fedramp-low.json
717 lines (717 loc) · 77.2 KB
{
"standard": "FedRAMP",
"version": "(Low) NIST 800-53r4",
"webLink": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Security_Controls_Baseline.xlsx",
"domains": [
{
"title": "ACCESS CONTROL",
"controls": [
{
"ref": "AC-1",
"title": "Access Control Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and\n b. Reviews and updates the current:\n 1. Access control policy **at least every 3 years**; and\n 2. Access control procedures **at least annually**."
},
{
"ref": "AC-2",
"title": "Account Management",
"summary": "The organization:\n a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];\n b. Assigns account managers for information system accounts;\n c. Establishes conditions for group and role membership;\n d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;\n e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;\n f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];\n g. Monitors the use of, information system accounts;\n h. Notifies account managers:\n 1. When accounts are no longer required;\n 2. When users are terminated or transferred; and\n 3. When individual information system usage or need-to-know changes;\n i. Authorizes access to the information system based on:\n 1. A valid access authorization;\n 2. Intended system usage; and\n 3. Other attributes as required by the organization or associated missions/business functions;\n j. Reviews accounts for compliance with account management requirements **at least annually**; and\n k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group."
},
{
"ref": "AC-3",
"title": "Access Enforcement",
"summary": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
},
{
"ref": "AC-7",
"title": "Unsuccessful Logon Attempts",
"summary": "The information system:\n a. Enforces a limit of **not more than three (3)** consecutive invalid logon attempts by a user during a **fifteen (15) minutes**; and\n b. Automatically [Selection: locks the account/node for an **locks the account/node for thirty minutes**; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded."
},
{
"ref": "AC-8",
"title": "System Use Notification",
"summary": "The information system:\n a. Displays to users **see additional Requirements and Guidance** before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:\n 1. Users are accessing a U.S. Government information system;\n 2. Information system usage may be monitored, recorded, and subject to audit;\n 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and\n 4. Use of the information system indicates consent to monitoring and recording;\n b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and \n c. For publicly accessible systems:\n 1. Displays system use information [Assignment: organization-defined conditions], before granting further access;\n 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and\n 3. Includes a description of the authorized uses of the system."
},
{
"ref": "AC-14",
"title": "Permitted Actions Without Identification or Authentication",
"summary": "The organization:\n a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and\n b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."
},
{
"ref": "AC-17",
"title": "Remote Access",
"summary": "The organization:\n a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and\n b. Authorizes remote access to the information system prior to allowing such connections."
},
{
"ref": "AC-18",
"title": "Wireless Access",
"summary": "The organization:\n a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and\n b. Authorizes wireless access to the information system prior to allowing such connections."
},
{
"ref": "AC-19",
"title": "Access Control for Mobile Devices",
"summary": "The organization:\n a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and\n b. Authorizes the connection of mobile devices to organizational information systems."
},
{
"ref": "AC-20",
"title": "Use of External Information Systems",
"summary": "The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:\n a. Access the information system from external information systems; and\n b. Process, store, or transmit organization-controlled information using external information systems."
},
{
"ref": "AC-22",
"title": "Publicly Accessible Content",
"summary": "The organization:\n a. Designates individuals authorized to post information onto a publicly accessible information system;\n b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;\n c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and\n d. Reviews the content on the publicly accessible information system for nonpublic information **at least quarterly** and removes such information, if discovered."
}
]
},
{
"title": "AWARENESS AND TRAINING",
"controls": [
{
"ref": "AT-1",
"title": "Security Awareness and Training Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and\n b. Reviews and updates the current:\n 1. Security awareness and training policy **at least every 3 years**; and\n 2. Security awareness and training procedures **at least annually**."
},
{
"ref": "AT-2",
"title": "Security Awareness Training",
"summary": "The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):\n a. As part of initial training for new users;\n b. When required by information system changes; and\n c. **at least annually** thereafter."
},
{
"ref": "AT-3",
"title": "Role-Based Security Training",
"summary": "The organization provides role-based security training to personnel with assigned security roles and responsibilities:\na. Before authorizing access to the information system or performing assigned duties;\nb. When required by information system changes; and\nc. **at least annually** thereafter."
},
{
"ref": "AT-4",
"title": "Security Training Records",
"summary": "The organization:\n a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and\n b. Retains individual training records for **At least one year**."
