

    http://tf.nist.gov/tf-cgi/servers.cgi

    +     +     +     + + + +

    any difference

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    within thirty (30) days of release of updates

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    signature based and non-signature based

    +     +     +     + + + +

    at least weekly

    +     +     +     + + + +

    to include endpoints and network entry and exit points

    +     +     +     + + + +

    to include blocking and quarantining malicious code

    +     +     +     + + + +

    administrator or defined security personnel near-realtime

    +     +     +     + + + +

    continuously

    +     +     +     + + + +

    to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

    +     +     +     + + + +

    to include system security personnel and administrators with configuration/patch-management responsibilities

    +     +     +     + + + +

    to include upon system startup and/or restart

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    to include system administrators and security personnel

    +     +     +     + + + +

    selection to include security relevant event

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    to include the ISSO and/or similar role within the organization

    +     +     +     + + + +

    to include all software and firmware inside the boundary

    +     +     +     + + + +

    to include the ISSO and/or similar role within the organization

    +     +     +     + + + +

    to include chief privacy and ISSO and/or similar role or designees

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    notification of supply chain compromises and results of assessment or audits

    +     +     +     + + + +

    all

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AC-2 (3) Additional FedRAMP Requirements and Guidance + + +

    The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

    +     + + +

    The service provider defines the time period of inactivity for device identifiers.

    +     + + +

    For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + AC-2 (5) Additional FedRAMP Requirements and Guidance + + +

    Should use a shorter timeframe than AC-12.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AC-2 (9) Additional FedRAMP Requirements and Guidance + + +

    Required if shared/group accounts are deployed.

    +     +     +     + + + + + + + + + + + +     + + + + AC-2 (12) Additional FedRAMP Requirements and Guidance + + +

    Required for privileged accounts.

    +     + + +

    Required for privileged accounts.

    +     +     +     + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AC-4 (4) Additional FedRAMP Requirements and Guidance + + +

    The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

    +     +     +     + + + + + + + + +     + + + + AC-5 Additional FedRAMP Requirements and Guidance + + +

    CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

    +     +     +     + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AC-6 (2) Additional FedRAMP Requirements and Guidance + + +

    Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AC-7 Additional FedRAMP Requirements and Guidance + + +

    In alignment with NIST SP 800-63B.

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + AC-8 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

    +     + + +

    The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

    +     + + +

    If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

    +     + + +

    If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + AC-20 Additional FedRAMP Requirements and Guidance + + +

    The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

    +

    AC-20 describes system access to and from external systems.

    +

    CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

    +

    SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-2 Additional FedRAMP Requirements and Guidance + + +

    Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

    +     + + +

    Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-3 (1) Additional FedRAMP Requirements and Guidance + + +

    For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-6 Additional FedRAMP Requirements and Guidance + + +

    Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-6 (6) Additional FedRAMP Requirements and Guidance + + +

    Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-9 (3) Additional FedRAMP Requirements and Guidance + + +

    Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

    +     +     +     + + + + + + + + +     + + + + AU-11 Additional FedRAMP Requirements and Guidance + + +

    The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

    +     + + +

    The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

    +     + + +

    The service provider is encouraged to align with M-21-31 where possible

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + CA-2 Additional FedRAMP Requirements and Guidance + + +

    Reference FedRAMP Annual Assessment Guidance.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CA-2 (1) Additional FedRAMP Requirements and Guidance + + +

    For JAB Authorization, must use an accredited 3PAO.

    +     +     +     + + + + + + + + +     + + + + CA-2 (2) Additional FedRAMP Requirements and Guidance + + +

    To include ‘announced’, ‘vulnerability scanning’

    +     +     +     + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CA-5 Additional FedRAMP Requirements and Guidance + + +

    POA&Ms must be provided at least monthly.

    +     + + +

    Reference FedRAMP-POAM-Template

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + CA-6 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CA-7 Additional FedRAMP Requirements and Guidance + + +

    Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

    +     + + +

    CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight.

    +     + + +

    FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CA-8 Additional FedRAMP Requirements and Guidance + + +

    Reference the FedRAMP Penetration Test Guidance.

    +     +     +     + + + + + + + + +     + + + + + + + + + + + + + + CA-8(2) Additional FedRAMP Requirements and Guidance + + +

    See the FedRAMP Documents page> Penetration Test Guidance

    +

    https://www.FedRAMP.gov/documents/

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CM-2 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CM-3 Additional FedRAMP Requirements and Guidance + + +

    The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

    +     + + +

    In accordance with record retention policies and procedures.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CM-6 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

    +     + + +

    The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

    +     + + +

    Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

    +

    During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CM-7 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

    +     +     +     + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + CM-7 (2) Additional FedRAMP Requirements and Guidance + + +

    This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

    +     +     +     + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CM-8 Additional FedRAMP Requirements and Guidance + + +

    must be provided at least monthly or when there is a change.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

    +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CM-12 Additional FedRAMP Requirements and Guidance + + +

    According to FedRAMP Authorization Boundary Guidance

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CM-12 (1) Additional FedRAMP Requirements and Guidance + + +

    According to FedRAMP Authorization Boundary Guidance.

    +     +     +     + + + + + + + +     + + + + +

    If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

    +     +     + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CP-2 Additional FedRAMP Requirements and Guidance + + +

    For JAB authorizations the contingency lists include designated FedRAMP personnel.

    +     + + +

    CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CP-3 Additional FedRAMP Requirements and Guidance + + +

    Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + CP-4 Additional FedRAMP Requirements and Guidance + + +

    The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

    +     + + +

    The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CP-7 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CP-7 (1) Additional FedRAMP Requirements and Guidance + + +

    The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

    +     +     +     + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CP-8 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

    +     +     +     + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CP-9 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

    +     + + +

    The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

    +     + + +

    The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

    +     + + +

    The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CP-9 (8) Additional FedRAMP Requirements and Guidance + + +

    Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

    +     +     +     + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IA-2 Additional FedRAMP Requirements and Guidance + + +

    For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

    +     + + +

    Multi-factor authentication must be phishing-resistant.

    +     + + +

    All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

    +     + + +

    Phishing-resistant authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

    +     +     +     + + + + + + + + + + + + + + + + + + +     + + + + IA-2 (1) Additional FedRAMP Requirements and Guidance + + +

    According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

    +     + + +

    Multi-factor authentication must be phishing-resistant.

    +     + + +

    Multi-factor authentication to subsequent components in the same user domain is not required.

    +     +     +     + + + + + + + + + + +     + + + + IA-2 (2) Additional FedRAMP Requirements and Guidance + + +

    According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

    +     + + +

    Multi-factor authentication must be phishing-resistant.

    +     + + +

    Multi-factor authentication to subsequent components in the same user domain is not required.

    +     +     +     + + + + + + + + + + +     + + + + + + + + + + + + + + + + IA-2 (6) Additional FedRAMP Requirements and Guidance + + +

    PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

    +     + + +

    See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography.

    +     +     +     + + + + + + + + + + + + + + + + + + + +     + + + + IA-2 (12) Additional FedRAMP Requirements and Guidance + + +

    Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IA-5 Additional FedRAMP Requirements and Guidance + + +

    Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3

    +     + + +

    SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + IA-5 (1) Additional FedRAMP Requirements and Guidance + + +

    Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

    +     + + +

    For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

    +

    For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

    +     + + +

    Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IA-5 (7) Additional FedRAMP Requirements and Guidance + + +

    In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process.

    +     +     +     + + + + + + + +     + + + + IA-5 (8) Additional FedRAMP Requirements and Guidance + + +

    If a single user authentication domain is used to access multiple systems, such as in single-sign-on, then only a single authenticator is required.

    +     +     +     + + + + + + + + +     + + + + IA-5 (13) Additional FedRAMP Requirements and Guidance + + +

    For components subject to configuration baseline(s) (such as STIG or CIS,) the time period should conform to the baseline standard.

    +     +     +     + + + + + + + + +     + + + + IA-11 Additional FedRAMP Requirements and Guidance + + +

    The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

    +
      +
    • AAL3 (high baseline) +
      • 12 hours or
      • 15 minutes of inactivity
      • -
    IA-12 Additional FedRAMP Requirements and Guidance

    In accordance with NIST SP 800-63A Enrollment and Identity Proofing

    IA-12 (5) Additional FedRAMP Requirements and Guidance

    In accordance with NIST SP 800-63A Enrollment and Identity Proofing

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    IR-3-2 Additional FedRAMP Requirements and Guidance

    The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

    IR-4 Additional FedRAMP Requirements and Guidance

    The FISMA definition of incident shall be used: An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

    The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

    IR-6 Additional FedRAMP Requirements and Guidance

    Reports security incident information according to FedRAMP Incident Communications Procedure.

    IR-8 Additional FedRAMP Requirements and Guidance

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    MP-3 Additional FedRAMP Requirements and Guidance

    Second parameter not-applicable

    MP-4 Additional FedRAMP Requirements and Guidance

    The service provider defines controlled areas within facilities where the information and information system reside.

    MP-5 Additional FedRAMP Requirements and Guidance

    The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

    MP-6 (1) Additional FedRAMP Requirements and Guidance

    Must comply with NIST SP 800-88

    MP-6 (2) Additional FedRAMP Requirements and Guidance

    Equipment and procedures may be tested or validated for effectiveness

    MP-6 (3) Additional FedRAMP Requirements and Guidance

    Must comply with NIST SP 800-88

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    PE-14 Additional FedRAMP Requirements and Guidance

    The service provider measures temperature at server inlets and humidity levels by dew point.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    PL-8 Additional FedRAMP Requirements and Guidance

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    PL-10 Additional FedRAMP Requirements and Guidance

    Select the appropriate FedRAMP Baseline

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    RA-3 Additional FedRAMP Requirements and Guidance

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    RA-5 Additional FedRAMP Requirements and Guidance

    See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

    an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

    to include all Authorizing Officials; for JAB authorizations to include FedRAMP

    Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

    -

    Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

    -

    Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a warning as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on Tracking of Compliance Scans in FAQs.

    RA-5(8) Additional FedRAMP Requirement

    This enhancement is required for all high (or critical) vulnerability scan findings.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SA-4 Additional FedRAMP Requirements and Guidance

    The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

    The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

    -

    See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

    SA-10 Additional FedRAMP Requirements and Guidance

    track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

    SA-11(1) Additional FedRAMP Requirements

    The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

    -

    If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SC-7 Additional FedRAMP Requirements and Guidance

    SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

    SC-7 (5) Additional FedRAMP Requirements and Guidance

    For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

    SC-8 Additional FedRAMP Requirements and Guidance

    For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

    -

    For clarity, this control applies to all data in transit. Examples include the following data flows:

    -
      -
    • Crossing the system boundary
      • -
    • Between compute instances - including containers
      • -
    • From a compute instance to storage
      • -
    • Replication between availability zones
      • -
    • Transmission of backups to storage
      • -
    • From a load balancer to a compute instance
      • -
    • Flows from management tools required for their work - e.g. log collection, scanning, etc.
      • -
    -

    The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).

    -

    FedRAMP-Defined Assignment / Selection Parameters

    -

    SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

    -

    SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

    SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

    -

    Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

    -

    Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS's Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS' recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

    -

    Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.

    -

    CNSSI No.7003 can be accessed here:

    -

    https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf

    -

    DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:

    -

    https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf

    SC-8 (1) Additional FedRAMP Requirements and Guidance

    Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

    See M-22-09, including Agencies encrypt all DNS requests and HTTP traffic within their environment

    -

    SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

    Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

    When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    SC-12 Additional FedRAMP Requirements and Guidance

    See references in NIST 800-53 documentation.

    Must meet applicable Federal Cryptographic Requirements. See References Section of control.

    Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

    SC-13 Additional FedRAMP Requirements and Guidance

    This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

    -
      -
    • Encryption of data
      • -
    • Decryption of data
      • -
    • Generation of one time passwords (OTPs) for MFA
      • -
    • Protocols such as TLS, SSH, and HTTPS
      • -
    -

    The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

    -

    https://csrc.nist.gov/projects/cryptographic-module-validation-program

    For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

    -

    https://www.niap-ccevs.org/Product/index.cfm

    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    Moving to non-FIPS CM or product is acceptable when:

    -
      -
    • FIPS validated version has a known vulnerability
      • -
    • Feature with vulnerability is in use
      • -
    • Non-FIPS version fixes the vulnerability
      • -
    • Non-FIPS version is submitted to NIST for FIPS validation
      • -
    • POA&M is added to track approval, and deployment when ready
      • -

    At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

    SC-15 Additional FedRAMP Requirements and Guidance

    The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

    SC-20 Additional FedRAMP Requirements and Guidance

    Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

    Authoritative DNS servers must be geolocated in accordance with SA-9 (5).

    SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

    External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

    CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

    SC-21 Additional FedRAMP Requirements and Guidance

    Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

    -
      -
    • If the reply is signed, and fails DNSSEC, do not use the reply
      • -
    • If the reply is unsigned: -
        -
      • CSP chooses the policy to apply
        • -
      +
    +     +     +     + + + + + + + + + +     + + + + IA-12 Additional FedRAMP Requirements and Guidance + + +

    In accordance with NIST SP 800-63A Enrollment and Identity Proofing

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + IA-12 (5) Additional FedRAMP Requirements and Guidance + + +

    In accordance with NIST SP 800-63A Enrollment and Identity Proofing

    +     +     +     + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IR-3-2 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + IR-4 Additional FedRAMP Requirements and Guidance + + +

    The FISMA definition of incident shall be used: An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

    +     + + +

    The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IR-6 Additional FedRAMP Requirements and Guidance + + +

    Reports security incident information according to FedRAMP Incident Communications Procedure.

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IR-8 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    +     + + +

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + MP-3 Additional FedRAMP Requirements and Guidance + + +

    Second parameter not-applicable

    +     +     +     + + + + + + + + + + + + + + +     + + + + MP-4 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines controlled areas within facilities where the information and information system reside.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + MP-5 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + MP-6 (1) Additional FedRAMP Requirements and Guidance + + +

    Must comply with NIST SP 800-88

    +     +     +     + + + + + + + +     + + + + MP-6 (2) Additional FedRAMP Requirements and Guidance + + +

    Equipment and procedures may be tested or validated for effectiveness

    +     +     +     + + + + + + + +     + + + + MP-6 (3) Additional FedRAMP Requirements and Guidance + + +

    Must comply with NIST SP 800-88

    +     +     +     + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PE-14 Additional FedRAMP Requirements and Guidance + + +

    The service provider measures temperature at server inlets and humidity levels by dew point.

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PL-8 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + PL-10 Additional FedRAMP Requirements and Guidance + + +

    Select the appropriate FedRAMP Baseline

    +     +     +     + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + RA-3 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    +     + + +

    Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + RA-5 Additional FedRAMP Requirements and Guidance + + +

    See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

    +     + + +

    an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    +     + + +

    If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

    +     + + +

    to include all Authorizing Officials; for JAB authorizations to include FedRAMP

    +     + + +

    Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

    +

    Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

    +

    Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a warning as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on Tracking of Compliance Scans in FAQs.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + RA-5(8) Additional FedRAMP Requirement + + +

    This enhancement is required for all high (or critical) vulnerability scan findings.

    +     +     +     + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SA-4 Additional FedRAMP Requirements and Guidance + + +

    The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

    +     + + +

    The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

    +

    See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + SA-10 Additional FedRAMP Requirements and Guidance + + +

    track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + SA-11(1) Additional FedRAMP Requirements + + +

    The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

    +

    If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SC-7 Additional FedRAMP Requirements and Guidance + + +

    SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SC-7 (5) Additional FedRAMP Requirements and Guidance + + +

    For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

    +     +     +     + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SC-8 Additional FedRAMP Requirements and Guidance + + +

    For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

    +

    For clarity, this control applies to all data in transit. Examples include the following data flows:

    +
      +
    • Crossing the system boundary
      • +
    • Between compute instances - including containers
      • +
    • From a compute instance to storage
      • +
    • Replication between availability zones
      • +
    • Transmission of backups to storage
      • +
    • From a load balancer to a compute instance
      • +
    • Flows from management tools required for their work - e.g. log collection, scanning, etc.
      • +
    +

    The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).

    +

    FedRAMP-Defined Assignment / Selection Parameters

    +

    SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

    +

    SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

    +     + + +

    SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

    +

    Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

    +

    Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS's Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS' recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

    +

    Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.

    +

    CNSSI No.7003 can be accessed here:

    +

    https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf

    +

    DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:

    +

    https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf

    +     +     +     + + + + + + + + + + + + +     + + + + SC-8 (1) Additional FedRAMP Requirements and Guidance + + +

    Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

    +     + + +

    See M-22-09, including Agencies encrypt all DNS requests and HTTP traffic within their environment

    +

    SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

    +     + + +

    Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

    +     + + +

    When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    +     +     +     + + + + + + + + + +     + + + + SC-12 Additional FedRAMP Requirements and Guidance + + +

    See references in NIST 800-53 documentation.

    +     + + +

    Must meet applicable Federal Cryptographic Requirements. See References Section of control.

    +     + + +

    Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

    +     +     +     + + + + + + + + + + + + +     + + + + SC-13 Additional FedRAMP Requirements and Guidance + + +

    This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

    +
      +
    • Encryption of data
      • +
    • Decryption of data
      • +
    • Generation of one time passwords (OTPs) for MFA
      • +
    • Protocols such as TLS, SSH, and HTTPS
      • +
    +

    The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

    +

    https://csrc.nist.gov/projects/cryptographic-module-validation-program

    +     + + +

    For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

    +

    https://www.niap-ccevs.org/Product/index.cfm

    +     + + +

    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    +     + + +

    Moving to non-FIPS CM or product is acceptable when:

    +
      +
    • FIPS validated version has a known vulnerability
      • +
    • Feature with vulnerability is in use
      • +
    • Non-FIPS version fixes the vulnerability
      • +
    • Non-FIPS version is submitted to NIST for FIPS validation
      • +
    • POA&M is added to track approval, and deployment when ready
      • +
    +     + + +

    At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

    +     +     +     + + + + + + + + + + + + + + + + + + + + +     + + + + SC-15 Additional FedRAMP Requirements and Guidance + + +

    The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

    +     +     +     + + + + + + + + + + + + + + + + + +     + + + + SC-20 Additional FedRAMP Requirements and Guidance + + +

    Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

    +     + + +

    Authoritative DNS servers must be geolocated in accordance with SA-9 (5).

    +     + + +

    SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

    +     + + +

    External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

    +     + + +

    CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + SC-21 Additional FedRAMP Requirements and Guidance + + +

    Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

    +
      +
    • If the reply is signed, and fails DNSSEC, do not use the reply
      • +
    • If the reply is unsigned: +
      • CSP chooses the policy to apply
      • -

    Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

    Accepting an unsigned reply is acceptable

    SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

    -
      -
    • DNSSEC resolution to access a component inside the boundary is excluded.
      • -
    SC-28 Additional FedRAMP Requirements and Guidance

    The organization supports the capability to use cryptographic mechanisms to protect information at rest.

    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    Note that this enhancement requires the use of cryptography in accordance with SC-13.

    SC-28 (1) Additional FedRAMP Requirements and Guidance

    Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

    -

    Examples:

    -

    A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

    -

    B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

    -

    C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

    SC-45(1) Additional FedRAMP Requirements and Guidance

    The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

    The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

    Synchronization of system clocks improves the accuracy of log analysis.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SI-4 Additional FedRAMP Requirements and Guidance

    See US-CERT Incident Response Reporting Guidelines.

    SI-4 (5) Additional FedRAMP Requirements and Guidance

    In accordance with the incident response plan.

    SI-4 (10) Additional FedRAMP Requirements and Guidance

    The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

    SI-5 Additional FedRAMP Requirements and Guidance

    Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

    SI-8 Additional FedRAMP Requirements and Guidance

    When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.

    -

    https://cyber.dhs.gov/bod/18-01/

    CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.

    SI-10 Additional FedRAMP Requirements and Guidance

    Validate all information inputs and document any exceptions

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SR-3 Additional FedRAMP Requirements and Guidance

    CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

    SR-6 Additional FedRAMP Requirements and Guidance

    CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.

    SR-8 Additional FedRAMP Requirements and Guidance

    CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

    SR-9 Additional FedRAMP Requirements and Guidance

    CSOs must ensure vendors provide authenticity of software and patches supplied to the service provider including documenting the safeguards in place.

    SR-11 Additional FedRAMP Requirements and Guidance

    CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

    FedRAMP Applicable Laws and Regulations

    FedRAMP Logo

    NIST Special Publication (SP) 800-53 revision 5     \ No newline at end of file +
+ + + +

Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

+ + + +

Accepting an unsigned reply is acceptable

+ + + +

SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

+
    +
  • DNSSEC resolution to access a component inside the boundary is excluded.
    • +
+ + + + + + + + + + + + + + + + + + + + SC-28 Additional FedRAMP Requirements and Guidance + + +

The organization supports the capability to use cryptographic mechanisms to protect information at rest.

+ + + +

When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+ + + +

Note that this enhancement requires the use of cryptography in accordance with SC-13.

+ + + + + + + + + + + + + + + + + + + + SC-28 (1) Additional FedRAMP Requirements and Guidance + + +

Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

+

Examples:

+

A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

+

B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

+

C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

+ + + + + + + + + + + + + + + + + SC-45(1) Additional FedRAMP Requirements and Guidance + + +

The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

+ + + +

The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

+ + + +

Synchronization of system clocks improves the accuracy of log analysis.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SI-4 Additional FedRAMP Requirements and Guidance + + +

See US-CERT Incident Response Reporting Guidelines.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SI-4 (5) Additional FedRAMP Requirements and Guidance + + +

In accordance with the incident response plan.

+ + + + + + + + + + + + + + + + + SI-4 (10) Additional FedRAMP Requirements and Guidance + + +

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

+ + + + + + + + + + + + + + + + + + + SI-5 Additional FedRAMP Requirements and Guidance + +

Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SI-8 Additional FedRAMP Requirements and Guidance + + +

When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.

+

https://cyber.dhs.gov/bod/18-01/

+ + + +

CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.

+ + + + + + + + + + + + + + + + + + + + + + + + SI-10 Additional FedRAMP Requirements and Guidance + + +

Validate all information inputs and document any exceptions

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SR-3 Additional FedRAMP Requirements and Guidance + + +

CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SR-6 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.

+ + + + + + + + + + + + + + + + SR-8 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

+ + + + + + + + + + + + + + + + SR-9 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure vendors provide authenticity of software and patches supplied to the service provider including documenting the safeguards in place.

+ + + + + + + + + + + + + + + + + + + + + + + + + + SR-11 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + FedRAMP Applicable Laws and Regulations + + + + +

FedRAMP Logo

+ + + + + + NIST Special Publication (SP) 800-53 revision 5 + + + + + diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml index 0e97bb407..2bde2a339 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LI-SaaS-baseline_profile.xml @@ -1,6 +1,2709 @@ -FedRAMP Rev 5 Tailored Low Impact Software as a Service (LI-SaaS) Baseline2024-09-24T02:24:00Z2024-09-24T02:24:00Zfedramp2.1.0-oscal1.0.41.0.4Document creatorThe FedRAMP Program Management Office (PMO)PMOThe FedRAMP Joint Authorization Board (JAB)JABFederal Risk and Authorization Management Program: Program Management OfficeFedRAMP PMOinfo@fedramp.gov
1800 F St. NWWashingtonDC20006US
Federal Risk and Authorization Management Program: Joint Authorization BoardFedRAMP JAB8cc0b8e5-9650-4d5f-9796-316f05fa9a2d8cc0b8e5-9650-4d5f-9796-316f05fa9a2dca9ba80e-1342-4bfd-b32a-abac468c24b4ac-1ac-2ac-3ac-7ac-8ac-14ac-17ac-18ac-19ac-20ac-22at-1at-2at-2.2at-3at-4au-1au-2au-3au-4au-5au-6au-8au-9au-11au-12ca-1ca-2ca-2.1ca-3ca-5ca-6ca-7ca-7.4ca-8ca-9cm-1cm-2cm-4cm-5cm-6cm-7cm-8cm-10cm-11cp-1cp-2cp-3cp-4cp-9cp-10ia-1ia-2ia-2.1ia-2.2ia-2.8ia-2.12ia-4ia-5ia-5.1ia-6ia-7ia-8ia-8.1ia-8.2ia-8.4ia-11ir-1ir-2ir-4ir-5ir-6ir-7ir-8ma-1ma-2ma-4ma-5mp-1mp-2mp-6mp-7pe-1pe-2pe-3pe-6pe-8pe-12pe-13pe-14pe-15pe-16pl-1pl-2pl-4pl-4.1pl-8pl-10pl-11ps-1ps-2ps-3ps-4ps-5ps-6ps-7ps-8ps-9ra-1ra-2ra-3ra-3.1ra-5ra-5.2ra-5.11ra-7sa-1sa-2sa-3sa-4sa-4.10sa-5sa-8sa-9sa-22sc-1sc-5sc-7sc-8sc-8.1sc-12sc-13sc-15sc-20sc-21sc-22sc-28sc-28.1sc-39si-1si-2si-3si-4si-5si-12sr-1sr-2sr-2.1sr-3sr-5sr-8sr-10sr-11sr-11.1sr-11.2sr-12true

at least every 3 years

at least annually

significant changes

twenty-four (24) hours

eight (8) hours

eight (8) hours

at least annually

see additional Requirements and Guidance

see additional Requirements and Guidance

at least quarterly

at least every 3 years

at least annually

significant changes

at least annually

at least annually

at least annually

at least annually

at least one (1) year or 1 year after completion of a specific training program

at least every 3 years

at least annually

significant changes

successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

annually and whenever there is a change in the threat environment

overwrite oldest record

at least weekly

one second granularity of time measurement

a time period in compliance with M-21-31

all information system and network components where audit capability is deployed/available

at least every 3 years

at least annually

significant changes

at least annually

individuals or roles to include FedRAMP PMO

at least annually and on input from JAB/AO

at least monthly

in accordance with OMB A-130 requirements or when a significant change occurs

to include JAB/AO

at least annually

at least every 3 years

at least annually

significant changes

at least annually and when a significant change occurs

to include when directed by the JAB

at least monthly

Continuously (via CM-7 (5))

at least every 3 years

at least annually

significant changes

at least annually

*See Additional Requirements

at least annually

at least annually

at least every 3 years

classroom exercise/table top written tests

daily incremental; weekly full

daily incremental; weekly full

daily incremental; weekly full

at least every 3 years

at least annually

significant changes

at a minimum, the ISSO (or similar role within the organization)

at least two (2) years

at least every 3 years

at least annually

significant changes

ten (10) days for privileged users, thirty (30) days for Incident Response roles

at least annually

at least annually

US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

at least annually

see additional FedRAMP Requirements and Guidance

see additional FedRAMP Requirements and Guidance

at least every 3 years

at least annually

significant changes

at least every 3 years

at least annually

significant changes

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

at least every 3 years

at least annually

significant changes

at least annually

CSP defined physical access control systems/devices AND guards

in all circumstances within restricted access area where the information system resides

at least annually

at least annually

at least monthly

for a minimum of one (1) year

at least monthly

consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

continuously

all information system components

at least every 3 years

at least annually

significant changes

at least annually

at least every 3 years

at least annually and when the rules are revised or changed

at least annually and when a significant change occurs

at least every 3 years

at least annually

significant changes

at least every three years

for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

-

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

four (4) hours

twenty-four (24) hours

twenty-four (24) hours

at least annually

at least annually and any time there is a change to the user's level of access

including access control personnel responsible for the system and/or facilities, as appropriate

within twenty-four (24) hours

at a minimum, the ISSO and/or similar role within the organization

at least every 3 years

at least annually

significant changes

security assessment report

at least every three (3) years and when a significant change occurs

at least every three (3) years

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

prior to a new scan

at least every 3 years

at least annually

significant changes

at a minimum, the ISSO (or similar role within the organization)

Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

at least every 3 years

at least annually

significant changes

Protect against

at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

In accordance with Federal requirements

FIPS-validated or NSA-approved cryptography

no exceptions for computing devices

all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

at least every 3 years

at least annually

significant changes

within thirty (30) days of release of updates

signature based and non-signature based

at least weekly

to include endpoints and network entry and exit points

to include blocking and quarantining malicious code

administrator or defined security personnel near-realtime

to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

to include system security personnel and administrators with configuration/patch-management responsibilities

to include chief privacy and ISSO and/or similar role or designees

at least every 3 years

at least annually

significant changes

at least annually

notification of supply chain compromises and results of assessment or audits

all

Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions.

Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records.

Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities.

Organizational processes for account management on the information system; automated mechanisms for implementing account management.

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.

FED - This is related to agency data and agency policy solution.

FED - This is related to agency data and agency policy solution.

NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).

NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1]).

NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.

NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

Required - Specifically include details of least functionality.

CM-6(a) Additional FedRAMP Requirements and Guidance

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).

Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

NSO- Not directly related to protection of the data.

NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.

IA-2(1) Additional FedRAMP Requirements and Guidance

FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

Determine if the information system:

-
    -
  • Accepts PIV credentials.
    • -
  • Electronically verifies PIV credentials.
    • -

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

Attestation - Specifically attest to US-CERT compliance.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

PE-14(a) Additional FedRAMP Requirements and Guidance

The service provider measures temperature at server inlets and humidity levels by dew point.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.

Condition: If availability is a requirement, define protections in place as per control requirement.

Condition: If implementing need to detail how they meet it or don't meet it.

NSO - Not directly related to the security of the SaaS.

Attestation - Specifically related to US-CERT and FedRAMP communications procedures.

FedRAMP Applicable Laws and Regulations

FedRAMP Logo

NIST Special Publication (SP) 800-53 revision 5 \ No newline at end of file + + + + FedRAMP Rev 5 Tailored Low Impact Software as a Service (LI-SaaS) Baseline + 2024-09-24T02:24:00Z + 2024-09-24T02:24:00Z + fedramp2.1.0-oscal1.0.4 + 1.0.4 + + Document creator + + + The FedRAMP Program Management Office (PMO) + PMO + + + The FedRAMP Joint Authorization Board (JAB) + JAB + + + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
+ 1800 F St. NW + Washington + DC + 20006 + US +
+ + + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + + + 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d + + + 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d + + + ca9ba80e-1342-4bfd-b32a-abac468c24b4 + + + + + ac-1 + ac-2 + ac-3 + ac-7 + ac-8 + ac-14 + ac-17 + ac-18 + ac-19 + ac-20 + ac-22 + at-1 + at-2 + at-2.2 + at-3 + at-4 + au-1 + au-2 + au-3 + au-4 + au-5 + au-6 + au-8 + au-9 + au-11 + au-12 + ca-1 + ca-2 + ca-2.1 + ca-3 + ca-5 + ca-6 + ca-7 + ca-7.4 + ca-8 + ca-9 + cm-1 + cm-2 + cm-4 + cm-5 + cm-6 + cm-7 + cm-8 + cm-10 + cm-11 + cp-1 + cp-2 + cp-3 + cp-4 + cp-9 + cp-10 + ia-1 + ia-2 + ia-2.1 + ia-2.2 + ia-2.8 + ia-2.12 + ia-4 + ia-5 + ia-5.1 + ia-6 + ia-7 + ia-8 + ia-8.1 + ia-8.2 + ia-8.4 + ia-11 + ir-1 + ir-2 + ir-4 + ir-5 + ir-6 + ir-7 + ir-8 + ma-1 + ma-2 + ma-4 + ma-5 + mp-1 + mp-2 + mp-6 + mp-7 + pe-1 + pe-2 + pe-3 + pe-6 + pe-8 + pe-12 + pe-13 + pe-14 + pe-15 + pe-16 + pl-1 + pl-2 + pl-4 + pl-4.1 + pl-8 + pl-10 + pl-11 + ps-1 + ps-2 + ps-3 + ps-4 + ps-5 + ps-6 + ps-7 + ps-8 + ps-9 + ra-1 + ra-2 + ra-3 + ra-3.1 + ra-5 + ra-5.2 + ra-5.11 + ra-7 + sa-1 + sa-2 + sa-3 + sa-4 + sa-4.10 + sa-5 + sa-8 + sa-9 + sa-22 + sc-1 + sc-5 + sc-7 + sc-8 + sc-8.1 + sc-12 + sc-13 + sc-15 + sc-20 + sc-21 + sc-22 + sc-28 + sc-28.1 + sc-39 + si-1 + si-2 + si-3 + si-4 + si-5 + si-12 + sr-1 + sr-2 + sr-2.1 + sr-3 + sr-5 + sr-8 + sr-10 + sr-11 + sr-11.1 + sr-11.2 + sr-12 + + + + true + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

twenty-four (24) hours

+ + + + + + +

eight (8) hours

+ + + + + + +

eight (8) hours

+ + + + + + +

at least annually

+ + + + + + +

see additional Requirements and Guidance

+ + + + + + +

see additional Requirements and Guidance

+ + + + + + +

at least quarterly

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

at least annually

+ + + + + + +

at least annually

+ + + + + + +

at least annually

+ + + + + + +

at least annually

+ + + + + + +

at least one (1) year or 1 year after completion of a specific training program

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

+ + + + + + +

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

+ + + + + + +

annually and whenever there is a change in the threat environment

+ + + + + + +

overwrite oldest record

+ + + + + + +

at least weekly

+ + + + + + +

one second granularity of time measurement

+ + + + + + +

a time period in compliance with M-21-31

+ + + + + + +

all information system and network components where audit capability is deployed/available

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

at least annually

+ + + + + + +

individuals or roles to include FedRAMP PMO

+ + + + + + +

at least annually and on input from JAB/AO

+ + + + + + +

at least monthly

+ + + + + + +

in accordance with OMB A-130 requirements or when a significant change occurs

+ + + + + + +

to include JAB/AO

+ + + + + + +

at least annually

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

at least annually and when a significant change occurs

+ + + + + + +

to include when directed by the JAB

+ + + + + + +

at least monthly

+ + + + + + +

Continuously (via CM-7 (5))

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

at least annually

+ + + + + + +

*See Additional Requirements

+ + + + + + +

at least annually

+ + + + + + +

at least annually

+ + + + + + +

at least every 3 years

+ + + + + + +

classroom exercise/table top written tests

+ + + + + + +

daily incremental; weekly full

+ + + + + + +

daily incremental; weekly full

+ + + + + + +

daily incremental; weekly full

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

at a minimum, the ISSO (or similar role within the organization)

+ + + + + + +

at least two (2) years

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

ten (10) days for privileged users, thirty (30) days for Incident Response roles

+ + + + + + +

at least annually

+ + + + + + +

at least annually

+ + + + + + +

US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

+ + + + + + +

at least annually

+ + + + + + +

see additional FedRAMP Requirements and Guidance

+ + + + + + +

see additional FedRAMP Requirements and Guidance

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

at least annually

+ + + + + + +

CSP defined physical access control systems/devices AND guards

+ + + + + + +

in all circumstances within restricted access area where the information system resides

+ + + + + + +

at least annually

+ + + + + + +

at least annually

+ + + + + + +

at least monthly

+ + + + + + +

for a minimum of one (1) year

+ + + + + + +

at least monthly

+ + + + + + +

consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

+ + + + + + +

continuously

+ + + + + + +

all information system components

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

at least annually

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually and when the rules are revised or changed

+ + + + + + +

at least annually and when a significant change occurs

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

at least every three years

+ + + + + + +

for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

+

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

+ + + + + + +

four (4) hours

+ + + + + + +

twenty-four (24) hours

+ + + + + + +

twenty-four (24) hours

+ + + + + + +

at least annually

+ + + + + + +

at least annually and any time there is a change to the user's level of access

+ + + + + + +

including access control personnel responsible for the system and/or facilities, as appropriate

+ + + + + + +

within twenty-four (24) hours

+ + + + + + +

at a minimum, the ISSO and/or similar role within the organization

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

security assessment report

+ + + + + + +

at least every three (3) years and when a significant change occurs

+ + + + + + +

at least every three (3) years

+ + + + + + +

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

+ + + + + + +

high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

+ + + + + + +

prior to a new scan

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

at a minimum, the ISSO (or similar role within the organization)

+ + + + + + +

Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

+ + + + + + +

Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

Protect against

+ + + + + + +

at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

+ + + + + + +

In accordance with Federal requirements

+ + + + + + +

FIPS-validated or NSA-approved cryptography

+ + + + + + +

no exceptions for computing devices

+ + + + + + +

all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

within thirty (30) days of release of updates

+ + + + + + +

signature based and non-signature based

+ + + + + + +

at least weekly

+ + + + + + +

to include endpoints and network entry and exit points

+ + + + + + +

to include blocking and quarantining malicious code

+ + + + + + +

administrator or defined security personnel near-realtime

+ + + + + + +

to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

+ + + + + + +

to include system security personnel and administrators with configuration/patch-management responsibilities

+ + + + + + +

to include chief privacy and ISSO and/or similar role or designees

+ + + + + + +

at least every 3 years

+ + + + + + +

at least annually

+ + + + + + +

significant changes

+ + + + + + +

at least annually

+ + + + + + +

notification of supply chain compromises and results of assessment or audits

+ + + + + + +

all

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions.

+ + + + +

Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records.

+ + + + + +

Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities.

+ + + + + +

Organizational processes for account management on the information system; automated mechanisms for implementing account management.

+ + + + + + + + + + + + + + + + + + + + +

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.

+ + + + + + + + + +

FED - This is related to agency data and agency policy solution.

+ + + + + + + + + +

FED - This is related to agency data and agency policy solution.

+ + + + + + + + + + + + + + + + + +

NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).

+ + + + + + + + + +

NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1]).

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

+ + + + + + + + + +

Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Required - Specifically include details of least functionality.

+ + + CM-6(a) Additional FedRAMP Requirements and Guidance + + +

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

+ + + +

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).

+ + + +

Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

+ + + + + + + + + + + + + + + + + + + + + + + + + +

NSO- Not directly related to protection of the data.

+ + + + + + + + + +

NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.

+ + + + + + + + + + + + + + + + +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+ + + + + + + + + +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+ + + + + + + + + +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+ + + + + + + + + + + + + + + + + +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+ + + + + + + + + + + + + + + + + +

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.

+ + + + + + + + + + + IA-2(1) Additional FedRAMP Requirements and Guidance + +

FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Determine if the information system:

+
    +
  • Accepts PIV credentials.
    • +
  • Electronically verifies PIV credentials.
    • +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

+ + + + + + + + + + + +

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Attestation - Specifically attest to US-CERT compliance.

+ + + + + + + + + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + PE-14(a) Additional FedRAMP Requirements and Guidance + + +

The service provider measures temperature at server inlets and humidity levels by dew point.

+ + + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Condition: If availability is a requirement, define protections in place as per control requirement.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Condition: If implementing need to detail how they meet it or don't meet it.

+ + + + + + + + + +

NSO - Not directly related to the security of the SaaS.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Attestation - Specifically related to US-CERT and FedRAMP communications procedures.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + FedRAMP Applicable Laws and Regulations + + + + +

FedRAMP Logo

+ + + + + + NIST Special Publication (SP) 800-53 revision 5 + + + + + diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml index 41e0ba869..f35396d08 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_LOW-baseline_profile.xml @@ -1,71 +1,7237 @@ -FedRAMP Rev 5 Low Baseline2024-09-24T02:24:00Z2024-09-24T02:24:00Zfedramp2.1.0-oscal1.0.41.0.4Document creatorThe FedRAMP Program Management Office (PMO)PMOThe FedRAMP Joint Authorization Board (JAB)JABFederal Risk and Authorization Management Program: Program Management OfficeFedRAMP PMOinfo@fedramp.gov
1800 F St. NWWashingtonDC20006US
Federal Risk and Authorization Management Program: Joint Authorization BoardFedRAMP JAB8cc0b8e5-9650-4d5f-9796-316f05fa9a2d8cc0b8e5-9650-4d5f-9796-316f05fa9a2dca9ba80e-1342-4bfd-b32a-abac468c24b4ac-1ac-2ac-3ac-7ac-8ac-14ac-17ac-18ac-19ac-20ac-22at-1at-2at-2.2at-3at-4au-1au-2au-3au-4au-5au-6au-8au-9au-11au-12ca-1ca-2ca-2.1ca-3ca-5ca-6ca-7ca-7.4ca-8ca-9cm-1cm-2cm-4cm-5cm-6cm-7cm-8cm-10cm-11cp-1cp-2cp-3cp-4cp-9cp-10ia-1ia-2ia-2.1ia-2.2ia-2.8ia-2.12ia-4ia-5ia-5.1ia-6ia-7ia-8ia-8.1ia-8.2ia-8.4ia-11ir-1ir-2ir-4ir-5ir-6ir-7ir-8ma-1ma-2ma-4ma-5mp-1mp-2mp-6mp-7pe-1pe-2pe-3pe-6pe-8pe-12pe-13pe-14pe-15pe-16pl-1pl-2pl-4pl-4.1pl-8pl-10pl-11ps-1ps-2ps-3ps-4ps-5ps-6ps-7ps-8ps-9ra-1ra-2ra-3ra-3.1ra-5ra-5.2ra-5.11ra-7sa-1sa-2sa-3sa-4sa-4.10sa-5sa-8sa-9sa-22sc-1sc-5sc-7sc-8sc-8.1sc-12sc-13sc-15sc-20sc-21sc-22sc-28sc-28.1sc-39si-1si-2si-3si-4si-5si-12sr-1sr-2sr-2.1sr-3sr-5sr-8sr-10sr-11sr-11.1sr-11.2sr-12true

at least every 3 years

at least annually

significant changes

twenty-four (24) hours

eight (8) hours

eight (8) hours

at least annually

see additional Requirements and Guidance

see additional Requirements and Guidance

at least quarterly

at least every 3 years

at least annually

significant changes

at least annually

at least annually

at least annually

at least annually

at least one (1) year or 1 year after completion of a specific training program

at least every 3 years

at least annually

significant changes

successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

annually and whenever there is a change in the threat environment

overwrite oldest record

at least weekly

one second granularity of time measurement

a time period in compliance with M-21-31

all information system and network components where audit capability is deployed/available

at least every 3 years

at least annually

significant changes

at least annually

individuals or roles to include FedRAMP PMO

at least annually and on input from JAB/AO

at least monthly

in accordance with OMB A-130 requirements or when a significant change occurs

to include JAB/AO

at least annually

at least every 3 years

at least annually

significant changes

at least annually and when a significant change occurs

to include when directed by the JAB

at least monthly

Continuously (via CM-7 (5))

at least every 3 years

at least annually

significant changes

at least annually

*See Additional Requirements

at least annually

at least annually

at least every 3 years

classroom exercise/table top written tests

daily incremental; weekly full

daily incremental; weekly full

daily incremental; weekly full

at least every 3 years

at least annually

significant changes

at a minimum, the ISSO (or similar role within the organization)

at least two (2) years

at least every 3 years

at least annually

significant changes

ten (10) days for privileged users, thirty (30) days for Incident Response roles

at least annually

at least annually

US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

at least annually

see additional FedRAMP Requirements and Guidance

see additional FedRAMP Requirements and Guidance

at least every 3 years

at least annually

significant changes

at least every 3 years

at least annually

significant changes

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

at least every 3 years

at least annually

significant changes

at least annually

CSP defined physical access control systems/devices AND guards

in all circumstances within restricted access area where the information system resides

at least annually

at least annually

at least monthly

for a minimum of one (1) year

at least monthly

consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

continuously

all information system components

at least every 3 years

at least annually

significant changes

at least annually

at least every 3 years

at least annually and when the rules are revised or changed

at least annually and when a significant change occurs

at least every 3 years

at least annually

significant changes

at least every three years

for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

-

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

four (4) hours

twenty-four (24) hours

twenty-four (24) hours

at least annually

at least annually and any time there is a change to the user's level of access

including access control personnel responsible for the system and/or facilities, as appropriate

within twenty-four (24) hours

at a minimum, the ISSO and/or similar role within the organization

at least every 3 years

at least annually

significant changes

security assessment report

at least every three (3) years and when a significant change occurs

at least every three (3) years

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

prior to a new scan

at least every 3 years

at least annually

significant changes

at a minimum, the ISSO (or similar role within the organization)

Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

at least every 3 years

at least annually

significant changes

Protect against

at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

In accordance with Federal requirements

FIPS-validated or NSA-approved cryptography

no exceptions for computing devices

all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

at least every 3 years

at least annually

significant changes

within thirty (30) days of release of updates

signature based and non-signature based

at least weekly

to include endpoints and network entry and exit points

to include blocking and quarantining malicious code

administrator or defined security personnel near-realtime

to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

to include system security personnel and administrators with configuration/patch-management responsibilities

to include chief privacy and ISSO and/or similar role or designees

at least every 3 years

at least annually

significant changes

at least annually

notification of supply chain compromises and results of assessment or audits

all

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

AC-7 Additional FedRAMP Requirements and Guidance

In alignment with NIST SP 800-63B

AC-8 Additional FedRAMP Requirements and Guidance

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

AC-20 Additional FedRAMP Requirements and Guidance

The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

-

AC-20 describes system access to and from external systems.

-

CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

-

SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

AU-2 Additional FedRAMP Requirements and Guidance

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

AU-6 Additional FedRAMP Requirements and Guidance

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

AU-11 Additional FedRAMP Requirements and Guidance

The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

The service provider is encouraged to align with M-21-31 where possible

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

CA-2 Additional FedRAMP Requirements and Guidance

Reference FedRAMP Annual Assessment Guidance.

CA-5 Additional FedRAMP Requirements and Guidance

POA&Ms must be provided at least monthly.

Reference FedRAMP-POAM-Template

CA-6 Additional FedRAMP Requirements and Guidance

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

CA-7 Additional FedRAMP Requirements and Guidance

Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight.

FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

CA-8 Additional FedRAMP Requirements and Guidance

Scope can be limited to public facing applications in alignment with M-22-09. Reference the FedRAMP Penetration Test Guidance.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

CM-2 Additional FedRAMP Requirements and Guidance

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

CM-6 Additional FedRAMP Requirements and Guidance

The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings;

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

-

During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

CM-7 Additional FedRAMP Requirements and Guidance

The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

CM-8 Additional FedRAMP Requirements and Guidance

must be provided at least monthly or when there is a change.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

CP-2 Additional FedRAMP Requirements and Guidance

For JAB authorizations the contingency lists include designated FedRAMP personnel.

CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

CP-3 Additional FedRAMP Requirements and Guidance

Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

CP-4 Additional FedRAMP Requirements and Guidance

The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

CP-9 Additional FedRAMP Requirements and Guidance

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

IA-2 Additional FedRAMP Requirements and Guidance

For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

Multi-factor authentication must be phishing-resistant.

Phishing-resistant authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

IA-2 (1) Additional FedRAMP Requirements and Guidance

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

Multi-factor authentication must be phishing-resistant.

Multi-factor authentication to subsequent components in the same user domain is not required.

IA-2 (2) Additional FedRAMP Requirements and Guidance

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

Multi-factor authentication must be phishing-resistant.

Multi-factor authentication to subsequent components in the same user domain is not required.

IA-2 (12) Additional FedRAMP Requirements and Guidance

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

IA-5 Additional FedRAMP Requirements and Guidance

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3

SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

IA-5 (1) Additional FedRAMP Requirements and Guidance

Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

-

For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

IA-11 Additional FedRAMP Requirements and Guidance

The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

-
    -
  • AAL1 (low baseline) -
      -
    • 30 days of extended session
      • -
    • No limit on inactivity
      • -
    + + + + FedRAMP Rev 5 Low Baseline + 2024-09-24T02:24:00Z + 2024-09-24T02:24:00Z + fedramp2.1.0-oscal1.0.4 + 1.0.4 + + Document creator + + + The FedRAMP Program Management Office (PMO) + PMO + + + The FedRAMP Joint Authorization Board (JAB) + JAB + + + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
    + 1800 F St. NW + Washington + DC + 20006 + US +
    +     + + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + + + 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d + + + 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d + + + ca9ba80e-1342-4bfd-b32a-abac468c24b4 + +     + + + ac-1 + ac-2 + ac-3 + ac-7 + ac-8 + ac-14 + ac-17 + ac-18 + ac-19 + ac-20 + ac-22 + at-1 + at-2 + at-2.2 + at-3 + at-4 + au-1 + au-2 + au-3 + au-4 + au-5 + au-6 + au-8 + au-9 + au-11 + au-12 + ca-1 + ca-2 + ca-2.1 + ca-3 + ca-5 + ca-6 + ca-7 + ca-7.4 + ca-8 + ca-9 + cm-1 + cm-2 + cm-4 + cm-5 + cm-6 + cm-7 + cm-8 + cm-10 + cm-11 + cp-1 + cp-2 + cp-3 + cp-4 + cp-9 + cp-10 + ia-1 + ia-2 + ia-2.1 + ia-2.2 + ia-2.8 + ia-2.12 + ia-4 + ia-5 + ia-5.1 + ia-6 + ia-7 + ia-8 + ia-8.1 + ia-8.2 + ia-8.4 + ia-11 + ir-1 + ir-2 + ir-4 + ir-5 + ir-6 + ir-7 + ir-8 + ma-1 + ma-2 + ma-4 + ma-5 + mp-1 + mp-2 + mp-6 + mp-7 + pe-1 + pe-2 + pe-3 + pe-6 + pe-8 + pe-12 + pe-13 + pe-14 + pe-15 + pe-16 + pl-1 + pl-2 + pl-4 + pl-4.1 + pl-8 + pl-10 + pl-11 + ps-1 + ps-2 + ps-3 + ps-4 + ps-5 + ps-6 + ps-7 + ps-8 + ps-9 + ra-1 + ra-2 + ra-3 + ra-3.1 + ra-5 + ra-5.2 + ra-5.11 + ra-7 + sa-1 + sa-2 + sa-3 + sa-4 + sa-4.10 + sa-5 + sa-8 + sa-9 + sa-22 + sc-1 + sc-5 + sc-7 + sc-8 + sc-8.1 + sc-12 + sc-13 + sc-15 + sc-20 + sc-21 + sc-22 + sc-28 + sc-28.1 + sc-39 + si-1 + si-2 + si-3 + si-4 + si-5 + si-12 + sr-1 + sr-2 + sr-2.1 + sr-3 + sr-5 + sr-8 + sr-10 + sr-11 + sr-11.1 + sr-11.2 + sr-12 + + + + true + + + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    twenty-four (24) hours

    +     +     +     + + + +

    eight (8) hours

    +     +     +     + + + +

    eight (8) hours

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    see additional Requirements and Guidance

    +     +     +     + + + +

    see additional Requirements and Guidance

    +     +     +     + + + +

    at least quarterly

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least one (1) year or 1 year after completion of a specific training program

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

    +     +     +     + + + +

    organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

    +     +     +     + + + +

    annually and whenever there is a change in the threat environment

    +     +     +     + + + +

    overwrite oldest record

    +     +     +     + + + +

    at least weekly

    +     +     +     + + + +

    one second granularity of time measurement

    +     +     +     + + + +

    a time period in compliance with M-21-31

    +     +     +     + + + +

    all information system and network components where audit capability is deployed/available

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    individuals or roles to include FedRAMP PMO

    +     +     +     + + + +

    at least annually and on input from JAB/AO

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    in accordance with OMB A-130 requirements or when a significant change occurs

    +     +     +     + + + +

    to include JAB/AO

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually and when a significant change occurs

    +     +     +     + + + +

    to include when directed by the JAB

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    Continuously (via CM-7 (5))

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    *See Additional Requirements

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    classroom exercise/table top written tests

    +     +     +     + + + +

    daily incremental; weekly full

    +     +     +     + + + +

    daily incremental; weekly full

    +     +     +     + + + +

    daily incremental; weekly full

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at a minimum, the ISSO (or similar role within the organization)

    +     +     +     + + + +

    at least two (2) years

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    ten (10) days for privileged users, thirty (30) days for Incident Response roles

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    see additional FedRAMP Requirements and Guidance

    +     +     +     + + + +

    see additional FedRAMP Requirements and Guidance

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    CSP defined physical access control systems/devices AND guards

    +     +     +     + + + +

    in all circumstances within restricted access area where the information system resides

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    for a minimum of one (1) year

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

    +     +     +     + + + +

    continuously

    +     +     +     + + + +

    all information system components

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually and when the rules are revised or changed

    +     +     +     + + + +

    at least annually and when a significant change occurs

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least every three years

    +     +     +     + + + +

    for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

    +

    For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

    +     +     +     + + + +

    four (4) hours

    +     +     +     + + + +

    twenty-four (24) hours

    +     +     +     + + + +

    twenty-four (24) hours

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually and any time there is a change to the user's level of access

    +     +     +     + + + +

    including access control personnel responsible for the system and/or facilities, as appropriate

    +     +     +     + + + +

    within twenty-four (24) hours

    +     +     +     + + + +

    at a minimum, the ISSO and/or similar role within the organization

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    security assessment report

    +     +     +     + + + +

    at least every three (3) years and when a significant change occurs

    +     +     +     + + + +

    at least every three (3) years

    +     +     +     + + + +

    monthly operating system/infrastructure; monthly web applications (including APIs) and databases

    +     +     +     + + + +

    high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

    +     +     +     + + + +

    prior to a new scan

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at a minimum, the ISSO (or similar role within the organization)

    +     +     +     + + + +

    Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

    +     +     +     + + + +

    Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    Protect against

    +     +     +     + + + +

    at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

    +     +     +     + + + +

    In accordance with Federal requirements

    +     +     +     + + + +

    FIPS-validated or NSA-approved cryptography

    +     +     +     + + + +

    no exceptions for computing devices

    +     +     +     + + + +

    all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    within thirty (30) days of release of updates

    +     +     +     + + + +

    signature based and non-signature based

    +     +     +     + + + +

    at least weekly

    +     +     +     + + + +

    to include endpoints and network entry and exit points

    +     +     +     + + + +

    to include blocking and quarantining malicious code

    +     +     +     + + + +

    administrator or defined security personnel near-realtime

    +     +     +     + + + +

    to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

    +     +     +     + + + +

    to include system security personnel and administrators with configuration/patch-management responsibilities

    +     +     +     + + + +

    to include chief privacy and ISSO and/or similar role or designees

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    notification of supply chain compromises and results of assessment or audits

    +     +     +     + + + +

    all

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AC-7 Additional FedRAMP Requirements and Guidance + + +

    In alignment with NIST SP 800-63B

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + AC-8 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

    +     + + +

    The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

    +     + + +

    If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

    +     + + +

    If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + AC-20 Additional FedRAMP Requirements and Guidance + + +

    The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

    +

    AC-20 describes system access to and from external systems.

