TS.PF.01; TM.AU.01; TM.AU.01; TM.COM.02; TS.RA.01; TS.RA.01; TS.RA.02, TS.RA.03; TO.MON.04; TM.LOG.02; TS.PF.06, TS.CF.13; TM.DS.01; TS.INS.01; TM.LOG.01; TM.LOG.03, TM.LOG.04; TO.MON.02; TS.RA.02; TS.RA.02, TS.RA.03; TO.MG.02; TM.TC.02; TO.MG.01, TO.MG.07; TO.MG.02; TM.TC.01; TM.TC.01, TO.MG.05; TM.TC.01; TM.DS.02; TM.TC.03; TM.AU.01; TM.AU.01; TM.AU.01; TS.RA.01, TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TS.CF.10, TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TM.AU.01; TS.CF.09; TM.TC.06; TO.MON.05; TO.REP.04; TM.TC.05, TO.RES.01; TO.MG.06; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02, TM.PC.04; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02, TM.PC.05; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.PC.01, TM.PC.02; TM.COM.02; TO.RES.03; TS.RA.03; TS.PF.02, TS.PF.05; TS.RA.01, TS.RA.03; TS.CF.01, TS.CF.02, TS.CF.03; TS.CF.06, TS.CF.07; TS.CF.13, TM.TC.04; TS.CF.13, TM.TC.04; TS.CF.13, TM.TC.04; TO.RES.02; TS.CF.04; TS.INS.02; TS.MON.01; TS.CF.04; TM.DS.03; TO.MG.03; TO.MG.10; TO.MG.11; TM.DS.05; TM.PC.06; TM.PC.03; TM.COM.01; TM.COM.03; TS.PF.07
Added capability | Added guidance/requirement | TIC capability not applicable to cloud model | ID
Access Control (AC)
AC-1
AC-2
AC-2 (1)
AC-2 (2)
AC-2 (3)
AC-2 (4)
AC-2 (5)
AC-2 (7)
AC-2 (9)
AC-2 (10)
AC-2 (12)
AC-3
AC-3 (3)
AC-4
AC-4 (21)
AC-5
AC-6
AC-6(2). Guidance: Related guidance may be found in AC-6(1) and FedRAMP Test Cases v2.0.
AC-6 (1)
AC-6 (2)
AC-6 (5)
AC-6 (9)
AC-6 (10)
AC-7
AC-8
AC-10
AC-11
AC-11 (1)
AC-12
AC-14
AC-16
AC-17
AC-17 (1)
AC-17 (2)
AC-17 (3)
AC-17 (4)
AC-17 (9)
AC-18
AC-18 (1)
AC-19
AC-19 (5)
AC-20
AC-20 (1)
AC-20 (2)
AC-21
AC-22
Awareness and Training (AT)
AT-1
AT-2
AT-2 (2)
AT-3
AT-4
Audit and Accountability (AU)
AU-1
Requirements:
* The service provider will make cloud-based log data (as defined in AU-3) for all external network accesses available to the agency so it can be analyzed by tenants and potentially US-CERT, as part of SC-7 defined controls. External access is defined as access to the D/A cloud service instance that does not route through its TICAP, for instance direct web-based access or mobile access.
* The SLA should provide that the cloud-based log data is owned by the customer and that it is the customer's responsibility to provide audit logs to DHS and US-CERT.
AU-2
AU-2 (3)
AU-3
Requirement: The service provider shall make available the ability to configure and collect audit records pertaining to their instance of the service, including automatic transfer of such records.

For IaaS cloud service instances, the content of these audit records shall include, at a minimum, for all users: source IP address, destination IP address, login time, logout time, login date, logout date, user ID, login success, login failure. Audit records shall log privileged events performed by the agency administrator of the service instance, including new users created, users locked out, and changes to administrative settings. Where possible, network layer data elements including, but not limited to, source port number, destination port number, network protocol (TCP, UDP, etc.), ICMP type/code, packet length, timestamp and duration, sensor ID information, and TCP flag information shall be included.

For PaaS cloud service instances, the content of these audit records shall include, at a minimum, for all users: source IP address, destination IP address (where applicable), login time, logout time, login date, logout date, user ID, login success, login failure. Audit records shall log privileged events performed by the agency administrator of the service instance, including new users created, users locked out, and changes to administrative settings. Where possible, network layer data elements including, but not limited to, source port number, destination port number, network protocol (TCP, UDP, etc.), ICMP type/code, packet length, timestamp and duration, sensor ID information, and TCP flag information shall be included.

For SaaS cloud service instances, the content of these audit records shall include, at a minimum, for all users: source IP address, destination IP address (where applicable), login time, logout time, login date, logout date,

Please refer to AU-3(1)
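As an added illustration of the AU-3 minimum content (example code written for this page, not part of the overlay or of any provider's tooling): a checker that reads JSON-lines audit records exported from an IaaS or PaaS instance and reports which records fall short of the minimum field set, which of the named privileged event types never appear in the trail, and which "where possible" network-layer elements the feed actually carries. The record layout, the field names (login date and time folded into one ISO-8601 field, `login_at`/`logout_at`), the treatment of `dst_ip` as optional for PaaS, and the sample log are all assumptions constructed for the example.

```python
import ipaddress
import json
from datetime import datetime

# Minimum per-session fields named in AU-3. Login/logout date and time are modelled
# as single ISO-8601 fields login_at / logout_at (an assumption of this example);
# destination IP is "where applicable" for PaaS, so it is optional there.
SESSION_FIELDS = {
    "IaaS": ("src_ip", "dst_ip", "login_at", "user_id", "login_result"),
    "PaaS": ("src_ip", "login_at", "user_id", "login_result"),
}
# Privileged events AU-3 says the trail must contain, and the fields expected on them.
PRIVILEGED_EVENTS = {"user_created", "user_locked_out", "admin_setting_changed"}
PRIVILEGED_FIELDS = ("actor", "event", "timestamp")
# Network-layer elements AU-3 asks for "where possible".
NETWORK_ELEMENTS = ("src_port", "dst_port", "protocol", "icmp_type", "packet_length", "sensor_id")

# Constructed sample: one compliant session, one missing dst_ip, one with a malformed
# source address, and two privileged events (no user_locked_out event is recorded).
SAMPLE_LOG = """\
{"kind": "session", "user_id": "alice", "src_ip": "203.0.113.10", "dst_ip": "10.0.0.5", "login_at": "2024-05-01T08:00:00", "logout_at": "2024-05-01T09:30:00", "login_result": "success", "src_port": 51000, "dst_port": 443, "protocol": "TCP", "sensor_id": "edge-1"}
{"kind": "session", "user_id": "bob", "src_ip": "203.0.113.11", "login_at": "2024-05-01T08:05:00", "login_result": "failure"}
{"kind": "session", "user_id": "carol", "src_ip": "not-an-ip", "dst_ip": "10.0.0.5", "login_at": "2024-05-01T08:10:00", "logout_at": "2024-05-01T08:11:00", "login_result": "success"}
{"kind": "privileged", "actor": "admin-1", "event": "user_created", "target": "dave", "timestamp": "2024-05-01T10:00:00"}
{"kind": "privileged", "actor": "admin-1", "event": "admin_setting_changed", "timestamp": "2024-05-01T10:05:00"}
"""


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_timestamp(value):
    try:
        datetime.fromisoformat(value)
        return True
    except (TypeError, ValueError):
        return False


def check_record(record, model="IaaS"):
    """Return findings for one record; an empty list means it meets the minimum."""
    findings = []
    if record.get("kind") == "privileged":
        findings += [f"missing {f}" for f in PRIVILEGED_FIELDS if not record.get(f)]
        if record.get("event") and record["event"] not in PRIVILEGED_EVENTS:
            findings.append(f"unknown privileged event {record['event']}")
        return findings
    required = list(SESSION_FIELDS[model])
    if record.get("login_result") == "success":  # a failed login has no logout
        required.append("logout_at")
    findings += [f"missing {f}" for f in required if not record.get(f)]
    for f in ("src_ip", "dst_ip"):
        if record.get(f) and not _is_ip(record[f]):
            findings.append(f"malformed {f}")
    for f in ("login_at", "logout_at"):
        if record.get(f) and not _is_timestamp(record[f]):
            findings.append(f"malformed {f}")
    if record.get("login_result") not in (None, "success", "failure"):
        findings.append("login_result must be 'success' or 'failure'")
    return findings


def check_log(jsonl, model="IaaS"):
    """Check a JSON-lines export; returns per-record findings and coverage gaps."""
    records = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    findings = {i: check_record(r, model) for i, r in enumerate(records)}
    privileged = [r for r in records if r.get("kind") == "privileged"]
    sessions = [r for r in records if r.get("kind") != "privileged"]
    return {
        "records": len(records),
        "noncompliant": sum(1 for f in findings.values() if f),
        "findings": {i: f for i, f in findings.items() if f},
        "missing_privileged_events": sorted(PRIVILEGED_EVENTS - {r.get("event") for r in privileged}),
        "network_elements_seen": sorted({f for r in sessions for f in NETWORK_ELEMENTS if f in r}),
    }


if __name__ == "__main__":
    print(json.dumps(check_log(SAMPLE_LOG, "IaaS"), indent=2))
```

Run against the same export with `model="PaaS"` and the record lacking `dst_ip` is no longer reported, which is exactly the IaaS/PaaS difference in the text; the `missing_privileged_events` list is the quickest way to show an assessor that an event class the overlay requires is not being generated at all, as opposed to merely being malformed.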
AU-3 (1)
AU-4: Service provider has storage capacity to retain at least 24 hours of records as defined in AU-3.
AU-5
The D/A submits data made available in their cloud services instance as described in AU-3(1) to DHS through automated means [at least hourly].
AU-6
AU-6 (1)
AU-6 (3)
AU-7
AU-7
(1)
AU-8
AU-8
(1)
AU-9
AU-9
(2)
AU-9
(4)
AU-11: Requirement: All service provider event recording logs remain on-line for 7 days.
AU-10
AU-11
AU-12
Security Assessment and Authorization (CA)
CA-1
CA-2
CA-2 (1)
CA-2 (2)
CA-2 (3)
CA-3
CA-3 (3)
CA-3 (5)
CA-5
CA-6
CA-7
CA-7 (1)
CA-8
CA-8 (1)
CA-9
Configuration Management (CM)
CM-1
CM-2
CM-2 (1)
CM-2 (3)
CM-2 (7)
CM-3
CM-4
CM-5
CM-5 (1)
CM-5 (3)
CM-5 (5)
CM-6
CM-6 (1)
CM-7
CM-7 (1)
CM-7 (2)
CM-7 (4)
CM-7 (5)
CM-8
CM-8 (1)
CM-8 (3)
CM-8 (5)
CM-9
CM-10
CM-10 (1)
CM-11
Contingency Planning (CP)
CP-1
CP-2
Requirement: Service provider operations personnel have 24x7 physical or remote access to management systems, which control the service devices. Using this access, operations personnel can terminate, troubleshoot or repair external connections, including to the Internet, as required.
CP-2 (1)
CP-2 (2)
CP-2 (3)
CP-2 (8)
CP-3
CP-4
CP-4 (1)
CP-6
CP-6 (1)
CP-6 (3)
CP-7
CP-7 (1)
CP-7 (2)
CP-7 (3)
CP-8
CP-8 (1)
CP-8 (2)
CP-9
CP-9 (1)
CP-9 (3)
CP-10
CP-10 (2)
CP-11
Requirement: All service provider systems and components support both IPv4 and IPv6 protocols for tenants in accordance with OMB Memorandum M-05-22 and the Federal CIO memorandum Transition to IPv6. The service provider has the capability to support both IPv4 and IPv6 addresses for tenants and can transit both native IPv4 and native IPv6 traffic (i.e., dual-stack) between external connections. The service provider may also support other IPv6 transit methods such as tunneling or translation. The service provider has the capacity to activate these IPv6 capabilities upon request of the D/A client. The service provider ensures that systems have the capacity to implement IPv6 capabilities (native, tunneling or translation) for tenants without compromising IPv4 capabilities or security. IPv6 security capabilities should achieve at least functional parity with IPv4 security capabilities.
Identification and Authentication (IA)
IA-1
IA-2
IA-2 (1)
IA-2 (2)
IA-2 (3)
IA-2 (5)
IA-2 (8)
IA-2 (11)
IA-2 (12)
IA-3
IA-4
IA-4 (4)
IA-5
Guidance: The service provider will support mechanisms for tenant management over encrypted channels.
IA-5 (1)
IA-5 (2)
IA-5 (3)
IA-5 (4)
IA-5 (6)
IA-5 (7)
IA-5 (11)
IA-6
IA-7
IA-8
IA-8 (1)
IA-8 (2)
IA-8 (3)
IA-8 (4)
Incident Response (IR)
IR-1
Requirement: The service provider system management location is staffed 24x7. On-scene personnel are capable of supporting incident response.
IR-2
IR-3
IR-3 (2)
IR-4
IR-4 (1)
IR-5
CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT.
IR-6
Agencies follow M-15-01.
IR-6 (1)
IR-7
IR-7 (1)
IR-7 (2)
CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT.
IR-8
Agencies follow M-15-01.
IR-9
IR-9 (1)
IR-9 (2)
IR-9 (3)
IR-9 (4)
Maintenance (MA)
MA-1
MA-2
MA-3
MA-3 (1)
MA-3 (2)
MA-3 (3)
MA-4
MA-4 (2)
MA-5
MA-5 (1)
MA-6
Media Protection (MP)
MP-1
MP-2
MP-3
MP-4
MP-5
MP-5 (4)
MP-6
MP-6 (2)
MP-7
MP-7 (1)
PE-2
PE-3
Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings.
PE-4
PE-5
PE-6
PE-6 (1)
PE-11(1) Requirement: The nature of cloud-based systems can enable availability and resiliency capabilities to support uninterrupted operations as described in this requirement. The service provider shall document and demonstrate such capabilities for cloud-based equivalencies that support the requirement.
PE-8
PE-9
PE-10
PE-11
PE-12
PE-13
PE-13 (2)
PE-13 (3)
PE-14
PE-14 (2)
PE-15
PE-16
PE-17
Planning (PL)
PL-1
PL-2
PL-2 (3)
PL-4
PL-4 (1)
PL-8
Personnel Security (PS)
PS-1
PS-2
PS-3
PS-3 (3)
PS-4
PS-5
PS-6
PS-7
PS-8
Risk Assessment (RA)
RA-1
RA-2
RA-3
RA-5
RA-5 (1)
RA-5 (2)
RA-5 (3)
RA-5 (5)
RA-5 (6)
RA-5 (8)
SA-4 (1)
SA-4 (2)
SA-4 (7)
SA-4 (8)
SA-4 (9)
SA-4 (10)
SA-5
SA-8
SA-9
SA-9 (1)
SA-9 (2)
SA-9 (4)
SA-9 (5)
SA-10
SA-10 (1)
SA-11
SA-11 (1)
SA-11 (2)
SA-11 (8)
SA-12
SC-1
SC-2
SC-4
Recommended for Low-impact deployments: The cloud systems and management functions are located in logically isolated spaces dedicated for exclusive use. The space is secured by access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated logically isolated spaces include, but are not limited to, hypervisor protections to isolate guests in hosts, ensuring previous guest memory is not accessible by concurrent or subsequent guests, and network communication isolation between customers and cloud management via VLAN/VXLAN or similar logical network separation in end hosts as well as interconnecting switches.
SC-5
Requirements:
* Service provider mitigates the impact on a non-targeted client of a DoS attack on another client.
* Service provider manages files, excess capacity, bandwidth or other redundancy to limit the effects of information flooding types of denial of service attacks.
Related guidance may be found in SC-5, FedRAMP Test Cases v2.0.
SC-6
SC-7
Requirements:
* The service provider will make cloud-based log data (as defined in AU-3) for external network accesses to the D/A resources available to the agency so it can be analyzed by the tenant and potentially US-CERT.
* The service provider implements (using malicious address and domain information from the client D/A and US-CERT):
  1) stateless blocking of unallowed outbound connections [SC-7(5)] without being limited by connection state tables of systems and components. Attributes inspected by stateless blocks include, but are not limited to:
     - Direction (inbound, outbound, interface)
     - Source and destination IPv4/IPv6 addresses and network masks
     - Network protocols (TCP, UDP, ICMP, etc.)
     - Source and destination port numbers (TCP, UDP)
     - Message codes (ICMP)
  2) filters DNS queries for known malicious domains

By default, the service provider blocks unsolicited inbound connections. For authorized outbound connections, the service provider implements stateful inspection that tracks the state of all outbound connections and blocks packets that deviate from standard protocol state transitions. Protocols supported by stateful inspection devices include, but are not limited to:
  - ICMP (errors matched to original protocol header)
  - TCP (using protocol state transitions)
  - UDP (using timeouts)
  - Other Internet protocols (using timeouts)

Stateless network filtering attributes

For web-based services, the service provider filters inbound web sessions to web servers at the HTTP/HTTPS/SOAP/XML-RPC/Web Service
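An added example (written for this page; not the overlay's text and not any provider's implementation) of the stateless policy the SC-7 requirement describes, together with the DNS filter in item 2: rules match on direction, source and destination IPv4 or IPv6 prefix, protocol, destination port and ICMP type; block entries built from a constructed threat feed are evaluated first and in both directions, with no dependence on connection state; explicit inbound allows come next; anything left falls to the defaults stated above (unsolicited inbound blocked, outbound passed on to stateful inspection). The `Packet` and `Rule` models, the prefixes, the domain list and every helper name are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header attributes a stateless filter can see (constructed model)."""
    direction: str                  # "inbound" or "outbound"
    src: str                        # IPv4 or IPv6 address
    dst: str
    protocol: str                   # "TCP", "UDP", "ICMP", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


def _in_prefix(addr: str, prefix: str) -> bool:
    # Membership is False across address families, so an IPv6 packet never
    # matches an IPv4 prefix and vice versa; no separate family check needed.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                             # "allow" or "block"
    reason: str
    direction: Optional[str] = None         # None matches either direction
    src: Optional[str] = None               # CIDR prefix, IPv4 or IPv6
    dst: Optional[str] = None
    protocol: Optional[str] = None
    dst_ports: Optional[FrozenSet[int]] = None
    icmp_types: Optional[FrozenSet[int]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.direction and self.direction != pkt.direction:
            return False
        if self.protocol and self.protocol != pkt.protocol:
            return False
        if self.src and not _in_prefix(pkt.src, self.src):
            return False
        if self.dst and not _in_prefix(pkt.dst, self.dst):
            return False
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        if self.icmp_types is not None and pkt.icmp_type not in self.icmp_types:
            return False
        return True


def build_policy(malicious_prefixes: List[str], inbound_allow: List[Rule]) -> List[Rule]:
    """Block-list first (both directions, stateless), then explicit inbound allows.
    The defaults from the requirement text are applied by evaluate()."""
    rules = [Rule("block", f"threat-intel {p}", dst=p) for p in malicious_prefixes]
    rules += [Rule("block", f"threat-intel {p}", src=p) for p in malicious_prefixes]
    return rules + list(inbound_allow)


def evaluate(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; otherwise apply the stated defaults."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.reason
    if pkt.direction == "inbound":
        return "block", "default: unsolicited inbound"
    return "allow", "default: outbound, subject to stateful inspection"


def dns_query_blocked(qname: str, blocked_domains) -> bool:
    """True when qname is a listed malicious domain or a subdomain of one."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked_domains for i in range(len(labels)))


# Constructed feeds and policy (documentation/example address space only).
MALICIOUS_PREFIXES = ["198.51.100.0/24", "2001:db8:bad::/48"]
BLOCKED_DOMAINS = {"evil.example", "c2.invalid"}
INBOUND_ALLOW = [
    Rule("allow", "public web front end", direction="inbound", dst="10.0.0.5/32",
         protocol="TCP", dst_ports=frozenset({443})),
    Rule("allow", "destination unreachable (PMTUD)", direction="inbound",
         protocol="ICMP", icmp_types=frozenset({3})),
]
POLICY = build_policy(MALICIOUS_PREFIXES, INBOUND_ALLOW)
```

Because the block entries carry no direction, the same feed stops an outbound connection to a listed address and an inbound packet from one, which is the "without being limited by connection state tables" property the text asks for; the DNS check walks every parent suffix of the query name so `www.evil.example` is caught by a list entry for `evil.example`, while `notevil.example` is not.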
SC-7 (3)
SC-7 (4)
Intent: This is about blocking rogue devices from within the CSP's network, more specifically from within the D/A's instance within the CSP. Depending on the service offering, this may be a tenant or CSP responsibility.
SC-7 (5)
SC-7 (7)
SC-7 (8)
SC-7 (12)
SC-7 (13)
SC-7 (18)
SC-8
For cloud-based email services, CSPs provide the capability for domain-level sender authentication (for example, signing and verifying with DomainKeys Identified Mail or Sender Policy Framework); agencies have the responsibility to enable it.
SC-8 (1)
SC-10
SC-11
SC-12
SC-12 (2)
SC-12 (3)
SC-13
SC-15
SC-17
SC-18
SC-19
SC-20
SC-21
SC-22
SC-23
SC-28
SC-30
SC-39
SI-3
SI-3 (1)
SI-3 (2)
SI-4 (1)
SI-5
SI-6
SI-7
SI-7 (1)
SI-7 (7)
SI-8
SI-8 (1)
SI-8 (2)
SI-10
SI-11
SI-12
SI-16
Service Level
SLA-1
Requirement: The service provider documents in the agreement with the customer agency that the customer agency retains ownership of its data collected by the service provider.
SLA-3
SLA-5
SLA-6
SLA-8
TIC Controls
NOT-1
Guidance: SCIF facilities are not needed if NetFlow information is sent back to the agency to be analyzed by the agency TICAP.
NOT-1
NOT-2
NOT-3
NOT-4
FedRAMP MODERATE
AC-1
Account Management
AC-2
AC-2 (1)
AC-2 (2)
AC-2 (3)
AC-2 (4)
AC-2 (5)
AC-2 (7)
AC-2 (9)
AC-2 (10)
AC-2 (12)
Access Enforcement
AC-3
Separation of Duties
Least Privilege
Least Privilege | Authorize Access to Security Functions
AC-4
AC-4 (21)
AC-5
AC-6
AC-6 (1)
AC-6 (2)
AC-6 (5)
AC-6 (9)
AC-6 (10)
AC-7
AC-8
AC-10
AC-11
Session Termination
Permitted Actions Without Identification or Authentication
Security Attributes
Remote Access
AC-11 (1)
AC-12
AC-14
AC-17
AC-17 (1)
AC-17 (2)
AC-17 (3)
AC-17 (4)
AC-17 (9)
Wireless Access
Wireless Access | Authentication and Encryption
AC-18
AC-18 (1)
AC-19
AC-19 (5)
AC-20
AC-20 (1)
AC-20 (2)
Information Sharing
Publicly Accessible Content
Awareness and Training (AT)
AC-21
AC-22
AT-1
AT-2
AT-2 (2)
AT-3
AT-4
AU-1
Audit Events
AU-2
AU-2 (3)
AU-3
AU-3 (1)
AU-4
AU-5
AU-6
Time Stamps
Time Stamps | Synchronization With Authoritative Time Source
Non-Repudiation
Audit Record Retention
Audit Generation
Security Assessment and Authorization (CA)
AU-6 (1)
AU-6 (3)
AU-7
AU-7 (1)
AU-8
AU-8 (1)
AU-9
AU-9 (2)
AU-9 (4)
AU-11
AU-12
CA-1
Security Assessments
CA-2
CA-2 (1)
CA-2 (2)
CA-2 (3)
System Interconnections
CA-3
CA-3 (3)
CA-3 (5)
CA-5
CA-6
Continuous Monitoring
CA-7
Penetration Testing
Penetration Testing | Independent Penetration Agent or Team
CA-7 (1)
CA-8
CA-8 (1)
CA-9
CM-1
Baseline Configuration
CM-2
CM-2 (1)
CM-2 (3)
CM-2 (7)
CM-3
CM-4
CM-5
CM-5 (1)
CM-5 (3)
CM-5 (5)
Configuration Settings
Least Functionality
CM-6
CM-6 (1)
CM-7
CM-7 (1)
CM-7 (2)
CM-7 (5)
CM-8
CM-8 (1)
CM-8 (3)
CM-8 (5)
CM-9
CM-10
CM-10 (1)
User-Installed Software
Contingency Planning (CP)
CM-11
CP-1
Contingency Plan
CP-2
CP-2 (1)
CP-2 (2)
CP-2 (3)
CP-2 (8)
Contingency Training
CP-3
CP-4
CP-4 (1)
CP-6
CP-6 (1)
CP-6 (3)
CP-7
CP-7 (1)
CP-7 (2)
CP-7 (3)
Telecommunications Services
CP-8
CP-8 (1)
CP-8 (2)
CP-9
CP-9 (1)
CP-9 (3)
CP-10
CP-10 (2)
IA-1
IA-2
IA-2 (1)
IA-2 (8)
IA-2 (12)
Authenticator Management
IA-2 (2)
IA-2 (3)
IA-2 (5)
IA-2 (11)
IA-3
IA-4
IA-4 (4)
IA-5
IA-5 (1)
IA-5 (2)
IA-5 (3)
IA-5 (4)
IA-5 (6)
IA-5 (7)
Authenticator Feedback
Cryptographic Module Authentication
Identification and Authentication (Non-Organizational Users)
Identification and Authentication (Non-Organizational Users) | Acceptance of PIV Credentials from Other Agencies
Identification and Authentication (Non-Organizational Users) | Acceptance of Third-Party Credentials
Identification and Authentication (Non-Organizational Users) | Use of FICAM-Approved Products
Identification and Authentication (Non-Organizational Users) | Use of FICAM-Issued Profiles
IA-5 (11)
IA-6
IA-7
IA-8
IA-8 (1)
IA-8 (2)
IA-8 (3)
IA-8 (4)
IR-1
IR-2
IR-3
Incident Handling
IR-3 (2)
IR-4
IR-4 (1)
Incident Monitoring
Incident Reporting
IR-5
IR-6
IR-6 (1)
IR-7
IR-7 (1)
IR-7 (2)
IR-8
IR-9
IR-9 (1)
IR-9 (2)
IR-9 (3)
IR-9 (4)
Maintenance (MA)
System Maintenance Policy and Procedures
MA-1
Controlled Maintenance
Maintenance Tools
MA-2
MA-3
MA-3 (1)
MA-3 (2)
MA-3 (3)
Nonlocal Maintenance
Nonlocal Maintenance | Document Nonlocal Maintenance
Maintenance Personnel
Maintenance Personnel | Individuals Without Appropriate Access
MA-4
MA-4 (2)
MA-5
MA-5 (1)
Timely Maintenance
Media Protection (MP)
MA-6
MP-1
Media Access
Media Marking
Media Storage
MP-2
MP-3
MP-4
Media Transport
MP-5
MP-5 (4)
Media Sanitization
Media Use
Media Use | Prohibit Use without Owner
MP-6
MP-6 (2)
MP-7
MP-7 (1)
PE-1
PE-2
PE-3
PE-4
PE-5
PE-6
PE-6 (1)
PE-8
PE-9
PE-10
PE-11
Emergency Lighting
Fire Protection
PE-12
PE-13
PE-13 (2)
PE-13 (3)
PE-14
PE-14 (2)
PE-15
PE-16
PE-17
Planning (PL)
Security Planning Policy and Procedures
PL-1
PL-2
Rules of Behavior
Rules of Behavior | Social Media and Networking Restrictions
PL-2 (3)
PL-4
PL-4 (1)
PL-8
PS-1
PS-2
PS-3
PS-3 (3)
Personnel Termination
Personnel Transfer
Access Agreements
PS-4
PS-5
PS-6
PS-7
PS-8
RA-1
Security Categorization
Risk Assessment
RA-2
RA-3
Vulnerability Scanning
RA-5
RA-5 (1)
RA-5 (2)
RA-5 (3)
RA-5 (5)
RA-5 (6)
RA-5 (8)
SA-1
Allocation of Resources
System Development Life Cycle
Acquisition Process
SA-2
SA-3
SA-4
SA-4 (1)
SA-4 (2)
SA-4 (8)
SA-4 (9)
SA-4 (10)
SA-5
SA-8
SA-9
SA-9 (1)
SA-9 (2)
SA-9 (5)
SA-9 (4)
SA-10
SA-10 (1)
SA-11
SA-11 (1)*
SA-11 (2)
SA-11 (8)*
SC-1
Application Partitioning
Information In Shared Resources
SC-2
SC-4
SC-5
Resource Availability
SC-6
Boundary Protection
SC-7
SC-7 (3)
SC-7 (4)
SC-7 (5)
SC-7 (7)
SC-7 (8)
SC-7 (12)
SC-7 (13)
SC-7 (18)
SC-8
Network Disconnect
SC-8 (1)
SC-10
Trusted Path
SC-12
SC-12 (2)
SC-12 (3)
Cryptographic Protection
Collaborative Computing Devices
Public Key Infrastructure Certificates
Mobile Code
Voice Over Internet Protocol
Secure Name / Address Resolution Service (Authoritative Source)
Secure Name / Address Resolution Service (Recursive or Caching Resolver)
Architecture and Provisioning for Name / Address Resolution Service
Session Authenticity
Protection of Information At Rest
Concealment and Misdirection
Process Isolation
System and Information Integrity (SI)
SC-13
SC-15
SC-17
SC-18
SC-19
SC-20
SC-21
SC-22
SC-23
SC-28
SC-39
SI-1
Flaw Remediation
SI-2
SI-2 (2)
SI-2 (3)
SI-3
SI-3 (1)
SI-3 (2)
SI-4
SI-4 (1)
SI-4 (2)
SI-4 (4)
SI-4 (5)
SI-4 (16)
SI-4 (23)
SI-5
SI-6
SI-7
SI-7 (1)
SI-7 (7)
Spam Protection
SI-8
SI-8 (1)
SI-8 (2)
SI-10
SI-11
SI-12
SI-16
Change Communication
Tailored Communications
Boundary Protections which meet the Trusted Internet Connection (TIC) requirements
CM-8 (3) (a). [Continuously, using automated mechanisms with a maximum five-minute delay in detection.]
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
IA-5 (1) (a). [case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters]
IA-5 (1) (b). [at least one]
IA-5 (1) (d). [one day minimum, sixty day maximum]
IA-5 (1) (e). [twenty four]
IA-5 (3). [All hardware/biometric (multifactor authenticators] [in person]
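The IA-5 (1) parameters above turned into a password-change checker, as an added example (written for this page, not taken from the overlay or from FedRAMP tooling): complexity per (a) with a case-sensitive comparison, the one-day minimum and sixty-day maximum age per (d), and a history of the last twenty-four passwords per (e), kept as salted PBKDF2 digests so the history itself does not store reusable secrets. The class and function names, the PBKDF2 round count and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 12                 # IA-5 (1) (a)
MIN_AGE = timedelta(days=1)     # IA-5 (1) (d)
MAX_AGE = timedelta(days=60)    # IA-5 (1) (d)
HISTORY_DEPTH = 24              # IA-5 (1) (e)
PBKDF2_ROUNDS = 100_000         # assumption; tune to the hardware in use


def complexity_findings(password):
    """IA-5 (1) (a): twelve characters and one of each class; case is significant."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "upper-case letter": any(c.isupper() for c in password),
        "lower-case letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(not c.isalnum() for c in password),
    }
    findings += [f"no {name}" for name, present in classes.items() if not present]
    return findings


def _digest(password, salt):
    # Case-sensitive by construction: different case gives a different digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted digests of the last HISTORY_DEPTH passwords plus change timestamps."""

    def __init__(self):
        self.entries = []   # (salt, digest, changed_at), oldest first

    def last_changed(self):
        return self.entries[-1][2] if self.entries else None

    def reused(self, password):
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest, _ in self.entries)

    def record(self, password, when):
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt), when))
        del self.entries[:-HISTORY_DEPTH]      # keep only the newest 24


def change_findings(history, new_password, now):
    """Every reason a change would violate the IA-5 (1) parameters."""
    findings = complexity_findings(new_password)
    last = history.last_changed()
    if last is not None and now - last < MIN_AGE:
        findings.append("changed less than one day ago")
    if history.reused(new_password):
        findings.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return findings


def change_password(history, new_password, now):
    """Apply the change only when compliant; returns the findings (empty on success)."""
    findings = change_findings(history, new_password, now)
    if not findings:
        history.record(new_password, now)
    return findings


def expired(history, now):
    """IA-5 (1) (d) maximum lifetime: sixty days since the last change."""
    last = history.last_changed()
    return last is not None and now - last > MAX_AGE
```

The minimum-age rule is what stops a user from cycling through twenty-four throwaway passwords in a minute to get back to the old one, which is why (d) and (e) are enforced together here rather than as independent checks.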
IR-6a. [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]
MA-3 (3) (d). [the information owner explicitly authorizing removal of the equipment from the facility]
MP-5a. [all media with sensitive information] [prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container]
SA-9 (2). [All external systems where Federal information is processed or stored]
SA-9 (4). [All external systems where Federal information is processed or stored]
SA-9 (5). [information processing, information data, AND information services]
SA-10a. [development, implementation, AND operation]
SC-8 (1). [prevent unauthorized disclosure of information AND detect changes to information] [a hardened or alarmed carrier Protective Distribution System (PDS)]
SC-10. [no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions]
SC-11. [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication]
Parameter: See additional requirements and guidance.
Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB.
CM-6a. Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings, or establish its own configuration settings if USGCB is not available.
CM-6a. Requirement: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
CM-6a. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc.
CM-7. Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish a list of prohibited or restricted functions, ports, protocols, and/or services, or establish its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. (Partially derived from AC-17(8).)
a. point to standards/requirements: DHS + DoD reqs
QUESTIONS/COMMENTS