}
]
},
{
"title": "AUDIT AND ACCOUNTABILITY",
"controls": [
{
"ref": "AU-1",
"title": "Audit and Accountability Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and\n b. Reviews and updates the current:\n 1. Audit and accountability policy **at least every 3 years**; and\n 2. Audit and accountability procedures **at least annually**."
},
{
"ref": "AU-2",
"title": "Audit Events",
"summary": "The organization:\n a. Determines that the information system is capable of auditing the following events: **successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes**;\n b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;\n c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and\n d. Determines that the following events are to be audited within the information system: **organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event**."
},
{
"ref": "AU-3",
"title": "Content of Audit Records",
"summary": "The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event."
},
{
"ref": "AU-4",
"title": "Audit Storage Capacity",
"summary": "The organization allocates audit record storage capacity in accordance with [Assignment:\norganization-defined audit record storage requirements]."
},
{
"ref": "AU-5",
"title": "Response To Audit Processing Failures",
"summary": "The information system:\n a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and\n b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]."
},
{
"ref": "AU-6",
"title": "Audit Review, Analysis, and Reporting",
"summary": "The organization:\n a. Reviews and analyzes information system audit records **at least weekly** for indications of [Assignment: organization-defined inappropriate or unusual activity]; and\n b. Reports findings to [Assignment: organization-defined personnel or roles]."
},
{
"ref": "AU-8",
"title": "Time Stamps",
"summary": "The information system:\n a. Uses internal system clocks to generate time stamps for audit records; and\n b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]."
},
{
"ref": "AU-9",
"title": "Protection of Audit Information",
"summary": "The information system protects audit information and audit tools from unauthorized access, modification, and deletion."
},
{
"ref": "AU-11",
"title": "Audit Record Retention",
"summary": "The organization retains audit records for **at least ninety days** to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements."
},
{
"ref": "AU-12",
"title": "Audit Generation",
"summary": "The information system:\n a. Provides audit record generation capability for the auditable events defined in AU-2 a. at **all information system and network components where audit capability is deployed/available**;\n b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and\n c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3."
}
]
},
{
"title": "SECURITY ASSESSMENT AND AUTHORIZATION",
"controls": [
{
"ref": "CA-1",
"title": "Security Assessment and Authorization Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and\n b. Reviews and updates the current:\n 1. Security assessment and authorization policy **at least every 3 years**; and\n 2. Security assessment and authorization procedures **at least annually**."
},
{
"ref": "CA-2",
"title": "Security Assessments",
"summary": "The organization:\n a. Develops a security assessment plan that describes the scope of the assessment including:\n 1. Security controls and control enhancements under assessment;\n 2. Assessment procedures to be used to determine security control effectiveness; and\n 3. Assessment environment, assessment team, and assessment roles and responsibilities;\n b. Assesses the security controls in the information system and its environment of operation **at least annually** to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;\n c. Produces a security assessment report that documents the results of the assessment; and\n d. Provides the results of the security control assessment to **individuals or roles to include FedRAMP PMO**."
},
{
"ref": "CA-2 (1)",
"title": "Security Assessments | Independent Assessors",
"summary": "The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments."
},
{
"ref": "CA-3",
"title": "System Interconnections",
"summary": "The organization:\n a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;\n b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and\n c. Reviews and updates Interconnection Security Agreements **at least annually and on input from FedRAMP**."
},
{
"ref": "CA-5",
"title": "Plan of Action and Milestones",
"summary": "The organization:\n a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during\nthe assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and\n b. Updates existing plan of action and milestones **at least monthly** based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities."
},
{
"ref": "CA-6",
"title": "Security Authorization",
"summary": "The organization:\n a. Assigns a senior-level executive or manager as the authorizing official for the information system;\n b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and\n c. Updates the security authorization **at least every three years or when a significant change occurs**."
},
{
"ref": "CA-7",
"title": "Continuous Monitoring",
"summary": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:\n a. Establishment of [Assignment: organization-defined metrics] to be monitored;\n b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;\n c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;\n d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;\n e. Correlation and analysis of security-related information generated by assessments and monitoring;\n f. Response actions to address results of the analysis of security-related information; and\n g. Reporting the security status of organization and the information system to **to meet Federal and FedRAMP requirements** [Assignment: organization-defined frequency]."