    +

    CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

    +

    SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-2 Additional FedRAMP Requirements and Guidance + + +

    Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

    +     + + +

    Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-6 Additional FedRAMP Requirements and Guidance + + +

    Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + AU-11 Additional FedRAMP Requirements and Guidance + + +

    The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

    +     + + +

    The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

    +     + + +

    The service provider is encouraged to align with M-21-31 where possible

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + CA-2 Additional FedRAMP Requirements and Guidance + + +

    Reference FedRAMP Annual Assessment Guidance.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CA-5 Additional FedRAMP Requirements and Guidance + + +

    POA&Ms must be provided at least monthly.

    +     + + +

    Reference FedRAMP-POAM-Template

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + CA-6 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CA-7 Additional FedRAMP Requirements and Guidance + + +

    Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

    +     + + +

    CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight.

    +     + + +

    FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CA-8 Additional FedRAMP Requirements and Guidance + + +

    Scope can be limited to public facing applications in alignment with M-22-09. Reference the FedRAMP Penetration Test Guidance.

    +     +     +     + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CM-2 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + CM-6 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings;

    +     + + +

    The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

    +     + + +

    Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

    +

    During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CM-7 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

    +     +     +     + + + + + + + + + + + + + + + + + + +     + + + + CM-8 Additional FedRAMP Requirements and Guidance + + +

    must be provided at least monthly or when there is a change.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + CP-2 Additional FedRAMP Requirements and Guidance + + +

    For JAB authorizations the contingency lists include designated FedRAMP personnel.

    +     + + +

    CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CP-3 Additional FedRAMP Requirements and Guidance + + +

    Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CP-4 Additional FedRAMP Requirements and Guidance + + +

    The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

    +     + + +

    The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CP-9 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

    +     + + +

    The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

    +     + + +

    The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

    +     + + +

    The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + IA-2 Additional FedRAMP Requirements and Guidance + + +

    For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

    +     + + +

    Multi-factor authentication must be phishing-resistant.

    +     + + +

    Phishing-resistant authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

    +     + + +

    All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

    +     +     +     + + + + + + + + + + + + + + + + + + +     + + + + IA-2 (1) Additional FedRAMP Requirements and Guidance + + +

    According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

    +     + + +

    Multi-factor authentication must be phishing-resistant.

    +     + + +

    Multi-factor authentication to subsequent components in the same user domain is not required.

    +     +     +     + + + + + + + + + + +     + + + + IA-2 (2) Additional FedRAMP Requirements and Guidance + + +

    According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

    +     + + +

    Multi-factor authentication must be phishing-resistant.

    +     + + +

    Multi-factor authentication to subsequent components in the same user domain is not required.

    +     +     +     + + + + + + + + + + +     + + + + IA-2 (12) Additional FedRAMP Requirements and Guidance + + +

    Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IA-5 Additional FedRAMP Requirements and Guidance + + +

    Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3

    +     + + +

    SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + IA-5 (1) Additional FedRAMP Requirements and Guidance + + +

    Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

    +     + + +

    For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

    +

    For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

    +     + + +

    Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + IA-11 Additional FedRAMP Requirements and Guidance + + +

    The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

    +
      +
    • AAL1 (low baseline) +
      • 30 days of extended session
      • No limit on inactivity
      • -

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    IR-4 Additional FedRAMP Requirements and Guidance

    The FISMA definition of incident shall be used: An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

    The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

    IR-6 Additional FedRAMP Requirements and Guidance

    Reports security incident information according to FedRAMP Incident Communications Procedure.

    IR-8 Additional FedRAMP Requirements and Guidance

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    PE-14 Additional FedRAMP Requirements and Guidance

    The service provider measures temperature at server inlets and humidity levels by dew point.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    PL-8 Additional FedRAMP Requirements and Guidance

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    PL-10 Additional FedRAMP Requirements and Guidance

    Select the appropriate FedRAMP Baseline

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    RA-3 Additional FedRAMP Requirements and Guidance

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    RA-5 Additional FedRAMP Requirements and Guidance

    See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

    an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

    to include all Authorizing Officials; for JAB authorizations to include FedRAMP

    Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

    -

    Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

    -

    Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a warning as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on Tracking of Compliance Scans in FAQs.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SA-4 Additional FedRAMP Requirements and Guidance

    The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

    The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

    -

    See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SC-7 Additional FedRAMP Requirements and Guidance

    SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

    SC-8 Additional FedRAMP Requirements and Guidance

    For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

    -

    For clarity, this control applies to all data in transit. Examples include the following data flows:

    -
      -
    • Crossing the system boundary
      • -
    • Between compute instances - including containers
      • -
    • From a compute instance to storage
      • -
    • Replication between availability zones
      • -
    • Transmission of backups to storage
      • -
    • From a load balancer to a compute instance
      • -
    • Flows from management tools required for their work - e.g. log collection, scanning, etc.
      • -
    -

    The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).

    -

    FedRAMP-Defined Assignment / Selection Parameters

    -

    SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

    -

    SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

    SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

    -

    Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

    -

    Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS's Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS' recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

    -

    Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.

    -

    CNSSI No.7003 can be accessed here:

    -

    https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf

    -

    DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:

    -

    https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf

    SC-8 (1) Additional FedRAMP Requirements and Guidance

    Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

    See M-22-09, including Agencies encrypt all DNS requests and HTTP traffic within their environment

    -

    SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

    Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

    When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    SC-12 Additional FedRAMP Requirements and Guidance

    See references in NIST 800-53 documentation.

    Must meet applicable Federal Cryptographic Requirements. See References Section of control.

    Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

    SC-13 Additional FedRAMP Requirements and Guidance

    This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

    -
      -
    • Encryption of data
      • -
    • Decryption of data
      • -
    • Generation of one time passwords (OTPs) for MFA
      • -
    • Protocols such as TLS, SSH, and HTTPS
      • -
    -

    The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

    -

    https://csrc.nist.gov/projects/cryptographic-module-validation-program

    For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

    -

    https://www.niap-ccevs.org/Product/index.cfm

    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    Moving to non-FIPS CM or product is acceptable when:

    -
      -
    • FIPS validated version has a known vulnerability
      • -
    • Feature with vulnerability is in use
      • -
    • Non-FIPS version fixes the vulnerability
      • -
    • Non-FIPS version is submitted to NIST for FIPS validation
      • -
    • POA&M is added to track approval, and deployment when ready
      • -

    At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

    SC-15 Additional FedRAMP Requirements and Guidance

    The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

    SC-20 Additional FedRAMP Requirements and Guidance

    Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

    SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

    External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

    CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

    SC-21 Additional FedRAMP Requirements and Guidance

    Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

    -
      -
    • If the reply is signed, and fails DNSSEC, do not use the reply
      • -
    • If the reply is unsigned: -
        -
      • CSP chooses the policy to apply
        • -
      +
    +     +     +     + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IR-4 Additional FedRAMP Requirements and Guidance + + +

    The FISMA definition of incident shall be used: An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

    +     + + +

    The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + IR-6 Additional FedRAMP Requirements and Guidance + + +

    Reports security incident information according to FedRAMP Incident Communications Procedure.

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + IR-8 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    +     + + +

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PE-14 Additional FedRAMP Requirements and Guidance + + +

    The service provider measures temperature at server inlets and humidity levels by dew point.

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PL-8 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + PL-10 Additional FedRAMP Requirements and Guidance + + +

    Select the appropriate FedRAMP Baseline

    +     +     +     + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + RA-3 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    +     + + +

    Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + RA-5 Additional FedRAMP Requirements and Guidance + + +

    See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

    +     + + +

    an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    +     + + +

    If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

    +     + + +

    to include all Authorizing Officials; for JAB authorizations to include FedRAMP

    +     + + +

    Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

    +

    Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

    +

    Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a warning as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on Tracking of Compliance Scans in FAQs.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SA-4 Additional FedRAMP Requirements and Guidance + + +

    The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

    +     + + +

    The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

    +

    See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SC-7 Additional FedRAMP Requirements and Guidance + + +

    SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + SC-8 Additional FedRAMP Requirements and Guidance + + +

    For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

    +

    For clarity, this control applies to all data in transit. Examples include the following data flows:

    +
      +
    • Crossing the system boundary
      • +
    • Between compute instances - including containers
      • +
    • From a compute instance to storage
      • +
    • Replication between availability zones
      • +
    • Transmission of backups to storage
      • +
    • From a load balancer to a compute instance
      • +
    • Flows from management tools required for their work - e.g. log collection, scanning, etc.
      • +
    +

    The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).

    +

    FedRAMP-Defined Assignment / Selection Parameters

    +

    SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

    +

    SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

    +     + + +

    SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

    +

    Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

    +

    Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS's Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS' recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

    +

    Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.

    +

    CNSSI No.7003 can be accessed here:

    +

    https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf

    +

    DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:

    +

    https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf

    +     +     +     + + + + + + + + + + + + +     + + + + SC-8 (1) Additional FedRAMP Requirements and Guidance + + +

    Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

    +     + + +

    See M-22-09, including Agencies encrypt all DNS requests and HTTP traffic within their environment

    +

    SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

    +     + + +

    Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

    +     + + +

    When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    +     +     +     + + + + + + + + + +     + + + + SC-12 Additional FedRAMP Requirements and Guidance + + +

    See references in NIST 800-53 documentation.

    +     + + +

    Must meet applicable Federal Cryptographic Requirements. See References Section of control.

    +     + + +

    Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

    +     +     +     + + + + + + + + + + + + +     + + + + SC-13 Additional FedRAMP Requirements and Guidance + + +

    This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

    +
      +
    • Encryption of data
      • +
    • Decryption of data
      • +
    • Generation of one time passwords (OTPs) for MFA
      • +
    • Protocols such as TLS, SSH, and HTTPS
      • +
    +

    The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

    +

    https://csrc.nist.gov/projects/cryptographic-module-validation-program

    +     + + +

    For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

    +

    https://www.niap-ccevs.org/Product/index.cfm

    +     + + +

    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    +     + + +

    Moving to non-FIPS CM or product is acceptable when:

    +
      +
    • FIPS validated version has a known vulnerability
      • +
    • Feature with vulnerability is in use
      • +
    • Non-FIPS version fixes the vulnerability
      • +
    • Non-FIPS version is submitted to NIST for FIPS validation
      • +
    • POA&M is added to track approval, and deployment when ready
      • +
    +     + + +

    At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

    +     +     +     + + + + + + + + + + + + + + + + + + + + +     + + + + SC-15 Additional FedRAMP Requirements and Guidance + + +

    The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

    +     +     +     + + + + + + + + + + + + + + + + + +     + + + + SC-20 Additional FedRAMP Requirements and Guidance + + +

    Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

    +     + + +

    SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

    +     + + +

    External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

    +     + + +

    CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + SC-21 Additional FedRAMP Requirements and Guidance + + +

    Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

    +
      +
    • If the reply is signed, and fails DNSSEC, do not use the reply
      • +
    • If the reply is unsigned: +
      • CSP chooses the policy to apply
      • -

    Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

    Accepting an unsigned reply is acceptable

    SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

    -
      -
    • DNSSEC resolution to access a component inside the boundary is excluded.
      • -
    SC-28 Additional FedRAMP Requirements and Guidance

    The organization supports the capability to use cryptographic mechanisms to protect information at rest.

    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    Note that this enhancement requires the use of cryptography in accordance with SC-13.

    SC-28 (1) Additional FedRAMP Requirements and Guidance

    Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

    -

    Examples:

    -

    A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

    -

    B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

    -

    C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SI-4 Additional FedRAMP Requirements and Guidance

    See US-CERT Incident Response Reporting Guidelines.

    SI-5 Additional FedRAMP Requirements and Guidance

    Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SR-3 Additional FedRAMP Requirements and Guidance

    CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

    SR-8 Additional FedRAMP Requirements and Guidance

    CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

    SR-11 Additional FedRAMP Requirements and Guidance

    CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

    FedRAMP Applicable Laws and Regulations

    FedRAMP Logo

    NIST Special Publication (SP) 800-53 revision 5     \ No newline at end of file +
+ + + +

Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

+ + + +

Accepting an unsigned reply is acceptable

+ + + +

SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

+
    +
  • DNSSEC resolution to access a component inside the boundary is excluded.
    • +
+ + + + + + + + + + + + + + + + + + + + SC-28 Additional FedRAMP Requirements and Guidance + + +

The organization supports the capability to use cryptographic mechanisms to protect information at rest.

+ + + +

When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+ + + +

Note that this enhancement requires the use of cryptography in accordance with SC-13.

+ + + + + + + + + + + + + + + + + + + + SC-28 (1) Additional FedRAMP Requirements and Guidance + + +

Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

+

Examples:

+

A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

+

B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

+

C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SI-4 Additional FedRAMP Requirements and Guidance + + +

See US-CERT Incident Response Reporting Guidelines.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SI-5 Additional FedRAMP Requirements and Guidance + +

Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SR-3 Additional FedRAMP Requirements and Guidance + + +

CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SR-8 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

+ + + + + + + + + + + + + + + + SR-11 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + FedRAMP Applicable Laws and Regulations + + + + +

FedRAMP Logo

+ + + + + + NIST Special Publication (SP) 800-53 revision 5 + + + + + diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml index 1ba4b5a6c..1afed42d8 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml @@ -1,74 +1,11107 @@ -FedRAMP Rev 5 Moderate Baseline2024-09-24T02:24:00Z2024-09-24T02:24:00Zfedramp2.1.0-oscal1.0.41.0.4Document creatorThe FedRAMP Program Management Office (PMO)PMOThe FedRAMP Joint Authorization Board (JAB)JABFederal Risk and Authorization Management Program: Program Management OfficeFedRAMP PMOinfo@fedramp.gov
1800 F St. NWWashingtonDC20006US
Federal Risk and Authorization Management Program: Joint Authorization BoardFedRAMP JAB8cc0b8e5-9650-4d5f-9796-316f05fa9a2d8cc0b8e5-9650-4d5f-9796-316f05fa9a2dca9ba80e-1342-4bfd-b32a-abac468c24b4ac-1ac-2ac-2.1ac-2.2ac-2.3ac-2.4ac-2.5ac-2.7ac-2.9ac-2.12ac-2.13ac-3ac-4ac-4.21ac-5ac-6ac-6.1ac-6.2ac-6.5ac-6.7ac-6.9ac-6.10ac-7ac-8ac-11ac-11.1ac-12ac-14ac-17ac-17.1ac-17.2ac-17.3ac-17.4ac-18ac-18.1ac-18.3ac-19ac-19.5ac-20ac-20.1ac-20.2ac-21ac-22at-1at-2at-2.2at-2.3at-3at-4au-1au-2au-3au-3.1au-4au-5au-6au-6.1au-6.3au-7au-7.1au-8au-9au-9.4au-11au-12ca-1ca-2ca-2.1ca-2.3ca-3ca-5ca-6ca-7ca-7.1ca-7.4ca-8ca-8.1ca-8.2ca-9cm-1cm-2cm-2.2cm-2.3cm-2.7cm-3cm-3.2cm-3.4cm-4cm-4.2cm-5cm-5.1cm-5.5cm-6cm-6.1cm-7cm-7.1cm-7.2cm-7.5cm-8cm-8.1cm-8.3cm-9cm-10cm-11cm-12cm-12.1cp-1cp-2cp-2.1cp-2.3cp-2.8cp-3cp-4cp-4.1cp-6cp-6.1cp-6.3cp-7cp-7.1cp-7.2cp-7.3cp-8cp-8.1cp-8.2cp-9cp-9.1cp-9.8cp-10cp-10.2ia-1ia-2ia-2.1ia-2.2ia-2.5ia-2.6ia-2.8ia-2.12ia-3ia-4ia-4.4ia-5ia-5.1ia-5.2ia-5.6ia-5.7ia-6ia-7ia-8ia-8.1ia-8.2ia-8.4ia-11ia-12ia-12.2ia-12.3ia-12.5ir-1ir-2ir-3ir-3.2ir-4ir-4.1ir-5ir-6ir-6.1ir-6.3ir-7ir-7.1ir-8ir-9ir-9.2ir-9.3ir-9.4ma-1ma-2ma-3ma-3.1ma-3.2ma-3.3ma-4ma-5ma-5.1ma-6mp-1mp-2mp-3mp-4mp-5mp-6mp-7pe-1pe-2pe-3pe-4pe-5pe-6pe-6.1pe-8pe-9pe-10pe-11pe-12pe-13pe-13.1pe-13.2pe-14pe-15pe-16pe-17pl-1pl-2pl-4pl-4.1pl-8pl-10pl-11ps-1ps-2ps-3ps-3.3ps-4ps-5ps-6ps-7ps-8ps-9ra-1ra-2ra-3ra-3.1ra-5ra-5.2ra-5.3ra-5.5ra-5.11ra-7ra-9sa-1sa-2sa-3sa-4sa-4.1sa-4.2sa-4.9sa-4.10sa-5sa-8sa-9sa-9.1sa-9.2sa-9.5sa-10sa-11sa-11.1sa-11.2sa-15sa-15.3sa-22sc-1sc-2sc-4sc-5sc-7sc-7.3sc-7.4sc-7.5sc-7.7sc-7.8sc-7.12sc-7.18sc-8sc-8.1sc-10sc-12sc-13sc-15sc-17sc-18sc-20sc-21sc-22sc-23sc-28sc-28.1sc-39sc-45sc-45.1si-1si-2si-2.2si-2.3si-3si-4si-4.1si-4.2si-4.4si-4.5si-4.16si-4.18si-4.23si-5si-6si-7si-7.1si-7.7si-8si-8.2si-10si-11si-12si-16sr-1sr-2sr-2.1sr-3sr-5sr-6sr-8sr-10sr-11sr-11.1sr-11.2sr-12true

at least every 3 years

at least annually

significant changes

twenty-four (24) hours

eight (8) hours

eight (8) hours

quarterly for privileged access, annually for non-privileged access

Selection: disables

no more than 96 hours from last use

24 hours for user accounts

ninety (90) days (See additional requirements and guidance.)

for privileged users, it is the end of a user's standard work period

organization-defined need with justification statement that explains why such accounts are necessary

at a minimum, the ISSO and/or similar role within the organization

one (1) hour

all security functions

at a minimum, annually

all users with privileges

see additional Requirements and Guidance

see additional Requirements and Guidance

fifteen (15) minutes

at least quarterly

at least every 3 years

at least annually

significant changes

at least annually

at least annually

at least annually

at least annually

at least one (1) year or 1 year after completion of a specific training program

at least every 3 years

at least annually

significant changes

successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

annually and whenever there is a change in the threat environment

session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands

overwrite oldest record

at least weekly

one second granularity of time measurement

a time period in compliance with M-21-31

all information system and network components where audit capability is deployed/available

at least every 3 years

at least annually

significant changes

at least annually

individuals or roles to include FedRAMP PMO

any FedRAMP Accredited 3PAO

the conditions of the JAB/AO in the FedRAMP Repository

at least annually and on input from JAB/AO

at least monthly

in accordance with OMB A-130 requirements or when a significant change occurs

to include JAB/AO

at least annually

at least annually

at least every 3 years

at least annually

significant changes

at least annually and when a significant change occurs

to include when directed by the JAB

Configuration control board (CCB) or similar (as defined in CM-3)

at least quarterly

at least annually

at least quarterly or when there is a change

at least monthly

automated mechanisms with a maximum five-minute delay in detection

continuously

Continuously (via CM-7 (5))

Federal data and system data that must be protected at the High or Moderate impact levels

at least every 3 years

at least annually

significant changes

at least annually

all

time period defined in service provider and organization SLA

*See Additional Requirements

at least annually

at least annually

at least annually

functional exercises

daily incremental; weekly full

daily incremental; weekly full

daily incremental; weekly full

at least annually

all backup files

at least every 3 years

at least annually

significant changes

local, network and remote

privileged accounts; non-privileged accounts

FIPS-validated or NSA-approved cryptography

privileged accounts; non-privileged accounts

at a minimum, the ISSO (or similar role within the organization)

at least two (2) years

contractors; foreign nationals

at least every 3 years

at least annually

significant changes

ten (10) days for privileged users, thirty (30) days for Incident Response roles

at least annually

at least annually

functional, at least annually

US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

at least annually

see additional FedRAMP Requirements and Guidance

see additional FedRAMP Requirements and Guidance

at least annually

at least every 3 years

at least annually

significant changes

at least annually

the information owner

a timeframe to support advertised uptime and availability

at least every 3 years

at least annually

significant changes

all types of digital and/or non-digital media containing sensitive information

no removable media types

organization-defined security safeguards not applicable

all types of digital and non-digital media with sensitive information

see additional FedRAMP requirements and guidance

all media with sensitive information

prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

at least every 3 years

at least annually

significant changes

at least annually

CSP defined physical access control systems/devices AND guards

in all circumstances within restricted access area where the information system resides

at least annually

at least annually or earlier as required by a security relevant event.

at least monthly

for a minimum of one (1) year

at least monthly

near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off

service provider building maintenance/physical security personnel

service provider emergency responders with incident response responsibilities

consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

continuously

all information system components

at least every 3 years

at least annually

significant changes

to include chief privacy and ISSO and/or similar role or designees

to include chief privacy and ISSO and/or similar role

at least annually

at least every 3 years

at least annually and when the rules are revised or changed

at least annually and when a significant change occurs

at least every 3 years

at least annually

significant changes

at least every three years

for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

-

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

personnel screening criteria - as required by specific information

four (4) hours

twenty-four (24) hours

including access control personnel responsible for the system

twenty-four (24) hours

at least annually

at least annually and any time there is a change to the user's level of access

including access control personnel responsible for the system and/or facilities, as appropriate

within twenty-four (24) hours

to include the ISSO and/or similar role within the organization

24 hours

at least every 3 years

at least annually

significant changes

security assessment report

at least every three (3) years and when a significant change occurs

at least every three (3) years

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

within 24 hours prior to running scans

all components that support authentication

all scans

at least every 3 years

at least annually

significant changes

at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;

at a minimum, the ISSO (or similar role within the organization)

Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

all external systems where Federal information is processed or stored

information processing, information or data, AND system services

development, implementation, AND operation

frequency at least annually

FedRAMP Security Authorization requirements

at least every 3 years

at least annually

significant changes

Protect against

at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

at least every 180 days or whenever there is a change in the threat environment that warrants a review of the exceptions

any systems

any network outside of organizational control and any network outside the authorization boundary

Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall

confidentiality AND integrity

prevent unauthorized disclosure of information AND detect changes to information

no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions

In accordance with Federal requirements

FIPS-validated or NSA-approved cryptography

no exceptions for computing devices

confidentiality AND integrity

all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

At least hourly

http://tf.nist.gov/tf-cgi/servers.cgi

any difference

at least every 3 years

at least annually

significant changes

within thirty (30) days of release of updates

at least monthly

signature based and non-signature based

at least weekly

to include endpoints and network entry and exit points

to include blocking and quarantining malicious code

administrator or defined security personnel near-realtime

continuously

to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

to include system security personnel and administrators with configuration/patch-management responsibilities

to include upon system startup and/or restart

at least monthly

to include system administrators and security personnel

selection to include security relevant event

at least monthly

to include the ISSO and/or similar role within the organization

to include chief privacy and ISSO and/or similar role or designees

at least every 3 years

at least annually

significant changes

at least annually

at least annually

notification of supply chain compromises and results of assessment or audits

all

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

AC-2 (3) Additional FedRAMP Requirements and Guidance

The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

The service provider defines the time period of inactivity for device identifiers.

For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.

AC-2 (5) Additional FedRAMP Requirements and Guidance

Should use a shorter timeframe than AC-12.

AC-2 (9) Additional FedRAMP Requirements and Guidance

Required if shared/group accounts are deployed.

AC-2 (12) Additional FedRAMP Requirements and Guidance

Required for privileged accounts.

Required for privileged accounts.

AC-5 Additional FedRAMP Requirements and Guidance

CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

AC-6 (2) Additional FedRAMP Requirements and Guidance

Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

AC-7 Additional FedRAMP Requirements and Guidance

In alignment with NIST SP 800-63B

AC-8 Additional FedRAMP Requirements and Guidance

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

AC-20 Additional FedRAMP Requirements and Guidance

The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

-

AC-20 describes system access to and from external systems.

-

CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

-

SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

AU-2 Additional FedRAMP Requirements and Guidance

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

AU-3 (1) Additional FedRAMP Requirements and Guidance

For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

AU-6 Additional FedRAMP Requirements and Guidance

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

AU-11 Additional FedRAMP Requirements and Guidance

The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

The service provider is encouraged to align with M-21-31 where possible

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

CA-2 Additional FedRAMP Requirements and Guidance

Reference FedRAMP Annual Assessment Guidance.

