cloud.gov · XLS file: FedRAMP Controls Moderate ... Service Provider Corporate...
Control ID, Implementation Status (Implemented, Partially Implemented, Planned)
AC-1 x, AC-2 x, AC-2 (1) x, AC-2 (2), AC-2 (3) x, AC-2 (4) x, AC-2 (5) x, AC-2 (7) x, AC-2 (9) x, AC-2 (10) x, AC-2 (12) x, AC-3 x, AC-4 x, AC-4 (21) x, AC-5 x, AC-6 x, AC-6 (1) x, AC-6 (2) x, AC-6 (5) x, AC-6 (9) x, AC-6 (10) x, AC-7 x, AC-8 x, AC-10 x, AC-11 x, AC-11 (1) x, AC-12 x, AC-14 x, AC-17 x, AC-17 (1) x, AC-17 (2) x, AC-17 (3) x, AC-17 (4) x, AC-17 (9) x, AC-18, AC-18 (1), AC-19, AC-19 (5) x, AC-20 x, AC-20 (1) x, AC-20 (2) x, AC-21 x, AC-22 x, AT-1 x, AT-2 x, AT-2 (2) x, AT-3 x
FedRAMP Controls: Moderate
Implementation Status (continued): Alternative Implementation
AT-4 x, AU-1 x, AU-2 x, AU-2 (3) x, AU-3 x, AU-3 (1) x, AU-4 x, AU-5 x, AU-6 x, AU-6 (1) x, AU-6 (3) x, AU-7 x, AU-7 (1) x, AU-8 x, AU-8 (1) x, AU-9 x, AU-9 (2) x, AU-9 (4) x, AU-11 x, AU-12 x, CA-1 x, CA-2 x, CA-2 (1) x, CA-2 (2) x, CA-2 (3) x, CA-3, CA-3 (3) x, CA-3 (5), CA-5 x, CA-6 x, CA-7 x, CA-7 (1) x, CA-8 x, CA-8 (1) x, CA-9 x, CM-1 x, CM-2 x, CM-2 (1) x, CM-2 (2) x, CM-2 (3) x, CM-2 (7) x, CM-3 x, CM-4 x, CM-5 x, CM-5 (1) x, CM-5 (3) x, CM-5 (5) x, CM-6 x, CM-6 (1) x, CM-7 x, CM-7 (1) x, CM-7 (2) x, CM-7 (5) x, CM-8 x, CM-8 (1) x, CM-8 (3) x, CM-8 (5) x
CM-9 x, CM-10 x, CM-10 (1) x, CM-11 x, CP-1 x, CP-2 x, CP-2 (1) x, CP-2 (2) x, CP-2 (3) x, CP-2 (8) x, CP-3 x, CP-4 x, CP-4 (1) x, CP-6 x, CP-6 (1) x, CP-6 (3) x, CP-7 x, CP-7 (1) x, CP-7 (2) x, CP-7 (3) x, CP-8 x, CP-8 (1) x, CP-8 (2) x, CP-9 x, CP-9 (1) x, CP-9 (3) x, CP-10 x, CP-10 (2) x, IA-1 x, IA-2 x, IA-2 (1) x, IA-2 (2) x, IA-2 (3), IA-2 (5), IA-2 (8) x, IA-2 (11) x, IA-2 (12) x, IA-3 x, IA-4 x, IA-4 (4) x, IA-5 x, IA-5 (1) x, IA-5 (2) x, IA-5 (3) x, IA-5 (4) x, IA-5 (6) x, IA-5 (7) x, IA-5 (11) x, IA-6 x, IA-7 x, IA-8 x, IA-8 (1) x, IA-8 (2) x, IA-8 (3), IA-8 (4) x, IR-1 x, IR-2 x
IR-3 x, IR-3 (2) x, IR-4 x, IR-4 (1) x, IR-5 x, IR-6 x, IR-6 (1) x, IR-7 x, IR-7 (1) x, IR-7 (2) x, IR-8 x, IR-9 x, IR-9 (1) x, IR-9 (2) x, IR-9 (3) x, IR-9 (4) x, MA-1 x, MA-2 x, MA-3 x, MA-3 (1) x, MA-3 (2) x, MA-3 (3) x, MA-4 x, MA-4 (2) x, MA-5 x, MA-5 (1) x, MA-6 x, MP-1 x, MP-2 x, MP-3 x, MP-4 x, MP-5 x, MP-5 (4) x, MP-6 x, MP-6 (2) x, MP-7 x, MP-7 (1) x, PE-1 x, PE-2 x, PE-3 x, PE-4 x, PE-5 x, PE-6 x, PE-6 (1) x, PE-8 x, PE-9 x, PE-10 x, PE-11 x, PE-12 x, PE-13 x, PE-13 (2) x, PE-13 (3) x, PE-14 x, PE-14 (2) x, PE-15 x, PE-16 x, PE-17 x
PL-1 x, PL-2 x, PL-2 (3) x, PL-4 x, PL-4 (1) x, PL-8 x, PS-1 x, PS-2 x, PS-3 x, PS-3 (3), PS-4 x, PS-5 x, PS-6 x, PS-7 x, PS-8 x, RA-1 x, RA-2 x, RA-3 x, RA-5 x, RA-5 (1) x, RA-5 (2) x, RA-5 (3) x, RA-5 (5) x, RA-5 (6) x, RA-5 (8) x, SA-1 x, SA-2 x, SA-3 x, SA-4 x, SA-4 (1) x, SA-4 (2) x, SA-4 (8) x, SA-4 (9) x, SA-4 (10), SA-5 x, SA-8 x, SA-9 x, SA-9 (1) x, SA-9 (2) x, SA-9 (4) x, SA-9 (5) x, SA-10 x, SA-10 (1) x, SA-11 x, SA-11 (1) x, SA-11 (2) x, SA-11 (8) x, SC-1 x, SC-2 x, SC-4 x, SC-5 x, SC-6 x, SC-7 x, SC-7 (3) x, SC-7 (4) x, SC-7 (5) x, SC-7 (7)
SC-7 (8), SC-7 (12) x, SC-7 (13) x, SC-7 (18) x, SC-8 x, SC-8 (1) x, SC-10 x x, SC-12 x, SC-12 (2) x x, SC-12 (3), SC-13 x, SC-15, SC-17 x, SC-18 x, SC-19, SC-20 x x, SC-21 x, SC-22 x, SC-23 x, SC-28 x, SC-28 (1) x, SC-39 x, SI-1 x, SI-2 x, SI-2 (2) x, SI-2 (3) x, SI-3 x, SI-3 (1) x, SI-3 (2) x, SI-3 (7) x, SI-4 x, SI-4 (1) x, SI-4 (2) x, SI-4 (4) x, SI-4 (5) x, SI-4 (14), SI-4 (16) x, SI-4 (23) x, SI-5 x, SI-6 x, SI-7 x, SI-7 (1) x, SI-7 (7) x, SI-8, SI-8 (1), SI-8 (2), SI-10 x, SI-11 x, SI-12 x, SI-16 x
Implementation Status (continued): Not applicable
Control Origination columns:
Service Provider Corporate (GSA/18F)
Service Provider System Specific (cloud.gov)
Service Provider Hybrid (Service Provider Corporate and Service Provider System Specific)
Configured by Customer (Customer System Specific)
Provided by Customer (Customer System Specific)
Shared (Service Provider and Customer Responsibility)
Inherited from Pre-Existing Provisional Authorization (AWS GovCloud)