},
{
"ref": "CA-9",
"title": "Internal System Connections",
"summary": "The organization:\n a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and\n b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated."
}
]
},
{
"title": "CONFIGURATION MANAGEMENT",
"controls": [
{
"ref": "CM-1",
"title": "Configuration Management Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and\n b. Reviews and updates the current:\n 1. Configuration management policy **at least every 3 years**; and\n 2. Configuration management procedures **at least annually**."
},
{
"ref": "CM-2",
"title": "Baseline Configuration",
"summary": "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system."
},
{
"ref": "CM-4",
"title": "Security Impact Analysis",
"summary": "The organization analyzes changes to the information system to determine potential security impacts prior to change implementation."
},
{
"ref": "CM-6",
"title": "Configuration Settings",
"summary": "The organization:\n a. Establishes and documents configuration settings for information technology products employed within the information system using **United States Government Configuration Baseline (USGCB)** that reflect the most restrictive mode consistent with operational requirements;\n b. Implements the configuration settings;\n c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and\n d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures."
},
{
"ref": "CM-7",
"title": "Least Functionality",
"summary": "The organization:\n a. Configures the information system to provide only essential capabilities; and\n b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: **United States Government Configuration Baseline (USGCB)**."
},
{
"ref": "CM-8",
"title": "Information System Component Inventory",
"summary": "The organization:\n a. Develops and documents an inventory of information system components that:\n 1. Accurately reflects the current information system;\n 2. Includes all components within the authorization boundary of the information system;\n 3. Is at the level of granularity deemed necessary for tracking and reporting; and\n 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and\n b. Reviews and updates the information system component inventory **at least monthly**."
},
{
"ref": "CM-10",
"title": "Software Usage Restrictions",
"summary": "The organization:\na. Uses software and associated documentation in accordance with contract agreements and copyright laws;\nb. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and\nc. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."
},
{
"ref": "CM-11",
"title": "User-Installed Software",
"summary": "The organization:\n a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;\n b. Enforces software installation policies through [Assignment: organization-defined methods]; and\n c. Monitors policy compliance at **Continuously (via CM-7 (5))**."
}
]
},
{
"title": "CONTINGENCY PLANNING",
"controls": [
{
"ref": "CP-1",
"title": "Contingency Planning Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and\n b. Reviews and updates the current:\n 1. Contingency planning policy **at least every 3 years**; and\n 2. Contingency planning procedures **at least annually**."
},
{
"ref": "CP-2",
"title": "Contingency Plan",
"summary": "The organization:\n a. Develops a contingency plan for the information system that:\n 1. Identifies essential missions and business functions and associated contingency requirements;\n 2. Provides recovery objectives, restoration priorities, and metrics;\n 3. Addresses contingency roles, responsibilities, assigned individuals with contact information;\n 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;\n 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and\n 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];\n b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];\n c. Coordinates contingency planning activities with incident handling activities;\n d. Reviews the contingency plan for the information system **at least annually**;\n e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;\n f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and\n g. Protects the contingency plan from unauthorized disclosure and modification."
},
{
"ref": "CP-3",
"title": "Contingency Training",
"summary": "The organization provides contingency training to information system users consistent with assigned roles and responsibilities:\n a. Within **ten (10) days** of assuming a contingency role or responsibility;\n b. When required by information system changes; and\n c. **at least annually** thereafter."
},
{
"ref": "CP-4",
"title": "Contingency Plan Testing",
"summary": "The organization:\n a. Tests the contingency plan for the information system **at least annually for moderate impact systems; at least every three years for low impact systems** using **functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems** to determine the effectiveness of the plan and the organizational readiness to execute the plan;\n b. Reviews the contingency plan test results; and\n c. Initiates corrective actions, if needed."
},
{
"ref": "CP-9",
"title": "Information System Backup",
"summary": "The organization:\na. Conducts backups of user-level information contained in the information system **daily incremental; weekly full**;\nb. Conducts backups of system-level information contained in the information system **daily incremental; weekly full**;\nc. Conducts backups of information system documentation including security-related documentation **daily incremental; weekly full**; and\nd. Protects the confidentiality, integrity, and availability of backup information at storage locations."