CA-2 (1) Additional FedRAMP Requirements and Guidance

For JAB Authorization, must use an accredited 3PAO.

CA-5 Additional FedRAMP Requirements and Guidance

POA&Ms must be provided at least monthly.

Reference FedRAMP-POAM-Template

CA-6 Additional FedRAMP Requirements and Guidance

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

CA-7 Additional FedRAMP Requirements and Guidance

Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (Con Mon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSPs authorized via the Agency path as each agency customer is responsible for performing Con Mon oversight. It does not apply to CSPs authorized via the JAB path because the JAB performs Con Mon oversight.

FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

CA-8 Additional FedRAMP Requirements and Guidance

Reference the FedRAMP Penetration Test Guidance.

CA-8(2) Additional FedRAMP Requirements and Guidance

See the FedRAMP Documents page> Penetration Test Guidance

-

https://www.FedRAMP.gov/documents/

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

CM-2 Additional FedRAMP Requirements and Guidance

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

CM-3 Additional FedRAMP Requirements and Guidance

The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

In accordance with record retention policies and procedures.

CM-6 Additional FedRAMP Requirements and Guidance

The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

-

During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

CM-7 Additional FedRAMP Requirements and Guidance

The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

CM-7 (2) Additional FedRAMP Requirements and Guidance

This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

CM-8 Additional FedRAMP Requirements and Guidance

must be provided at least monthly or when there is a change.

FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

CM-12 Additional FedRAMP Requirements and Guidance

According to FedRAMP Authorization Boundary Guidance

CM-12 (1) Additional FedRAMP Requirements and Guidance

According to FedRAMP Authorization Boundary Guidance.

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

CP-2 Additional FedRAMP Requirements and Guidance

For JAB authorizations the contingency lists include designated FedRAMP personnel.

CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

CP-3 Additional FedRAMP Requirements and Guidance

Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

CP-4 Additional FedRAMP Requirements and Guidance

The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

CP-7 Additional FedRAMP Requirements and Guidance

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

CP-7 (1) Additional FedRAMP Requirements and Guidance

The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

CP-8 Additional FedRAMP Requirements and Guidance

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

CP-9 Additional FedRAMP Requirements and Guidance

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

CP-9 (8) Additional FedRAMP Requirements and Guidance

Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

This response must address all control sub-statement requirements.

This response must address all control sub-statement requirements.

IA-2 Additional FedRAMP Requirements and Guidance

For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

Multi-factor authentication must be phishing-resistant.

All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

Phishing-resistant authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

IA-2 (1) Additional FedRAMP Requirements and Guidance

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

Multi-factor authentication must be phishing-resistant.

Multi-factor authentication to subsequent components in the same user domain is not required.

IA-2 (2) Additional FedRAMP Requirements and Guidance

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

Multi-factor authentication must be phishing-resistant.

Multi-factor authentication to subsequent components in the same user domain is not required.

IA-2 (6) Additional FedRAMP Requirements and Guidance

PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography.

IA-2 (12) Additional FedRAMP Requirements and Guidance

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

IA-5 Additional FedRAMP Requirements and Guidance

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3

SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

IA-5 (1) Additional FedRAMP Requirements and Guidance

Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

-

For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

IA-5 (7) Additional FedRAMP Requirements and Guidance

In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process.

IA-11 Additional FedRAMP Requirements and Guidance

The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

-
    -
  • AAL2 (moderate baseline) -
      -
    • 12 hours or
      • -
    • 30 minutes of inactivity
      • -
    + + + + FedRAMP Rev 5 Moderate Baseline + 2024-09-24T02:24:00Z + 2024-09-24T02:24:00Z + fedramp2.1.0-oscal1.0.4 + 1.0.4 + + Document creator + + + The FedRAMP Program Management Office (PMO) + PMO + + + The FedRAMP Joint Authorization Board (JAB) + JAB + + + Federal Risk and Authorization Management Program: Program Management Office + FedRAMP PMO + + + + info@fedramp.gov +
    + 1800 F St. NW + Washington + DC + 20006 + US +
    +     + + Federal Risk and Authorization Management Program: Joint Authorization Board + FedRAMP JAB + + + + 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d + + + 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d + + + ca9ba80e-1342-4bfd-b32a-abac468c24b4 + +     + + + ac-1 + ac-2 + ac-2.1 + ac-2.2 + ac-2.3 + ac-2.4 + ac-2.5 + ac-2.7 + ac-2.9 + ac-2.12 + ac-2.13 + ac-3 + ac-4 + ac-4.21 + ac-5 + ac-6 + ac-6.1 + ac-6.2 + ac-6.5 + ac-6.7 + ac-6.9 + ac-6.10 + ac-7 + ac-8 + ac-11 + ac-11.1 + ac-12 + ac-14 + ac-17 + ac-17.1 + ac-17.2 + ac-17.3 + ac-17.4 + ac-18 + ac-18.1 + ac-18.3 + ac-19 + ac-19.5 + ac-20 + ac-20.1 + ac-20.2 + ac-21 + ac-22 + at-1 + at-2 + at-2.2 + at-2.3 + at-3 + at-4 + au-1 + au-2 + au-3 + au-3.1 + au-4 + au-5 + au-6 + au-6.1 + au-6.3 + au-7 + au-7.1 + au-8 + au-9 + au-9.4 + au-11 + au-12 + ca-1 + ca-2 + ca-2.1 + ca-2.3 + ca-3 + ca-5 + ca-6 + ca-7 + ca-7.1 + ca-7.4 + ca-8 + ca-8.1 + ca-8.2 + ca-9 + cm-1 + cm-2 + cm-2.2 + cm-2.3 + cm-2.7 + cm-3 + cm-3.2 + cm-3.4 + cm-4 + cm-4.2 + cm-5 + cm-5.1 + cm-5.5 + cm-6 + cm-6.1 + cm-7 + cm-7.1 + cm-7.2 + cm-7.5 + cm-8 + cm-8.1 + cm-8.3 + cm-9 + cm-10 + cm-11 + cm-12 + cm-12.1 + cp-1 + cp-2 + cp-2.1 + cp-2.3 + cp-2.8 + cp-3 + cp-4 + cp-4.1 + cp-6 + cp-6.1 + cp-6.3 + cp-7 + cp-7.1 + cp-7.2 + cp-7.3 + cp-8 + cp-8.1 + cp-8.2 + cp-9 + cp-9.1 + cp-9.8 + cp-10 + cp-10.2 + ia-1 + ia-2 + ia-2.1 + ia-2.2 + ia-2.5 + ia-2.6 + ia-2.8 + ia-2.12 + ia-3 + ia-4 + ia-4.4 + ia-5 + ia-5.1 + ia-5.2 + ia-5.6 + ia-5.7 + ia-6 + ia-7 + ia-8 + ia-8.1 + ia-8.2 + ia-8.4 + ia-11 + ia-12 + ia-12.2 + ia-12.3 + ia-12.5 + ir-1 + ir-2 + ir-3 + ir-3.2 + ir-4 + ir-4.1 + ir-5 + ir-6 + ir-6.1 + ir-6.3 + ir-7 + ir-7.1 + ir-8 + ir-9 + ir-9.2 + ir-9.3 + ir-9.4 + ma-1 + ma-2 + ma-3 + ma-3.1 + ma-3.2 + ma-3.3 + ma-4 + ma-5 + ma-5.1 + ma-6 + mp-1 + mp-2 + mp-3 + mp-4 + mp-5 + mp-6 + mp-7 + pe-1 + pe-2 + pe-3 + pe-4 + pe-5 + pe-6 + pe-6.1 + pe-8 + pe-9 + pe-10 + pe-11 + pe-12 + pe-13 + pe-13.1 + pe-13.2 + pe-14 + pe-15 + pe-16 + pe-17 + pl-1 + pl-2 + pl-4 + pl-4.1 + pl-8 + pl-10 + pl-11 + ps-1 + ps-2 + ps-3 + ps-3.3 + ps-4 + ps-5 + ps-6 + ps-7 + ps-8 + ps-9 + ra-1 + ra-2 + ra-3 + ra-3.1 + ra-5 + ra-5.2 + ra-5.3 + ra-5.5 + ra-5.11 + ra-7 + ra-9 + sa-1 + sa-2 + sa-3 + sa-4 + sa-4.1 + sa-4.2 + sa-4.9 + sa-4.10 + sa-5 + sa-8 + sa-9 + sa-9.1 + sa-9.2 + sa-9.5 + sa-10 + sa-11 + sa-11.1 + sa-11.2 + sa-15 + sa-15.3 + sa-22 + sc-1 + sc-2 + sc-4 + sc-5 + sc-7 + sc-7.3 + sc-7.4 + sc-7.5 + sc-7.7 + sc-7.8 + sc-7.12 + sc-7.18 + sc-8 + sc-8.1 + sc-10 + sc-12 + sc-13 + sc-15 + sc-17 + sc-18 + sc-20 + sc-21 + sc-22 + sc-23 + sc-28 + sc-28.1 + sc-39 + sc-45 + sc-45.1 + si-1 + si-2 + si-2.2 + si-2.3 + si-3 + si-4 + si-4.1 + si-4.2 + si-4.4 + si-4.5 + si-4.16 + si-4.18 + si-4.23 + si-5 + si-6 + si-7 + si-7.1 + si-7.7 + si-8 + si-8.2 + si-10 + si-11 + si-12 + si-16 + sr-1 + sr-2 + sr-2.1 + sr-3 + sr-5 + sr-6 + sr-8 + sr-10 + sr-11 + sr-11.1 + sr-11.2 + sr-12 + + + + true + + + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    twenty-four (24) hours

    +     +     +     + + + +

    eight (8) hours

    +     +     +     + + + +

    eight (8) hours

    +     +     +     + + + +

    quarterly for privileged access, annually for non-privileged access

    +     +     +     + + + +

    Selection: disables

    +     +     +     + + + +

    no more than 96 hours from last use

    +     +     +     + + + +

    24 hours for user accounts

    +     +     +     + + + +

    ninety (90) days (See additional requirements and guidance.)

    +     +     +     + + + +

    for privileged users, it is the end of a user's standard work period

    +     +     +     + + + +

    organization-defined need with justification statement that explains why such accounts are necessary

    +     +     +     + + + +

    at a minimum, the ISSO and/or similar role within the organization

    +     +     +     + + + +

    one (1) hour

    +     +     +     + + + +

    all security functions

    +     +     +     + + + +

    at a minimum, annually

    +     +     +     + + + +

    all users with privileges

    +     +     +     + + + +

    see additional Requirements and Guidance

    +     +     +     + + + +

    see additional Requirements and Guidance

    +     +     +     + + + +

    fifteen (15) minutes

    +     +     +     + + + +

    at least quarterly

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least one (1) year or 1 year after completion of a specific training program

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

    +     +     +     + + + +

    organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

    +     +     +     + + + +

    annually and whenever there is a change in the threat environment

    +     +     +     + + + +

    session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands

    +     +     +     + + + +

    overwrite oldest record

    +     +     +     + + + +

    at least weekly

    +     +     +     + + + +

    one second granularity of time measurement

    +     +     +     + + + +

    a time period in compliance with M-21-31

    +     +     +     + + + +

    all information system and network components where audit capability is deployed/available

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    individuals or roles to include FedRAMP PMO

    +     +     +     + + + +

    any FedRAMP Accredited 3PAO

    +     +     +     + + + +

    the conditions of the JAB/AO in the FedRAMP Repository

    +     +     +     + + + +

    at least annually and on input from JAB/AO

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    in accordance with OMB A-130 requirements or when a significant change occurs

    +     +     +     + + + +

    to include JAB/AO

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually and when a significant change occurs

    +     +     +     + + + +

    to include when directed by the JAB

    +     +     +     + + + +

    Configuration control board (CCB) or similar (as defined in CM-3)

    +     +     +     + + + +

    at least quarterly

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least quarterly or when there is a change

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    automated mechanisms with a maximum five-minute delay in detection

    +     +     +     + + + +

    continuously

    +     +     +     + + + +

    Continuously (via CM-7 (5))

    +     +     +     + + + +

    Federal data and system data that must be protected at the High or Moderate impact levels

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    all

    +     +     +     + + + +

    time period defined in service provider and organization SLA

    +     +     +     + + + +

    *See Additional Requirements

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    functional exercises

    +     +     +     + + + +

    daily incremental; weekly full

    +     +     +     + + + +

    daily incremental; weekly full

    +     +     +     + + + +

    daily incremental; weekly full

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    all backup files

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    local, network and remote

    +     +     +     + + + +

    privileged accounts; non-privileged accounts

    +     +     +     + + + +

    FIPS-validated or NSA-approved cryptography

    +     +     +     + + + +

    privileged accounts; non-privileged accounts

    +     +     +     + + + +

    at a minimum, the ISSO (or similar role within the organization)

    +     +     +     + + + +

    at least two (2) years

    +     +     +     + + + +

    contractors; foreign nationals

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    ten (10) days for privileged users, thirty (30) days for Incident Response roles

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    functional, at least annually

    +     +     +     + + + +

    US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    see additional FedRAMP Requirements and Guidance

    +     +     +     + + + +

    see additional FedRAMP Requirements and Guidance

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    the information owner

    +     +     +     + + + +

    a timeframe to support advertised uptime and availability

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    all types of digital and/or non-digital media containing sensitive information

    +     +     +     + + + +

    no removable media types

    +     +     +     + + + +

    organization-defined security safeguards not applicable

    +     +     +     + + + +

    all types of digital and non-digital media with sensitive information

    +     +     +     + + + +

    see additional FedRAMP requirements and guidance

    +     +     +     + + + +

    all media with sensitive information

    +     +     +     + + + +

    prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container

    +     +     +     + + + +

    techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    CSP defined physical access control systems/devices AND guards

    +     +     +     + + + +

    in all circumstances within restricted access area where the information system resides

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually or earlier as required by a security relevant event.

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    for a minimum of one (1) year

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off

    +     +     +     + + + +

    service provider building maintenance/physical security personnel

    +     +     +     + + + +

    service provider emergency responders with incident response responsibilities

    +     +     +     + + + +

    consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

    +     +     +     + + + +

    continuously

    +     +     +     + + + +

    all information system components

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    to include chief privacy and ISSO and/or similar role or designees

    +     +     +     + + + +

    to include chief privacy and ISSO and/or similar role

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually and when the rules are revised or changed

    +     +     +     + + + +

    at least annually and when a significant change occurs

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least every three years

    +     +     +     + + + +

    for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.

    +

    For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

    +     +     +     + + + +

    personnel screening criteria - as required by specific information

    +     +     +     + + + +

    four (4) hours

    +     +     +     + + + +

    twenty-four (24) hours

    +     +     +     + + + +

    including access control personnel responsible for the system

    +     +     +     + + + +

    twenty-four (24) hours

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually and any time there is a change to the user's level of access

    +     +     +     + + + +

    including access control personnel responsible for the system and/or facilities, as appropriate

    +     +     +     + + + +

    within twenty-four (24) hours

    +     +     +     + + + +

    to include the ISSO and/or similar role within the organization

    +     +     +     + + + +

    24 hours

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    security assessment report

    +     +     +     + + + +

    at least every three (3) years and when a significant change occurs

    +     +     +     + + + +

    at least every three (3) years

    +     +     +     + + + +

    monthly operating system/infrastructure; monthly web applications (including APIs) and databases

    +     +     +     + + + +

    high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

    +     +     +     + + + +

    within 24 hours prior to running scans

    +     +     +     + + + +

    all components that support authentication

    +     +     +     + + + +

    all scans

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;

    +     +     +     + + + +

    at a minimum, the ISSO (or similar role within the organization)

    +     +     +     + + + +

    Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system

    +     +     +     + + + +

    Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

    +     +     +     + + + +

    all external systems where Federal information is processed or stored

    +     +     +     + + + +

    information processing, information or data, AND system services

    +     +     +     + + + +

    development, implementation, AND operation

    +     +     +     + + + +

    frequency at least annually

    +     +     +     + + + +

    FedRAMP Security Authorization requirements

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    Protect against

    +     +     +     + + + +

    at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

    +     +     +     + + + +

    at least every 180 days or whenever there is a change in the threat environment that warrants a review of the exceptions

    +     +     +     + + + +

    any systems

    +     +     +     + + + +

    any network outside of organizational control and any network outside the authorization boundary

    +     +     +     + + + +

    Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall

    +     +     +     + + + +

    confidentiality AND integrity

    +     +     +     + + + +

    prevent unauthorized disclosure of information AND detect changes to information

    +     +     +     + + + +

    no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions

    +     +     +     + + + +

    In accordance with Federal requirements

    +     +     +     + + + +

    FIPS-validated or NSA-approved cryptography

    +     +     +     + + + +

    no exceptions for computing devices

    +     +     +     + + + +

    confidentiality AND integrity

    +     +     +     + + + +

    all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

    +     +     +     + + + +

    At least hourly

    +     +     +     + + + +

    http://tf.nist.gov/tf-cgi/servers.cgi

    +     +     +     + + + +

    any difference

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    within thirty (30) days of release of updates

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    signature based and non-signature based

    +     +     +     + + + +

    at least weekly

    +     +     +     + + + +

    to include endpoints and network entry and exit points

    +     +     +     + + + +

    to include blocking and quarantining malicious code

    +     +     +     + + + +

    administrator or defined security personnel near-realtime

    +     +     +     + + + +

    continuously

    +     +     +     + + + +

    to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

    +     +     +     + + + +

    to include system security personnel and administrators with configuration/patch-management responsibilities

    +     +     +     + + + +

    to include upon system startup and/or restart

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    to include system administrators and security personnel

    +     +     +     + + + +

    selection to include security relevant event

    +     +     +     + + + +

    at least monthly

    +     +     +     + + + +

    to include the ISSO and/or similar role within the organization

    +     +     +     + + + +

    to include chief privacy and ISSO and/or similar role or designees

    +     +     +     + + + +

    at least every 3 years

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    significant changes

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    at least annually

    +     +     +     + + + +

    notification of supply chain compromises and results of assessment or audits

    +     +     +     + + + +

    all

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AC-2 (3) Additional FedRAMP Requirements and Guidance + + +

    The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

    +     + + +

    The service provider defines the time period of inactivity for device identifiers.

    +     + + +

    For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + AC-2 (5) Additional FedRAMP Requirements and Guidance + + +

    Should use a shorter timeframe than AC-12.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AC-2 (9) Additional FedRAMP Requirements and Guidance + + +

    Required if shared/group accounts are deployed.

    +     +     +     + + + + + + + + + + + +     + + + + AC-2 (12) Additional FedRAMP Requirements and Guidance + + +

    Required for privileged accounts.

    +     + + +

    Required for privileged accounts.

    +     +     +     + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AC-5 Additional FedRAMP Requirements and Guidance + + +

    CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

    +     +     +     + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AC-6 (2) Additional FedRAMP Requirements and Guidance + + +

    Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AC-7 Additional FedRAMP Requirements and Guidance + + +

    In alignment with NIST SP 800-63B

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + AC-8 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

    +     + + +

    The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

    +     + + +

    If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

    +     + + +

    If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + AC-20 Additional FedRAMP Requirements and Guidance + + +

    The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

    +

    AC-20 describes system access to and from external systems.

    +

    CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

    +

    SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-2 Additional FedRAMP Requirements and Guidance + + +

    Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

    +     + + +

    Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-3 (1) Additional FedRAMP Requirements and Guidance + + +

    For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-6 Additional FedRAMP Requirements and Guidance + + +

    Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + AU-11 Additional FedRAMP Requirements and Guidance + + +

    The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

    +     + + +

    The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

    +     + + +

    The service provider is encouraged to align with M-21-31 where possible

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + CA-2 Additional FedRAMP Requirements and Guidance + + +

    Reference FedRAMP Annual Assessment Guidance.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CA-2 (1) Additional FedRAMP Requirements and Guidance + + +

    For JAB Authorization, must use an accredited 3PAO.

    +     +     +     + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CA-5 Additional FedRAMP Requirements and Guidance + + +

    POA&Ms must be provided at least monthly.

    +     + + +

    Reference FedRAMP-POAM-Template

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + CA-6 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CA-7 Additional FedRAMP Requirements and Guidance + + +

    Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

    +     + + +

    CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (Con Mon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSPs authorized via the Agency path as each agency customer is responsible for performing Con Mon oversight. It does not apply to CSPs authorized via the JAB path because the JAB performs Con Mon oversight.

    +     + + +

    FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CA-8 Additional FedRAMP Requirements and Guidance + + +

    Reference the FedRAMP Penetration Test Guidance.

    +     +     +     + + + + + + + + +     + + + + + + + + + + + + + + CA-8(2) Additional FedRAMP Requirements and Guidance + + +

    See the FedRAMP Documents page> Penetration Test Guidance

    +

    https://www.FedRAMP.gov/documents/

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CM-2 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CM-3 Additional FedRAMP Requirements and Guidance + + +

    The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

    +     + + +

    In accordance with record retention policies and procedures.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CM-6 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

    +     + + +

    The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

    +     + + +

    Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

    +

    During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + CM-7 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

    +     +     +     + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + CM-7 (2) Additional FedRAMP Requirements and Guidance + + +

    This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

    +     +     +     + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CM-8 Additional FedRAMP Requirements and Guidance + + +

    must be provided at least monthly or when there is a change.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

    +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CM-12 Additional FedRAMP Requirements and Guidance + + +

    According to FedRAMP Authorization Boundary Guidance

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CM-12 (1) Additional FedRAMP Requirements and Guidance + + +

    According to FedRAMP Authorization Boundary Guidance.

    +     +     +     + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + CP-2 Additional FedRAMP Requirements and Guidance + + +

    For JAB authorizations the contingency lists include designated FedRAMP personnel.

    +     + + +

    CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CP-3 Additional FedRAMP Requirements and Guidance + + +

    Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CP-4 Additional FedRAMP Requirements and Guidance + + +

    The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

    +     + + +

    The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CP-7 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + CP-7 (1) Additional FedRAMP Requirements and Guidance + + +

    The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

    +     +     +     + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CP-8 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

    +     +     +     + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CP-9 Additional FedRAMP Requirements and Guidance + + +

    The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

    +     + + +

    The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

    +     + + +

    The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

    +     + + +

    The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + CP-9 (8) Additional FedRAMP Requirements and Guidance + + +

    Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

    +     +     +     + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + IA-2 Additional FedRAMP Requirements and Guidance + + +

    For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

    +     + + +

    Multi-factor authentication must be phishing-resistant.

    +     + + +

    All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

    +     + + +

    Phishing-resistant authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

    +     +     +     + + + + + + + + + + + + + + + + + + +     + + + + IA-2 (1) Additional FedRAMP Requirements and Guidance + + +

    According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

    +     + + +

    Multi-factor authentication must be phishing-resistant.

    +     + + +

    Multi-factor authentication to subsequent components in the same user domain is not required.

    +     +     +     + + + + + + + + + + +     + + + + IA-2 (2) Additional FedRAMP Requirements and Guidance + + +

    According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

    +     + + +

    Multi-factor authentication must be phishing-resistant.

    +     + + +

    Multi-factor authentication to subsequent components in the same user domain is not required.

    +     +     +     + + + + + + + + + + +     + + + + + + + + + + + + + + + + IA-2 (6) Additional FedRAMP Requirements and Guidance + + +

    PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

    +     + + +

    See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography.

    +     +     +     + + + + + + + + + + + + + + + + + + + +     + + + + IA-2 (12) Additional FedRAMP Requirements and Guidance + + +

    Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IA-5 Additional FedRAMP Requirements and Guidance + + +

    Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3

    +     + + +

    SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + IA-5 (1) Additional FedRAMP Requirements and Guidance + + +

    Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

    +     + + +

    For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

    +

    For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

    +     + + +

    Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IA-5 (7) Additional FedRAMP Requirements and Guidance + + +

    In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process.

    +     +     +     + + + + + + + +     + + + + IA-11 Additional FedRAMP Requirements and Guidance + + +

    The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

    +
      +
    • AAL2 (moderate baseline) +
      • 12 hours or
      • 30 minutes of inactivity
      • -
    IA-12 Additional FedRAMP Requirements and Guidance

    In accordance with NIST SP 800-63A Enrollment and Identity Proofing

    IA-12 (5) Additional FedRAMP Requirements and Guidance

    In accordance with NIST SP 800-63A Enrollment and Identity Proofing

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    IR-3-2 Additional FedRAMP Requirements and Guidance

    The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

    IR-4 Additional FedRAMP Requirements and Guidance

    The FISMA definition of incident shall be used: An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

    The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

    IR-6 Additional FedRAMP Requirements and Guidance

    Reports security incident information according to FedRAMP Incident Communications Procedure.

    IR-8 Additional FedRAMP Requirements and Guidance

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    MA-5 (1) Additional FedRAMP Requirements and Guidance

    Only MA-5 (1) (a) (1) is required by FedRAMP Moderate Baseline

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    MP-3 Additional FedRAMP Requirements and Guidance

    Second parameter not-applicable

    MP-4 Additional FedRAMP Requirements and Guidance

    The service provider defines controlled areas within facilities where the information and information system reside.

    MP-5 Additional FedRAMP Requirements and Guidance

    The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    PE-14 Additional FedRAMP Requirements and Guidance

    The service provider measures temperature at server inlets and humidity levels by dew point.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    PL-8 Additional FedRAMP Requirements and Guidance

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    PL-10 Additional FedRAMP Requirements and Guidance

    Select the appropriate FedRAMP Baseline

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    RA-3 Additional FedRAMP Requirements and Guidance

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    RA-5 Additional FedRAMP Requirements and Guidance

    See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

    an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

    to include all Authorizing Officials; for JAB authorizations to include FedRAMP

    Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

    -

    Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

    -

    Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a warning as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on Tracking of Compliance Scans in FAQs.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SA-4 Additional FedRAMP Requirements and Guidance

    The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

    The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

    -

    See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

    SA-10 Additional FedRAMP Requirements and Guidance

    track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

    SA-11(1) Additional FedRAMP Requirements

    The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

    -

    If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SC-7 Additional FedRAMP Requirements and Guidance

    SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

    SC-7 (5) Additional FedRAMP Requirements and Guidance

    For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

    SC-8 Additional FedRAMP Requirements and Guidance

    For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

    -

    For clarity, this control applies to all data in transit. Examples include the following data flows:

    -
      -
    • Crossing the system boundary
      • -
    • Between compute instances - including containers
      • -
    • From a compute instance to storage
      • -
    • Replication between availability zones
      • -
    • Transmission of backups to storage
      • -
    • From a load balancer to a compute instance
      • -
    • Flows from management tools required for their work - e.g. log collection, scanning, etc.
      • -
    -

    The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).

