FedRAMP-TIC Draft Overlay


The Department of Homeland Security (DHS), in collaboration with the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO), has developed a DRAFT overlay of the Trusted Internet Connection (TIC) requirements onto the FedRAMP requirements. This DRAFT overlay is the first step in updating TIC's current reference architecture to give agencies greater flexibility as they move to securely adopt cloud solutions.

Transcript of FedRAMP-TIC Draft Overlay

FedRAMP Associated TIC Capabilities, Version 2.0 (ID column; cells are listed in order under their control family, as the row alignment to individual controls did not survive the transcript)

KEY: Added capability; Added guidance/requirement; TIC capability not applicable to cloud model

Access Control (AC): TS.PF.01 | TM.AU.01 | TM.AU.01 | TM.COM.02 | TS.RA.01 | TS.RA.01 | TS.RA.02, TS.RA.03
Awareness and Training (AT): (none)
Audit and Accountability (AU): TM.DS.03, TS.INS.01, TM.DS.04, TO.MON.04 | TO.MON.04 | TM.LOG.02 | TS.PF.06, TS.CF.13 | TM.DS.01 | TS.INS.01 | TS.INS.01, TO.MON.03, TO.MON.03 | TM.LOG.01 | TM.LOG.03, TM.LOG.04
Security Assessment and Authorization (CA): TO.MON.02 | TM.COM.02, TS.RA.02, TS.RA.03 | TS.RA.02 | TS.RA.02, TS.RA.03 | TO.REP.01, TO.REP.02, TO.REP.03
Configuration Management (CM): TO.MG.02 | TM.TC.02 | TO.MG.01, TO.MG.07 | TO.MG.02
Contingency Planning (CP): TM.TC.07, TM.DS.02, TO.MG.04 | TM.TC.01 | TM.TC.01, TO.MG.05 | TM.TC.01 | TM.DS.02 | TM.TC.03
Identification and Authentication (IA): TM.AU.01 (3 cells) | TS.RA.01, TM.AU.01 | TM.AU.01 (7 cells) | TS.CF.10, TM.AU.01 | TM.AU.01 (9 cells) | TS.CF.09
Incident Response (IR): TM.TC.06 | TO.MON.05 | TO.REP.04 | TM.TC.05, TO.RES.01
Maintenance (MA): TO.MG.06
Media Protection (MP): (none)
Physical and Environmental Protection (PE): TM.PC.01, TM.PC.02 (2 cells) | TM.PC.01, TM.PC.02, TM.PC.04 | TM.PC.01, TM.PC.02 (7 cells) | TM.PC.01, TM.PC.02, TM.PC.05 | TM.PC.01, TM.PC.02 (8 cells)
Planning (PL): TM.COM.02
Personnel Security (PS): (none)
Risk Assessment (RA): (none)
System and Services Acquisition (SA): (none)
System and Communications Protection (SC): TO.RES.03 | TS.INS.01, TS.PF.01, TS.CF.01, TS.CF.02, TS.CF.03, TS.CF.04, TS.CF.13, TS.PF.03, TS.PF.04 | TS.RA.03 | TS.PF.02, TS.PF.05 | TS.RA.01, TS.RA.03 | TS.CF.01, TS.CF.02, TS.CF.03 | TS.CF.06, TS.CF.07 | TS.CF.13, TM.TC.04 (3 cells)
System and Information Integrity (SI): TO.RES.02 | TS.CF.04 | TM.DS.03, TS.CF.05, TS.CF.08, TS.CF.11, TS.CF.12 | TS.INS.02 | TS.MON.01 | TS.CF.04
Service Level Agreement (SLA): TM.DS.03 | TO.MG.03 | TO.MG.10 | TO.MG.11 | TM.DS.05 | TM.PC.06
TIC Controls NOT Selected: TM.PC.03 | TM.COM.01 | TM.COM.03 | TS.PF.07

FedRAMP Security Controls Baseline, Version 2.0 (FedRAMP MODERATE): ID column with TIC RELATED REQUIREMENTS AND GUIDANCE

Access Control (AC)
AC-1
AC-2, AC-2 (1), AC-2 (2), AC-2 (3)
AC-2 (4), AC-2 (5), AC-2 (7), AC-2 (9), AC-2 (10), AC-2 (12)
AC-3, AC-3 (3)
AC-4, AC-4 (21)
AC-5, AC-6
AC-6 (1)
AC-6 (2) Guidance: Related guidance may be found in AC-6(1) and FedRAMP Test Cases v2.0.
AC-6 (2)
AC-6 (5), AC-6 (9), AC-6 (10)
AC-7
AC-8
AC-10, AC-11
AC-11 (1)
AC-12, AC-14, AC-16, AC-17
AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (9)
AC-18, AC-18 (1)
AC-19
AC-19 (5)
AC-20, AC-20 (1), AC-20 (2)
AC-21, AC-22

Awareness and Training (AT)
AT-1
AT-2
AT-2 (2)
AT-3
AT-4

Audit and Accountability (AU)
AU-1 Requirements:
* The service provider will make cloud-based log data (as defined in AU-3) for all external network accesses available to the agency so it can be analyzed by tenants and potentially US-CERT, as part of SC-7 defined controls. External access is defined as access to the D/A cloud service instance that does not route through its TICAP, for instance direct web-based access or mobile access.
* The SLA should provide that the cloud-based log data is owned by the customer and that it is the customer's responsibility to provide audit logs to DHS and US-CERT.
AU-1
AU-2
AU-2 (3)
AU-3 Requirement: The service provider shall make available the ability to configure and collect audit records pertaining to their instance of the service, including automatic transfer of such records.
For IaaS cloud service instances, the content of these audit records shall include, at a minimum, for all users: source IP address, destination IP address, login time, logout time, login date, logout date, user ID, login success, login failure. Audit records shall log privileged events performed by the agency administrator of the service instance, including new users created, users locked out, and changes to administrative settings. Where possible, network layer data elements including, but not limited to, source port number, destination port number, network protocol (TCP, UDP, etc.), ICMP type/code, packet length, timestamp and duration, sensor ID information, and TCP flag information shall be included.
For PaaS cloud service instances, the content of these audit records shall include, at a minimum, for all users: source IP address, destination IP address (where applicable), login time, logout time, login date, logout date, user ID, login success, login failure. Audit records shall log privileged events performed by the agency administrator of the service instance, including new users created, users locked out, and changes to administrative settings. Where possible, network layer data elements including, but not limited to, source port number, destination port number, network protocol (TCP, UDP, etc.), ICMP type/code, packet length, timestamp and duration, sensor ID information, and TCP flag information shall be included.
For SaaS cloud service instances, the content of these audit records shall include, at a minimum, for all users: source IP address, destination IP address (where applicable), login time, logout time, login date, logout date,
AU-3
Please refer to AU-3(1)
AU-3 (1)
Service provider has storage capacity to retain at least 24 hours of records as defined in AU-3.
AU-4
AU-5
The D/A submits data made available in their cloud services instance, as described in AU-3(1), to DHS through automated means [at least hourly].
AU-6
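The AU-3 minimum record content above can be checked mechanically against a log export. The following Python is an added example, not part of the overlay: it assumes the snake_case field names and event-type labels shown in the code, models only IaaS and PaaS (the SaaS field list is truncated on the page), and treats the "where possible" network-layer elements as coverage to report rather than a requirement to enforce.

```python
"""Check exported cloud audit records against the minimum content the
overlay's AU-3 requirement lists for IaaS and PaaS instances.

Added example (not part of the overlay). The SaaS field list is truncated
on the page, so SaaS is not modelled. The snake_case field names and the
event_type vocabulary are assumptions chosen for this example; a real
export would be mapped onto them first.
"""
from __future__ import annotations

# Elements required "at a minimum, for all users", common to IaaS and PaaS.
BASE_FIELDS = frozenset({
    "source_ip", "login_time", "logout_time", "login_date", "logout_date",
    "user_id", "login_success", "login_failure",
})

# destination_ip is unconditional for IaaS but "where applicable" for PaaS,
# so a PaaS record may omit it without being flagged.
REQUIRED_FIELDS = {
    "IaaS": BASE_FIELDS | {"destination_ip"},
    "PaaS": BASE_FIELDS,
}

# Network-layer elements to include "where possible" (tracked, not enforced).
NETWORK_FIELDS = frozenset({
    "source_port", "destination_port", "network_protocol", "icmp_type_code",
    "packet_length", "timestamp", "duration", "sensor_id", "tcp_flags",
})

# Privileged administrator events that must appear in the audit trail.
PRIVILEGED_EVENTS = frozenset({
    "user_created", "user_locked_out", "admin_settings_changed",
})


def missing_required(record: dict, model: str) -> set[str]:
    """Required elements absent or null in one record for the given model."""
    return {f for f in REQUIRED_FIELDS[model] if record.get(f) is None}


def missing_network(record: dict) -> set[str]:
    """'Where possible' network-layer elements the record does not carry."""
    return {f for f in NETWORK_FIELDS if record.get(f) is None}


def uncovered_privileged_events(records: list[dict]) -> set[str]:
    """Privileged event types that never occur anywhere in the export."""
    seen = {r.get("event_type") for r in records}
    return set(PRIVILEGED_EVENTS - seen)


def evaluate(records: list[dict], model: str) -> dict:
    """Summarise an export: per-record gaps, network coverage, event coverage."""
    gaps = {}
    for index, record in enumerate(records):
        missing = missing_required(record, model)
        if missing:
            gaps[index] = sorted(missing)
    present = sum(len(NETWORK_FIELDS) - len(missing_network(r)) for r in records)
    total = len(NETWORK_FIELDS) * len(records)
    missing_events = uncovered_privileged_events(records)
    return {
        "model": model,
        "records": len(records),
        "compliant": not gaps and not missing_events,
        "required_gaps": gaps,
        "network_coverage": round(present / total, 2) if total else 0.0,
        "missing_privileged_events": sorted(missing_events),
    }


# Constructed sample export (not real data) from a hypothetical IaaS instance.
SAMPLE_IAAS = [
    {"event_type": "session", "source_ip": "198.51.100.7", "destination_ip": "10.0.0.5",
     "login_date": "2015-06-01", "login_time": "08:02:11",
     "logout_date": "2015-06-01", "logout_time": "08:40:03",
     "user_id": "alice", "login_success": True, "login_failure": False,
     "source_port": 51234, "destination_port": 443,
     "network_protocol": "TCP", "tcp_flags": "SA"},
    # Failed login exported without logout data or a destination address.
    {"event_type": "session", "source_ip": "198.51.100.9",
     "login_date": "2015-06-01", "login_time": "09:15:00",
     "user_id": "bob", "login_success": False, "login_failure": True},
    # Privileged events performed by the instance administrator.
    {"event_type": "user_created", "source_ip": "198.51.100.7", "destination_ip": "10.0.0.5",
     "login_date": "2015-06-01", "login_time": "08:02:11",
     "logout_date": "2015-06-01", "logout_time": "08:40:03",
     "user_id": "alice", "login_success": True, "login_failure": False},
    {"event_type": "admin_settings_changed", "source_ip": "198.51.100.7",
     "destination_ip": "10.0.0.5", "login_date": "2015-06-01", "login_time": "08:02:11",
     "logout_date": "2015-06-01", "logout_time": "08:40:03",
     "user_id": "alice", "login_success": True, "login_failure": False},
]

if __name__ == "__main__":
    import json
    # Reports the gap in record 1 and that no user_locked_out event was logged.
    print(json.dumps(evaluate(SAMPLE_IAAS, "IaaS"), indent=2))
```

The same export passes the destination_ip check under the PaaS field set, which is exactly the difference the two paragraphs above describe.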

* Provide access for government authorized audits
AU-6 (1)
AU-6 (3)
AU-7, AU-7 (1)
AU-8, AU-8 (1)
AU-9, AU-9 (2)
AU-9 (4)
AU-10
AU-11 Requirement: All service provider event recording logs remain on-line for 7 days.
AU-11
AU-12

Security Assessment and Authorization (CA)
CA-1
CA-2, CA-2 (1), CA-2 (2), CA-2 (3)
Dedicated external connections to cloud services should be configured in accordance with the TIC reference architecture.
CA-3
CA-3 (3), CA-3 (5)
CA-5, CA-6
CA-7
CA-7 (1)
CA-8, CA-8 (1)
CA-9

Configuration Management (CM)
CM-1
CM-2, CM-2 (1)
CM-2 (3), CM-2 (7)
CM-3
CM-4, CM-5
CM-5 (1), CM-5 (3)
CM-5 (5)
CM-6
CM-6 (1)
CM-7
CM-7 (1), CM-7 (2), CM-7 (4), CM-7 (5)
CM-8, CM-8 (1)
CM-8 (3)
CM-8 (5)
CM-9, CM-10
CM-10 (1)
CM-11

Contingency Planning (CP)
CP-1
CP-2 Requirement: Service provider operations personnel have 24x7 physical or remote access to the management systems that control the service devices. Using this access, operations personnel can terminate, troubleshoot or repair external connections, including to the Internet, as required.
CP-2
CP-2 (1), CP-2 (2)
CP-2 (3), CP-2 (8)
CP-3
CP-4
CP-4 (1)
CP-6, CP-6 (1), CP-6 (3)
CP-7
CP-7 (1), CP-7 (2), CP-7 (3)
CP-8
CP-8 (1)
CP-8 (2) Requirement: The service provider follows the National Communications System (NCS) recommendations for Route Diversity, including at least two physically separate points of entry and physically separate cabling paths to an external telecommunications provider or Internet provider facility.
CP-8 (2)
CP-9
CP-9 (1), CP-9 (3)
CP-10, CP-10 (2)
CP-11 Requirement: All service provider systems and components support both IPv4 and IPv6 protocols for tenants in accordance with OMB Memorandum M-05-22 and the Federal CIO memorandum Transition to IPv6. The service provider has the capability to support both IPv4 and IPv6 addresses for tenants and can transit both native IPv4 and native IPv6 traffic (i.e. dual-stack) between external connections. The service provider may also support other IPv6 transit methods such as tunneling or translation. The service provider has the capacity to activate these IPv6 capabilities upon request of the D/A client. The service provider ensures that systems have the capacity to implement IPv6 capabilities (native, tunneling or translation) for tenants without compromising IPv4 capabilities or security. IPv6 security capabilities should achieve at least functional parity with IPv4 security capabilities.
CP-11

Identification and Authentication (IA)
IA-1
IA-2, IA-2 (1)
IA-2 (2)
IA-2 (3)
IA-2 (5), IA-2 (8)
IA-2 (11)
IA-2 (12)
IA-3, IA-4
IA-4 (4)
IA-5 Guidance: The service provider will support mechanisms for tenant management over encrypted channels.
IA-5
IA-5 (1)
IA-5 (2), IA-5 (3), IA-5 (4)
IA-5 (6), IA-5 (7), IA-5 (11)
IA-6, IA-7, IA-8
IA-8 (1)
IA-8 (2)
IA-8 (3)
IA-8 (4)
IA-9 Recommended: The service provider validates routing protocol information using authenticated protocols. Border Gateway Protocol (BGP) sessions are configured in accordance with, but not limited to, the following recommendation from NIST SP 800-54: BGP sessions are protected with the MD5 signature option.
IA-9

Incident Response (IR)
IR-1 Requirement: The service provider system management location is staffed 24x7. On-scene personnel are capable of supporting incident response.
IR-1
IR-2, IR-3
IR-3 (2)
IR-4
IR-4 (1)
IR-5
CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01.
IR-6
IR-6 (1)
IR-7, IR-7 (1)
IR-7 (2)
CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01.
IR-8
IR-9, IR-9 (1), IR-9 (2), IR-9 (3), IR-9 (4)

Maintenance (MA)
MA-1
MA-2, MA-3
MA-3 (1), MA-3 (2), MA-3 (3)
MA-4, MA-4 (2)
MA-5, MA-5 (1)
MA-6

Media Protection (MP)
MP-1
MP-2, MP-3, MP-4
MP-5
MP-5 (4)
MP-6
MP-6 (2)
MP-7, MP-7 (1)

Physical and Environmental Protection (PE)
PE-1
PE-2
PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings.
PE-3
PE-4, PE-5, PE-6
PE-6 (1)
PE-8, PE-9, PE-10
PE-11 (1) Requirement: The nature of cloud-based systems can enable availability and resiliency capabilities to support uninterrupted operations as described in this requirement. The service provider shall document and demonstrate such capabilities for cloud-based equivalencies that support the requirement.
PE-11
PE-12, PE-13
PE-13 (2), PE-13 (3)
PE-14
PE-14 (2)
PE-15, PE-16, PE-17

Planning (PL)
PL-1
PL-2, PL-2 (3)
PL-4, PL-4 (1)
PL-8

Personnel Security (PS)
PS-1
PS-2, PS-3
PS-3 (3)
PS-4, PS-5, PS-6
PS-7, PS-8

Risk Assessment (RA)
RA-1
RA-2, RA-3
RA-5
RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (5), RA-5 (6), RA-5 (8)

System and Services Acquisition (SA)
SA-1
SA-2, SA-3, SA-4
SA-4 (1), SA-4 (2), SA-4 (7), SA-4 (8), SA-4 (9), SA-4 (10)
SA-5, SA-8, SA-9
SA-9 (1)
SA-9 (2)
SA-9 (4), SA-9 (5)
SA-10
SA-10 (1)
SA-11, SA-11 (1)
SA-11 (2), SA-11 (8)
SA-12

System and Communications Protection (SC)
SC-1
SC-2
SC-4 Recommended for Low-impact deployments: The cloud systems and management functions are located in logically isolated spaces dedicated for exclusive use. The space is secured by access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated logically isolated spaces include, but are not limited to, hypervisor protections to isolate guests in hosts, ensuring previous guest memory is not accessible by concurrent or subsequent guests, and network communication isolation between customers and cloud management via VLAN/VXLAN or similar logical network separation in end hosts as well as interconnecting switches.
SC-4
SC-5 Requirements:
* Service provider mitigates the impact on a non-targeted client of a DoS attack on another client.
* Service provider manages files, excess capacity, bandwidth or other redundancy to limit the effects of information-flooding types of denial of service attacks.
Related guidance may be found in SC-5, FedRAMP Test Cases v2.0.
SC-5
SC-6
SC-7 Requirements:
* The service provider will make cloud-based log data (as defined in AU-3) for external network accesses to the D/A resources available to the agency so it can be analyzed by the tenant and potentially US-CERT.
* The service provider implements (using malicious address and domain information from the client D/A and US-CERT):
1) stateless blocking of unallowed [SC-7(5)] outbound connections without being limited by connection state tables of systems and components. Attributes inspected by stateless blocks include, but are not limited to: direction (inbound, outbound, interface); source and destination IPv4/IPv6 addresses and network masks; network protocols (TCP, UDP, ICMP, etc.); source and destination port numbers (TCP, UDP); message codes (ICMP);
2) filtering of DNS queries for known malicious domains.
By default, the service provider blocks unsolicited inbound connections. For authorized outbound connections, the service provider implements stateful inspection that tracks the state of all outbound connections and blocks packets which deviate from standard protocol state transitions. Protocols supported by stateful inspection devices include, but are not limited to: ICMP (errors matched to original protocol header); TCP (using protocol state transitions); UDP (using timeouts); other Internet protocols (using timeouts); stateless network filtering attributes. For web-based services, the service provider filters inbound web sessions to web servers at the HTTP/HTTPS/SOAP/XML-RPC/Web Service
SC-7
SC-7 (3), SC-7 (4)
Intent: This is about blocking rogue devices from within the CSP's network, more specifically from within the D/A's instance within the CSP. Depending on the service offering, this may be a tenant or CSP responsibility.
SC-7 (5)
SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13)
SC-7 (18)
SC-8
For cloud-based email services, CSPs provide the capability for domain-level sender authentication (for example, signing and verifying with DomainKeys Identified Mail or Sender Policy Framework); agencies have the responsibility to enable it.
SC-8 (1)
SC-10
SC-11
SC-12, SC-12 (2), SC-12 (3)
SC-13, SC-15, SC-17, SC-18, SC-19, SC-20, SC-21, SC-22, SC-23, SC-28
SC-30, SC-39

System and Information Integrity (SI)
SI-1
CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01.
SI-2
SI-2 (2), SI-2 (3)
SI-3
SI-3 (1), SI-3 (2)
SI-4 Recommended: For email services, it is recommended that the service enable quarantine functionality for mail categorized as potentially suspicious while the agency's mail domain reviews it and decides what action to take. The agency's mail domain can take at least the following actions: block the message, deliver the message, sanitize malicious content and tag undesirable content.
SI-4 (10) Requirement: The service provider documentation includes a description of defensive measures taken to protect clients from malicious content or unauthorized data exfiltration.
SI-4
SI-4 (1) Requirement: The service provider passes all inbound/outbound network traffic through Network Intrusion Detection Systems (NIDS) configured with custom signatures, including signatures for the application layer. This includes, but is not limited to, critical signatures published by US-CERT.
SI-4 (1)
SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (16), SI-4 (23)
SI-5
SI-6
SI-7, SI-7 (1), SI-7 (7)
SI-8, SI-8 (1), SI-8 (2)
SI-10, SI-11, SI-12, SI-16

Service Level Agreement (SLA)
SLA-1 Requirement: The service provider documents in the agreement with the customer agency that the customer agency retains ownership of its data collected by the service provider.
SLA-1
SLA-3 Requirement: The provider communicates all changes approved through the formal configuration management and change management processes to customers, as defined in SLAs or other authoritative documents.
SLA-3
SLA-4 Requirement: The provider accommodates tailored communications policies to meet the individual customer requirements as negotiated with the customer.
SLA-4
SLA-5 Requirement: Service provider accommodates tailored communications processes to meet individual customer requirements as negotiated with the customer.
SLA-5
SLA-6 Recommended (SC-7(10)): The service provider has a Data Loss Prevention program and follows a documented procedure for Data Loss Prevention with regard to the operation of the service. The service provider's Data Loss Prevention program extends to the customer only when the customer's data is in the CSP's domain. Otherwise, the overall Data Loss Prevention program is the responsibility of the customer with respect to the customer's data.
SLA-6
SLA-8 Recommended: Service providers that support more than one customer should have multiple ISP peers with diverse geographic paths.
SLA-8

TIC Controls NOT Selected
NOT-1 Guidance: SCIF facilities are not needed if NetFlow information is sent back to the agency to be analyzed by the agency TICAP.
NOT-1
NOT-1 Guidance: TS/SCI cleared personnel are not needed if related analysis is happening at the agency TICAP.
NOT-2
NOT-1 Guidance: Secret cleared personnel are not needed if related analysis is happening at the agency TICAP.
NOT-3
NOT APPLICABLE - Agencies may document alternative ways to achieve reasonable accommodation for users of FedVRS.
NOT-4

  • Access Control Policy and Procedures AC-1

    Account Management AC-2Account Management | Automated System Account Management AC-2 (1)Account Management | Removal of Temporary / Emergency Accounts AC-2 (2)Account Management | Disable Inactive Accounts AC-2 (3)

    Account Management | Automated Audit Actions AC-2 (4)Account Management | Inactivity Logout AC-2 (5)Account Management | Role-Based Schemes AC-2 (7)Account Management | Restrictions on Use of Shared Groups / Accounts AC-2 (9)Account Management | Shared / Group Account Credential Termination AC-2 (10)Account Management | Account Monitoring / Atypical Usage AC-2 (12)

    Access Enforcement AC-3Access Enforcement | Mandatory Access Control

    Information Flow Enforcement AC-4Information Flow Enforcement | Physical / Logical Separation of Information Flows AC-4 (21)

    Separation of Duties AC-5Least Privilege AC-6

    Least Privilege | Authorize Access to Security Functions AC-6 (1)

    FedRAMPMODERATE

    FedRAMP Security Controls BaselineVersion 2.0

    CONTROL NAME

  • Least Privilege | Non-Privileged Access For Nonsecurity Functions AC-6 (2)

    Least Privilege | Privileged Accounts AC-6 (5)Least Privilege | Auditing Use of Privileged Functions AC-6 (9)Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions AC-6 (10)

    Unsuccessful Logon Attempts AC-7

    System Use Notification AC-8

    Concurrent Session Control AC-10Session Lock AC-11

    Session Lock | Pattern-Hiding Displays AC-11 (1)

    Session Termination AC-12Permitted Actions Without Identification or Authentication AC-14Security AttributesRemote Access AC-17

    Remote Access | Automated Monitoring / Control AC-17 (1)Remote Access | Protection of Confidentiality / Integrity Using Encryption AC-17 (2)Remote Access | Managed Access Control Points AC-17 (3)Remote Access | Privileged Commands / Access AC-17 (4)Remote Access | Disconnect / Disable Access AC-17 (9)

    Wireless Access AC-18Wireless Access | Authentication and Encryption AC-18 (1)

    Access Control For Mobile Devices AC-19

  • Access Control For Mobile Devices | Full Device / Container-Based Encryption AC-19 (5)

    Use of External Information Systems AC-20Use of External Information Systems | Limits on Authorized Use AC-20 (1)Use of External Information Systems | Portable Storage Devices AC-20 (2)

    Information Sharing AC-21Publicly Accessible Content AC-22

    Awareness and Training (AT)Security Awareness and Training Policy and Procedures AT-1

    Security Awareness Training AT-2

    Security Awareness | Insider Threat AT-2 (2)

    Role-Based Security Training AT-3

    Security Training Records AT-4

    Audit and Accountability (AU)Audit and Accountability Policy and Procedures AU-1

    Audit Events AU-2

    Audit Events | Reviews and Updates AU-2 (3)

  • Content of Audit Records AU-3

    Content of Audit Records | Additional Audit Information AU-3 (1)

    Audit Storage Capacity AU-4

    Response to Audit Processing Failures AU-5

    Audit Review, Analysis, and Reporting AU-6

  • Audit Review, Analysis, and Reporting | Process Integration AU-6 (1)

    Audit Review, Analysis, and Reporting | Correlate Audit Repositories AU-6 (3)

    Audit Reduction and Report Generation AU-7Audit Reduction and Report Generation | Automatic Processing AU-7 (1)

    Time Stamps AU-8Time Stamps | Synchronization With Authoritative Time Source AU-8 (1)

    Protection of Audit Information AU-9Protection of Audit Information | Audit Backup on Separate Physical Systems / Components

    AU-9 (2)

    Protection of Audit Information | Access by Subset of Privileged Users AU-9 (4)

    Non-RepudiationAudit Record Retention AU-11

    Audit Generation AU-12Security Assessment and Authorization (CA)

    Security Assessment and Authorization Policies and Procedures CA-1

    Security Assessments CA-2Security Assessments | Independent Assessors CA-2 (1)Security Assessments | Specialized Assessments CA-2 (2)Security Assessments | External Organizations CA-2 (3)

  • System Interconnections CA-3

    System Interconnections | Unclassified Non-National Security System Connections CA-3 (3)System Interconnections | Restrictions on External Network Connections CA-3 (5)

    Plan of Action and Milestones CA-5Security Authorization CA-6

    Continuous Monitoring CA-7

    Continuous Monitoring | Independent Assessment CA-7 (1)

    Penetration Testing CA-8Penetration Testing | Independent Penetration Agent or Team CA-8 (1)

    Internal System Connections CA-9Configuration Management (CM)Configuration Management Policy and Procedures CM-1

    Baseline Configuration CM-2Baseline Configuration | Reviews and Updates CM-2 (1)

    Baseline Configuration | Retention of Previous Configurations CM-2 (3)Baseline Configuration | Configure Systems, Components, or Devices for High-Risk Areas

    CM-2 (7)

    Configuration Change Control CM-3

    Security Impact Analysis CM-4Access Restrictions For Change CM-5

    Access Restrictions For Change | Automated Access Enforcement / Auditing CM-5 (1)Access Restrictions For Change | Signed Components CM-5 (3)

    Access Restrictions For Change | Limit Production / Operational Privileges CM-5 (5)

  • Configuration Settings CM-6

    Configuration Settings | Automated Central Management / Application / Verification CM-6 (1)

    Least Functionality CM-7

    Least Functionality | Periodic Review CM-7 (1)Least Functionality | Prevent Program Execution CM-7 (2)Least Functionality | Unauthorized Software / BlacklistingLeast Functionality | Authorized Software / Whitelisting CM-7 (5)

    Information System Component Inventory CM-8Information System Component Inventory | Updates During Installations / Removals CM-8 (1)

    Information System Component Inventory | Automated Unauthorized Component Detection

    CM-8 (3)

    Information System Component Inventory | No Duplicate Accounting of Components CM-8 (5)

    Configuration Management Plan CM-9Software Usage Restrictions CM-10

    Software Usage Restrictions | Open Source Software CM-10 (1)

    User-Installed Software CM-11Contingency Planning (CP)

    Contingency Planning Policy and Procedures CP-1

    Contingency Plan CP-2

    Contingency Plan | Coordinate With Related Plans CP-2 (1)Contingency Plan | Capacity Planning CP-2 (2)

  • Contingency Plan | Resume Essential Missions / Business Functions CP-2 (3)Contingency Plan | Identify Critical Assets CP-2 (8)

    Contingency Training CP-3

    Contingency Plan Testing CP-4

    Contingency Plan Testing | Coordinate With Related Plans CP-4 (1)

    Alternate Storage Site CP-6Alternate Storage Site | Separation From Primary Site CP-6 (1)Alternate Storage Site | Accessibility CP-6 (3)

    Alternate Processing Site CP-7

    Alternate Processing Site | Separation From Primary Site CP-7 (1)Alternate Processing Site | Accessibility CP-7 (2)Alternate Processing Site | Priority of Service CP-7 (3)

    Telecommunications Services CP-8

    Telecommunications Services | Priority of Service Provisions CP-8 (1)Telecommunications Services | Single Points of Failure CP-8 (2)

    Information System Backup CP-9

    Information System Backup | Testing For Reliability / Integrity CP-9 (1)Information System Backup | Separate Storage for Critical Information CP-9 (3)

    Information System Recovery and Reconstitution CP-10Information System Recovery and Reconstitution | Transaction Recovery CP-10 (2)

  • Alternate Communications Protocols

    Identification and Authentication (IA)Identification and Authentication Policy and Procedures IA-1

    Identification and Authentication (Organizational Users) IA-2Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts

    IA-2 (1)

    Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts

    IA-2 (2)

    Identification and Authentication (Organizational Users) | Local Access to Privileged Accounts

    IA-2 (3)

    Identification and Authentication (Organizational Users) | Group Authentication IA-2 (5)Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts - Replay Resistant

    IA-2 (8)

    Identification and Authentication (Organizational Users) | Remote Access - Separate Device

    IA-2 (11)

    Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials

    IA-2 (12)

    Device Identification and Authentication IA-3Identifier Management IA-4

    Identifier Management | Identify User Status IA-4 (4)

    Authenticator Management IA-5

  • Authenticator Management | Password-Based Authentication IA-5 (1)

    Authenticator Management | PKI-Based Authentication IA-5 (2)Authenticator Management | In-Person or Trusted Third-Party Registration IA-5 (3)Authenticator Management | Automated Support for Password Strength Determination

    IA-5 (4)

    Authenticator Management | Protection of Authenticators IA-5 (6)Authenticator Management | No Embedded Unencrypted Static Authenticators IA-5 (7)Authenticator Management | Hardware Token-Based Authentication IA-5 (11)

    Authenticator Feedback IA-6Cryptographic Module Authentication IA-7Identification and Authentication (Non-Organizational Users) IA-8

    Identification and Authentication (Non-Organizational Users) | Acceptance of PIV Credentials from Other Agencies

    IA-8 (1)

    Identification and Authentication (Non-Organizational Users) | Acceptance of Third-Party Credentials

    IA-8 (2)

    Identification and Authentication (Non-Organizational Users) | Use of FICAM-Approved Products

    IA-8 (3)

    Identification and Authentication (Non-Organizational Users) | Use of FICAM-Issued Profiles

    IA-8 (4)

    Service Identification and Authentication

    Incident Response (IR)Incident Response Policy and Procedures IR-1

    Incident Response Training IR-2Incident Response Testing IR-3

    Incident Response Testing | Coordination With Related Plans IR-3 (2)

    Incident Handling IR-4

    Incident Handling | Automated Incident Handling Processes IR-4 (1)

  • Incident Monitoring IR-5Incident Reporting IR-6

    Incident Reporting | Automated Reporting IR-6 (1)

    Incident Response Assistance IR-7Incident Response Assistance | Automation Support For Availability of Information / Support

    IR-7 (1)

    Incident Response Assistance | Coordination With External Providers IR-7 (2)

    Incident Response Plan IR-8

    Information Spillage Response IR-9Information Spillage Response | Responsible Personnel IR-9 (1)Information Spillage Response | Training IR-9 (2)Information Spillage Response | Post-Spill Operations IR-9 (3)Information Spillage Response | Exposure to Unauthorized Personnel IR-9 (4)

    Maintenance (MA)System Maintenance Policy and Procedures MA-1

    Controlled Maintenance MA-2Maintenance Tools MA-3

    Maintenance Tools | Inspect Tools MA-3 (1)Maintenance Tools | Inspect Media MA-3 (2)Maintenance Tools | Prevent Unauthorized Removal MA-3 (3)

    Nonlocal Maintenance MA-4Nonlocal Maintenance | Document Nonlocal Maintenance MA-4 (2)

    Maintenance Personnel MA-5Maintenance Personnel | Individuals Without Appropriate Access MA-5 (1)

    Timely Maintenance MA-6Media Protection (MP)

    Media Protection Policy and Procedures MP-1

    Media Access MP-2Media Marking MP-3Media Storage MP-4

    Media Transport MP-5

    Media Transport | Cryptographic Protection MP-5 (4)

  • Media Sanitization MP-6

    Media Sanitization | Equipment Testing MP-6 (2)

    Media Use MP-7Media Use | Prohibit Use without Owner MP-7 (1)

    Physical and Environmental Protection (PE)Physical and Environmental Protection Policy and Procedures PE-1

    Physical Access Authorizations PE-2Physical Access Control PE-3

    Access Control For Transmission Medium PE-4Access Control For Output Devices PE-5Monitoring Physical Access PE-6

    Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment PE-6 (1)

    Visitor Access Records PE-8Power Equipment and Cabling PE-9Emergency Shutoff PE-10Emergency Power PE-11

    Emergency Lighting PE-12Fire Protection PE-13

    Fire Protection | Suppression Devices / Systems PE-13 (2)Fire Protection | Automatic Fire Suppression PE-13 (3)

    Temperature and Humidity Controls PE-14

    Temperature and Humidity Controls | Monitoring With Alarms / Notifications PE-14 (2)

    Water Damage Protection PE-15

    Delivery and Removal PE-16

    Alternate Work Site PE-17

  • Planning (PL)

    Security Planning Policy and Procedures PL-1

    System Security Plan PL-2

    System Security Plan | Plan / Coordinate With Other Organizational Entities PL-2 (3)

    Rules of Behavior PL-4

    Rules of Behavior | Social Media and Networking Restrictions PL-4 (1)

    Information Security Architecture PL-8

    Personnel Security (PS)

    Personnel Security Policy and Procedures PS-1

    Position Risk Designation PS-2

    Personnel Screening PS-3

    Personnel Screening | Information With Special Protection Measures PS-3 (3)

    Personnel Termination PS-4

    Personnel Transfer PS-5

    Access Agreements PS-6

    Third-Party Personnel Security PS-7

    Personnel Sanctions PS-8

    Risk Assessment (RA)

    Risk Assessment Policy and Procedures RA-1

    Security Categorization RA-2

    Risk Assessment RA-3

    Vulnerability Scanning RA-5

    Vulnerability Scanning | Update Tool Capability RA-5 (1)

    Vulnerability Scanning | Update by Frequency / Prior to New Scan / When Identified RA-5 (2)

    Vulnerability Scanning | Breadth / Depth of Coverage RA-5 (3)

    Vulnerability Scanning | Privileged Access RA-5 (5)

    Vulnerability Scanning | Automated Trend Analyses RA-5 (6)

    Vulnerability Scanning | Review Historic Audit Logs RA-5 (8)

  • System and Services Acquisition (SA)

    System and Services Acquisition Policy and Procedures SA-1

    Allocation of Resources SA-2

    System Development Life Cycle SA-3

    Acquisition Process SA-4

    Acquisition Process | Functional Properties of Security Controls SA-4 (1)

    Acquisition Process | Design / Implementation Information for Security Controls SA-4 (2)

    Acquisition Process | NIAP-Approved Protection Profiles

    Acquisition Process | Continuous Monitoring Plan SA-4 (8)

    Acquisition Process | Functions / Ports / Protocols / Services in Use SA-4 (9)

    Acquisition Process | Use of Approved PIV Products SA-4 (10)

    Information System Documentation SA-5

    Security Engineering Principles SA-8

    External Information System Services SA-9

    External Information Systems | Risk Assessments / Organizational Approvals SA-9 (1)

    External Information Systems | Identification of Functions / Ports / Protocols / Services SA-9 (2)

    External Information Systems | Consistent Interests of Consumers and Providers SA-9 (4)

    External Information Systems | Processing, Storage, and Service Location SA-9 (5)

    Developer Configuration Management SA-10

    Developer Configuration Management | Software / Firmware Integrity Verification SA-10 (1)

    Developer Security Testing and Evaluation SA-11

    Developer Security Testing and Evaluation | Static Code Analysis SA-11 (1)*

    Developer Security Testing and Evaluation | Threat and Vulnerability Analyses SA-11 (2)

    Developer Security Testing and Evaluation | Dynamic Code Analysis SA-11 (8)*

    Supply Chain Protection

    System and Communications Protection (SC)

  • System and Communications Protection Policy and Procedures SC-1

    Application Partitioning SC-2

    Information In Shared Resources SC-4

    Denial of Service Protection SC-5

    Resource Availability SC-6

  • Boundary Protection SC-7

    Boundary Protection | Access Points SC-7 (3)

    Boundary Protection | External Telecommunications Services SC-7 (4)

    Boundary Protection | Deny by Default / Allow by Exception SC-7 (5)

    Boundary Protection | Prevent Split Tunneling for Remote Devices SC-7 (7)

    Boundary Protection | Route Traffic to Authenticated Proxy Servers SC-7 (8)

    Boundary Protection | Host-Based Protection SC-7 (12)

    Boundary Protection | Isolation of Security Tools / Mechanisms / Support Components SC-7 (13)

    Boundary Protection | Fail Secure SC-7 (18)

    Transmission Confidentiality and Integrity SC-8

  • Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection SC-8 (1)

    Network Disconnect SC-10

    Trusted Path

    Cryptographic Key Establishment and Management SC-12

    Cryptographic Key Establishment and Management | Symmetric Keys SC-12 (2)

    Cryptographic Key Establishment and Management | Asymmetric Keys SC-12 (3)

    Cryptographic Protection SC-13

    Collaborative Computing Devices SC-15

    Public Key Infrastructure Certificates SC-17

    Mobile Code SC-18

    Voice Over Internet Protocol SC-19

    Secure Name / Address Resolution Service (Authoritative Source) SC-20

    Secure Name / Address Resolution Service (Recursive or Caching Resolver) SC-21

    Architecture and Provisioning for Name / Address Resolution Service SC-22

    Session Authenticity SC-23

    Protection of Information At Rest SC-28

    Concealment and Misdirection

    Process Isolation SC-39

    System and Information Integrity (SI)

    System and Information Integrity Policy and Procedures SI-1

    Flaw Remediation SI-2

    Flaw Remediation | Automated Flaw Remediation Status SI-2 (2)

    Flaw Remediation | Time to Remediate Flaws / Benchmarks for Corrective Actions SI-2 (3)

    Malicious Code Protection SI-3

    Malicious Code Protection | Central Management SI-3 (1)

    Malicious Code Protection | Automatic Updates SI-3 (2)

  • Information System Monitoring SI-4

    Information System Monitoring | System-Wide Intrusion Detection System SI-4 (1)

    Information System Monitoring | Automated Tools For Real-Time Analysis SI-4 (2)

    Information System Monitoring | Inbound and Outbound Communications Traffic SI-4 (4)

    Information System Monitoring | System-Generated Alerts SI-4 (5)

    Information System Monitoring | Correlate Monitoring Information SI-4 (16)

    Information System Monitoring | Host-Based Devices SI-4 (23)

    Security Alerts, Advisories, and Directives SI-5

    Security Function Verification SI-6

    Software, Firmware, and Information Integrity SI-7

    Software, Firmware, and Information Integrity | Integrity Checks SI-7 (1)

    Software, Firmware, and Information Integrity | Integration of Detection and Response SI-7 (7)

    Spam Protection SI-8

    Spam Protection | Central Management SI-8 (1)

    Spam Protection | Automatic Updates SI-8 (2)

    Information Input Validation SI-10

    Error Handling SI-11

    Information Handling and Retention SI-12

    Memory Protection SI-16

    Service Level Agreement (SLA)

    Data Ownership

  • Change Communication

    Tailored Security Policies

    Tailored Communications

    Information System Partitioning

    TIC Controls NOT Selected

    SCIF Facilities

  • TIC and US-CERT (TS/SCI)

    TIC and US-CERT (SECRET)

    H.323

  • AC-1.b.1 [at least every 3 years]

    AC-1.b.2 [at least annually]

    AC-2j [annually]

    [no more than 30 days for temporary and emergency account types (DoD 15 days)]

    [90 days for user accounts]

    AC-3 (3). [Assignment: organization-defined nondiscretionary access control policies]

    Parameter: [role-based access control]

    [Assignment: organization-defined set of users and resources]

    Parameter: [all users and resources]

    FedRAMP Security Controls Baseline Version 2.0

    ASSIGNMENT/SELECTION PARAMETERS

  • [all security functions]

    AC-7a [not more than three] [fifteen minutes]

    AC-7b [locks the account/node for thirty minutes]

    Parameter: See Additional Requirements and Guidance.

    AC-11a. [fifteen minutes]

    [no greater than 15 minutes]

  • AC-22d. [at least quarterly]

    AT-1.b.1 [at least every 3 years]

    AT-1.b.2 [at least annually]

    AT-2. [Assignment: organization-defined frequency]

    Parameter: [at least annually]

    AT-3c. [Assignment: organization-defined frequency]

    Parameter: [at least annually]

    AT-4b. [Assignment: organization-defined frequency]

    Parameter: [At least one year]

    AU-1.b.1 [at least every 3 years]

    AU-1.b.2 [at least annually]

    AU-2a. [Assignment: organization-defined list of auditable events]

    Parameter: [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]

    AU-2d. [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited]

    Parameter: See additional requirements and guidance.

    AU-2d. [Assignment: organization-defined frequency of (or situation requiring) auditing for each identified event]

    Parameter: [continually]

    AU-2 (3). [Assignment: organization-defined frequency]

    Parameter: [annually or whenever there is a change in the threat environment]

  • AU-3 (1). [Assignment: organization-defined additional, more detailed information]

    Parameter: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon]

    AU-5b. [Assignment: Organization-defined actions to be taken]

    Parameter: [low-impact: overwrite oldest audit records; moderate-impact: shut down]

    AU-6a. [Assignment: organization-defined frequency]

    Parameter: [at least weekly]

  • AU-8 (1). [http://tf.nist.gov/tf-cgi/servers.cgi]

    AU-9 (2). [at least weekly]

    AU-11. [at least ninety days]

    AU-12a. [all information system components where audit capability is deployed]

    CA-1.b.1 [at least every 3 years]

    CA-1.b.2 [at least annually]

    CA-2b. [at least annually] Added to NIST Baseline for "Low" FedRAMP baseline.

    [any 3PAO] [P-ATO in FedRAMP Repository]

  • CA-3c. 3 Years / Annually and on input from FedRAMP

    Boundary Protections which meet the Trusted Internet Connection (TIC) requirements

    CA-5b. [at least monthly]

    CA-6c. [at least every three years or when a significant change occurs]

    CA-7d. [To meet Federal and FedRAMP requirements]

    [at least annually]

    CM-1.b.1 [at least every 3 years]

    CM-1.b.2 [at least annually]

    CM-2 (1) (a). [at least annually]

    CM-2 (1) (b). [to include when directed by JAB]

    CM-5 (5) (b). [at least quarterly]

  • CM-6a. [United States Government Configuration Baseline (USGCB)]

    CM-7. [United States Government Configuration Baseline (USGCB)]

    CM-7 (1). [at least quarterly]

    CM-8b. [at least monthly]

    CM-8 (3) (a). [Continuously, using automated mechanisms with a maximum five-minute delay in detection.]

    CM-11.c. [Continuously (via CM-7 (5))]

    CP-1.b.1 [at least every 3 years]

    CP-1.b.2 [at least annually]

    CP-2d. [at least annually]

  • CP-3.a. [90 days]

    CP-3.c. [at least annually]

    CP-4a. [at least annually for moderate impact systems; at least every three years for low impact systems] [functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems]

    CP-9a. [daily incremental; weekly full]

    CP-9b. [daily incremental; weekly full]

    CP-9c. [daily incremental; weekly full]

    CP-9 (1). [at least annually]

  • IA-1.b.1 [at least every 3 years]

    IA-1.b.2 [at least annually]

    The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

    IA-4d. [at least two years]

    IA-4e. [ninety days for user identifiers] (See additional requirements and guidance.)

    IA-4 (4). [contractors; foreign nationals]

    IA-5g. [to include sixty days for passwords]

  • IA-5 (1) (a). [case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters]

    IA-5 (1) (b). [at least one]

    IA-5 (1) (d). [one day minimum, sixty day maximum]

    IA-5 (1) (e). [twenty four]

    IA-5 (3). [All hardware/biometric (multifactor) authenticators] [in person]

    IR-1.b.1 [at least every 3 years]

    IR-1.b.2 [at least annually]

    IR-2b. [at least annually]

    IR-3. [at least annually]

  • IR-6a. [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]

    IR-8c. [at least annually]

    MA-1.b.1 [at least every 3 years]MA-1.b.2 [at least annually]

    MA-3 (3) (d). [the information owner explicitly authorizing removal of the equipment from the facility]

    MP-1.b.1 [at least every 3 years]MP-1.b.2 [at least annually]

    MP-3b. [no removable media types]

    MP-4a. [all types of digital and non-digital media with sensitive information]

    MP-5a. [all media with sensitive information] [prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container]

  • The organization: a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. [At least annually]

    PE-1.b.1 [at least every 3 years]

    PE-1.b.2 [at least annually]

    PE-2c. [at least annually]

    PE-3a.2 [CSP defined physical access control systems/devices AND guards]

    PE-3d. [in all circumstances within restricted access area where the information system resides]

    PE-3f. [at least annually]

    PE-3g. [at least annually]

    PE-6b. [at least semi-annually]

    PE-8b. [at least monthly]

    PE-14a. [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments]

    PE-14b. [continuously]

    PE-16. [all information system components]

  • PL-1.b.1 [at least every 3 years]

    PL-1.b.2 [at least annually]

    PL-2b. [at least annually]

    PL-4c. [At least every 3 years]

    PL-8b. [At least annually]

    PS-1.b.1 [at least every 3 years]

    PS-1.b.2 [at least annually]

    PS-2c. [at least every three years]

    PS-3b. [for national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions]

    PS-3 (3)(b). [personnel screening criteria as required by specific information]

    PS-4.a. [same day]

    PS-5. [within five days]

    PS-6b. [at least annually]

    PS-6c.2. [at least annually]

    PS-7d. organization-defined time period: same day

    RA-1.b.1 [at least every 3 years]

    RA-1.b.2 [at least annually]

    RA-3b. [security assessment report]

    RA-3c. [at least every three years or when a significant change occurs]

    RA-3d. [at least every three years or when a significant change occurs]

    RA-5a. [monthly operating system/infrastructure; quarterly web applications and databases]

    RA-5d. [high-risk vulnerabilities mitigated within thirty days; moderate-risk vulnerabilities mitigated within ninety days]

    RA-5 (2). [prior to a new scan]

    RA-5 (5). [operating systems / web applications / databases] [all scans]

  • SA-1.b.1 [at least every 3 years]

    SA-1.b.2 [at least annually]

    [to include security-relevant external system interfaces and high-level design]

    SA-4 (8). [to meet Federal/FedRAMP Continuous Monitoring requirements]

    SA-9a. [FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system]

    SA-9c. [Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored]

    SA-9 (1). See Additional Requirements and Guidance

    SA-9 (2). [All external systems where Federal information is processed or stored]

    SA-9 (4). [All external systems where Federal information is processed or stored]

    SA-9 (5). [information processing, information data, AND information services]

    SA-10a. [development, implementation, AND operation]

  • SC-1.b.1 [at least every 3 years]

    SC-1.b.2 [at least annually]

  • SC-7 (4). [at least annually]

    SC-8. [confidentiality AND integrity]

  • SC-8 (1). [prevent unauthorized disclosure of information AND detect changes to information] [a hardened or alarmed carrier Protective Distribution System (PDS)]

    SC-10. [no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions]

    SC-11. [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication]

    Parameter: See additional requirements and guidance

    SC-12 (2). [NIST FIPS-compliant]

    [FIPS-validated or NSA-approved cryptography]

    SC-15a. [no exceptions]

    SC-28. [confidentiality AND integrity]

    SI-1.b.1 [at least every 3 years]

    SI-1.b.2 [at least annually]

    SI-2c. [No greater than 30 days]

    SI-2 (2). [at least monthly]

    SI-3.c.1 [at least weekly] [to include endpoints]

    SI-3.c.2 [to include alerting administrator or defined security personnel]

  • SI-4 (4). [continually]

    SI-5a. [to include US-CERT]

    SI-5c. [to include system security personnel and administrators with configuration/patch-management responsibilities]

    SI-6b [to include upon system startup and/or restart and at least every ninety days]

    SI-6c [to include system administrators and security personnel]

    SI-6d [to include notification of system administrators and security personnel]

    SI-7 (1). [Selection to include security relevant events and at least monthly]

  • Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB.

    Required if shared/group accounts are deployed

    Required if shared/group accounts are deployed

    Required for privileged accounts

    AC-3 (3). Requirement: The service provider:

    a. Assigns user accounts and authenticators in accordance with the service provider's role-based access control policies;

    b. Configures the information system to request user ID and authenticator prior to system access; and

    c. Configures the databases containing federal information in accordance with the service provider's security administration guide to provide role-based access controls enforcing assigned privileges and permissions at the file, table, row, column, or cell level, as appropriate.

    FedRAMP Security Controls Baseline Version 2.0

    FedRAMP RELATED REQUIREMENTS AND GUIDANCE

  • AC-6 (2). Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

    Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB.

    Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB.

    Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

    Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results is approved and accepted by the JAB.

  • Requirement: d. The service provider defines the subset of auditable events from AU-2a to be audited. The events to be audited are approved and accepted by JAB.

    Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB.

  • AU-3 (1). Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the JAB.

    Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

  • AU-8 (1). Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

    Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

    Guidance: Synchronization of system clocks improves the accuracy of log analysis.

    AU-11. Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

    For JAB Authorization, must be an accredited 3PAO

    Requirement: To include 'announced', 'vulnerability scanning'

  • For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

    CA-6c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB.

    Operating System Scans: at least monthly

    Database and Web Application Scans: at least quarterly

    All scans performed by Independent Assessor: at least annually

    Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB.

    Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

  • CM-6a. Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

    CM-6a. Requirement: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).

    CM-6a. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc

    Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish a list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.

    CM-7. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc

    (Partially derived from AC-17(8).)

    Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.

  • CP-4a. Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by Risk-executive/JAB prior to initiating testing.

    CP-7a. Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

    CP-8. Requirement: The service provider defines a time period consistent with the business impact analysis.

    CP-9. Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control.

    Requirement: The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

    CP-9a. Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.

    CP-9b. Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.

    CP-9c. Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

  • PIV = separate device

    Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

    IA-4e. Requirement: The service provider defines time period of inactivity for device identifiers.

  • Guidance: If automated mechanisms which enforce authenticator strength at creation are not used, automated mechanisms must be used to audit the strength of created authenticators.

    PMO guidance on (1,2,3,4) supported, but not requirement to implement (CIS/CTW)

    IR-3. Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended).

    Requirement: For JAB Authorization, the service provider provides test plans to FedRAMP annually.

    IR-4/A13. Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

  • Reports security incident information to: according to FedRAMP Incident Communications Procedure (to add non-P-ATO guidance and also interconnected systems)

    IR-8b. Requirement: The list includes designated FedRAMP personnel.

    IR-8e. Requirement: The list includes designated FedRAMP personnel.

    Requirement: Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline

    MP-3b. Guidance: Second parameter not applicable

    MP-4a. Requirement: The service provider defines controlled areas within facilities where the information and information system reside. This includes all types of digital or non-digital media with sensitive information.

  • a. point to standards/requirements

    DHS + DoD reqs

    Guidance: Equipment and procedures may be tested or validated for effectiveness

    Guidance: Organization acceptance of certified third-party assessment of PE-controls must be performed in appropriate time.

    PE-14a. Requirements: The service provider measures temperature at server inlets and humidity levels by dew point.

  • Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.

    RA-3d. Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP

    RA-5a. Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

    RA-5e. Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP

  • SA-4. Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.

    Guidance: see FedRAMP Continuous Monitoring Strategy Guide

    SA-9 (1). Requirement: The service provider documents all existing outsourced security services and conducts a risk assessment of future outsourced security services. For JAB authorizations, future planned outsourced services are approved and accepted by the JAB.

    SA-10e. Requirement: for JAB authorizations, personnel to include FedRAMP

    Requirement: SA-11 (1) or SA-11 (8) or both

    Requirement: The service provider documents in the Continuous Monitoring Plan how newly developed code for the information system is reviewed.

  • SC-7 (13). Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.

  • SC-11 Requirement: The service provider defines the security functions that require a trusted path, including but not limited to system authentication, re-authentication, and provisioning or de-provisioning of services (i.e. allocating additional bandwidth to a cloud user). The list of security functions requiring a trusted path is approved and accepted by JAB.

    SC-28. Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.

  • QUESTIONS/COMMENTS