FedRAMP Associated TIC Capabilities
Version 2.0

KEY:

ID

TS.PF.01

TM.AU.01

TM.AU.01

TM.COM.02

TS.RA.01
TS.RA.01

TS.RA.02, TS.RA.03

TM.DS.03, TS.INS.01, TM.DS.04, TO.MON.04

TO.MON.04

TM.LOG.02

TS.PF.06, TS.CF.13

TM.DS.01

TS.INS.01

TS.INS.01, TO.MON.03, TO.MON.03

TM.LOG.01

TM.LOG.03, TM.LOG.04

TO.MON.02

TM.COM.02, TS.RA.02, TS.RA.03

TS.RA.02
TS.RA.02, TS.RA.03

TO.REP.01, TO.REP.02, TO.REP.03

TO.MG.02

TM.TC.02

TO.MG.01. TO.MG.07

TO.MG.02

TM.TC.07, TM.DS.02, TO.MG.04

TM.TC.01
TM.TC.01, TO.MG.05
TM.TC.01

TM.DS.02

TM.TC.03

TM.AU.01
TM.AU.01
TM.AU.01
TS.RA.01, TM.AU.01
TM.AU.01

TM.AU.01
TM.AU.01

TM.AU.01
TM.AU.01
TM.AU.01
TM.AU.01
TS.CF.10, TM.AU.01

TM.AU.01

TM.AU.01
TM.AU.01

TM.AU.01
TM.AU.01
TM.AU.01
TM.AU.01
TM.AU.01
TM.AU.01

TS.CF.09

TM.TC.06

TO.MON.05

TO.REP.04

TM.TC.05, TO.RES.01

TO.MG.06

TM.PC.01, TM.PC.02

TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02, TM.PC.04

TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02, TM.PC.05

TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02

TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02
TM.PC.01, TM.PC.02

TM.COM.02

TO.RES.03

TS.INS.01, TS.PF.01, TS.CF.01, TS.CF.02,


TS.CF.03, TS.CF.04, TS.CF.13, TS.PF.03,
TS.PF.04

TS.RA.03
TS.PF.02, TS.PF.05

TS.RA.01, TS.RA.03
TS.CF.01, TS.CF.02, TS.CF.03

TS.CF.06, TS.CF.07

TS.CF.13, TM.TC.04
TS.CF.13, TM.TC.04
TS.CF.13, TM.TC.04

TO.RES.02

TS.CF.04

TM.DS.03, TS.CF.05, TS.CF.08, TS.CF.11,


TS.CF.12

TS.INS.02

TS.MON.01

TS.CF.04

TM.DS.03

TO.MG.03

TO.MG.10

TO.MG.11

TM.DS.05

TM.PC.06

TM.PC.03

TM.COM.01
TM.COM.03
TS.PF.07

Added capability
Added guidance/requirement
TIC capability not applicable to cloud model

TIC RELATED REQUIREMENTS AND GUIDANCE

ID
Access Control (AC)
AC-1
AC-2
AC-2 (1)
AC-2 (2)
AC-2 (3)

AC-2 (4)
AC-2 (5)
AC-2 (7)
AC-2 (9)
AC-2 (10)
AC-2 (12)

AC-3
AC-3 (3)

AC-4
AC-4 (21)

AC-5
AC-6
AC-6 (1)
AC-6 (2). Guidance: Related guidance may be found in AC-6(1) and FedRAMP Test Cases v2.0.

AC-6 (5)
AC-6 (9)
AC-6 (10)

AC-7

AC-8

AC-10
AC-11
AC-11 (1)

AC-12
AC-14
AC-16
AC-17
AC-17 (1)
AC-17 (2)
AC-17 (3)
AC-17 (4)
AC-17 (9)

AC-18
AC-18 (1)

AC-19

AC-19 (5)

AC-20
AC-20 (1)
AC-20 (2)

AC-21
AC-22

Awareness and Training (AT)
AT-1
AT-2

AT-2 (2)

AT-3

AT-4

Audit and Accountability (AU)
AU-1 Requirements:
* The service provider will make cloud-based log data (as defined in AU-3) for all external network accesses available to the agency so it can be analyzed by tenants and potentially US-CERT, as part of SC-7 defined controls. External access is defined as access to the D/A cloud service instance that does not route through its TICAP, for instance direct web-based access or mobile access.
* The SLA should provide that the cloud-based log data is owned by the customer and that it is the customer's responsibility to provide audit logs to DHS and US-CERT.
AU-2

AU-2 (3)

AU-3 Requirement: The service provider shall make available the ability to configure and collect audit records pertaining to their instance of the service, including automatic transfer of such records.
For IaaS cloud service instances, the content of these audit records shall include, at a minimum, for all users: source IP address, destination IP address, login time, logout time, login date, logout date, user ID, login success, login failure. Audit records shall log privileged events performed by the agency administrator of the service instance, including new users created, users locked out, and changes to administrative settings. Where possible, network layer data elements including, but not limited to, source port number, destination port number, network protocol (TCP, UDP, etc.), ICMP type/code, packet length, timestamp and duration, sensor ID information, and TCP flag information shall be included.
For PaaS cloud service instances, the content of these audit records shall include, at a minimum, for all users: source IP address, destination IP address (where applicable), login time, logout time, login date, logout date, user ID, login success, login failure. Audit records shall log privileged events performed by the agency administrator of the service instance, including new users created, users locked out, and changes to administrative settings. Where possible, network layer data elements including, but not limited to, source port number, destination port number, network protocol (TCP, UDP, etc.), ICMP type/code, packet length, timestamp and duration, sensor ID information, and TCP flag information shall be included.
For SaaS cloud service instances, the content of these audit records shall include, at a minimum, for all users: source IP address, destination IP address (where applicable), login time, logout time, login date, logout date,
Please refer to AU-3(1)

AU-3 (1)

AU-4: Service provider has storage capacity to retain at least 24 hours of records as defined in AU-3.
AU-5

AU-6
* The D/A submits data made available in their cloud services instance as described in AU-3(1) to DHS through automated means [at least hourly].
* Provide access for government authorized audits.

AU-6 (1)

AU-6 (3)

AU-7
AU-7 (1)

AU-8
AU-8 (1)

AU-9
AU-9 (2)
AU-9 (4)

AU-10
AU-11 Requirement: All service provider event recording logs remain online for 7 days.

AU-12

Security Assessment and Authorization (CA)
CA-1
CA-2
CA-2 (1)
CA-2 (2)
CA-2 (3)

CA-3: Dedicated external connections to cloud services should be configured in accordance with the TIC reference architecture.

CA-3 (3)
CA-3 (5)

CA-5
CA-6

CA-7

CA-7 (1)

CA-8
CA-8 (1)

CA-9
Configuration Management (CM)
CM-1
CM-2
CM-2 (1)
CM-2 (3)
CM-2 (7)

CM-3

CM-4
CM-5
CM-5 (1)
CM-5 (3)

CM-5 (5)

CM-6

CM-6 (1)

CM-7

CM-7 (1)
CM-7 (2)
CM-7 (4)
CM-7 (5)

CM-8
CM-8 (1)
CM-8 (3)
CM-8 (5)

CM-9
CM-10
CM-10 (1)

CM-11

Contingency Planning (CP)
CP-1
CP-2 Requirement: Service provider operations personnel have 24x7 physical or remote access to management systems, which control the service devices. Using this access, operations personnel can terminate, troubleshoot or repair external connections, including to the Internet, as required.

CP-2 (1)
CP-2 (2)

CP-2 (3)
CP-2 (8)

CP-3
CP-4

CP-4 (1)

CP-6
CP-6 (1)
CP-6 (3)

CP-7

CP-7 (1)
CP-7 (2)
CP-7 (3)

CP-8
CP-8 (1)

CP-8 (2) Requirement: The service provider follows the National Communications System (NCS) recommendations for Route Diversity, including at least two physically separate points of entry and physically separate cabling paths to an external telecommunications provider or Internet provider facility.

CP-9

CP-9 (1)
CP-9 (3)

CP-10
CP-10 (2)

CP-11 Requirement: All service provider systems and components support both IPv4 and IPv6 protocols for tenants in accordance with OMB Memorandum M-05-22 and Federal CIO memorandum Transition to IPv6.
The service provider has the capability to support both IPv4 and IPv6 addresses for tenants and can transit both native IPv4 and native IPv6 traffic (i.e. dual-stack) between external connections. The service provider may also support other IPv6 transit methods such as tunneling or translation. The service provider has the capacity to activate these IPv6 capabilities upon request of the D/A client.
The service provider ensures that systems have the capacity to implement IPv6 capabilities (native, tunneling or translation) for tenants, without compromising IPv4 capabilities or security. IPv6 security capabilities should achieve at least functional parity with IPv4 security capabilities.

Identification and Authentication (IA)
IA-1
IA-2
IA-2 (1)
IA-2 (2)
IA-2 (3)
IA-2 (5)
IA-2 (8)
IA-2 (11)

IA-2 (12)

IA-3
IA-4
IA-4 (4)

IA-5 Guidance: The service provider will support mechanisms for tenant management over encrypted channels.

IA-5 (1)

IA-5 (2)
IA-5 (3)
IA-5 (4)

IA-5 (6)
IA-5 (7)
IA-5 (11)

IA-6
IA-7
IA-8
IA-8 (1)
IA-8 (2)
IA-8 (3)
IA-8 (4)

IA-9 Recommended: The service provider validates routing protocol information using authenticated protocols. Border Gateway Protocol (BGP) sessions are configured in accordance with, but not limited to, the following recommendation from NIST SP 800-54: BGP sessions are protected with the MD5 signature option.

Incident Response (IR)
IR-1 Requirement: The service provider system management location is staffed 24x7. On-scene personnel are capable of supporting incident response.

IR-2
IR-3

IR-3 (2)

IR-4

IR-4 (1)

IR-5
IR-6: CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01.
IR-6 (1)

IR-7
IR-7 (1)
IR-7 (2)

IR-8: CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01.

IR-9
IR-9 (1)
IR-9 (2)
IR-9 (3)
IR-9 (4)

Maintenance (MA)
MA-1
MA-2
MA-3
MA-3 (1)
MA-3 (2)
MA-3 (3)

MA-4
MA-4 (2)

MA-5
MA-5 (1)

MA-6

Media Protection (MP)
MP-1
MP-2
MP-3
MP-4

MP-5

MP-5 (4)

MP-6

MP-6 (2)

MP-7
MP-7 (1)

Physical and Environmental Protection (PE)
PE-1

PE-2
PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings.

PE-4
PE-5
PE-6
PE-6 (1)

PE-8
PE-9
PE-10
PE-11
PE-11 (1) Requirement: The nature of cloud based systems can enable availability and resiliency capabilities to support uninterrupted operations as described in this requirement. The service provider shall document and demonstrate such capabilities for cloud-based equivalencies that support the requirement.

PE-12
PE-13
PE-13 (2)
PE-13 (3)

PE-14

PE-14 (2)

PE-15
PE-16
PE-17

Planning (PL)
PL-1
PL-2
PL-2 (3)

PL-4
PL-4 (1)

PL-8

Personnel Security (PS)
PS-1
PS-2
PS-3

PS-3 (3)

PS-4
PS-5
PS-6
PS-7
PS-8

Risk Assessment (RA)
RA-1
RA-2
RA-3

RA-5

RA-5 (1)
RA-5 (2)
RA-5 (3)
RA-5 (5)
RA-5 (6)
RA-5 (8)

System and Services Acquisition (SA)


SA-1
SA-2
SA-3
SA-4

SA-4 (1)
SA-4 (2)
SA-4 (7)
SA-4 (8)
SA-4 (9)
SA-4 (10)

SA-5
SA-8
SA-9

SA-9 (1)

SA-9 (2)
SA-9 (4)
SA-9 (5)

SA-10
SA-10 (1)

SA-11
SA-11 (1)

SA-11 (2)
SA-11 (8)

SA-12

System and Communications Protection (SC)

SC-1
SC-2
SC-4 Recommended for Low-impact deployments: The cloud systems and management functions are located in logically isolated spaces dedicated for exclusive use. The space is secured by access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated logically isolated spaces include, but are not limited to, hypervisor protections to isolate guests in hosts, ensuring previous guest memory is not accessible by concurrent or subsequent guests, and network communication isolation between customers and cloud management via VLAN/VXLAN or similar logical network separation in end hosts as well as interconnecting switches.
SC-5 Requirements:
* Service provider mitigates the impact on a non-targeted client of a DoS attack on another client.
* Service provider manages files, excess capacity, bandwidth or other redundancy to limit the effects of information flooding types of denial of service attacks.
Related guidance may be found in SC-5, FedRAMP Test Cases v2.0.
SC-6

SC-7 Requirements:
* The service provider will make cloud-based log data (as defined in AU-3) for external network accesses to the D/A resources available to the agency so it can be analyzed by the tenant and potentially US-CERT.
* The service provider implements (using malicious address and domain information from the client D/A and US-CERT):
1) stateless blocking of unallowed [SC-7(5)] outbound connections without being limited by connection state tables of systems and components. Attributes inspected by stateless blocks include, but are not limited to:
   Direction (inbound, outbound, interface)
   Source and destination IPv4/IPv6 addresses and network masks
   Network protocols (TCP, UDP, ICMP, etc.)
   Source and destination port numbers (TCP, UDP)
   Message codes (ICMP)
2) filters DNS queries for known malicious domains
By default, the service provider blocks unsolicited inbound connections. For authorized outbound connections, the service provider implements stateful inspection that tracks the state of all outbound connections and blocks packets which deviate from standard protocol state transitions. Protocols supported by stateful inspection devices include, but are not limited to:
   ICMP (errors matched to original protocol header)
   TCP (using protocol state transitions)
   UDP (using timeouts)
   Other Internet protocols (using timeouts)
   Stateless network filtering attributes
For web based services, the service provider filters inbound web sessions to web servers at the HTTP/HTTPS/SOAP/XML-RPC/Web Service
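To make the stateless-blocking and DNS-filtering requirements above concrete, here is an added example (not code from the overlay or from any CSP) that evaluates packets against block rules over exactly the attributes the text lists, without any connection-state table, and filters DNS queries by listed domain. The Packet and BlockRule structures are assumptions for the example, and every address and domain in it is constructed, not a real indicator.

```python
"""Stateless block evaluation and DNS filtering in the shape SC-7 describes.

Added example, not from the FedRAMP/TIC overlay. Rules constrain only the
attributes the text names: direction, source/destination IPv4/IPv6 address
and mask, network protocol, destination port, ICMP type/code. No state table
is consulted; each packet is judged on its own.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Packet:
    direction: str            # "inbound" or "outbound" relative to the tenant
    src: str                  # IPv4 or IPv6 address as text
    dst: str
    protocol: str             # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class BlockRule:
    """One stateless block. An attribute left unset matches anything."""
    name: str
    direction: Optional[str] = None
    src: Optional[Network] = None
    dst: Optional[Network] = None
    protocol: Optional[str] = None
    dst_ports: frozenset = frozenset()     # empty: any destination port
    icmp_codes: frozenset = frozenset()    # set of (type, code); empty: any


def rule_matches(rule: BlockRule, pkt: Packet) -> bool:
    """True when every attribute the rule constrains is met by the packet."""
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # An IPv4 prefix never matches an IPv6 packet and vice versa.
    if rule.src and (src.version != rule.src.version or src not in rule.src):
        return False
    if rule.dst and (dst.version != rule.dst.version or dst not in rule.dst):
        return False
    if rule.dst_ports and pkt.dst_port not in rule.dst_ports:
        return False
    if rule.icmp_codes and (pkt.icmp_type, pkt.icmp_code) not in rule.icmp_codes:
        return False
    return True


def evaluate(rules: list[BlockRule], pkt: Packet) -> tuple[str, Optional[str]]:
    """First matching rule blocks. Otherwise apply the text's defaults:
    inbound is blocked (no state here to recognise solicited replies, that is
    the stateful stage's job); outbound is passed on to stateful inspection."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return "block", rule.name
    if pkt.direction == "inbound":
        return "block", "default-deny-inbound"
    return "pass", None


def dns_query_blocked(qname: str, blocked_domains: set[str]) -> bool:
    """Block a query for a listed domain or for any subdomain of it."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocked_domains for i in range(len(labels)))


# Constructed sample indicators standing in for the feed from the D/A and US-CERT.
RULES = [
    BlockRule("bad-c2-range", direction="outbound",
              dst=ipaddress.ip_network("203.0.113.0/24")),
    BlockRule("bad-v6-host", direction="outbound",
              dst=ipaddress.ip_network("2001:db8:bad::/48"),
              protocol="tcp", dst_ports=frozenset({443, 8443})),
    BlockRule("icmp-timestamp", protocol="icmp",
              icmp_codes=frozenset({(13, 0), (14, 0)})),
]
BLOCKED_DOMAINS = {"malware.example", "phish.example.net"}
```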

SC-7 (3)
SC-7 (4)

Intent: This is about blocking rogue devices from within the CSP's
network, more specifically from within the D/A's instance within the CSP.
Depending on the service offering, this may be a tenant or CSP
responsibility.

SC-7 (5)

SC-7 (7)
SC-7 (8)
SC-7 (12)
SC-7 (13)

SC-7 (18)

SC-8

For cloud-based email services, CSPs provide the capability for domain-level sender authentication (for example signing and verifying with DomainKeys Identified Mail or Sender Policy Framework); agencies have the responsibility to enable it.

SC-8 (1)

SC-10
SC-11

SC-12
SC-12 (2)
SC-12 (3)

SC-13
SC-15
SC-17
SC-18
SC-19
SC-20
SC-21
SC-22
SC-23
SC-28
SC-30
SC-39

System and Information Integrity (SI)

SI-1
SI-2: CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01.
SI-2 (2)
SI-2 (3)

SI-3
SI-3 (1)
SI-3 (2)

SI-4 Recommended: For email services, it is recommended the service enable quarantine functionality for mail categorized as potentially suspicious while the agency's mail domain reviews and decides what action to take. The agency's mail domain can take at least the following actions: block the message, deliver the message, sanitize malicious content and tag undesirable content.
SI-4 (10) Requirement: The service provider documentation includes a description of defensive measures taken to protect clients from malicious content or unauthorized exfiltration.
SI-4 (1) Requirement: The service provider passes all inbound/outbound network traffic through Network Intrusion Detection Systems (NIDS) configured with custom signatures, including signatures for the application layer. This includes, but is not limited to, critical signatures published by US-CERT.
SI-4 (2)
SI-4 (4)
SI-4 (5)
SI-4 (16)
SI-4 (23)

SI-5

SI-6

SI-7
SI-7 (1)
SI-7 (7)

SI-8
SI-8 (1)
SI-8 (2)

SI-10
SI-11
SI-12
SI-16
Service Level
SLA-1 Requirement: The service provider documents in the agreement with the customer agency that the customer agency retains ownership of its data collected by the service provider.

SLA-3 Requirement: The provider communicates all changes approved through the formal configuration management and change management processes to customers, as defined in SLAs or other authoritative documents.

SLA-4 Requirement: The provider accommodates tailored communications policies to meet the individual customer requirements as negotiated with the customer.

SLA-5 Requirement: Service provider accommodates tailored communications processes to meet individual customer requirements as negotiated with the customer.

SLA-6 Recommended (SC-7(10)): The service provider has a Data Loss Prevention program and follows a documented procedure for Data Loss Prevention with regards to the operation of the service. The service provider's Data Loss Prevention program extends to the customer only when the customer's data is in the CSP's domain. Otherwise, the overall Data Loss Prevention program is the responsibility of the customer with respect to the customer's data.

SLA-8 Recommended: Service providers that support more than one customer should have multiple ISP peers with diverse geographic paths.

TIC Controls
NOT-1
NOT-1 Guidance: SCIF facilities are not needed if NetFlow information is sent back to the agency to be analyzed by the agency TICAP.
NOT-1 Guidance: TS/SCI cleared personnel are not needed if related analysis is happening at the agency TICAP.
NOT-1 Guidance: Secret cleared personnel are not needed if related analysis is happening at the agency TICAP.
NOT APPLICABLE - Agencies may document alternative ways to achieve reasonable accommodation for users of FedVRS.

NOT-2
NOT-3
NOT-4

FedRAMP Security Controls Baseline
Version 2.0

CONTROL NAME / FedRAMP MODERATE
Access Control Policy and Procedures

AC-1

Account Management

AC-2

Account Management | Automated System Account Management

AC-2 (1)

Account Management | Removal of Temporary / Emergency Accounts

AC-2 (2)

Account Management | Disable Inactive Accounts

AC-2 (3)

Account Management | Automated Audit Actions

AC-2 (4)

Account Management | Inactivity Logout

AC-2 (5)

Account Management | Role-Based Schemes

AC-2 (7)

Account Management | Restrictions on Use of Shared Groups / Accounts

AC-2 (9)

Account Management | Shared / Group Account Credential Termination

AC-2 (10)

Account Management | Account Monitoring / Atypical Usage

AC-2 (12)

Access Enforcement

AC-3

Access Enforcement | Mandatory Access Control

Information Flow Enforcement

AC-4

Information Flow Enforcement | Physical / Logical Separation of Information Flows

AC-4 (21)

Separation of Duties

AC-5

Least Privilege

AC-6

Least Privilege | Authorize Access to Security Functions

AC-6 (1)

Least Privilege | Non-Privileged Access For Nonsecurity Functions

AC-6 (2)

Least Privilege | Privileged Accounts

AC-6 (5)

Least Privilege | Auditing Use of Privileged Functions

AC-6 (9)

Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions

AC-6 (10)

Unsuccessful Logon Attempts

AC-7

System Use Notification

AC-8

Concurrent Session Control

AC-10

Session Lock

AC-11

Session Lock | Pattern-Hiding Displays

AC-11 (1)

Session Termination

AC-12

Permitted Actions Without Identification or Authentication

AC-14

Security Attributes

Remote Access

AC-17

Remote Access | Automated Monitoring / Control

AC-17 (1)

Remote Access | Protection of Confidentiality / Integrity Using Encryption

AC-17 (2)

Remote Access | Managed Access Control Points

AC-17 (3)

Remote Access | Privileged Commands / Access

AC-17 (4)

Remote Access | Disconnect / Disable Access

AC-17 (9)

Wireless Access

AC-18

Wireless Access | Authentication and Encryption

AC-18 (1)

Access Control For Mobile Devices

AC-19

Access Control For Mobile Devices | Full Device / Container-Based Encryption

AC-19 (5)

Use of External Information Systems

AC-20

Use of External Information Systems | Limits on Authorized Use

AC-20 (1)

Use of External Information Systems | Portable Storage Devices

AC-20 (2)

Information Sharing

AC-21

Publicly Accessible Content

AC-22

Awareness and Training (AT)

Security Awareness and Training Policy and Procedures

AT-1

Security Awareness Training

AT-2

Security Awareness | Insider Threat

AT-2 (2)

Role-Based Security Training

AT-3

Security Training Records

AT-4

Audit and Accountability (AU)


Audit and Accountability Policy and Procedures

AU-1

Audit Events

AU-2

Audit Events | Reviews and Updates

AU-2 (3)

Content of Audit Records

AU-3

Content of Audit Records | Additional Audit Information

AU-3 (1)

Audit Storage Capacity

AU-4

Response to Audit Processing Failures

AU-5

Audit Review, Analysis, and Reporting

AU-6

Audit Review, Analysis, and Reporting | Process Integration

AU-6 (1)

Audit Review, Analysis, and Reporting | Correlate Audit Repositories

AU-6 (3)

Audit Reduction and Report Generation

AU-7

Audit Reduction and Report Generation | Automatic Processing

AU-7 (1)

Time Stamps

AU-8

Time Stamps | Synchronization With Authoritative Time Source

AU-8 (1)

Protection of Audit Information

AU-9

Protection of Audit Information | Audit Backup on Separate Physical Systems / Components

AU-9 (2)

Protection of Audit Information | Access by Subset of Privileged Users

AU-9 (4)

Non-Repudiation

Audit Record Retention

AU-11

Audit Generation

AU-12

Security Assessment and Authorization (CA)

Security Assessment and Authorization Policies and Procedures

CA-1

Security Assessments

CA-2

Security Assessments | Independent Assessors

CA-2 (1)

Security Assessments | Specialized Assessments

CA-2 (2)

Security Assessments | External Organizations

CA-2 (3)

System Interconnections

CA-3

System Interconnections | Unclassified Non-National Security System Connections

CA-3 (3)

System Interconnections | Restrictions on External Network Connections

CA-3 (5)

Plan of Action and Milestones

CA-5

Security Authorization

CA-6

Continuous Monitoring

CA-7

Continuous Monitoring | Independent Assessment

CA-7 (1)

Penetration Testing

CA-8

Penetration Testing | Independent Penetration Agent or Team

CA-8 (1)

Internal System Connections

CA-9

Configuration Management (CM)

Configuration Management Policy and Procedures

CM-1

Baseline Configuration

CM-2

Baseline Configuration | Reviews and Updates

CM-2 (1)

Baseline Configuration | Retention of Previous Configurations

CM-2 (3)

Baseline Configuration | Configure Systems, Components, or Devices for High-Risk Areas

CM-2 (7)

Configuration Change Control

CM-3

Security Impact Analysis

CM-4

Access Restrictions For Change

CM-5

Access Restrictions For Change | Automated Access Enforcement / Auditing

CM-5 (1)

Access Restrictions For Change | Signed Components

CM-5 (3)

Access Restrictions For Change | Limit Production / Operational Privileges

CM-5 (5)

Configuration Settings

CM-6

Configuration Settings | Automated Central Management / Application / Verification

CM-6 (1)

Least Functionality

CM-7

Least Functionality | Periodic Review

CM-7 (1)

Least Functionality | Prevent Program Execution

CM-7 (2)

Least Functionality | Unauthorized Software / Blacklisting

Least Functionality | Authorized Software / Whitelisting

CM-7 (5)

Information System Component Inventory

CM-8

Information System Component Inventory | Updates During Installations / Removals

CM-8 (1)

Information System Component Inventory | Automated Unauthorized Component Detection

CM-8 (3)

Information System Component Inventory | No Duplicate Accounting of Components

CM-8 (5)

Configuration Management Plan

CM-9

Software Usage Restrictions

CM-10

Software Usage Restrictions | Open Source Software

CM-10 (1)

User-Installed Software

CM-11

Contingency Planning (CP)

Contingency Planning Policy and Procedures

CP-1

Contingency Plan

CP-2

Contingency Plan | Coordinate With Related Plans

CP-2 (1)

Contingency Plan | Capacity Planning

CP-2 (2)

Contingency Plan | Resume Essential Missions / Business Functions

CP-2 (3)

Contingency Plan | Identify Critical Assets

CP-2 (8)

Contingency Training

CP-3

Contingency Plan Testing

CP-4

Contingency Plan Testing | Coordinate With Related Plans

CP-4 (1)

Alternate Storage Site

CP-6

Alternate Storage Site | Separation From Primary Site

CP-6 (1)

Alternate Storage Site | Accessibility

CP-6 (3)

Alternate Processing Site

CP-7

Alternate Processing Site | Separation From Primary Site

CP-7 (1)

Alternate Processing Site | Accessibility

CP-7 (2)

Alternate Processing Site | Priority of Service

CP-7 (3)

Telecommunications Services

CP-8

Telecommunications Services | Priority of Service Provisions

CP-8 (1)

Telecommunications Services | Single Points of Failure

CP-8 (2)

Information System Backup

CP-9

Information System Backup | Testing For Reliability / Integrity

CP-9 (1)

Information System Backup | Separate Storage for Critical Information

CP-9 (3)

Information System Recovery and Reconstitution

CP-10

Information System Recovery and Reconstitution | Transaction Recovery

CP-10 (2)

Alternate Communications Protocols

Identification and Authentication (IA)


Identification and Authentication Policy and Procedures

IA-1

Identification and Authentication (Organizational Users)

IA-2

Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts

IA-2 (1)

Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts

IA-2 (2)

Identification and Authentication (Organizational Users) | Local Access to Privileged Accounts

IA-2 (3)

Identification and Authentication (Organizational Users) | Group Authentication

IA-2 (5)

Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts - Replay Resistant

IA-2 (8)

Identification and Authentication (Organizational Users) | Remote Access - Separate Device

IA-2 (11)

Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials

IA-2 (12)

Device Identification and Authentication

IA-3

Identifier Management

IA-4

Identifier Management | Identify User Status

IA-4 (4)

Authenticator Management

IA-5

Authenticator Management | Password-Based Authentication

IA-5 (1)

Authenticator Management | PKI-Based Authentication

IA-5 (2)

Authenticator Management | In-Person or Trusted Third-Party Registration

IA-5 (3)

Authenticator Management | Automated Support for Password Strength Determination

IA-5 (4)

Authenticator Management | Protection of Authenticators

IA-5 (6)

Authenticator Management | No Embedded Unencrypted Static Authenticators

IA-5 (7)

Authenticator Management | Hardware Token-Based Authentication

IA-5 (11)

Authenticator Feedback

IA-6

Cryptographic Module Authentication

IA-7

Identification and Authentication (Non-Organizational Users)

IA-8

Identification and Authentication (Non-Organizational Users) | Acceptance of PIV Credentials from Other Agencies

IA-8 (1)

Identification and Authentication (Non-Organizational Users) | Acceptance of Third-Party Credentials

IA-8 (2)

Identification and Authentication (Non-Organizational Users) | Use of FICAM-Approved Products

IA-8 (3)

Identification and Authentication (Non-Organizational Users) | Use of FICAM-Issued Profiles

IA-8 (4)

Service Identification and Authentication

Incident Response (IR)


Incident Response Policy and Procedures

IR-1

Incident Response Training

IR-2

Incident Response Testing

IR-3

Incident Response Testing | Coordination With Related Plans

IR-3 (2)

Incident Handling

IR-4

Incident Handling | Automated Incident Handling Processes

IR-4 (1)

Incident Monitoring

IR-5

Incident Reporting

IR-6

Incident Reporting | Automated Reporting

IR-6 (1)

Incident Response Assistance

IR-7

Incident Response Assistance | Automation Support For Availability of Information / Support

IR-7 (1)

Incident Response Assistance | Coordination With External Providers

IR-7 (2)

Incident Response Plan

IR-8

Information Spillage Response

IR-9

Information Spillage Response | Responsible Personnel

IR-9 (1)

Information Spillage Response | Training

IR-9 (2)

Information Spillage Response | Post-Spill Operations

IR-9 (3)

Information Spillage Response | Exposure to Unauthorized Personnel

IR-9 (4)

Maintenance (MA)
System Maintenance Policy and Procedures

MA-1

Controlled Maintenance

MA-2

Maintenance Tools

MA-3

Maintenance Tools | Inspect Tools

MA-3 (1)

Maintenance Tools | Inspect Media

MA-3 (2)

Maintenance Tools | Prevent Unauthorized Removal

MA-3 (3)

Nonlocal Maintenance

MA-4

Nonlocal Maintenance | Document Nonlocal Maintenance

MA-4 (2)

Maintenance Personnel

MA-5

Maintenance Personnel | Individuals Without Appropriate Access

MA-5 (1)

Timely Maintenance

MA-6

Media Protection (MP)

Media Protection Policy and Procedures

MP-1

Media Access

MP-2

Media Marking

MP-3

Media Storage

MP-4

Media Transport

MP-5

Media Transport | Cryptographic Protection

MP-5 (4)

Media Sanitization

MP-6

Media Sanitization | Equipment Testing

MP-6 (2)

Media Use

MP-7

Media Use | Prohibit Use without Owner

MP-7 (1)

Physical and Environmental Protection (PE)


Physical and Environmental Protection Policy and Procedures

PE-1

Physical Access Authorizations

PE-2

Physical Access Control

PE-3

Access Control For Transmission Medium

PE-4

Access Control For Output Devices

PE-5

Monitoring Physical Access

PE-6

Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment

PE-6 (1)

Visitor Access Records

PE-8

Power Equipment and Cabling

PE-9

Emergency Shutoff

PE-10

Emergency Power

PE-11

Emergency Lighting

PE-12

Fire Protection

PE-13

Fire Protection | Suppression Devices / Systems

PE-13 (2)

Fire Protection | Automatic Fire Suppression

PE-13 (3)

Temperature and Humidity Controls

PE-14

Temperature and Humidity Controls | Monitoring With Alarms / Notifications

PE-14 (2)

Water Damage Protection

PE-15

Delivery and Removal

PE-16

Alternate Work Site

PE-17

Planning (PL)
Security Planning Policy and Procedures

PL-1

System Security Plan

PL-2

System Security Plan | Plan / Coordinate With Other Organizational Entities

PL-2 (3)

Rules of Behavior

PL-4

Rules of Behavior | Social Media and Networking Restrictions

PL-4 (1)

Information Security Architecture

PL-8

Personnel Security (PS)

Personnel Security Policy and Procedures

PS-1

Position Risk Designation

PS-2

Personnel Screening

PS-3

Personnel Screening | Information With Special Protection Measures

PS-3 (3)

Personnel Termination

PS-4

Personnel Transfer

PS-5

Access Agreements

PS-6

Third-Party Personnel Security

PS-7

Personnel Sanctions

PS-8

Risk Assessment (RA)

Risk Assessment Policy and Procedures

RA-1

Security Categorization

RA-2

Risk Assessment

RA-3

Vulnerability Scanning

RA-5

Vulnerability Scanning | Update Tool Capability

RA-5 (1)

Vulnerability Scanning | Update by Frequency / Prior to New Scan / When Identified

RA-5 (2)

Vulnerability Scanning | Breadth / Depth of Coverage

RA-5 (3)

Vulnerability Scanning | Privileged Access

RA-5 (5)

Vulnerability Scanning | Automated Trend Analyses

RA-5 (6)

Vulnerability Scanning | Review Historic Audit Logs

RA-5 (8)

System and Services Acquisition (SA)


System and Services Acquisition Policy and Procedures

SA-1

Allocation of Resources

SA-2

System Development Life Cycle

SA-3

Acquisition Process

SA-4

Acquisition Process | Functional Properties of Security Controls

SA-4 (1)

Acquisition Process | Design / Implementation Information for Security Controls

SA-4 (2)

Acquisition Process | NIAP-Approved Protection Profiles

Acquisition Process | Continuous Monitoring Plan

SA-4 (8)

Acquisition Process | Functions / Ports / Protocols / Services in Use

SA-4 (9)

Acquisition Process | Use of Approved PIV Products

SA-4 (10)

Information System Documentation

SA-5

Security Engineering Principles

SA-8

External Information System Services

SA-9

External Information Systems | Risk Assessments / Organizational Approvals

SA-9 (1)

External Information Systems | Identification of Functions / Ports / Protocols / Services

SA-9 (2)

External Information Systems | Consistent Interests of Consumers and Providers

SA-9 (4)

External Information Systems | Processing, Storage, and Service Location

SA-9 (5)

Developer Configuration Management

SA-10

Developer Configuration Management | Software / Firmware Integrity Verification

SA-10 (1)

Developer Security Testing and Evaluation

SA-11

Developer Security Testing and Evaluation | Static Code Analysis

SA-11 (1)*

Developer Security Testing and Evaluation | Threat and Vulnerability Analyses

SA-11 (2)

Developer Security Testing and Evaluation | Dynamic Code Analysis

SA-11 (8)*

Supply Chain Protection


System and Communications Protection (SC)

System and Communications Protection Policy and Procedures

SC-1

Application Partitioning

SC-2

Information In Shared Resources

SC-4

Denial of Service Protection

SC-5

Resource Availability

SC-6

Boundary Protection

SC-7

Boundary Protection | Access Points

SC-7 (3)

Boundary Protection | External Telecommunications Services

SC-7 (4)

Boundary Protection | Deny by Default / Allow by Exception

SC-7 (5)

Boundary Protection | Prevent Split Tunneling for Remote Devices

SC-7 (7)

Boundary Protection | Route Traffic to Authenticated Proxy Servers

SC-7 (8)

Boundary Protection | Host-Based Protection

SC-7 (12)

Boundary Protection | Isolation of Security Tools / Mechanisms / Support Components

SC-7 (13)

Boundary Protection | Fail Secure

SC-7 (18)

Transmission Confidentiality and Integrity

SC-8

Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection

Network Disconnect

SC-8 (1)

SC-10

Trusted Path

Cryptographic Key Establishment and Management

SC-12

Cryptographic Key Establishment and Management | Symmetric Keys

SC-12 (2)

Cryptographic Key Establishment and Management | Asymmetric Keys

SC-12 (3)

Cryptographic Protection
Collaborative Computing Devices
Public Key Infrastructure Certificates
Mobile Code
Voice Over Internet Protocol
Secure Name / Address Resolution Service (Authoritative Source)
Secure Name / Address Resolution Service (Recursive or Caching Resolver)
Architecture and Provisioning for Name / Address Resolution Service
Session Authenticity
Protection of Information At Rest
Concealment and Misdirection
Process Isolation
System and Information Integrity (SI)

SC-13
SC-15
SC-17
SC-18
SC-19
SC-20
SC-21
SC-22
SC-23
SC-28

SC-39

System and Information Integrity Policy and Procedures

SI-1

Flaw Remediation

SI-2

Flaw Remediation | Automated Flaw Remediation Status

SI-2 (2)

Flaw Remediation | Time to Remediate Flaws / Benchmarks for Corrective Actions

SI-2 (3)

Malicious Code Protection

SI-3

Malicious Code Protection | Central Management

SI-3 (1)

Malicious Code Protection | Automatic Updates

SI-3 (2)

Information System Monitoring

SI-4

Information System Monitoring | System-Wide Intrusion Detection System

SI-4 (1)

Information System Monitoring | Automated Tools For Real-Time Analysis

SI-4 (2)

Information System Monitoring | Inbound and Outbound Communications Traffic

SI-4 (4)

Information System Monitoring | System-Generated Alerts

SI-4 (5)

Information System Monitoring | Correlate Monitoring Information

SI-4 (16)

Information System Monitoring | Host-Based Devices

SI-4 (23)

Security Alerts, Advisories, and Directives

SI-5

Security Function Verification

SI-6

Software, Firmware, and Information Integrity

SI-7

Software, Firmware, and Information Integrity | Integrity Checks

SI-7 (1)

Software, Firmware, and Information Integrity | Integration of Detection and Response

SI-7 (7)

Spam Protection

SI-8

Spam Protection | Central Management

SI-8 (1)

Spam Protection | Automatic Updates

SI-8 (2)

Information Input Validation


Error Handling
Information Handling and Retention
Memory Protection
Service Level Agreement (SLA)
Data Ownership

SI-10
SI-11
SI-12
SI-16

Change Communication

Tailored Security Policies

Tailored Communications

Information System Partitioning

TIC Controls NOT Selected


SCIF Facilities

TIC and US-CERT (TS/SCI)


TIC and US-CERT (SECRET)
H.323

FedRAMP Security Controls Baseline


Version 2.0
ASSIGNMENT/SELECTION PARAMETERS

AC-1.b.1 [at least every 3 years]


AC-1.b.2 [at least annually]
AC-2j [annually]
[no more than 30 days for temporary and emergency account types (DoD 15 days)]
[90 days for user accounts]

AC-3 (3). [Assignment: organization-defined nondiscretionary access control policies]
Parameter: [role-based access control]. [Assignment: organization-defined set of users and resources]
Parameter: [all users and resources]

[all security functions]

AC-7a [not more than three] [fifteen minutes]
AC-7b [locks the account/node for thirty minutes]
Parameter: See Additional Requirements and Guidance.

AC-11a. [fifteen minutes]

[no greater than 15 minutes]

AC-22d. [at least quarterly]


AT-1.b.1 [at least every 3 years]
AT-1.b.2 [at least annually]
AT-2. [Assignment: organization-defined frequency]
Parameter: [at least annually]
AT-3c. [Assignment: organization-defined frequency]
Parameter: [at least annually]
AT-4b. [Assignment: organization-defined frequency]
Parameter: [at least one year]
AU-1.b.1 [at least every 3 years]
AU-1.b.2 [at least annually]

AU-2a. [Assignment: organization-defined list of auditable events]
Parameter: [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]
AU-2d. [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited]
Parameter: See additional requirements and guidance.
AU-2d. [Assignment: organization-defined frequency of (or situation requiring) auditing for each identified event].
Parameter: [continually]
AU-2 (3). [Assignment: organization-defined frequency]
Parameter: [annually or whenever there is a change in the threat environment]

AU-3 (1). [Assignment: organization-defined additional, more detailed information]
Parameter: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon]

AU-5b. [Assignment: Organization-defined actions to be taken]
Parameter: [low-impact: overwrite oldest audit records; moderate-impact: shut down]
AU-6a. [Assignment: organization-defined frequency]
Parameter: [at least weekly]

AU-8 (1). [http://tf.nist.gov/tf-cgi/servers.cgi] <At least hourly>

AU-9 (2). [at least weekly]

AU-11. [at least ninety days]

AU-12a. [all information system components where audit capability is deployed]


CA-1.b.1 [at least every 3 years]
CA-1.b.2 [at least annually]
CA-2b. [at least annually]
Added to NIST Baseline for "Low" FedRAMP baseline.
[any 3PAO] [P-ATO in FedRAMP Repository]

CA-3c. 3 Years / Annually and on input from FedRAMP

Boundary Protections which meet the Trusted Internet Connection (TIC) requirements

CA-5b. [at least monthly]


CA-6c. [at least every three years or when a significant change occurs]

CA-7d. [To meet Federal and FedRAMP requirements]

[at least annually]

CM-1.b.1 [at least every 3 years]


CM-1.b.2 [at least annually]
CM-2 (1) (a). [at least annually]
CM-2 (1) (b). [to include when directed by JAB]

CM-5 (5) (b). [at least quarterly]

CM-6a. [United States Government Configuration Baseline (USGCB)]

CM-7. [United States Government Configuration Baseline (USGCB)]

CM-7 (1). [at least quarterly]

CM-8b. [at least monthly]

CM-8 (3) (a). [Continuously, using automated mechanisms with a maximum five-minute delay in detection.]

CM-11.c. [Continuously (via CM-7 (5))]


CP-1.b.1 [at least every 3 years]
CP-1.b.2 [at least annually]
CP-2d. [at least annually]

CP-3.a. [90 days]


CP-3.c. [at least annually]
CP-4a. [at least annually for moderate impact systems; at least every three years for low impact systems] [functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems]

CP-9a. [daily incremental; weekly full]


CP-9b. [daily incremental; weekly full]
CP-9c. [daily incremental; weekly full]

CP-9 (1). [at least annually]

IA-1.b.1 [at least every 3 years]


IA-1.b.2 [at least annually]

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

IA-4d. [at least two years]


IA-4e. [ninety days for user identifiers] (See additional requirements and guidance.)
IA-4 (4). [contractors; foreign nationals]
IA-5g. [to include sixty days for passwords]

IA-5 (1) (a). [case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters]
IA-5 (1) (b). [at least one]
IA-5 (1) (d). [one day minimum, sixty day maximum]
IA-5 (1) (e). [twenty four]
IA-5 (3). [All hardware/biometric (multifactor) authenticators] [in person]

IR-1.b.1 [at least every 3 years]


IR-1.b.2 [at least annually]
IR-2b. [at least annually]
IR-3. [at least annually]

IR-6a. [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]

IR-8c. [at least annually]

MA-1.b.1 [at least every 3 years]


MA-1.b.2 [at least annually]

MA-3 (3) (d). [the information owner explicitly authorizing removal of the equipment from the facility]

MP-1.b.1 [at least every 3 years]


MP-1.b.2 [at least annually]
MP-3b. [no removable media types]
MP-4a. [all types of digital and non-digital media with sensitive information].

MP-5a. [all media with sensitive information] [prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container]

The organization: a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
[At least annually]

PE-1.b.1 [at least every 3 years]


PE-1.b.2 [at least annually]
PE-2c. [at least annually]
PE-3a.2 [CSP defined physical access control systems/devices AND guards]
PE-3d. [in all circumstances within restricted access area where the information system resides]
PE-3f. [at least annually]
PE-3g. [at least annually]

PE-6b. [at least semi-annually]


PE-8b. [at least monthly]

PE-14a. [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments]
PE-14b. [continuously]

PE-16. [all information system components]

PL-1.b.1 [at least every 3 years]


PL-1.b.2 [at least annually]
PL-2b. [at least annually]
PL-4c. [At least every 3 years]
PL-8b. [At least annually]
PS-1.b.1 [at least every 3 years]
PS-1.b.2 [at least annually]
PS-2c. [at least every three years]
PS-3b. [for national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions]
PS-3 (3)(b). [personnel screening criteria as required by specific information]
PS-4.a. [same day]
PS-5. [within five days]
PS-6b. [at least annually]
PS-6c.2. [at least annually]
PS-7d. [organization-defined time period: same day]

RA-1.b.1 [at least every 3 years]


RA-1.b.2 [at least annually]
RA-3b. [security assessment report]
RA-3c. [at least every three years or when a significant change occurs]
RA-3d. [at least every three years or when a significant change occurs]
RA-5a. [monthly operating system/infrastructure; quarterly web applications and databases]
RA-5d. [high-risk vulnerabilities mitigated within thirty days; moderate-risk vulnerabilities mitigated within ninety days]

RA-5 (2). [prior to a new scan]


RA-5 (5). [operating systems / web applications / databases] [all scans]

SA-1.b.1 [at least every 3 years]


SA-1.b.2 [at least annually]

[to include security-relevant external system interfaces and high-level design]


SA-4 (8). [to meet Federal/FedRAMP Continuous Monitoring requirements]

SA-9a. [FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system]
SA-9c. [Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored]
SA-9 (1) see Additional Requirement and Guidance

SA-9 (2). [All external systems where Federal information is processed or stored]
SA-9 (4). [All external systems where Federal information is processed or stored]
SA-9 (5). [information processing, information data, AND information services]
SA-10a. [development, implementation, AND operation]

SC-1.b.1 [at least every 3 years]


SC-1.b.2 [at least annually]

SC-7 (4). [at least annually]

SC-8. [confidentiality AND integrity]

SC-8 (1). [prevent unauthorized disclosure of information AND detect changes to information] [a hardened or alarmed carrier Protective Distribution System (PDS)]

SC-10. [no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions]
SC-11. [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication]
Parameter: See additional requirements and guidance

SC-12 (2). [NIST FIPS-compliant]


[FIPS-validated or NSA-approved cryptography]
SC-15a. [no exceptions]

SC-28. [confidentiality AND integrity]

SI-1.b.1 [at least every 3 years]


SI-1.b.2 [at least annually]
SI-2c. [No greater than 30 days]
SI-2 (2). [at least monthly]
SI-3.c.1 [at least weekly] [to include endpoints]
SI-3.c.2 [to include alerting administrator or defined security personnel]

SI-4 (4). [continually]

SI-5a. [to include US-CERT]


SI-5c. [to include system security personnel and administrators with configuration/patch-management responsibilities]
SI-6b [to include upon system startup and/or restart and at least every ninety days]
SI-6c [to include system administrators and security personnel]
SI-6d [to include notification of system administrators and security personnel]
SI-7 (1). [Selection to include security relevant events and at least monthly]

FedRAMP RELATED REQUIREMENTS AND GUIDANCE

Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB.

Required if shared/group accounts are deployed


Required if shared/group accounts are deployed
Required for privileged accounts
AC-3 (3). Requirement: The service provider: a. Assigns user accounts and authenticators in accordance within service provider's role-based access control policies; b. Configures the information system to request user ID and authenticator prior to system access; and c. Configures the databases containing federal information in accordance with service provider's security administration guide to provide role-based access controls enforcing assigned privileges and permissions at the file, table, row, column, or cell level, as appropriate.

AC-6 (2). Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB.
Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB.
Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB.

Requirement: d. The service provider defines the subset of auditable events from AU-2a to be audited. The events to be audited are approved and accepted by JAB.

Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB.

AU-3 (1). Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the JAB.
Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

AU-8 (1). Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.
Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.
Guidance: Synchronization of system clocks improves the accuracy of log analysis.

AU-11. Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

For JAB Authorization, must be an accredited 3PAO


Requirement: To include 'announced', 'vulnerability scanning'

For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing
CA-6c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB.
Operating System Scans: at least monthly
Database and Web Application Scans: at least quarterly
All scans performed by Independent Assessor: at least annually

Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB.

Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

CM-6a. Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.
CM-6a. Requirement: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
CM-6a. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc .
Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
CM-7. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. (Partially derived from AC-17(8).)

Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.

CP-4a. Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by Risk-executive/JAB prior to initiating testing.

CP-7a. Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

CP-8. Requirement: The service provider defines a time period consistent with the business impact analysis.

CP-9. Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control.
Requirement: The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
CP-9a. Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.
CP-9b. Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.
CP-9c. Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

PIV = separate device

Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
IA-4e. Requirement: The service provider defines time period of inactivity for device identifiers.

Guidance: If automated mechanisms which enforce authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created authenticators.

PMO guidance on (1,2,3,4) supported, but not requirement to implement (CIS/CTW)

IR-3. Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended).
Requirement: For JAB Authorization, the service provider provides test plans to FedRAMP annually.
IR-4/A13. Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

Reports security incident information to: according to FedRAMP Incident Communications Procedure (to add non-P-ATO guidance and also interconnected systems)

IR-8b. Requirement: The list includes designated FedRAMP personnel.
IR-8e. Requirement: The list includes designated FedRAMP personnel.

Requirement: Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline

MP-3b. Guidance: Second parameter not-applicable
MP-4a. Requirement: The service provider defines controlled areas within facilities where the information and information system reside. This includes all types of digital or non-digital media with sensitive information.

a. point to standards/requirements
DHS + DoD reqs

Guidance: Equipment and procedures may be tested or validated for effectiveness

Guidance: Organization acceptance of certified third-party assessment of PE-controls must be performed in appropriate time.

PE-14a. Requirement: The service provider measures temperature at server inlets and humidity levels by dew point.

Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.

RA-3d. Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP
RA-5a. Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
RA-5e. Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP

SA-4. Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.

Guidance: see FedRAMP Continuous Monitoring Strategy Guide

SA-9 (1). Requirement: The service provider documents all existing outsourced security services and conducts a risk assessment of future outsourced security services. For JAB authorizations, future planned outsourced services are approved and accepted by the JAB.

SA-10e. Requirement: for JAB authorizations, personnel to include FedRAMP

Requirement: SA-11 (1) or SA-11 (8) or both
Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.
Requirement: SA-11 (1) or SA-11 (8) or both
Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.

SC-7 (13). Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.

SC-11. Requirement: The service provider defines the security functions that require a trusted path, including but not limited to system authentication, re-authentication, and provisioning or de-provisioning of services (i.e. allocating additional bandwidth to a cloud user). The list of security functions requiring a trusted path is approved and accepted by JAB.

SC-28. Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.