    -

    FedRAMP-Defined Assignment / Selection Parameters

    -

    SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

    -

    SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

    SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

    -

    Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

    -

    Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS's Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS' recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

    -

    Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.

    -

    CNSSI No.7003 can be accessed here:

    -

    https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf

    -

    DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:

    -

    https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf

    SC-8 (1) Additional FedRAMP Requirements and Guidance

    Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

    See M-22-09, including Agencies encrypt all DNS requests and HTTP traffic within their environment

    -

    SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

    Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

    When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    SC-12 Additional FedRAMP Requirements and Guidance

    See references in NIST 800-53 documentation.

    Must meet applicable Federal Cryptographic Requirements. See References Section of control.

    Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

    SC-13 Additional FedRAMP Requirements and Guidance

    This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

    -
      -
    • Encryption of data
      • -
    • Decryption of data
      • -
    • Generation of one time passwords (OTPs) for MFA
      • -
    • Protocols such as TLS, SSH, and HTTPS
      • -
    -

    The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

    -

    https://csrc.nist.gov/projects/cryptographic-module-validation-program

    For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

    -

    https://www.niap-ccevs.org/Product/index.cfm

    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    Moving to non-FIPS CM or product is acceptable when:

    -
      -
    • FIPS validated version has a known vulnerability
      • -
    • Feature with vulnerability is in use
      • -
    • Non-FIPS version fixes the vulnerability
      • -
    • Non-FIPS version is submitted to NIST for FIPS validation
      • -
    • POA&M is added to track approval, and deployment when ready
      • -

    At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

    SC-15 Additional FedRAMP Requirements and Guidance

    The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

    SC-20 Additional FedRAMP Requirements and Guidance

    Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

    SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

    External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

    CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

    SC-21 Additional FedRAMP Requirements and Guidance

    Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

    -
      -
    • If the reply is signed, and fails DNSSEC, do not use the reply
      • -
    • If the reply is unsigned: -
        -
      • CSP chooses the policy to apply
        • -
      +
    +     +     +     + + + + + + + + + +     + + + + IA-12 Additional FedRAMP Requirements and Guidance + + +

    In accordance with NIST SP 800-63A Enrollment and Identity Proofing

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + IA-12 (5) Additional FedRAMP Requirements and Guidance + + +

    In accordance with NIST SP 800-63A Enrollment and Identity Proofing

    +     +     +     + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IR-3-2 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + IR-4 Additional FedRAMP Requirements and Guidance + + +

    The FISMA definition of incident shall be used: An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

    +     + + +

    The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + IR-6 Additional FedRAMP Requirements and Guidance + + +

    Reports security incident information according to FedRAMP Incident Communications Procedure.

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IR-8 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    +     + + +

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + MA-5 (1) Additional FedRAMP Requirements and Guidance + + +

    Only MA-5 (1) (a) (1) is required by FedRAMP Moderate Baseline

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + MP-3 Additional FedRAMP Requirements and Guidance + + +

    Second parameter not-applicable

    +     +     +     + + + + + + + + + + + + + + +     + + + + MP-4 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines controlled areas within facilities where the information and information system reside.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + MP-5 Additional FedRAMP Requirements and Guidance + + +

    The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PE-14 Additional FedRAMP Requirements and Guidance + + +

    The service provider measures temperature at server inlets and humidity levels by dew point.

    +     +     +     + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PL-8 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + PL-10 Additional FedRAMP Requirements and Guidance + + +

    Select the appropriate FedRAMP Baseline

    +     +     +     + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + RA-3 Additional FedRAMP Requirements and Guidance + + +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

    +     + + +

    Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + RA-5 Additional FedRAMP Requirements and Guidance + + +

    See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

    +     + + +

    an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    +     + + +

    If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

    +     + + +

    to include all Authorizing Officials; for JAB authorizations to include FedRAMP

    +     + + +

    Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

    +

    Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

    +

    Warnings are commonly associated with scanning solutions that also perform compliance scans, and if the scanner reports a warning as part of the compliance scanning of a CSO, follow guidance surrounding the tracking of compliance findings during either the assessment phases (initial assessment, annual assessment or any SCR) or monthly continuous monitoring as it applies. Guidance on compliance scan findings can be found by searching on Tracking of Compliance Scans in FAQs.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SA-4 Additional FedRAMP Requirements and Guidance + + +

    The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

    +     + + +

    The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

    +

    See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + SA-10 Additional FedRAMP Requirements and Guidance + + +

    track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + SA-11(1) Additional FedRAMP Requirements + + +

    The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

    +

    If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

    +     +     +     + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     + + + + + + +

    This response must address all control sub-statement requirements.

    +     +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SC-7 Additional FedRAMP Requirements and Guidance + + +

    SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SC-7 (5) Additional FedRAMP Requirements and Guidance + + +

    For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

    +     +     +     + + + + + + + + + + + + +     + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SC-8 Additional FedRAMP Requirements and Guidance + + +

    For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

    +

    For clarity, this control applies to all data in transit. Examples include the following data flows:

    +
      +
    • Crossing the system boundary
      • +
    • Between compute instances - including containers
      • +
    • From a compute instance to storage
      • +
    • Replication between availability zones
      • +
    • Transmission of backups to storage
      • +
    • From a load balancer to a compute instance
      • +
    • Flows from management tools required for their work - e.g. log collection, scanning, etc.
      • +
    +

    The following applies only when choosing SC-8 (5) in lieu of SC-8 (1).

    +

    FedRAMP-Defined Assignment / Selection Parameters

    +

    SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

    +

    SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

    +     + + +

    SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

    +

    Hardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).

    +

    Controlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS's Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS' recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).

    +

    Note: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.

    +

    CNSSI No.7003 can be accessed here:

    +

    https://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf

    +

    DHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:

    +

    https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf

    +     +     +     + + + + + + + + + + + + +     + + + + SC-8 (1) Additional FedRAMP Requirements and Guidance + + +

    Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

    +     + + +

    See M-22-09, including Agencies encrypt all DNS requests and HTTP traffic within their environment

    +

    SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

    +     + + +

    Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

    +     + + +

    When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    +     +     +     + + + + + + + + + +     + + + + SC-12 Additional FedRAMP Requirements and Guidance + + +

    See references in NIST 800-53 documentation.

    +     + + +

    Must meet applicable Federal Cryptographic Requirements. See References Section of control.

    +     + + +

    Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

    +     +     +     + + + + + + + + + + + + +     + + + + SC-13 Additional FedRAMP Requirements and Guidance + + +

    This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

    +
      +
    • Encryption of data
      • +
    • Decryption of data
      • +
    • Generation of one time passwords (OTPs) for MFA
      • +
    • Protocols such as TLS, SSH, and HTTPS
      • +
    +

    The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

    +

    https://csrc.nist.gov/projects/cryptographic-module-validation-program

    +     + + +

    For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

    +

    https://www.niap-ccevs.org/Product/index.cfm

    +     + + +

    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    +     + + +

    Moving to non-FIPS CM or product is acceptable when:

    +
      +
    • FIPS validated version has a known vulnerability
      • +
    • Feature with vulnerability is in use
      • +
    • Non-FIPS version fixes the vulnerability
      • +
    • Non-FIPS version is submitted to NIST for FIPS validation
      • +
    • POA&M is added to track approval, and deployment when ready
      • +
    +     + + +

    At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

    +     +     +     + + + + + + + + + + + + + + + + + + + + +     + + + + SC-15 Additional FedRAMP Requirements and Guidance + + +

    The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

    +     +     +     + + + + + + + + + + + + + + + + + +     + + + + SC-20 Additional FedRAMP Requirements and Guidance + + +

    Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

    +     + + +

    SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

    +     + + +

    External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

    +     + + +

    CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

    +     +     +     + + + + + + + + + + + + + + + + + + + + + + + + +     + + + + SC-21 Additional FedRAMP Requirements and Guidance + + +

    Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

    +
      +
    • If the reply is signed, and fails DNSSEC, do not use the reply
      • +
    • If the reply is unsigned: +
      • CSP chooses the policy to apply
      • -

    Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

    Accepting an unsigned reply is acceptable

    SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

    -
      -
    • DNSSEC resolution to access a component inside the boundary is excluded.
      • -
    SC-28 Additional FedRAMP Requirements and Guidance

    The organization supports the capability to use cryptographic mechanisms to protect information at rest.

    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

    Note that this enhancement requires the use of cryptography in accordance with SC-13.

    SC-28 (1) Additional FedRAMP Requirements and Guidance

    Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

    -

    Examples:

    -

    A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

    -

    B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

    -

    C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

    SC-45(1) Additional FedRAMP Requirements and Guidance

    The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

    The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

    Synchronization of system clocks improves the accuracy of log analysis.

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SI-4 Additional FedRAMP Requirements and Guidance

    See US-CERT Incident Response Reporting Guidelines.

    SI-4 (5) Additional FedRAMP Requirements and Guidance

    In accordance with the incident response plan.

    SI-5 Additional FedRAMP Requirements and Guidance

    Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

    SI-8 Additional FedRAMP Requirements and Guidance

    When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.

    -

    https://cyber.dhs.gov/bod/18-01/

    CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.

    SI-10 Additional FedRAMP Requirements and Guidance

    Validate all information inputs and document any exceptions

    This response must address all control sub-statement requirements.

    This response must address all control sub-statement requirements.

    SR-3 Additional FedRAMP Requirements and Guidance

    CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

    SR-6 Additional FedRAMP Requirements and Guidance

    CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.

    SR-8 Additional FedRAMP Requirements and Guidance

    CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

    SR-11 Additional FedRAMP Requirements and Guidance

    CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

    FedRAMP Applicable Laws and Regulations

    FedRAMP Logo

    NIST Special Publication (SP) 800-53 revision 5     \ No newline at end of file +
+ + + +

Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

+ + + +

Accepting an unsigned reply is acceptable

+ + + +

SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

+
    +
  • DNSSEC resolution to access a component inside the boundary is excluded.
    • +
+ + + + + + + + + + + + + + + + + + + + SC-28 Additional FedRAMP Requirements and Guidance + + +

The organization supports the capability to use cryptographic mechanisms to protect information at rest.

+ + + +

When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

+ + + +

Note that this enhancement requires the use of cryptography in accordance with SC-13.

+ + + + + + + + + + + + + + + + + + + + SC-28 (1) Additional FedRAMP Requirements and Guidance + + +

Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

+

Examples:

+

A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

+

B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

+

C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.

+ + + + + + + + + + + + + + + + + SC-45(1) Additional FedRAMP Requirements and Guidance + + +

The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

+ + + +

The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

+ + + +

Synchronization of system clocks improves the accuracy of log analysis.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SI-4 Additional FedRAMP Requirements and Guidance + + +

See US-CERT Incident Response Reporting Guidelines.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SI-4 (5) Additional FedRAMP Requirements and Guidance + + +

In accordance with the incident response plan.

+ + + + + + + + + + + + + + + + + SI-5 Additional FedRAMP Requirements and Guidance + +

Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SI-8 Additional FedRAMP Requirements and Guidance + + +

When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.

+

https://cyber.dhs.gov/bod/18-01/

+ + + +

CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.

+ + + + + + + + + + + + + + + + + + + + + + + + SI-10 Additional FedRAMP Requirements and Guidance + + +

Validate all information inputs and document any exceptions

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + +

This response must address all control sub-statement requirements.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SR-3 Additional FedRAMP Requirements and Guidance + + +

CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SR-6 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.

+ + + + + + + + + + + + + + + + SR-8 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

+ + + + + + + + + + + + + + + + SR-11 Additional FedRAMP Requirements and Guidance + + +

CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + FedRAMP Applicable Laws and Regulations + + + + +

FedRAMP Logo

+ + + + + + NIST Special Publication (SP) 800-53 revision 5 + + + + + diff --git a/package-lock.json b/package-lock.json index 969b121bc..4cd717680 100644 --- a/package-lock.json +++ b/package-lock.json @@ -28,6 +28,7 @@ "@types/jsdom": "^21.1.7", "@types/xml2js": "^0.4.14", "cross-env": "^7.0.3", + "pretty-data": "^0.40.0", "typescript": "^5.5.2" } }, @@ -2921,6 +2922,16 @@ "url": "https://github.com/prettier/prettier?sponsor=1" } }, + "node_modules/pretty-data": { + "version": "0.40.0", + "resolved": "https://registry.npmjs.org/pretty-data/-/pretty-data-0.40.0.tgz", + "integrity": "sha512-YFLnEdDEDnkt/GEhet5CYZHCvALw6+Elyb/tp8kQG03ZSIuzeaDWpZYndCXwgqu4NAjh1PI534dhDS1mHarRnQ==", + "dev": true, + "license": "MIT", + "engines": { + "node": "*" + } + }, "node_modules/progress": { "version": "2.0.3", "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz", diff --git a/src/content/module.mk b/src/content/module.mk index 88de7e22c..45e5a853c 100644 --- a/src/content/module.mk +++ b/src/content/module.mk @@ -7,6 +7,7 @@ DIST_DIR = ./dist XML_DIR = $(DIST_DIR)/content/rev5/baselines/xml JSON_DIR = $(DIST_DIR)/content/rev5/baselines/json YAML_DIR = $(DIST_DIR)/content/rev5/baselines/yaml +XMLLINT := $(shell command -v xmllint 2>/dev/null || command -v /usr/bin/xmllint 2>/dev/null || command -v /mingw64/bin/xmllint 2>/dev/null) # Format configuration XML_FILES := $(shell find $(XML_DIR) -type f -name "*.xml" 2>/dev/null) @@ -19,6 +20,8 @@ init-content: $(OSCAL_CLI) use $(OSCAL_CLI_VERSION) $(OSCAL_CLI) server update $(OSCAL_CLI) server start -bg + @(command -v xmllint >/dev/null 2>&1 || (command -v apt-get >/dev/null 2>&1 && sudo apt-get install -y libxml2-utils) || (command -v brew >/dev/null 2>&1 && brew install libxml2) || (command -v choco >/dev/null 2>&1 && choco install xsltproc) || echo "Please install xmllint manually") + # Generate content and perform conversions .PHONY: build-content @@ -54,7 +57,7 @@ format-xml: @echo "Formatting XML files..." @for file in $(XML_FILES); do \ echo "Formatting $$file..."; \ - xmllint --format --output "$$file" "$$file"; \ + $(XMLLINT) --format --output "$$file" "$$file"; \ done .PHONY: format-json From 870fcd8ae91470e4e7989dc2093b852894d50d7e Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Thu, 16 Jan 2025 12:29:40 -0500 Subject: [PATCH 3/7] fix duplicate statement ids --- .../FedRAMP_rev5_HIGH-baseline_profile.xml | 512 +++++++++--------- ...FedRAMP_rev5_MODERATE-baseline_profile.xml | 464 ++++++++-------- 2 files changed, 488 insertions(+), 488 deletions(-) diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml index 6805e88f7..659d89f98 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml @@ -1,12 +1,12 @@ - + FedRAMP Rev 5 High Baseline 2024-09-24T02:24:00Z - 2025-01-15T00:00:00Z - fedramp-3.0.0rc1-oscal-1.1.2 - 1.1.2 + 2024-09-24T02:24:00Z + fedramp2.1.0-oscal1.0.4 + 1.0.4 Document creator @@ -2873,17 +2873,17 @@ - + AC-2 (3) Additional FedRAMP Requirements and Guidance - +

The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

 - +

The service provider defines the time period of inactivity for device identifiers.

 - +

For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.

 @@ -2940,9 +2940,9 @@ - + AC-2 (5) Additional FedRAMP Requirements and Guidance - +

Should use a shorter timeframe than AC-12.

 @@ -2999,9 +2999,9 @@ - + AC-2 (9) Additional FedRAMP Requirements and Guidance - +

Required if shared/group accounts are deployed.

 @@ -3021,13 +3021,13 @@ - + AC-2 (12) Additional FedRAMP Requirements and Guidance - +

Required for privileged accounts.

 - +

Required for privileged accounts.

 @@ -3168,9 +3168,9 @@ - + AC-4 (4) Additional FedRAMP Requirements and Guidance - +

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

 @@ -3187,9 +3187,9 @@ - + AC-5 Additional FedRAMP Requirements and Guidance - +

CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

 @@ -3256,9 +3256,9 @@ - + AC-6 (2) Additional FedRAMP Requirements and Guidance - +

Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

 @@ -3349,9 +3349,9 @@ - + AC-7 Additional FedRAMP Requirements and Guidance - +

In alignment with NIST SP 800-63B.

 @@ -3376,21 +3376,21 @@ - + AC-8 Additional FedRAMP Requirements and Guidance - +

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

 - +

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

 - +

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

 - +

If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

 @@ -3438,9 +3438,9 @@ - + AC-20 Additional FedRAMP Requirements and Guidance - +

The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

AC-20 describes system access to and from external systems.

@@ -3767,13 +3767,13 @@ - + AU-2 Additional FedRAMP Requirements and Guidance - +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

 - +

Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

 @@ -3856,9 +3856,9 @@ - + AU-3 (1) Additional FedRAMP Requirements and Guidance - +

For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

 @@ -3938,9 +3938,9 @@ - + AU-6 Additional FedRAMP Requirements and Guidance - +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

 @@ -4028,9 +4028,9 @@ - + AU-6 (6) Additional FedRAMP Requirements and Guidance - +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

 @@ -4141,9 +4141,9 @@ - + AU-9 (3) Additional FedRAMP Requirements and Guidance - +

Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

 @@ -4160,17 +4160,17 @@ - + AU-11 Additional FedRAMP Requirements and Guidance - +

The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

 - +

The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

 - +

The service provider is encouraged to align with M-21-31 where possible

 @@ -4256,9 +4256,9 @@ - + CA-2 Additional FedRAMP Requirements and Guidance - +

Reference FedRAMP Annual Assessment Guidance.

 @@ -4322,9 +4322,9 @@ - + CA-2 (1) Additional FedRAMP Requirements and Guidance - +

For JAB Authorization, must use an accredited 3PAO.

 @@ -4341,9 +4341,9 @@ - + CA-2 (2) Additional FedRAMP Requirements and Guidance - +

To include 'announced', 'vulnerability scanning'

 @@ -4405,13 +4405,13 @@ - + CA-5 Additional FedRAMP Requirements and Guidance - +

POA&Ms must be provided at least monthly.

 - +

Reference FedRAMP-POAM-Template

 @@ -4436,9 +4436,9 @@ - + CA-6 Additional FedRAMP Requirements and Guidance - +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

 @@ -4491,17 +4491,17 @@ - + CA-7 Additional FedRAMP Requirements and Guidance - +

Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

 - +

CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight.

 - +

FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

 @@ -4617,9 +4617,9 @@ - + CA-8 Additional FedRAMP Requirements and Guidance - +

Reference the FedRAMP Penetration Test Guidance.

 @@ -4646,9 +4646,9 @@ - + CA-8(2) Additional FedRAMP Requirements and Guidance - +

See the FedRAMP Documents page> Penetration Test Guidance

https://www.FedRAMP.gov/documents/

@@ -4809,9 +4809,9 @@ - + CM-2 Additional FedRAMP Requirements and Guidance - +

Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

 @@ -4882,13 +4882,13 @@ - + CM-3 Additional FedRAMP Requirements and Guidance - +

The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

 - +

In accordance with record retention policies and procedures.

 @@ -5153,17 +5153,17 @@ - + CM-6 Additional FedRAMP Requirements and Guidance - +

The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

 - +

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

 - +

Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

@@ -5232,9 +5232,9 @@ - + CM-7 Additional FedRAMP Requirements and Guidance - +

The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

 @@ -5282,9 +5282,9 @@ - + CM-7 (2) Additional FedRAMP Requirements and Guidance - +

This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

 @@ -5331,9 +5331,9 @@ - + CM-8 Additional FedRAMP Requirements and Guidance - +

must be provided at least monthly or when there is a change.

 @@ -5427,7 +5427,7 @@ - +

FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

 @@ -5484,9 +5484,9 @@ - + CM-12 Additional FedRAMP Requirements and Guidance - +

According to FedRAMP Authorization Boundary Guidance

 @@ -5529,9 +5529,9 @@ - + CM-12 (1) Additional FedRAMP Requirements and Guidance - +

According to FedRAMP Authorization Boundary Guidance.

 @@ -5547,7 +5547,7 @@ - +

If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

 @@ -5652,13 +5652,13 @@ - + CP-2 Additional FedRAMP Requirements and Guidance - +

For JAB authorizations the contingency lists include designated FedRAMP personnel.

 - +

CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

 @@ -5824,9 +5824,9 @@ - + CP-3 Additional FedRAMP Requirements and Guidance - +

Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

 @@ -5877,13 +5877,13 @@ - + CP-4 Additional FedRAMP Requirements and Guidance - +

The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

 - +

The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

 @@ -6026,9 +6026,9 @@ - + CP-7 Additional FedRAMP Requirements and Guidance - +

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

 @@ -6070,9 +6070,9 @@ - + CP-7 (1) Additional FedRAMP Requirements and Guidance - +

The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

 @@ -6125,9 +6125,9 @@ - + CP-8 Additional FedRAMP Requirements and Guidance - +

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

 @@ -6211,21 +6211,21 @@ - + CP-9 Additional FedRAMP Requirements and Guidance - +

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

 - +

The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

 - +

The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

 - +

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

 @@ -6318,9 +6318,9 @@ - + CP-9 (8) Additional FedRAMP Requirements and Guidance - +

Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

 @@ -6425,21 +6425,21 @@ - + IA-2 Additional FedRAMP Requirements and Guidance - +

For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

 - +

Multi-factor authentication must be phishing-resistant.

 - +

All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

 - +

"Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

 @@ -6466,17 +6466,17 @@ - + IA-2 (1) Additional FedRAMP Requirements and Guidance - +

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

 - +

Multi-factor authentication must be phishing-resistant.

 - +

Multi-factor authentication to subsequent components in the same user domain is not required.

 @@ -6495,17 +6495,17 @@ - + IA-2 (2) Additional FedRAMP Requirements and Guidance - +

According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

 - +

Multi-factor authentication must be phishing-resistant.

 - +

Multi-factor authentication to subsequent components in the same user domain is not required.

 @@ -6536,13 +6536,13 @@ - + IA-2 (6) Additional FedRAMP Requirements and Guidance - +

PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

 - +

See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography.

 @@ -6570,9 +6570,9 @@ - + IA-2 (12) Additional FedRAMP Requirements and Guidance - +

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

 @@ -6662,13 +6662,13 @@ - + IA-5 Additional FedRAMP Requirements and Guidance - +

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3

 - +

SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

 @@ -6757,18 +6757,18 @@ - + IA-5 (1) Additional FedRAMP Requirements and Guidance - +

Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

 - +

For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

 - +

Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

 @@ -6869,9 +6869,9 @@ - + IA-5 (7) Additional FedRAMP Requirements and Guidance - +

In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process.

 @@ -6887,9 +6887,9 @@ - + IA-5 (8) Additional FedRAMP Requirements and Guidance - +

If a single user authentication domain is used to access multiple systems, such as in single-sign-on, then only a single authenticator is required.

 @@ -6906,9 +6906,9 @@ - + IA-5 (13) Additional FedRAMP Requirements and Guidance - +

For components subject to configuration baseline(s) (such as STIG or CIS,) the time period should conform to the baseline standard.

 @@ -6925,9 +6925,9 @@ - + IA-11 Additional FedRAMP Requirements and Guidance - +

The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

    @@ -6952,9 +6952,9 @@ - + IA-12 Additional FedRAMP Requirements and Guidance - +

    In accordance with NIST SP 800-63A Enrollment and Identity Proofing

     @@ -6988,9 +6988,9 @@     - + IA-12 (5) Additional FedRAMP Requirements and Guidance - +

    In accordance with NIST SP 800-63A Enrollment and Identity Proofing

     @@ -7181,9 +7181,9 @@     - + IR-3-2 Additional FedRAMP Requirements and Guidance - +

    The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

     @@ -7213,13 +7213,13 @@     - + IR-4 Additional FedRAMP Requirements and Guidance - +

    The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

     - +

    The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

     @@ -7361,9 +7361,9 @@     - + IR-6 Additional FedRAMP Requirements and Guidance - +

    Reports security incident information according to FedRAMP Incident Communications Procedure.

     @@ -7435,13 +7435,13 @@     - + IR-8 Additional FedRAMP Requirements and Guidance - +

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

     - +

    The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

     @@ -8001,9 +8001,9 @@     - + MP-3 Additional FedRAMP Requirements and Guidance - +

    Second parameter not-applicable

     @@ -8026,9 +8026,9 @@     - + MP-4 Additional FedRAMP Requirements and Guidance - +

    The service provider defines controlled areas within facilities where the information and information system reside.

     @@ -8073,9 +8073,9 @@     - + MP-5 Additional FedRAMP Requirements and Guidance - +

    The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

     @@ -8141,9 +8141,9 @@     - + MP-6 (1) Additional FedRAMP Requirements and Guidance - +

    Must comply with NIST SP 800-88

     @@ -8159,9 +8159,9 @@     - + MP-6 (2) Additional FedRAMP Requirements and Guidance - +

    Equipment and procedures may be tested or validated for effectiveness

     @@ -8177,9 +8177,9 @@     - + MP-6 (3) Additional FedRAMP Requirements and Guidance - +

    Must comply with NIST SP 800-88

     @@ -8424,9 +8424,9 @@     - + PE-14 Additional FedRAMP Requirements and Guidance - +

    The service provider measures temperature at server inlets and humidity levels by dew point.

     @@ -9086,9 +9086,9 @@     - + PL-8 Additional FedRAMP Requirements and Guidance - +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

     @@ -9159,9 +9159,9 @@     - + PL-10 Additional FedRAMP Requirements and Guidance - +

    Select the appropriate FedRAMP Baseline

     @@ -9556,13 +9556,13 @@     - + RA-3 Additional FedRAMP Requirements and Guidance - +

    Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

     - +

    Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

     @@ -9646,25 +9646,25 @@     - + RA-5 Additional FedRAMP Requirements and Guidance - +

    See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

     - +

    an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

     - +

    If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

     - +

    to include all Authorizing Officials; for JAB authorizations to include FedRAMP

     - +

    Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

    Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

    @@ -9802,9 +9802,9 @@     - + RA-5(8) Additional FedRAMP Requirement - +

    This enhancement is required for all high (or critical) vulnerability scan findings.