},
{
"ref": "CP-10",
"title": "Information System Recovery and Reconstitution",
"summary": "The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure."
}
]
},
{
"title": "IDENTIFICATION AND AUTHENTICATION",
"controls": [
{
"ref": "IA-1",
"title": "Identification and Authentication Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and\n b. Reviews and updates the current:\n 1. Identification and authentication policy **at least every 3 years**; and\n 2. Identification and authentication procedures **at least annually**."
},
{
"ref": "IA-2",
"title": "Identification and Authentication (Organizational Users)",
"summary": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."
},
{
"ref": "IA-2 (1)",
"title": "Identification and Authentication | Network Access To Privileged Accounts",
"summary": "The information system implements multifactor authentication for network access to privileged accounts."
},
{
"ref": "IA-2 (12)",
"title": "Identification and Authentication | Acceptance of Piv Credentials",
"summary": "The information system accepts and electronically verifies Personal Identity Verification (PIV)\ncredentials."
},
{
"ref": "IA-4",
"title": "Identifier Management",
"summary": "The organization manages information system identifiers by:\n a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;\n b. Selecting an identifier that identifies an individual, group, role, or device;\n c. Assigning the identifier to the intended individual, group, role, or device;\n d. Preventing reuse of identifiers for **at least two years**; and\n e. Disabling the identifier after **ninety days for user identifiers**."
},
{
"ref": "IA-5",
"title": "Authenticator Management",
"summary": "The organization manages information system authenticators by:\n a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;\n b. Establishing initial authenticator content for authenticators defined by the organization;\n c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;\n d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;\n e. Changing default content of authenticators prior to information system installation;\n f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;\n g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];\n h. Protecting authenticator content from unauthorized disclosure and modification;\n i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and\n j. Changing authenticators for group/role accounts when membership to those accounts changes."
},
{
"ref": "IA-5 (1)",
"title": "Authenticator Management | Password-Based Authentication",
"summary": "The information system, for password-based authentication:\n (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];\n (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];\n (c) Stores and transmits only encrypted representations of passwords;\n (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];\n (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and\n (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password."
},
{
"ref": "IA-5 (11)",
"title": "Authenticator Management | Hardware Token-Based Authentication",
"summary": "The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements]."
},
{
"ref": "IA-6",
"title": "Authenticator Feedback",
"summary": "The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals."
},
{
"ref": "IA-7",
"title": "Cryptographic Module Authentication",
"summary": "The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."
},
{
"ref": "IA-8",
"title": "Identification and Authentication (Non-Organizational Users)",
"summary": "The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."
},
{
"ref": "IA-8 (1)",
"title": "Identification and Authentication | Acceptance of PIV Credentials From Other Agencies",
"summary": "The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies."
},
{
"ref": "IA-8 (2)",
"title": "Identification and Authentication | Acceptance of Third-Party Credentials",
"summary": "The information system accepts only FICAM-approved third-party credentials."
},
{
"ref": "IA-8 (3)",
"title": "Identification and Authentication | Use of FICAM-Approved Products",
"summary": "The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials."
},
{
"ref": "IA-8 (4)",
"title": "Identification and Authentication | Use of FICAM-Issued Profiles",
"summary": "The information system conforms to FICAM-issued profiles."
}
]
},
{
"title": "INCIDENT RESPONSE",
"controls": [
{
"ref": "IR-1",
"title": "Incident Response Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and\n b. Reviews and updates the current:\n 1. Incident response policy **at least every 3 years**; and\n 2. Incident response procedures **at least annually**."
},
{
"ref": "IR-2",
"title": "Incident Response Training",
"summary": "The organization provides incident response training to information system users consistent with assigned roles and responsibilities:\n a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;\n b. When required by information system changes; and\n c. **at least annually** thereafter."
},
{
"ref": "IR-4",
"title": "Incident Handling",
"summary": "The organization:\na. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;\nb. Coordinates incident handling activities with contingency planning activities; and\nc. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly."
},
{
"ref": "IR-5",
"title": "Incident Monitoring",
"summary": "The organization tracks and documents information system security incidents."
},
{
"ref": "IR-6",
"title": "Incident Reporting",
"summary": "The organization:\n a. Requires personnel to report suspected security incidents to the organizational incident response capability within **US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)**; and\n b. Reports security incident information to [Assignment: organization-defined authorities]."