(The per-control marks in the Not applicable and Control Origination columns are not preserved in this text version of the sheet.)
Ref #: 1 through 13
GUIDANCE: For the controls and enhancements identified in the Control Implementation Summary (CIS) as being Shared (Column L), please explain what the Customer responsibility is in the "Customer Responsibility" column below and note the corresponding controls and enhancements in the "Controls Reference" column.
Customer Responsibility
Customers are responsible for identifying and authorizing the software programs within their application spaces.
Customers are responsible for scanning for vulnerabilities in their applications.
Customers are responsible for managing access to their customer application data.
Customers are responsible for managing the "External" roles listed in Table 9-1 User Roles and Privileges (including Application System Owner, Org Manager, Org Auditor, Space Manager, Space Developer, and Space Auditor), which are the roles available for customer Orgs, Spaces, and Applications. Customer responsibility includes assigning personnel to those roles (using the principle of least privilege), removing them from roles, and identifying non-organizational users with access.
cloud.gov delegates authentication to customer enterprise single-sign-on identity systems. Customers are responsible for configuring, monitoring, and managing their authentication systems. This includes:
* Monitoring (and handling or restricting) inactive accounts, inactive authentication sessions, shared/group access, and invalid login attempts.
* Implementing multi-factor authentication (MFA) for all accounts.
* Handling identity verification, management, and authorization.
* Managing authenticators.
* Conforming to FICAM-issued profiles, if applicable.
Customers are responsible for ensuring that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
Customers are responsible for ensuring that their application's activities are monitored and captured within audit logs, and for reviewing and analyzing their application logs. They may use cloud.gov's built-in logging features to help them fulfill this requirement.
Customers are responsible for ensuring that their applications comply with the cloud.gov Rules of Behavior ("Use your account responsibly" on https://cloud.gov/docs/getting-started/accounts/) and all applicable federal and agency laws and policies.
Customers are responsible for identifying and handling information spills related to their applications, including identifying the specific information involved, alerting appropriate personnel, implementing procedures, and training personnel. Customers may request assistance from cloud.gov for handling information spills.
Customer agencies and cloud.gov have a shared responsibility to create, review, and approve inter-agency agreements (IAAs) that allow customer agencies to access and use cloud.gov.
cloud.gov requires that customer applications use HTTPS. HSTS is enabled by default. Customers are responsible for enabling stricter HSTS settings if they need to. Customers are responsible for selecting a name resolution service that fulfills this requirement and for obtaining certificates for custom domains.
cloud.gov EBS volumes, RDS, and S3 buckets are encrypted at rest. Customers are responsible for further encrypting any sensitive information in their customer applications, and for auditing the permissions their users have for managing their applications.
Customers are responsible for fulfilling information handling and storage requirements in their applications in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Controls Reference
AC-2, AC-2 (7), AC-5, AC-6, IA-8
IA-5 (7)
AU-2, AU-6, AU-6 (3), AU-7 (1)
CM-7 (2)
CM-7 (5)
IR-9, IR-9 (1), IR-9 (2), IR-9 (3), IR-9 (4)
PS-6
RA-5
SC-4
AC-2 (3), AC-2 (5), AC-2 (9), AC-2 (10), AC-7, IA-2 (1), IA-2 (2), IA-4, IA-4 (4), IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (4), IA-5 (6), IA-8 (4)
SC-8, SC-20
SC-28, SC-28 (1)
SI-12