     @@ -10281,13 +10281,13 @@     - + SA-4 Additional FedRAMP Requirements and Guidance - +

    The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

     - +

    The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

    See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

    @@ -10384,9 +10384,9 @@     - + SA-10 Additional FedRAMP Requirements and Guidance - +

    track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

     @@ -10436,9 +10436,9 @@     - + SA-11(1) Additional FedRAMP Requirements - +

    The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

    If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

    @@ -10965,9 +10965,9 @@     - + SC-7 Additional FedRAMP Requirements and Guidance - +

    SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

     @@ -11182,9 +11182,9 @@     - + SC-7 (5) Additional FedRAMP Requirements and Guidance - +

    For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

     @@ -11233,9 +11233,9 @@     - + SC-8 Additional FedRAMP Requirements and Guidance - +

    For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

    @@ -11255,7 +11255,7 @@

    SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

    SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

     - +

    SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

    @@ -11288,22 +11288,22 @@ - + SC-8 (1) Additional FedRAMP Requirements and Guidance - +

    Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

     - +

    See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

    SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

     - +

    Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

     - +

    When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

     @@ -11321,17 +11321,17 @@     - + SC-12 Additional FedRAMP Requirements and Guidance - +

    See references in NIST 800-53 documentation.

     - +

    Must meet applicable Federal Cryptographic Requirements. See References Section of control.

     - +

    Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

     @@ -11352,10 +11352,10 @@     - + SC-13 Additional FedRAMP Requirements and Guidance - +

    This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

      @@ -11368,16 +11368,16 @@

      The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

      https://csrc.nist.gov/projects/cryptographic-module-validation-program

      - +

      For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

      https://www.niap-ccevs.org/Product/index.cfm

       - +

      When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

       - +

      Moving to non-FIPS CM or product is acceptable when:

        @@ -11388,7 +11388,7 @@
      • POA&M is added to track approval, and deployment when ready
       - +

      At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

       @@ -11417,9 +11417,9 @@ - + SC-15 Additional FedRAMP Requirements and Guidance - +

      The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

       @@ -11445,25 +11445,25 @@       - + SC-20 Additional FedRAMP Requirements and Guidance - +

      Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

       - +

      Authoritative DNS servers must be geolocated in accordance with SA-9 (5).

       - +

      SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

       - +

      External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

       - +

      CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

       @@ -11496,9 +11496,9 @@       - + SC-21 Additional FedRAMP Requirements and Guidance - +

      Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

        @@ -11509,15 +11509,15 @@
      - +

      Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

       - +

      Accepting an unsigned reply is acceptable

       - +

      SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

      - DNSSEC resolution to access a component inside the boundary is excluded.

      @@ -11539,17 +11539,17 @@       - + SC-28 Additional FedRAMP Requirements and Guidance - +

      The organization supports the capability to use cryptographic mechanisms to protect information at rest.

       - +

      When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

       - +

      Note that this enhancement requires the use of cryptography in accordance with SC-13.

       @@ -11570,9 +11570,9 @@       - + SC-28 (1) Additional FedRAMP Requirements and Guidance - +

      Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

      Examples:

      @@ -11594,17 +11594,17 @@       - + SC-45(1) Additional FedRAMP Requirements and Guidance - +

      The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

       - +

      The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

       - +

      Synchronization of system clocks improves the accuracy of log analysis.

       @@ -11840,9 +11840,9 @@       - + SI-4 Additional FedRAMP Requirements and Guidance - +

      See US-CERT Incident Response Reporting Guidelines.

       @@ -12088,9 +12088,9 @@       - + SI-4 (5) Additional FedRAMP Requirements and Guidance - +

      In accordance with the incident response plan.

       @@ -12108,9 +12108,9 @@       - + SI-4 (10) Additional FedRAMP Requirements and Guidance - +

      The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

       @@ -12130,7 +12130,7 @@       - + SI-5 Additional FedRAMP Requirements and Guidance

      Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

      @@ -12297,14 +12297,14 @@       - + SI-8 Additional FedRAMP Requirements and Guidance - +

      When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.

      https://cyber.dhs.gov/bod/18-01/

       - +

      CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.

       @@ -12329,9 +12329,9 @@       - + SI-10 Additional FedRAMP Requirements and Guidance - +

      Validate all information inputs and document any exceptions

       @@ -12524,9 +12524,9 @@       - + SR-3 Additional FedRAMP Requirements and Guidance - +

      CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

       @@ -12575,9 +12575,9 @@       - + SR-6 Additional FedRAMP Requirements and Guidance - +

      CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.

       @@ -12594,9 +12594,9 @@       - + SR-8 Additional FedRAMP Requirements and Guidance - +

      CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

       @@ -12613,9 +12613,9 @@       - + SR-9 Additional FedRAMP Requirements and Guidance - +

      CSOs must ensure vendors provide authenticity of software and patches supplied to the service provider including documenting the safeguards in place.

       @@ -12642,9 +12642,9 @@       - + SR-11 Additional FedRAMP Requirements and Guidance - +

      CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

       diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml index 70977fe61..3e4e80f01 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml @@ -1,12 +1,12 @@ - + FedRAMP Rev 5 Moderate Baseline 2024-09-24T02:24:00Z - 2025-01-15T00:00:00Z - fedramp-3.0.0rc1-oscal-1.1.2 - 1.1.2 + 2024-09-24T02:24:00Z + fedramp2.1.0-oscal1.0.4 + 1.0.4 Document creator @@ -2494,17 +2494,17 @@ - + AC-2 (3) Additional FedRAMP Requirements and Guidance - +

      The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

       - +

      The service provider defines the time period of inactivity for device identifiers.

       - +

      For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.

       @@ -2562,9 +2562,9 @@ - + AC-2 (5) Additional FedRAMP Requirements and Guidance - +

      Should use a shorter timeframe than AC-12.

       @@ -2621,9 +2621,9 @@       - + AC-2 (9) Additional FedRAMP Requirements and Guidance - +

      Required if shared/group accounts are deployed.

       @@ -2644,13 +2644,13 @@ - + AC-2 (12) Additional FedRAMP Requirements and Guidance - +

      Required for privileged accounts.

       - +

      Required for privileged accounts.

       @@ -2792,9 +2792,9 @@       - + AC-5 Additional FedRAMP Requirements and Guidance - +

      CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

       @@ -2861,9 +2861,9 @@       - + AC-6 (2) Additional FedRAMP Requirements and Guidance - +

      Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

       @@ -2926,9 +2926,9 @@ - + AC-7 Additional FedRAMP Requirements and Guidance - +

      In alignment with NIST SP 800-63B

       @@ -2953,21 +2953,21 @@       - + AC-8 Additional FedRAMP Requirements and Guidance - +

      The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

       - +

      The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

       - +

      If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

       - +

      If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

       @@ -3020,9 +3020,9 @@ - + AC-20 Additional FedRAMP Requirements and Guidance - +

      The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

      AC-20 describes system access to and from external systems.

      @@ -3318,13 +3318,13 @@ - + AU-2 Additional FedRAMP Requirements and Guidance - +

      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

       - +

      Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

       @@ -3407,9 +3407,9 @@       - + AU-3 (1) Additional FedRAMP Requirements and Guidance - +

      For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

       @@ -3464,9 +3464,9 @@ - + AU-6 Additional FedRAMP Requirements and Guidance - +

      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

       @@ -3506,17 +3506,17 @@ - + AU-11 Additional FedRAMP Requirements and Guidance - +

      The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

       - +

      The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

       - +

      The service provider is encouraged to align with M-21-31 where possible

       @@ -3698,9 +3698,9 @@ - + CA-2 Additional FedRAMP Requirements and Guidance - +

      Reference FedRAMP Annual Assessment Guidance.

       @@ -3764,9 +3764,9 @@       - + CA-2 (1) Additional FedRAMP Requirements and Guidance - +

      For JAB Authorization, must use an accredited 3PAO.

       @@ -3822,13 +3822,13 @@ - + CA-5 Additional FedRAMP Requirements and Guidance - +

      POA&Ms must be provided at least monthly.

       - +

      Reference FedRAMP-POAM-Template

       @@ -3853,9 +3853,9 @@       - + CA-6 Additional FedRAMP Requirements and Guidance - +

      Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

       @@ -3909,17 +3909,17 @@ - + CA-7 Additional FedRAMP Requirements and Guidance - +

      Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

       - +

      CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (Con Mon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSPs authorized via the Agency path as each agency customer is responsible for performing Con Mon oversight. It does not apply to CSPs authorized via the JAB path because the JAB performs Con Mon oversight.

       - +

      FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

       @@ -4037,9 +4037,9 @@ - + CA-8 Additional FedRAMP Requirements and Guidance - +

      Reference the FedRAMP Penetration Test Guidance.

       @@ -4066,9 +4066,9 @@       - + CA-8(2) Additional FedRAMP Requirements and Guidance - +

      See the FedRAMP Documents page> Penetration Test Guidance

      https://www.FedRAMP.gov/documents/

      @@ -4232,9 +4232,9 @@ - + CM-2 Additional FedRAMP Requirements and Guidance - +

      Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

       @@ -4306,13 +4306,13 @@ - + CM-3 Additional FedRAMP Requirements and Guidance - +

      The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

       - +

      In accordance with record retention policies and procedures.

       @@ -4470,17 +4470,17 @@ - + CM-6 Additional FedRAMP Requirements and Guidance - +

      The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

       - +

      The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

       - +

      Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

      During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

      @@ -4536,9 +4536,9 @@       - + CM-7 Additional FedRAMP Requirements and Guidance - +

      The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

       @@ -4587,9 +4587,9 @@       - + CM-7 (2) Additional FedRAMP Requirements and Guidance - +

      This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

       @@ -4638,9 +4638,9 @@ - + CM-8 Additional FedRAMP Requirements and Guidance - +

      must be provided at least monthly or when there is a change.

       @@ -4716,7 +4716,7 @@ - +

      FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

       @@ -4774,9 +4774,9 @@ - + CM-12 Additional FedRAMP Requirements and Guidance - +

      According to FedRAMP Authorization Boundary Guidance

       @@ -4820,9 +4820,9 @@ - + CM-12 (1) Additional FedRAMP Requirements and Guidance - +

      According to FedRAMP Authorization Boundary Guidance.

       @@ -4919,13 +4919,13 @@ - + CP-2 Additional FedRAMP Requirements and Guidance - +

      For JAB authorizations the contingency lists include designated FedRAMP personnel.

       - +

      CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

       @@ -5063,9 +5063,9 @@ - + CP-3 Additional FedRAMP Requirements and Guidance - +

      Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

       @@ -5106,13 +5106,13 @@ - + CP-4 Additional FedRAMP Requirements and Guidance - +

      The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

       - +

      The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

       @@ -5224,9 +5224,9 @@       - + CP-7 Additional FedRAMP Requirements and Guidance - +

      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

       @@ -5268,9 +5268,9 @@       - + CP-7 (1) Additional FedRAMP Requirements and Guidance - +

      The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

       @@ -5312,9 +5312,9 @@       - + CP-8 Additional FedRAMP Requirements and Guidance - +

      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

       @@ -5362,21 +5362,21 @@       - + CP-9 Additional FedRAMP Requirements and Guidance - +

      The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

       - +

      The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

       - +

      The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

       - +

      The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

       @@ -5433,9 +5433,9 @@ - + CP-9 (8) Additional FedRAMP Requirements and Guidance - +

      Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

       @@ -5531,21 +5531,21 @@       - + IA-2 Additional FedRAMP Requirements and Guidance - +

      For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

       - +

      Multi-factor authentication must be phishing-resistant.

       - +

      All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

       - +

      "Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

       @@ -5572,17 +5572,17 @@       - + IA-2 (1) Additional FedRAMP Requirements and Guidance - +

      According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

       - +

      Multi-factor authentication must be phishing-resistant.

       - +

      Multi-factor authentication to subsequent components in the same user domain is not required.

       @@ -5601,17 +5601,17 @@       - + IA-2 (2) Additional FedRAMP Requirements and Guidance - +

      According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

       - +

      Multi-factor authentication must be phishing-resistant.

       - +

      Multi-factor authentication to subsequent components in the same user domain is not required.

       @@ -5642,13 +5642,13 @@       - + IA-2 (6) Additional FedRAMP Requirements and Guidance - +

      PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

       - +

      See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography.

       @@ -5676,9 +5676,9 @@       - + IA-2 (12) Additional FedRAMP Requirements and Guidance - +

      Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

       @@ -5770,13 +5770,13 @@ - + IA-5 Additional FedRAMP Requirements and Guidance - +

      Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3

       - +

      SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

       @@ -5865,18 +5865,18 @@       - + IA-5 (1) Additional FedRAMP Requirements and Guidance - +

      Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

       - +

      For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

      For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

       - +

      Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

       @@ -5977,9 +5977,9 @@       - + IA-5 (7) Additional FedRAMP Requirements and Guidance - +

      In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process.

       @@ -5998,9 +5998,9 @@ - + IA-11 Additional FedRAMP Requirements and Guidance - +

      The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

        @@ -6026,9 +6026,9 @@ - + IA-12 Additional FedRAMP Requirements and Guidance - +

        In accordance with NIST SP 800-63A Enrollment and Identity Proofing

         @@ -6066,9 +6066,9 @@ - + IA-12 (5) Additional FedRAMP Requirements and Guidance - +

        In accordance with NIST SP 800-63A Enrollment and Identity Proofing

         @@ -6243,9 +6243,9 @@ - + IR-3-2 Additional FedRAMP Requirements and Guidance - +

        The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

         @@ -6275,13 +6275,13 @@         - + IR-4 Additional FedRAMP Requirements and Guidance - +

        The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

         - +

        The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

         @@ -6360,9 +6360,9 @@ - + IR-6 Additional FedRAMP Requirements and Guidance - +

        Reports security incident information according to FedRAMP Incident Communications Procedure.

         @@ -6436,13 +6436,13 @@ - + IR-8 Additional FedRAMP Requirements and Guidance - +

        The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

         - +

        The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

         @@ -6854,9 +6854,9 @@         - + MA-5 (1) Additional FedRAMP Requirements and Guidance - +

        Only MA-5 (1) (a) (1) is required by FedRAMP Moderate Baseline

         @@ -6972,9 +6972,9 @@         - + MP-3 Additional FedRAMP Requirements and Guidance - +

        Second parameter not-applicable

         @@ -6997,9 +6997,9 @@         - + MP-4 Additional FedRAMP Requirements and Guidance - +

        The service provider defines controlled areas within facilities where the information and information system reside.

         @@ -7044,9 +7044,9 @@         - + MP-5 Additional FedRAMP Requirements and Guidance - +

        The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

         @@ -7333,9 +7333,9 @@         - + PE-14 Additional FedRAMP Requirements and Guidance - +

        The service provider measures temperature at server inlets and humidity levels by dew point.

         @@ -7932,9 +7932,9 @@ - + PL-8 Additional FedRAMP Requirements and Guidance - +

        Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

         @@ -8006,9 +8006,9 @@ - + PL-10 Additional FedRAMP Requirements and Guidance - +

        Select the appropriate FedRAMP Baseline

         @@ -8407,13 +8407,13 @@         - + RA-3 Additional FedRAMP Requirements and Guidance - +

        Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

         - +

        Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

         @@ -8499,25 +8499,25 @@ - + RA-5 Additional FedRAMP Requirements and Guidance - +

        See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

         - +

        an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

         - +

        If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

         - +

        to include all Authorizing Officials; for JAB authorizations to include FedRAMP

         - +

        Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

        Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

        @@ -9038,13 +9038,13 @@         - + SA-4 Additional FedRAMP Requirements and Guidance - +

        The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

         - +

        The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

        See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

        @@ -9142,9 +9142,9 @@ - + SA-10 Additional FedRAMP Requirements and Guidance - +

        track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

         @@ -9194,9 +9194,9 @@         - + SA-11(1) Additional FedRAMP Requirements - +

        The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

        If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

        @@ -9677,9 +9677,9 @@         - + SC-7 Additional FedRAMP Requirements and Guidance - +

        SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

         @@ -9848,9 +9848,9 @@         - + SC-7 (5) Additional FedRAMP Requirements and Guidance - +

        For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

         @@ -9899,9 +9899,9 @@         - + SC-8 Additional FedRAMP Requirements and Guidance - +

        For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

        @@ -9921,7 +9921,7 @@

        SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

        SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

         - +

        SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

        @@ -9954,22 +9954,22 @@ - + SC-8 (1) Additional FedRAMP Requirements and Guidance - +

        Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

         - +

        See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

        SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

         - +

        Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

         - +

        When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

         @@ -9987,17 +9987,17 @@         - + SC-12 Additional FedRAMP Requirements and Guidance - +

        See references in NIST 800-53 documentation.

         - +

        Must meet applicable Federal Cryptographic Requirements. See References Section of control.

         - +

        Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

         @@ -10019,10 +10019,10 @@ - + SC-13 Additional FedRAMP Requirements and Guidance - +

        This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

          @@ -10035,16 +10035,16 @@

          The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

          https://csrc.nist.gov/projects/cryptographic-module-validation-program

          - +

          For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

          https://www.niap-ccevs.org/Product/index.cfm

           - +

          When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

           - +

          Moving to non-FIPS CM or product is acceptable when:

            @@ -10055,7 +10055,7 @@
          • POA&M is added to track approval, and deployment when ready
           - +

          At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

           @@ -10084,9 +10084,9 @@ - + SC-15 Additional FedRAMP Requirements and Guidance - +

          The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

           @@ -10112,21 +10112,21 @@           - + SC-20 Additional FedRAMP Requirements and Guidance - +

          Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

           - +

          SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

           - +

          External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

           - +

          CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

           @@ -10159,9 +10159,9 @@           - + SC-21 Additional FedRAMP Requirements and Guidance - +

          Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

            @@ -10172,15 +10172,15 @@
          - +

          Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

           - +

          Accepting an unsigned reply is acceptable

           - +

          SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

            @@ -10204,17 +10204,17 @@ - + SC-28 Additional FedRAMP Requirements and Guidance - +

            The organization supports the capability to use cryptographic mechanisms to protect information at rest.

             - +

            When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

             - +

            Note that this enhancement requires the use of cryptography in accordance with SC-13.

             @@ -10235,9 +10235,9 @@             - + SC-28 (1) Additional FedRAMP Requirements and Guidance - +

            Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

            Examples:

            @@ -10260,17 +10260,17 @@ - + SC-45(1) Additional FedRAMP Requirements and Guidance - +

            The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

             - +

            The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

             - +

            Synchronization of system clocks improves the accuracy of log analysis.

             @@ -10511,9 +10511,9 @@ - + SI-4 Additional FedRAMP Requirements and Guidance - +

            See US-CERT Incident Response Reporting Guidelines.

             @@ -10682,9 +10682,9 @@             - + SI-4 (5) Additional FedRAMP Requirements and Guidance - +

            In accordance with the incident response plan.

             @@ -10705,7 +10705,7 @@ - + SI-5 Additional FedRAMP Requirements and Guidance

            Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

            @@ -10833,14 +10833,14 @@             - + SI-8 Additional FedRAMP Requirements and Guidance - +

            When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.

            https://cyber.dhs.gov/bod/18-01/

             - +

            CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.

             @@ -10866,9 +10866,9 @@ - + SI-10 Additional FedRAMP Requirements and Guidance - +

            Validate all information inputs and document any exceptions

             @@ -11065,9 +11065,9 @@ - + SR-3 Additional FedRAMP Requirements and Guidance - +

            CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

             @@ -11118,9 +11118,9 @@ - + SR-6 Additional FedRAMP Requirements and Guidance - +

            CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.

             @@ -11138,9 +11138,9 @@ - + SR-8 Additional FedRAMP Requirements and Guidance - +

            CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

             @@ -11161,9 +11161,9 @@ - + SR-11 Additional FedRAMP Requirements and Guidance - +

            CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

             From 62544eae639d59d4175acd2b18c68c3c94b40eb0 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Thu, 16 Jan 2025 12:43:49 -0500 Subject: [PATCH 4/7] Update module.mk --- src/content/module.mk | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/src/content/module.mk b/src/content/module.mk index 45e5a853c..195bb50d3 100644 --- a/src/content/module.mk +++ b/src/content/module.mk @@ -94,18 +94,33 @@ test-content: .PHONY: test-dist-content test-dist-content: @echo "Validating Output files" - @for file in $(YAML_FILES); do \ + @set -e; \ + validation_failed=0; \ + for file in $(YAML_FILES); do \ echo "Validating $$file..."; \ - $(OSCAL_CLI) validate -f -s "$$file"; \ - done - @for file in $(JSON_FILES); do \ + if ! $(OSCAL_CLI) validate -f -s "$$file"; then \ + echo "Error: Validation failed for YAML file: $$file"; \ + validation_failed=1; \ + fi; \ + done; \ + for file in $(JSON_FILES); do \ echo "Validating $$file..."; \ - $(OSCAL_CLI) validate -f -s "$$file"; \ - done - @for file in $(XML_FILES); do \ + if ! $(OSCAL_CLI) validate -f -s "$$file"; then \ + echo "Error: Validation failed for JSON file: $$file"; \ + validation_failed=1; \ + fi; \ + done; \ + for file in $(XML_FILES); do \ echo "Validating $$file..."; \ - $(OSCAL_CLI) validate -f -s "$$file"; \ - done + if ! $(OSCAL_CLI) validate -f -s "$$file"; then \ + echo "Error: Validation failed for XML file: $$file"; \ + validation_failed=1; \ + fi; \ + done; \ + if [ $$validation_failed -eq 1 ]; then \ + echo "One or more validations failed"; \ + exit 1; \ + fi .PHONY: test-legacy-content test-legacy-content: format From 346c4079960b134cb71f6bc78d91d34f07759a43 Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Thu, 16 Jan 2025 13:07:27 -0500 Subject: [PATCH 5/7] update oscal version --- .../FedRAMP_rev5_HIGH-baseline_profile.xml | 2 +- ...FedRAMP_rev5_MODERATE-baseline_profile.xml | 2 +- package-lock.json | 20 ++++--------------- package.json | 2 +- 4 files changed, 7 insertions(+), 19 deletions(-) diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml index a7224825a..7b5c5732c 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml @@ -5904,7 +5904,7 @@

            The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

             - +

            The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

             diff --git a/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml b/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml index 1afed42d8..c2513faf6 100644 --- a/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml +++ b/dist/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml @@ -5045,7 +5045,7 @@

            The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

             - +

            The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

             diff --git a/package-lock.json b/package-lock.json index 4cd717680..d6f4ada36 100644 --- a/package-lock.json +++ b/package-lock.json @@ -15,7 +15,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.7", + "oscal": "2.0.8-rc8", "prettier": "^3.4.2", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", @@ -28,7 +28,6 @@ "@types/jsdom": "^21.1.7", "@types/xml2js": "^0.4.14", "cross-env": "^7.0.3", - "pretty-data": "^0.40.0", "typescript": "^5.5.2" } }, @@ -2696,10 +2695,9 @@ } }, "node_modules/oscal": { - "version": "2.0.7", - "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.7.tgz", - "integrity": "sha512-V924hmb+QZDuBJGLH63RZui7yzrpVvSQAq9TvWCt2XacrpXqiYwEst0ZyyWza9wrt4zEXJrhAP3wzz1oj38pHA==", - "license": "MIT", + "version": "2.0.8-rc8", + "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.8-rc8.tgz", + "integrity": "sha512-4zDAEyPJfJwI/DDfo//E9Uft9NvEvDqFP3A96iUyH/6EYInSClavFLD4mJKoG0EFI3ssJ0QFYT2D1kRmdwe+aw==", "dependencies": { "@terascope/fetch-github-release": "^0.8.10", "@types/sarif": "^2.1.7", @@ -2922,16 +2920,6 @@ "url": "https://github.com/prettier/prettier?sponsor=1" } }, - "node_modules/pretty-data": { - "version": "0.40.0", - "resolved": "https://registry.npmjs.org/pretty-data/-/pretty-data-0.40.0.tgz", - "integrity": "sha512-YFLnEdDEDnkt/GEhet5CYZHCvALw6+Elyb/tp8kQG03ZSIuzeaDWpZYndCXwgqu4NAjh1PI534dhDS1mHarRnQ==", - "dev": true, - "license": "MIT", - "engines": { - "node": "*" - } - }, "node_modules/progress": { "version": "2.0.3", "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz", diff --git a/package.json b/package.json index 29ae337b6..a913d9390 100644 --- a/package.json +++ b/package.json @@ -28,7 +28,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.7", + "oscal": "2.0.8-rc8", "prettier": "^3.4.2", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", From 863a22f88cd02d0a97d9e87e60fd5436804fab8c Mon Sep 17 00:00:00 2001 From: "~ . ~" <156969148+wandmagic@users.noreply.github.com> Date: Fri, 17 Jan 2025 12:00:42 -0500 Subject: [PATCH 6/7] add fedramp namespace to nested guidance parts --- .../FedRAMP_rev5_HIGH-baseline_profile.xml | 148 +++++++++--------- ...FedRAMP_rev5_MODERATE-baseline_profile.xml | 138 ++++++++-------- 2 files changed, 143 insertions(+), 143 deletions(-) diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml index 659d89f98..e45bbfde2 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml @@ -2883,7 +2883,7 @@

            The service provider defines the time period of inactivity for device identifiers.

             - +

            For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.

             @@ -2942,7 +2942,7 @@ AC-2 (5) Additional FedRAMP Requirements and Guidance - +

            Should use a shorter timeframe than AC-12.

             @@ -3189,7 +3189,7 @@ AC-5 Additional FedRAMP Requirements and Guidance - +

            CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

             @@ -3258,7 +3258,7 @@ AC-6 (2) Additional FedRAMP Requirements and Guidance - +

            Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

             @@ -3390,7 +3390,7 @@

            If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

             - +

            If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

             @@ -3440,7 +3440,7 @@ AC-20 Additional FedRAMP Requirements and Guidance - +

            The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

            AC-20 describes system access to and from external systems.