},
{
"ref": "IR-7",
"title": "Incident Response Assistance",
"summary": "The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents."
},
{
"ref": "IR-8",
"title": "Incident Response Plan",
"summary": "The organization:\n a. Develops an incident response plan that:\n 1. Provides the organization with a roadmap for implementing its incident response capability;\n 2. Describes the structure and organization of the incident response capability;\n 3. Provides a high-level approach for how the incident response capability fits into the overall organization;\n 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;\n 5. Defines reportable incidents;\n 6. Provides metrics for measuring the incident response capability within the organization;\n 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and\n 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];\n b. Distributes copies of the incident response plan to **see additional FedRAMP Requirements and Guidance**;\n c. Reviews the incident response plan **at least annually**;\n d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;\n e. Communicates incident response plan changes to **see additional FedRAMP Requirements and Guidance**; and\n f. Protects the incident response plan from unauthorized disclosure and modification."
}
]
},
{
"title": "MAINTENANCE",
"controls": [
{
"ref": "MA-1",
"title": "System Maintenance Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and\n b. Reviews and updates the current:\n 1. System maintenance policy **at least every 3 years**; and\n 2. System maintenance procedures **at least annually**."
},
{
"ref": "MA-2",
"title": "Controlled Maintenance",
"summary": "The organization:\n a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;\n b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;\n c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;\n d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;\n e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and\n f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records."
},
{
"ref": "MA-4",
"title": "Nonlocal Maintenance",
"summary": "The organization:\n a. Approves and monitors nonlocal maintenance and diagnostic activities;\n b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;\n c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;\n d. Maintains records for nonlocal maintenance and diagnostic activities; and\n e. Terminates session and network connections when nonlocal maintenance is completed."
},
{
"ref": "MA-5",
"title": "Maintenance Personnel",
"summary": "The organization:\n a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;\n b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and\n c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."
}
]
},
{
"title": "MEDIA PROTECTION",
"controls": [
{
"ref": "MP-1",
"title": "Media Protection Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and\n b. Reviews and updates the current:\n 1. Media protection policy **at least every 3 years**; and\n 2. Media protection procedures **at least annually**."
},
{
"ref": "MP-2",
"title": "Media Access",
"summary": "The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]."
},
{
"ref": "MP-6",
"title": "Media Sanitization",
"summary": "The organization:\n a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and\n b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."
},
{
"ref": "MP-7",
"title": "Media Use",
"summary": "The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]."
}
]
},
{
"title": "PHYSICAL AND ENVIRONMENTAL PROTECTION",
"controls": [
{
"ref": "PE-1",
"title": "Physical and Environmental Protection Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and\n b. Reviews and updates the current:\n 1. Physical and environmental protection policy **at least every 3 years**; and\n 2. Physical and environmental protection procedures **at least annually**."
},
{
"ref": "PE-2",
"title": "Physical Access Authorizations",
"summary": "The organization:\n a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;\n b. Issues authorization credentials for facility access;\n c. Reviews the access list detailing authorized facility access by individuals **at least annually**; and\n d. Removes individuals from the facility access list when access is no longer required."
},
{
"ref": "PE-3",
"title": "Physical Access Control",
"summary": "The organization:\n a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:\n 1. Verifying individual access authorizations before granting access to the facility; and\n 2. Controlling ingress/egress to the facility using [Selection (one or more): **CSP defined physical access control systems/devices AND guards**; guards];\n b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];\n c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;\n d. Escorts visitors and monitors visitor activity **in all circumstances within restricted access area where the information system resides**;\n e. Secures keys, combinations, and other physical access devices;\n f. Inventories **at least annually** every [Assignment: organization-defined frequency]; and\n g. Changes combinations and keys **at least annually** and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated."
},
{
"ref": "PE-6",
"title": "Monitoring Physical Access",
"summary": "The organization:\n a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;\n b. Reviews physical access logs **at least monthly** and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and\n c. Coordinates results of reviews and investigations with the organizational incident response capability."
},
{
"ref": "PE-8",
"title": "Visitor Access Records",
"summary": "The organization:\n a. Maintains visitor access records to the facility where the information system resides for **a minimum of one (1) year**; and\n b. Reviews visitor access records **at least monthly**."