            @@ -3773,7 +3773,7 @@

            Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

             - +

            Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

             @@ -3858,7 +3858,7 @@ AU-3 (1) Additional FedRAMP Requirements and Guidance - +

            For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

             @@ -4143,7 +4143,7 @@ AU-9 (3) Additional FedRAMP Requirements and Guidance - +

            Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

             @@ -4170,7 +4170,7 @@

            The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

             - +

            The service provider is encouraged to align with M-21-31 where possible

             @@ -4258,7 +4258,7 @@ CA-2 Additional FedRAMP Requirements and Guidance - +

            Reference FedRAMP Annual Assessment Guidance.

             @@ -4411,7 +4411,7 @@

            POA&Ms must be provided at least monthly.

             - +

            Reference FedRAMP-POAM-Template

             @@ -4438,7 +4438,7 @@ CA-6 Additional FedRAMP Requirements and Guidance - +

            Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

             @@ -4501,7 +4501,7 @@

            CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight.

             - +

            FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

             @@ -4619,7 +4619,7 @@ CA-8 Additional FedRAMP Requirements and Guidance - +

            Reference the FedRAMP Penetration Test Guidance.

             @@ -4648,7 +4648,7 @@ CA-8(2) Additional FedRAMP Requirements and Guidance - +

            See the FedRAMP Documents page> Penetration Test Guidance

            https://www.FedRAMP.gov/documents/

            @@ -4811,7 +4811,7 @@ CM-2 Additional FedRAMP Requirements and Guidance - +

            Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

             @@ -4888,7 +4888,7 @@

            The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

             - +

            In accordance with record retention policies and procedures.

             @@ -5163,7 +5163,7 @@

            The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

             - +

            Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

            During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

            @@ -5284,7 +5284,7 @@ CM-7 (2) Additional FedRAMP Requirements and Guidance - +

            This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

             @@ -5427,7 +5427,7 @@             - +

            FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

             @@ -5547,7 +5547,7 @@             - +

            If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

             @@ -6072,7 +6072,7 @@ CP-7 (1) Additional FedRAMP Requirements and Guidance - +

            The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

             @@ -6320,7 +6320,7 @@ CP-9 (8) Additional FedRAMP Requirements and Guidance - +

            Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

             @@ -6439,7 +6439,7 @@

            All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

             - +

            "Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

             @@ -6476,7 +6476,7 @@

            Multi-factor authentication must be phishing-resistant.

             - +

            Multi-factor authentication to subsequent components in the same user domain is not required.

             @@ -6505,7 +6505,7 @@

            Multi-factor authentication must be phishing-resistant.

             - +

            Multi-factor authentication to subsequent components in the same user domain is not required.

             @@ -6538,11 +6538,11 @@ IA-2 (6) Additional FedRAMP Requirements and Guidance - +

            PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

             - +

            See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography.

             @@ -6572,7 +6572,7 @@ IA-2 (12) Additional FedRAMP Requirements and Guidance - +

            Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

             @@ -6668,7 +6668,7 @@

            Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3

             - +

            SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

             @@ -6768,7 +6768,7 @@

            For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

            For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

             - +

            Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

             @@ -6871,7 +6871,7 @@ IA-5 (7) Additional FedRAMP Requirements and Guidance - +

            In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process.

             @@ -6889,7 +6889,7 @@ IA-5 (8) Additional FedRAMP Requirements and Guidance - +

            If a single user authentication domain is used to access multiple systems, such as in single-sign-on, then only a single authenticator is required.

             @@ -6908,7 +6908,7 @@ IA-5 (13) Additional FedRAMP Requirements and Guidance - +

            For components subject to configuration baseline(s) (such as STIG or CIS,) the time period should conform to the baseline standard.

             @@ -6927,7 +6927,7 @@ IA-11 Additional FedRAMP Requirements and Guidance - +

            The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

              @@ -6954,7 +6954,7 @@ IA-12 Additional FedRAMP Requirements and Guidance - +

              In accordance with NIST SP 800-63A Enrollment and Identity Proofing

               @@ -6990,7 +6990,7 @@ IA-12 (5) Additional FedRAMP Requirements and Guidance - +

              In accordance with NIST SP 800-63A Enrollment and Identity Proofing

               @@ -8003,7 +8003,7 @@ MP-3 Additional FedRAMP Requirements and Guidance - +

              Second parameter not-applicable

               @@ -8161,7 +8161,7 @@ MP-6 (2) Additional FedRAMP Requirements and Guidance - +

              Equipment and procedures may be tested or validated for effectiveness

               @@ -9088,7 +9088,7 @@ PL-8 Additional FedRAMP Requirements and Guidance - +

              Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

               @@ -9558,7 +9558,7 @@ RA-3 Additional FedRAMP Requirements and Guidance - +

              Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

               @@ -9648,7 +9648,7 @@ RA-5 Additional FedRAMP Requirements and Guidance - +

              See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

               @@ -9664,7 +9664,7 @@

              to include all Authorizing Officials; for JAB authorizations to include FedRAMP

               - +

              Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

              Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

              @@ -10287,7 +10287,7 @@

              The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

               - +

              The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

              See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

              @@ -10967,7 +10967,7 @@ SC-7 Additional FedRAMP Requirements and Guidance - +

              SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

               @@ -11184,7 +11184,7 @@ SC-7 (5) Additional FedRAMP Requirements and Guidance - +

              For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

               @@ -11235,7 +11235,7 @@ SC-8 Additional FedRAMP Requirements and Guidance - +

              For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

              @@ -11255,7 +11255,7 @@

              SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

              SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

               - +

              SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

              @@ -11294,16 +11294,16 @@

              Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

               - +

              See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

              SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

               - +

              Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

               - +

              When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

               @@ -11323,15 +11323,15 @@ SC-12 Additional FedRAMP Requirements and Guidance - +

              See references in NIST 800-53 documentation.

               - +

              Must meet applicable Federal Cryptographic Requirements. See References Section of control.

               - +

              Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

               @@ -11355,7 +11355,7 @@ SC-13 Additional FedRAMP Requirements and Guidance - +

              This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

                @@ -11368,16 +11368,16 @@

                The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

                https://csrc.nist.gov/projects/cryptographic-module-validation-program

                - +

                For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

                https://www.niap-ccevs.org/Product/index.cfm

                 - +

                When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

                 - +

                Moving to non-FIPS CM or product is acceptable when:

                  @@ -11388,7 +11388,7 @@
                • POA&M is added to track approval, and deployment when ready
                 - +

                At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

                 @@ -11455,15 +11455,15 @@

                Authoritative DNS servers must be geolocated in accordance with SA-9 (5).

                 - +

                SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

                 - +

                External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

                 - +

                CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

                 @@ -11513,11 +11513,11 @@

                Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

                 - +

                Accepting an unsigned reply is acceptable

                 - +

                SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

                - DNSSEC resolution to access a component inside the boundary is excluded.

                @@ -11541,15 +11541,15 @@ SC-28 Additional FedRAMP Requirements and Guidance - +

                The organization supports the capability to use cryptographic mechanisms to protect information at rest.

                 - +

                When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

                 - +

                Note that this enhancement requires the use of cryptography in accordance with SC-13.

                 @@ -11572,7 +11572,7 @@ SC-28 (1) Additional FedRAMP Requirements and Guidance - +

                Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

                Examples:

                @@ -11604,7 +11604,7 @@

                The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

                 - +

                Synchronization of system clocks improves the accuracy of log analysis.

                 @@ -11842,7 +11842,7 @@ SI-4 Additional FedRAMP Requirements and Guidance - +

                See US-CERT Incident Response Reporting Guidelines.

                 @@ -12090,7 +12090,7 @@ SI-4 (5) Additional FedRAMP Requirements and Guidance - +

                In accordance with the incident response plan.

                 @@ -12299,12 +12299,12 @@ SI-8 Additional FedRAMP Requirements and Guidance - +

                When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.

                https://cyber.dhs.gov/bod/18-01/

                 - +

                CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.

                 diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml index 3e4e80f01..862a7f88f 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml @@ -2504,7 +2504,7 @@

                The service provider defines the time period of inactivity for device identifiers.

                 - +

                For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.

                 @@ -2564,7 +2564,7 @@ AC-2 (5) Additional FedRAMP Requirements and Guidance - +

                Should use a shorter timeframe than AC-12.

                 @@ -2794,7 +2794,7 @@ AC-5 Additional FedRAMP Requirements and Guidance - +

                CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

                 @@ -2863,7 +2863,7 @@ AC-6 (2) Additional FedRAMP Requirements and Guidance - +

                Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

                 @@ -2967,7 +2967,7 @@

                If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

                 - +

                If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

                 @@ -3022,7 +3022,7 @@ AC-20 Additional FedRAMP Requirements and Guidance - +

                The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

                AC-20 describes system access to and from external systems.

                @@ -3324,7 +3324,7 @@

                Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

                 - +

                Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

                 @@ -3409,7 +3409,7 @@ AU-3 (1) Additional FedRAMP Requirements and Guidance - +

                For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

                 @@ -3516,7 +3516,7 @@

                The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

                 - +

                The service provider is encouraged to align with M-21-31 where possible

                 @@ -3700,7 +3700,7 @@ CA-2 Additional FedRAMP Requirements and Guidance - +

                Reference FedRAMP Annual Assessment Guidance.

                 @@ -3828,7 +3828,7 @@

                POA&Ms must be provided at least monthly.

                 - +

                Reference FedRAMP-POAM-Template

                 @@ -3855,7 +3855,7 @@ CA-6 Additional FedRAMP Requirements and Guidance - +

                Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

                 @@ -3919,7 +3919,7 @@

                CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (Con Mon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSPs authorized via the Agency path as each agency customer is responsible for performing Con Mon oversight. It does not apply to CSPs authorized via the JAB path because the JAB performs Con Mon oversight.

                 - +

                FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

                 @@ -4039,7 +4039,7 @@ CA-8 Additional FedRAMP Requirements and Guidance - +

                Reference the FedRAMP Penetration Test Guidance.

                 @@ -4068,7 +4068,7 @@ CA-8(2) Additional FedRAMP Requirements and Guidance - +

                See the FedRAMP Documents page> Penetration Test Guidance

                https://www.FedRAMP.gov/documents/

                @@ -4234,7 +4234,7 @@ CM-2 Additional FedRAMP Requirements and Guidance - +

                Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

                 @@ -4312,7 +4312,7 @@

                The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

                 - +

                In accordance with record retention policies and procedures.

                 @@ -4480,7 +4480,7 @@

                The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

                 - +

                Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

                During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

                @@ -4589,7 +4589,7 @@ CM-7 (2) Additional FedRAMP Requirements and Guidance - +

                This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

                 @@ -4716,7 +4716,7 @@ - +

                FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

                 @@ -5270,7 +5270,7 @@ CP-7 (1) Additional FedRAMP Requirements and Guidance - +

                The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

                 @@ -5435,7 +5435,7 @@ CP-9 (8) Additional FedRAMP Requirements and Guidance - +

                Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

                 @@ -5545,7 +5545,7 @@

                All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

                 - +

                "Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

                 @@ -5582,7 +5582,7 @@

                Multi-factor authentication must be phishing-resistant.

                 - +

                Multi-factor authentication to subsequent components in the same user domain is not required.

                 @@ -5611,7 +5611,7 @@

                Multi-factor authentication must be phishing-resistant.

                 - +

                Multi-factor authentication to subsequent components in the same user domain is not required.

                 @@ -5644,11 +5644,11 @@ IA-2 (6) Additional FedRAMP Requirements and Guidance - +

                PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

                 - +

                See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography.

                 @@ -5678,7 +5678,7 @@ IA-2 (12) Additional FedRAMP Requirements and Guidance - +

                Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

                 @@ -5776,7 +5776,7 @@

                Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3

                 - +

                SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

                 @@ -5876,7 +5876,7 @@

                For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

                For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

                 - +

                Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

                 @@ -5979,7 +5979,7 @@ IA-5 (7) Additional FedRAMP Requirements and Guidance - +

                In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process.

                 @@ -6000,7 +6000,7 @@ IA-11 Additional FedRAMP Requirements and Guidance - +

                The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

                  @@ -6028,7 +6028,7 @@ IA-12 Additional FedRAMP Requirements and Guidance - +

                  In accordance with NIST SP 800-63A Enrollment and Identity Proofing

                   @@ -6068,7 +6068,7 @@ IA-12 (5) Additional FedRAMP Requirements and Guidance - +

                  In accordance with NIST SP 800-63A Enrollment and Identity Proofing

                   @@ -6974,7 +6974,7 @@ MP-3 Additional FedRAMP Requirements and Guidance - +

                  Second parameter not-applicable

                   @@ -7934,7 +7934,7 @@ PL-8 Additional FedRAMP Requirements and Guidance - +

                  Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

                   @@ -8409,7 +8409,7 @@ RA-3 Additional FedRAMP Requirements and Guidance - +

                  Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

                   @@ -8501,7 +8501,7 @@ RA-5 Additional FedRAMP Requirements and Guidance - +

                  See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

                   @@ -8517,7 +8517,7 @@

                  to include all Authorizing Officials; for JAB authorizations to include FedRAMP

                   - +

                  Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

                  Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

                  @@ -9044,7 +9044,7 @@

                  The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

                   - +

                  The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

                  See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

                  @@ -9679,7 +9679,7 @@ SC-7 Additional FedRAMP Requirements and Guidance - +

                  SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

                   @@ -9850,7 +9850,7 @@ SC-7 (5) Additional FedRAMP Requirements and Guidance - +

                  For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

                   @@ -9901,7 +9901,7 @@ SC-8 Additional FedRAMP Requirements and Guidance - +

                  For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

                  @@ -9921,7 +9921,7 @@

                  SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

                  SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

                   - +

                  SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

                  @@ -9960,16 +9960,16 @@

                  Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

                   - +

                  See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

                  SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

                   - +

                  Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

                   - +

                  When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

                   @@ -9989,15 +9989,15 @@ SC-12 Additional FedRAMP Requirements and Guidance - +

                  See references in NIST 800-53 documentation.

                   - +

                  Must meet applicable Federal Cryptographic Requirements. See References Section of control.

                   - +

                  Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

                   @@ -10022,7 +10022,7 @@ SC-13 Additional FedRAMP Requirements and Guidance - +

                  This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

                    @@ -10035,16 +10035,16 @@

                    The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

                    https://csrc.nist.gov/projects/cryptographic-module-validation-program

                    - +

                    For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

                    https://www.niap-ccevs.org/Product/index.cfm

                     - +

                    When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

                     - +

                    Moving to non-FIPS CM or product is acceptable when:

                      @@ -10055,7 +10055,7 @@
                    • POA&M is added to track approval, and deployment when ready
                     - +

                    At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

                     @@ -10118,15 +10118,15 @@

                    Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

                     - +

                    SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

                     - +

                    External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

                     - +

                    CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

                     @@ -10176,11 +10176,11 @@

                    Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

                     - +

                    Accepting an unsigned reply is acceptable

                     - +

                    SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

                      @@ -10206,15 +10206,15 @@ SC-28 Additional FedRAMP Requirements and Guidance - +

                      The organization supports the capability to use cryptographic mechanisms to protect information at rest.

                       - +

                      When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

                       - +

                      Note that this enhancement requires the use of cryptography in accordance with SC-13.

                       @@ -10237,7 +10237,7 @@ SC-28 (1) Additional FedRAMP Requirements and Guidance - +

                      Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

                      Examples:

                      @@ -10270,7 +10270,7 @@

                      The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

                       - +

                      Synchronization of system clocks improves the accuracy of log analysis.

                       @@ -10513,7 +10513,7 @@ SI-4 Additional FedRAMP Requirements and Guidance - +

                      See US-CERT Incident Response Reporting Guidelines.

                       @@ -10684,7 +10684,7 @@ SI-4 (5) Additional FedRAMP Requirements and Guidance - +

                      In accordance with the incident response plan.

                       @@ -10835,12 +10835,12 @@ SI-8 Additional FedRAMP Requirements and Guidance - +

                      When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.

                      https://cyber.dhs.gov/bod/18-01/

                       - +

                      CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.

                       From b176d4465130e6324f958e3cfc49105be739f718 Mon Sep 17 00:00:00 2001 From: "~ . ~" <156969148+wandmagic@users.noreply.github.com> Date: Fri, 17 Jan 2025 12:25:46 -0500 Subject: [PATCH 7/7] update baselines --- src/content/module.mk | 6 +- .../FedRAMP_rev5_HIGH-baseline_profile.xml | 362 +++++++------- ...FedRAMP_rev5_MODERATE-baseline_profile.xml | 464 +++++++++--------- 3 files changed, 416 insertions(+), 416 deletions(-) diff --git a/src/content/module.mk b/src/content/module.mk index 195bb50d3..8f9ec6f2f 100644 --- a/src/content/module.mk +++ b/src/content/module.mk @@ -98,21 +98,21 @@ test-dist-content: validation_failed=0; \ for file in $(YAML_FILES); do \ echo "Validating $$file..."; \ - if ! $(OSCAL_CLI) validate -f -s "$$file"; then \ + if ! $(OSCAL_CLI) validate -s -f "$$file"; then \ echo "Error: Validation failed for YAML file: $$file"; \ validation_failed=1; \ fi; \ done; \ for file in $(JSON_FILES); do \ echo "Validating $$file..."; \ - if ! $(OSCAL_CLI) validate -f -s "$$file"; then \ + if ! $(OSCAL_CLI) validate -s -f "$$file"; then \ echo "Error: Validation failed for JSON file: $$file"; \ validation_failed=1; \ fi; \ done; \ for file in $(XML_FILES); do \ echo "Validating $$file..."; \ - if ! $(OSCAL_CLI) validate -f -s "$$file"; then \ + if ! $(OSCAL_CLI) validate -s -f "$$file"; then \ echo "Error: Validation failed for XML file: $$file"; \ validation_failed=1; \ fi; \ diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml index e45bbfde2..b5f9f97cc 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline_profile.xml @@ -1,12 +1,12 @@ - + FedRAMP Rev 5 High Baseline 2024-09-24T02:24:00Z - 2024-09-24T02:24:00Z - fedramp2.1.0-oscal1.0.4 - 1.0.4 + 2025-01-15T00:00:00Z + fedramp-3.0.0rc1-oscal-1.1.2 + 1.1.2 Document creator @@ -2873,13 +2873,13 @@ - + AC-2 (3) Additional FedRAMP Requirements and Guidance - +

                      The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

                       - +

                      The service provider defines the time period of inactivity for device identifiers.

                       @@ -2940,7 +2940,7 @@                       - + AC-2 (5) Additional FedRAMP Requirements and Guidance @@ -2999,9 +2999,9 @@ - + AC-2 (9) Additional FedRAMP Requirements and Guidance - +

                      Required if shared/group accounts are deployed.

                       @@ -3021,13 +3021,13 @@                       - + AC-2 (12) Additional FedRAMP Requirements and Guidance - +

                      Required for privileged accounts.

                       - +

                      Required for privileged accounts.

                       @@ -3168,9 +3168,9 @@                       - + AC-4 (4) Additional FedRAMP Requirements and Guidance - +

                      The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

                       @@ -3187,7 +3187,7 @@                       - + AC-5 Additional FedRAMP Requirements and Guidance @@ -3256,7 +3256,7 @@ - + AC-6 (2) Additional FedRAMP Requirements and Guidance @@ -3349,9 +3349,9 @@ - + AC-7 Additional FedRAMP Requirements and Guidance - +

                      In alignment with NIST SP 800-63B.

                       @@ -3376,17 +3376,17 @@                       - + AC-8 Additional FedRAMP Requirements and Guidance - +

                      The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

                       - +

                      The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

                       - +

                      If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

                       @@ -3438,7 +3438,7 @@                       - + AC-20 Additional FedRAMP Requirements and Guidance @@ -3767,9 +3767,9 @@ - + AU-2 Additional FedRAMP Requirements and Guidance - +

                      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

                       @@ -3856,7 +3856,7 @@                       - + AU-3 (1) Additional FedRAMP Requirements and Guidance @@ -3938,9 +3938,9 @@ - + AU-6 Additional FedRAMP Requirements and Guidance - +

                      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

                       @@ -4028,9 +4028,9 @@                       - + AU-6 (6) Additional FedRAMP Requirements and Guidance - +

                      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

                       @@ -4141,7 +4141,7 @@                       - + AU-9 (3) Additional FedRAMP Requirements and Guidance @@ -4160,13 +4160,13 @@ - + AU-11 Additional FedRAMP Requirements and Guidance - +

                      The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

                       - +

                      The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

                       @@ -4256,7 +4256,7 @@                       - + CA-2 Additional FedRAMP Requirements and Guidance @@ -4322,9 +4322,9 @@ - + CA-2 (1) Additional FedRAMP Requirements and Guidance - +

                      For JAB Authorization, must use an accredited 3PAO.

                       @@ -4341,9 +4341,9 @@                       - + CA-2 (2) Additional FedRAMP Requirements and Guidance - +

                      To include 'announced', 'vulnerability scanning'

                       @@ -4405,9 +4405,9 @@                       - + CA-5 Additional FedRAMP Requirements and Guidance - +

                      POA&Ms must be provided at least monthly.

                       @@ -4436,7 +4436,7 @@                       - + CA-6 Additional FedRAMP Requirements and Guidance @@ -4491,13 +4491,13 @@ - + CA-7 Additional FedRAMP Requirements and Guidance - +

                      Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

                       - +

                      CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight.

                       @@ -4617,7 +4617,7 @@                       - + CA-8 Additional FedRAMP Requirements and Guidance @@ -4646,7 +4646,7 @@ - + CA-8(2) Additional FedRAMP Requirements and Guidance @@ -4809,7 +4809,7 @@ - + CM-2 Additional FedRAMP Requirements and Guidance @@ -4882,9 +4882,9 @@ - + CM-3 Additional FedRAMP Requirements and Guidance - +

                      The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

                       @@ -5153,13 +5153,13 @@                       - + CM-6 Additional FedRAMP Requirements and Guidance - +

                      The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

                       - +

                      The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

                       @@ -5232,9 +5232,9 @@                       - + CM-7 Additional FedRAMP Requirements and Guidance - +

                      The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

                       @@ -5282,7 +5282,7 @@                       - + CM-7 (2) Additional FedRAMP Requirements and Guidance @@ -5331,9 +5331,9 @@ - + CM-8 Additional FedRAMP Requirements and Guidance - +

                      must be provided at least monthly or when there is a change.

                       @@ -5484,9 +5484,9 @@                       - + CM-12 Additional FedRAMP Requirements and Guidance - +

                      According to FedRAMP Authorization Boundary Guidance

                       @@ -5529,9 +5529,9 @@                       - + CM-12 (1) Additional FedRAMP Requirements and Guidance - +

                      According to FedRAMP Authorization Boundary Guidance.

                       @@ -5652,13 +5652,13 @@                       - + CP-2 Additional FedRAMP Requirements and Guidance - +

                      For JAB authorizations the contingency lists include designated FedRAMP personnel.

                       - +

                      CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

                       @@ -5824,9 +5824,9 @@                       - + CP-3 Additional FedRAMP Requirements and Guidance - +

                      Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

                       @@ -5877,9 +5877,9 @@                       - + CP-4 Additional FedRAMP Requirements and Guidance - +

                      The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

                       @@ -6026,9 +6026,9 @@                       - + CP-7 Additional FedRAMP Requirements and Guidance - +

                      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

                       @@ -6070,7 +6070,7 @@                       - + CP-7 (1) Additional FedRAMP Requirements and Guidance @@ -6125,9 +6125,9 @@ - + CP-8 Additional FedRAMP Requirements and Guidance - +

                      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

                       @@ -6211,21 +6211,21 @@                       - + CP-9 Additional FedRAMP Requirements and Guidance - +

                      The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

                       - +

                      The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

                       - +

                      The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

                       - +

                      The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

                       @@ -6318,7 +6318,7 @@                       - + CP-9 (8) Additional FedRAMP Requirements and Guidance @@ -6425,17 +6425,17 @@ - + IA-2 Additional FedRAMP Requirements and Guidance - +

                      For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

                       - +

                      Multi-factor authentication must be phishing-resistant.

                       - +

                      All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

                       @@ -6466,13 +6466,13 @@                       - + IA-2 (1) Additional FedRAMP Requirements and Guidance - +

                      According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

                       - +

                      Multi-factor authentication must be phishing-resistant.

                       @@ -6495,13 +6495,13 @@                       - + IA-2 (2) Additional FedRAMP Requirements and Guidance - +

                      According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

                       - +

                      Multi-factor authentication must be phishing-resistant.

                       @@ -6536,7 +6536,7 @@                       - + IA-2 (6) Additional FedRAMP Requirements and Guidance @@ -6570,7 +6570,7 @@ - + IA-2 (12) Additional FedRAMP Requirements and Guidance @@ -6662,9 +6662,9 @@ - + IA-5 Additional FedRAMP Requirements and Guidance - +

                      Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3

                       @@ -6757,13 +6757,13 @@                       - + IA-5 (1) Additional FedRAMP Requirements and Guidance - +

                      Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

                       - +

                      For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

                      For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

                      @@ -6869,7 +6869,7 @@                       - + IA-5 (7) Additional FedRAMP Requirements and Guidance @@ -6887,7 +6887,7 @@ - + IA-5 (8) Additional FedRAMP Requirements and Guidance @@ -6906,7 +6906,7 @@ - + IA-5 (13) Additional FedRAMP Requirements and Guidance @@ -6925,7 +6925,7 @@ - + IA-11 Additional FedRAMP Requirements and Guidance @@ -6952,7 +6952,7 @@ - + IA-12 Additional FedRAMP Requirements and Guidance @@ -6988,7 +6988,7 @@ - + IA-12 (5) Additional FedRAMP Requirements and Guidance @@ -7181,9 +7181,9 @@ - + IR-3-2 Additional FedRAMP Requirements and Guidance - +

                      The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

                       @@ -7213,13 +7213,13 @@                       - + IR-4 Additional FedRAMP Requirements and Guidance - +

                      The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

                       - +

                      The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

                       @@ -7361,9 +7361,9 @@                       - + IR-6 Additional FedRAMP Requirements and Guidance - +

                      Reports security incident information according to FedRAMP Incident Communications Procedure.

                       @@ -7435,13 +7435,13 @@                       - + IR-8 Additional FedRAMP Requirements and Guidance - +

                      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

                       - +

                      The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

                       @@ -8001,7 +8001,7 @@                       - + MP-3 Additional FedRAMP Requirements and Guidance @@ -8026,9 +8026,9 @@ - + MP-4 Additional FedRAMP Requirements and Guidance - +

                      The service provider defines controlled areas within facilities where the information and information system reside.

                       @@ -8073,9 +8073,9 @@                       - + MP-5 Additional FedRAMP Requirements and Guidance - +

                      The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

                       @@ -8141,9 +8141,9 @@                       - + MP-6 (1) Additional FedRAMP Requirements and Guidance - +

                      Must comply with NIST SP 800-88

                       @@ -8159,7 +8159,7 @@                       - + MP-6 (2) Additional FedRAMP Requirements and Guidance @@ -8177,9 +8177,9 @@ - + MP-6 (3) Additional FedRAMP Requirements and Guidance - +

                      Must comply with NIST SP 800-88

                       @@ -8424,9 +8424,9 @@                       - + PE-14 Additional FedRAMP Requirements and Guidance - +

                      The service provider measures temperature at server inlets and humidity levels by dew point.

                       @@ -9086,7 +9086,7 @@                       - + PL-8 Additional FedRAMP Requirements and Guidance @@ -9159,9 +9159,9 @@ - + PL-10 Additional FedRAMP Requirements and Guidance - +

                      Select the appropriate FedRAMP Baseline

                       @@ -9556,13 +9556,13 @@                       - + RA-3 Additional FedRAMP Requirements and Guidance

                      Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

                       - +

                      Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

                       @@ -9646,21 +9646,21 @@                       - + RA-5 Additional FedRAMP Requirements and Guidance

                      See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

                       - +

                      an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

                       - +

                      If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

                       - +

                      to include all Authorizing Officials; for JAB authorizations to include FedRAMP

                       @@ -9802,9 +9802,9 @@                       - + RA-5(8) Additional FedRAMP Requirement - +

                      This enhancement is required for all high (or critical) vulnerability scan findings.

                       @@ -10281,9 +10281,9 @@                       - + SA-4 Additional FedRAMP Requirements and Guidance - +

                      The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

                       @@ -10384,9 +10384,9 @@                       - + SA-10 Additional FedRAMP Requirements and Guidance - +

                      track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

                       @@ -10436,9 +10436,9 @@                       - + SA-11(1) Additional FedRAMP Requirements - +

                      The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

                      If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

                      @@ -10965,7 +10965,7 @@                       - + SC-7 Additional FedRAMP Requirements and Guidance @@ -11182,7 +11182,7 @@ - + SC-7 (5) Additional FedRAMP Requirements and Guidance @@ -11233,7 +11233,7 @@ - + SC-8 Additional FedRAMP Requirements and Guidance @@ -11288,9 +11288,9 @@ - + SC-8 (1) Additional FedRAMP Requirements and Guidance - +

                      Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

                       @@ -11321,7 +11321,7 @@                       - + SC-12 Additional FedRAMP Requirements and Guidance @@ -11352,7 +11352,7 @@ - + SC-13 Additional FedRAMP Requirements and Guidance @@ -11417,9 +11417,9 @@ - + SC-15 Additional FedRAMP Requirements and Guidance - +

                      The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

                       @@ -11445,13 +11445,13 @@                       - + SC-20 Additional FedRAMP Requirements and Guidance - +

                      Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

                       - +

                      Authoritative DNS servers must be geolocated in accordance with SA-9 (5).

                       @@ -11496,9 +11496,9 @@                       - + SC-21 Additional FedRAMP Requirements and Guidance - +

                      Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

                        @@ -11509,7 +11509,7 @@
                      - +

                      Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

                       @@ -11539,7 +11539,7 @@                       - + SC-28 Additional FedRAMP Requirements and Guidance @@ -11570,7 +11570,7 @@ - + SC-28 (1) Additional FedRAMP Requirements and Guidance @@ -11594,13 +11594,13 @@ - + SC-45(1) Additional FedRAMP Requirements and Guidance - +

                      The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

                       - +

                      The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

                       @@ -11840,7 +11840,7 @@                       - + SI-4 Additional FedRAMP Requirements and Guidance @@ -12088,7 +12088,7 @@ - + SI-4 (5) Additional FedRAMP Requirements and Guidance @@ -12108,9 +12108,9 @@ - + SI-4 (10) Additional FedRAMP Requirements and Guidance - +

                      The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

                       @@ -12130,7 +12130,7 @@                       - + SI-5 Additional FedRAMP Requirements and Guidance

                      Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

                      @@ -12297,7 +12297,7 @@                       - + SI-8 Additional FedRAMP Requirements and Guidance @@ -12329,9 +12329,9 @@ - + SI-10 Additional FedRAMP Requirements and Guidance - +

                      Validate all information inputs and document any exceptions

                       @@ -12524,9 +12524,9 @@                       - + SR-3 Additional FedRAMP Requirements and Guidance - +

                      CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

                       @@ -12575,9 +12575,9 @@                       - + SR-6 Additional FedRAMP Requirements and Guidance - +

                      CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.

                       @@ -12594,9 +12594,9 @@                       - + SR-8 Additional FedRAMP Requirements and Guidance - +

                      CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

                       @@ -12613,9 +12613,9 @@                       - + SR-9 Additional FedRAMP Requirements and Guidance - +

                      CSOs must ensure vendors provide authenticity of software and patches supplied to the service provider including documenting the safeguards in place.

                       @@ -12642,9 +12642,9 @@                       - + SR-11 Additional FedRAMP Requirements and Guidance - +

                      CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.

                       diff --git a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml index 862a7f88f..b91168805 100644 --- a/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml +++ b/src/content/rev5/baselines/xml/FedRAMP_rev5_MODERATE-baseline_profile.xml @@ -1,12 +1,12 @@ - + FedRAMP Rev 5 Moderate Baseline 2024-09-24T02:24:00Z - 2024-09-24T02:24:00Z - fedramp2.1.0-oscal1.0.4 - 1.0.4 + 2025-01-15T00:00:00Z + fedramp-3.0.0rc1-oscal-1.1.2 + 1.1.2 Document creator @@ -2494,17 +2494,17 @@ - + AC-2 (3) Additional FedRAMP Requirements and Guidance - +

                      The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

                       - +

                      The service provider defines the time period of inactivity for device identifiers.

                       - +

                      For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP https://public.cyber.mil/dccs/.

                       @@ -2562,9 +2562,9 @@ - + AC-2 (5) Additional FedRAMP Requirements and Guidance - +

                      Should use a shorter timeframe than AC-12.

                       @@ -2621,9 +2621,9 @@                       - + AC-2 (9) Additional FedRAMP Requirements and Guidance - +

                      Required if shared/group accounts are deployed.

                       @@ -2644,13 +2644,13 @@ - + AC-2 (12) Additional FedRAMP Requirements and Guidance - +

                      Required for privileged accounts.

                       - +

                      Required for privileged accounts.

                       @@ -2792,9 +2792,9 @@                       - + AC-5 Additional FedRAMP Requirements and Guidance - +

                      CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

                       @@ -2861,9 +2861,9 @@                       - + AC-6 (2) Additional FedRAMP Requirements and Guidance - +

                      Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

                       @@ -2926,9 +2926,9 @@ - + AC-7 Additional FedRAMP Requirements and Guidance - +

                      In alignment with NIST SP 800-63B

                       @@ -2953,21 +2953,21 @@                       - + AC-8 Additional FedRAMP Requirements and Guidance - +

                      The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

                       - +

                      The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.

                       - +

                      If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

                       - +

                      If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

                       @@ -3020,9 +3020,9 @@ - + AC-20 Additional FedRAMP Requirements and Guidance - +

                      The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

                      AC-20 describes system access to and from external systems.

                      @@ -3318,13 +3318,13 @@ - + AU-2 Additional FedRAMP Requirements and Guidance - +

                      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

                       - +

                      Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

                       @@ -3407,9 +3407,9 @@                       - + AU-3 (1) Additional FedRAMP Requirements and Guidance - +

                      For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

                       @@ -3464,9 +3464,9 @@ - + AU-6 Additional FedRAMP Requirements and Guidance - +

                      Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

                       @@ -3506,17 +3506,17 @@ - + AU-11 Additional FedRAMP Requirements and Guidance - +

                      The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

                       - +

                      The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)

                       - +

                      The service provider is encouraged to align with M-21-31 where possible

                       @@ -3698,9 +3698,9 @@ - + CA-2 Additional FedRAMP Requirements and Guidance - +

                      Reference FedRAMP Annual Assessment Guidance.

                       @@ -3764,9 +3764,9 @@                       - + CA-2 (1) Additional FedRAMP Requirements and Guidance - +

                      For JAB Authorization, must use an accredited 3PAO.

                       @@ -3822,13 +3822,13 @@ - + CA-5 Additional FedRAMP Requirements and Guidance - +

                      POA&Ms must be provided at least monthly.

                       - +

                      Reference FedRAMP-POAM-Template

                       @@ -3853,9 +3853,9 @@                       - + CA-6 Additional FedRAMP Requirements and Guidance - +

                      Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F and according to FedRAMP Significant Change Policies and Procedures. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

                       @@ -3909,17 +3909,17 @@ - + CA-7 Additional FedRAMP Requirements and Guidance - +

                      Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

                       - +

                      CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (Con Mon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSPs authorized via the Agency path as each agency customer is responsible for performing Con Mon oversight. It does not apply to CSPs authorized via the JAB path because the JAB performs Con Mon oversight.

                       - +

                      FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

                       @@ -4037,9 +4037,9 @@ - + CA-8 Additional FedRAMP Requirements and Guidance - +

                      Reference the FedRAMP Penetration Test Guidance.

                       @@ -4066,9 +4066,9 @@                       - + CA-8(2) Additional FedRAMP Requirements and Guidance - +

                      See the FedRAMP Documents page> Penetration Test Guidance

                      https://www.FedRAMP.gov/documents/

                      @@ -4232,9 +4232,9 @@ - + CM-2 Additional FedRAMP Requirements and Guidance - +

                      Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

                       @@ -4306,13 +4306,13 @@ - + CM-3 Additional FedRAMP Requirements and Guidance - +

                      The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

                       - +

                      In accordance with record retention policies and procedures.

                       @@ -4470,17 +4470,17 @@ - + CM-6 Additional FedRAMP Requirements and Guidance - +

                      The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.

                       - +

                      The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

                       - +

                      Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

                      During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

                      @@ -4536,9 +4536,9 @@                       - + CM-7 Additional FedRAMP Requirements and Guidance - +

                      The service provider shall use Security guidelines (See CM-6) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if STIGs or CIS is not available.

                       @@ -4587,9 +4587,9 @@                       - + CM-7 (2) Additional FedRAMP Requirements and Guidance - +

                      This control refers to software deployment by CSP personnel into the production environment. The control requires a policy that states conditions for deploying software. This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. allow-listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

                       @@ -4638,9 +4638,9 @@ - + CM-8 Additional FedRAMP Requirements and Guidance - +

                      must be provided at least monthly or when there is a change.

                       @@ -4716,7 +4716,7 @@ - +

                      FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide

                       @@ -4774,9 +4774,9 @@ - + CM-12 Additional FedRAMP Requirements and Guidance - +

                      According to FedRAMP Authorization Boundary Guidance

                       @@ -4820,9 +4820,9 @@ - + CM-12 (1) Additional FedRAMP Requirements and Guidance - +

                      According to FedRAMP Authorization Boundary Guidance.

                       @@ -4919,13 +4919,13 @@ - + CP-2 Additional FedRAMP Requirements and Guidance - +

                      For JAB authorizations the contingency lists include designated FedRAMP personnel.

                       - +

                      CSPs must use the FedRAMP Information System Contingency Plan (ISCP) Template (available on the fedramp.gov: https://www.fedramp.gov/assets/resources/templates/SSP-A06-FedRAMP-ISCP-Template.docx).

                       @@ -5063,9 +5063,9 @@ - + CP-3 Additional FedRAMP Requirements and Guidance - +

                      Privileged admins and engineers must take the basic contingency training within 10 days. Consideration must be given for those privileged admins and engineers with critical contingency-related roles, to gain enough system context and situational awareness to understand the full impact of contingency training as it applies to their respective level. Newly hired critical contingency personnel must take this more in-depth training within 60 days of hire date when the training will have more impact.

                       @@ -5106,13 +5106,13 @@ - + CP-4 Additional FedRAMP Requirements and Guidance - +

                      The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

                       - +

                      The service provider must include the Contingency Plan test results with the security package within the Contingency Plan-designated appendix (Appendix G, Contingency Plan Test Report).

                       @@ -5224,9 +5224,9 @@                       - + CP-7 Additional FedRAMP Requirements and Guidance - +

                      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

                       @@ -5268,9 +5268,9 @@                       - + CP-7 (1) Additional FedRAMP Requirements and Guidance - +

                      The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

                       @@ -5312,9 +5312,9 @@                       - + CP-8 Additional FedRAMP Requirements and Guidance - +

                      The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

                       @@ -5362,21 +5362,21 @@                       - + CP-9 Additional FedRAMP Requirements and Guidance - +

                      The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

                       - +

                      The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

                       - +

                      The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

                       - +

                      The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

                       @@ -5433,9 +5433,9 @@ - + CP-9 (8) Additional FedRAMP Requirements and Guidance - +

                      Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

                       @@ -5531,21 +5531,21 @@                       - + IA-2 Additional FedRAMP Requirements and Guidance - +

                      For all control enhancements that specify multifactor authentication, the implementation must adhere to the Digital Identity Guidelines specified in NIST Special Publication 800-63B.

                       - +

                      Multi-factor authentication must be phishing-resistant.

                       - +

                      All uses of encrypted virtual private networks must meet all applicable Federal requirements and architecture, dataflow, and security and privacy controls must be documented, assessed, and authorized to operate.

                       - +

                      "Phishing-resistant" authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.

                       @@ -5572,17 +5572,17 @@                       - + IA-2 (1) Additional FedRAMP Requirements and Guidance - +

                      According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

                       - +

                      Multi-factor authentication must be phishing-resistant.

                       - +

                      Multi-factor authentication to subsequent components in the same user domain is not required.

                       @@ -5601,17 +5601,17 @@                       - + IA-2 (2) Additional FedRAMP Requirements and Guidance - +

                      According to SP 800-63-3, SP 800-63A (IAL), SP 800-63B (AAL), and SP 800-63C (FAL).

                       - +

                      Multi-factor authentication must be phishing-resistant.

                       - +

                      Multi-factor authentication to subsequent components in the same user domain is not required.

                       @@ -5642,13 +5642,13 @@                       - + IA-2 (6) Additional FedRAMP Requirements and Guidance - +

                      PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

                       - +

                      See SC-13 Guidance for more information on FIPS-validated or NSA-approved cryptography.

                       @@ -5676,9 +5676,9 @@                       - + IA-2 (12) Additional FedRAMP Requirements and Guidance - +

                      Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

                       @@ -5770,13 +5770,13 @@ - + IA-5 Additional FedRAMP Requirements and Guidance - +

                      Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3

                       - +

                      SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

                       @@ -5865,18 +5865,18 @@                       - + IA-5 (1) Additional FedRAMP Requirements and Guidance - +

                      Password policies must be compliant with NIST SP 800-63B for all memorized, lookup, out-of-band, or One-Time-Passwords (OTP). Password policies shall not enforce special character or minimum password rotation requirements for memorized secrets of users.

                       - +

                      For cases where technology doesn't allow multi-factor authentication, these rules should be enforced: must have a minimum length of 14 characters and must support all printable ASCII characters.

                      For emergency use accounts, these rules should be enforced: must have a minimum length of 14 characters, must support all printable ASCII characters, and passwords must be changed if used.

                       - +

                      Note that (c) and (d) require the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13).

                       @@ -5977,9 +5977,9 @@                       - + IA-5 (7) Additional FedRAMP Requirements and Guidance - +

                      In this context, prohibited static storage refers to any storage where unencrypted authenticators, such as passwords, persist beyond the time required to complete the access process.

                       @@ -5998,9 +5998,9 @@ - + IA-11 Additional FedRAMP Requirements and Guidance - +

                      The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

                        @@ -6026,9 +6026,9 @@ - + IA-12 Additional FedRAMP Requirements and Guidance - +

                        In accordance with NIST SP 800-63A Enrollment and Identity Proofing

                         @@ -6066,9 +6066,9 @@ - + IA-12 (5) Additional FedRAMP Requirements and Guidance - +

                        In accordance with NIST SP 800-63A Enrollment and Identity Proofing

                         @@ -6243,9 +6243,9 @@ - + IR-3-2 Additional FedRAMP Requirements and Guidance - +

                        The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

                         @@ -6275,13 +6275,13 @@                         - + IR-4 Additional FedRAMP Requirements and Guidance - +

                        The FISMA definition of "incident" shall be used: "An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies."

                         - +

                        The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

                         @@ -6360,9 +6360,9 @@ - + IR-6 Additional FedRAMP Requirements and Guidance - +

                        Reports security incident information according to FedRAMP Incident Communications Procedure.

                         @@ -6436,13 +6436,13 @@ - + IR-8 Additional FedRAMP Requirements and Guidance - +

                        The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

                         - +

                        The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

                         @@ -6854,9 +6854,9 @@                         - + MA-5 (1) Additional FedRAMP Requirements and Guidance - +

                        Only MA-5 (1) (a) (1) is required by FedRAMP Moderate Baseline

                         @@ -6972,9 +6972,9 @@                         - + MP-3 Additional FedRAMP Requirements and Guidance - +

                        Second parameter not-applicable

                         @@ -6997,9 +6997,9 @@                         - + MP-4 Additional FedRAMP Requirements and Guidance - +

                        The service provider defines controlled areas within facilities where the information and information system reside.

                         @@ -7044,9 +7044,9 @@                         - + MP-5 Additional FedRAMP Requirements and Guidance - +

                        The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

                         @@ -7333,9 +7333,9 @@                         - + PE-14 Additional FedRAMP Requirements and Guidance - +

                        The service provider measures temperature at server inlets and humidity levels by dew point.

                         @@ -7932,9 +7932,9 @@ - + PL-8 Additional FedRAMP Requirements and Guidance - +

                        Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

                         @@ -8006,9 +8006,9 @@ - + PL-10 Additional FedRAMP Requirements and Guidance - +

                        Select the appropriate FedRAMP Baseline

                         @@ -8407,13 +8407,13 @@                         - + RA-3 Additional FedRAMP Requirements and Guidance - +

                        Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

                         - +

                        Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

                         @@ -8499,25 +8499,25 @@ - + RA-5 Additional FedRAMP Requirements and Guidance - +

                        See the FedRAMP Documents page> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/

                         - +

                        an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

                         - +

                        If a vulnerability is listed among the CISA Known Exploited Vulnerability (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) the KEV remediation date supersedes the FedRAMP parameter requirement.

                         - +

                        to include all Authorizing Officials; for JAB authorizations to include FedRAMP

                         - +

                        Informational findings from a scanner are detailed as a returned result that holds no vulnerability risk or severity and for FedRAMP does not require an entry onto the POA&M or entry onto the RET during any assessment phase.

                        Warning findings, on the other hand, are given a risk rating (low, moderate, high or critical) by the scanning solution and should be treated like any other finding with a risk or severity rating for tracking purposes onto either the POA&M or RET depending on when the findings originated (during assessments or during monthly continuous monitoring). If a warning is received during scanning, but further validation turns up no actual issue then this item should be categorized as a false positive. If this situation presents itself during an assessment phase (initial assessment, annual assessment or any SCR), follow guidance on how to report false positives in the Security Assessment Report (SAR). If this situation happens during monthly continuous monitoring, a deviation request will need to be submitted per the FedRAMP Vulnerability Deviation Request Form.

                        @@ -9038,13 +9038,13 @@                         - + SA-4 Additional FedRAMP Requirements and Guidance - +

                        The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).

                         - +

                        The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

                        See https://www.niap-ccevs.org/Product/index.cfm or https://www.commoncriteriaportal.org/products/.

                        @@ -9142,9 +9142,9 @@ - + SA-10 Additional FedRAMP Requirements and Guidance - +

                        track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

                         @@ -9194,9 +9194,9 @@                         - + SA-11(1) Additional FedRAMP Requirements - +

                        The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.

                        If Static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8))

                        @@ -9677,9 +9677,9 @@                         - + SC-7 Additional FedRAMP Requirements and Guidance - +

                        SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.

                         @@ -9848,9 +9848,9 @@                         - + SC-7 (5) Additional FedRAMP Requirements and Guidance - +

                        For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

                         @@ -9899,9 +9899,9 @@                         - + SC-8 Additional FedRAMP Requirements and Guidance - +

                        For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.

                        @@ -9921,7 +9921,7 @@

                        SC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]

                        SC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]

                         - +

                        SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.

                        @@ -9954,22 +9954,22 @@ - + SC-8 (1) Additional FedRAMP Requirements and Guidance - +

                        Please ensure SSP Section 10.3 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT) is fully populated for reference in this control.

                         - +

                        See M-22-09, including "Agencies encrypt all DNS requests and HTTP traffic within their environment"

                        SC-8 (1) applies when encryption has been selected as the method to protect confidentiality and integrity. Otherwise refer to SC-8 (5). SC-8 (1) is strongly encouraged.

                         - +

                        Note that this enhancement requires the use of cryptography which must be compliant with Federal requirements and utilize FIPS validated or NSA approved cryptography (see SC-13.)

                         - +

                        When leveraging encryption from the underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

                         @@ -9987,17 +9987,17 @@                         - + SC-12 Additional FedRAMP Requirements and Guidance - +

                        See references in NIST 800-53 documentation.

                         - +

                        Must meet applicable Federal Cryptographic Requirements. See References Section of control.

                         - +

                        Wildcard certificates may be used internally within the system, but are not permitted for external customer access to the system.

                         @@ -10019,10 +10019,10 @@ - + SC-13 Additional FedRAMP Requirements and Guidance - +

                        This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:

                          @@ -10035,16 +10035,16 @@

                          The requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).

                          https://csrc.nist.gov/projects/cryptographic-module-validation-program

                          - +

                          For NSA-approved cryptography, the National Information Assurance Partnership (NIAP) oversees a national program to evaluate Commercial IT Products for Use in National Security Systems. The NIAP Product Compliant List can be found at the following location:

                          https://www.niap-ccevs.org/Product/index.cfm

                           - +

                          When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

                           - +

                          Moving to non-FIPS CM or product is acceptable when:

                            @@ -10055,7 +10055,7 @@
                          • POA&M is added to track approval, and deployment when ready
                           - +

                          At a minimum, this control applies to cryptography in use for the following controls: AU-9(3), CP-9(8), IA-2(6), IA-5(1), MP-5, SC-8(1), and SC-28(1).

                           @@ -10084,9 +10084,9 @@ - + SC-15 Additional FedRAMP Requirements and Guidance - +

                          The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

                           @@ -10112,21 +10112,21 @@                           - + SC-20 Additional FedRAMP Requirements and Guidance - +

                          Control Description should include how DNSSEC is implemented on authoritative DNS servers to supply valid responses to external DNSSEC requests.

                           - +

                          SC-20 applies to use of external authoritative DNS to access a CSO from outside the boundary.

                           - +

                          External authoritative DNS servers may be located outside an authorized environment. Positioning these servers inside an authorized boundary is encouraged.

                           - +

                          CSPs are recommended to self-check DNSSEC configuration through one of many available analyzers such as Sandia National Labs (https://dnsviz.net)

                           @@ -10159,9 +10159,9 @@                           - + SC-21 Additional FedRAMP Requirements and Guidance - +

                          Control description should include how DNSSEC is implemented on recursive DNS servers to make DNSSEC requests when resolving DNS requests from internal components to domains external to the CSO boundary.

                            @@ -10172,15 +10172,15 @@
                          - +

                          Internal recursive DNS servers must be located inside an authorized environment. It is typically within the boundary, or leveraged from an underlying IaaS/PaaS.

                           - +

                          Accepting an unsigned reply is acceptable

                           - +

                          SC-21 applies to use of internal recursive DNS to access a domain outside the boundary by a component inside the boundary.

                            @@ -10204,17 +10204,17 @@ - + SC-28 Additional FedRAMP Requirements and Guidance - +

                            The organization supports the capability to use cryptographic mechanisms to protect information at rest.

                             - +

                            When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured.

                             - +

                            Note that this enhancement requires the use of cryptography in accordance with SC-13.

                             @@ -10235,9 +10235,9 @@                             - + SC-28 (1) Additional FedRAMP Requirements and Guidance - +

                            Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

                            Examples:

                            @@ -10260,17 +10260,17 @@ - + SC-45(1) Additional FedRAMP Requirements and Guidance - +

                            The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

                             - +

                            The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

                             - +

                            Synchronization of system clocks improves the accuracy of log analysis.

                             @@ -10511,9 +10511,9 @@ - + SI-4 Additional FedRAMP Requirements and Guidance - +

                            See US-CERT Incident Response Reporting Guidelines.

                             @@ -10682,9 +10682,9 @@                             - + SI-4 (5) Additional FedRAMP Requirements and Guidance - +

                            In accordance with the incident response plan.

                             @@ -10705,7 +10705,7 @@ - + SI-5 Additional FedRAMP Requirements and Guidance

                            Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status.

                            @@ -10833,14 +10833,14 @@                             - + SI-8 Additional FedRAMP Requirements and Guidance - +

                            When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.

                            https://cyber.dhs.gov/bod/18-01/

                             - +

                            CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) that will be seen by email recipients.

                             @@ -10866,9 +10866,9 @@ - + SI-10 Additional FedRAMP Requirements and Guidance - +

                            Validate all information inputs and document any exceptions

                             @@ -11065,9 +11065,9 @@ - + SR-3 Additional FedRAMP Requirements and Guidance - +

                            CSO must document and maintain the supply chain custody, including replacement devices, to ensure the integrity of the devices before being introduced to the boundary.

                             @@ -11118,9 +11118,9 @@ - + SR-6 Additional FedRAMP Requirements and Guidance - +

                            CSOs must ensure that their supply chain vendors build and test their systems in alignment with NIST SP 800-171 or a commensurate security and compliance framework. CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.

                             @@ -11138,9 +11138,9 @@ - + SR-8 Additional FedRAMP Requirements and Guidance - +

                            CSOs must ensure and document how they receive notifications from their supply chain vendor of newly discovered vulnerabilities including zero-day vulnerabilities.

                             @@ -11161,9 +11161,9 @@ - + SR-11 Additional FedRAMP Requirements and Guidance - +

                            CSOs must ensure that their supply chain vendors provide authenticity of software and patches and the vendor must have a plan to protect the development pipeline.