},
{
"ref": "PE-12",
"title": "Emergency Lighting",
"summary": "The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."
},
{
"ref": "PE-13",
"title": "Fire Protection",
"summary": "The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source."
},
{
"ref": "PE-14",
"title": "Temperature and Humidity Controls",
"summary": "The organization:\n a. Maintains temperature and humidity levels within the facility where the information system resides at **consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments**; and\n b. Monitors temperature and humidity levels **continuously**."
},
{
"ref": "PE-15",
"title": "Water Damage Protection",
"summary": "The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."
},
{
"ref": "PE-16",
"title": "Delivery and Removal",
"summary": "The organization authorizes, monitors, and controls **all information system components** entering and exiting the facility and maintains records of those items."
}
]
},
{
"title": "PLANNING",
"controls": [
{
"ref": "PL-1",
"title": "Security Planning Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and\n b. Reviews and updates the current:\n 1. Security planning policy **at least every 3 years**; and\n 2. Security planning procedures **at least annually**."
},
{
"ref": "PL-2",
"title": "System Security Plan",
"summary": "The organization:\n a. Develops a security plan for the information system that:\n 1. Is consistent with the organization’s enterprise architecture;\n 2. Explicitly defines the authorization boundary for the system;\n 3. Describes the operational context of the information system in terms of missions and business processes;\n 4. Provides the security categorization of the information system including supporting rationale;\n 5. Describes the operational environment for the information system and relationships with or connections to other information systems;\n 6. Provides an overview of the security requirements for the system;\n 7. Identifies any relevant overlays, if applicable;\n 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and\n 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;\n b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];\n c. Reviews the security plan for the information system **at least annually**;\n d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and\n e. Protects the security plan from unauthorized disclosure and modification."
},
{
"ref": "PL-4",
"title": "Rules of Behavior",
"summary": "The organization:\n a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;\n b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;\n c. Reviews and updates the rules of behavior **at least every 3 years**; and\n d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated."
}
]
},
{
"title": "PERSONNEL SECURITY",
"controls": [
{
"ref": "PS-1",
"title": "Personnel Security Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and\n b. Reviews and updates the current:\n 1. Personnel security policy **at least every 3 years**; and\n 2. Personnel security procedures **at least annually**."
},
{
"ref": "PS-2",
"title": "Position Risk Designation",
"summary": "The organization:\n a. Assigns a risk designation to all organizational positions;\n b. Establishes screening criteria for individuals filling those positions; and\n c. Reviews and updates position risk designations **at least every three years**."
},
{
"ref": "PS-3",
"title": "Personnel Screening",
"summary": "The organization:\n a. Screens individuals prior to authorizing access to the information system; and\n b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]."
},
{
"ref": "PS-4",
"title": "Personnel Termination",
"summary": "The organization, upon termination of individual employment:\n a. Disables information system access within **same day**;\n b. Terminates/revokes any authenticators/credentials associated with the individual;\n c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];\n d. Retrieves all security-related organizational information system-related property;\n e. Retains access to organizational information and information systems formerly controlled by terminated individual; and\n f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]."
},
{
"ref": "PS-5",
"title": "Personnel Transfer",
"summary": "The organization:\n a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;\n b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];\n c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and\n d. Notifies **five days of the time period following the formal transfer action (DoD 24 hours)** within [Assignment: organization-defined time period]."
},
{
"ref": "PS-6",
"title": "Access Agreements",
"summary": "The organization:\n a. Develops and documents access agreements for organizational information systems;\n b. Reviews and updates the access agreements **at least annually**; and\n c. Ensures that individuals requiring access to organizational information and information systems:\n 1. Sign appropriate access agreements prior to being granted access; and\n 2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or **at least annually**."
},
{
"ref": "PS-7",
"title": "Third-Party Personnel Security",
"summary": "The organization:\n a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;\n b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;\n c. Documents personnel security requirements;\n d. Requires third-party providers to notify **organization-defined time period – same day** of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and\n e. Monitors provider compliance."
},
{
"ref": "PS-8",
"title": "Personnel Sanctions",
"summary": "The organization:\n a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and\n b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."
}
]
},
{
"title": "RISK ASSESSMENT",
"controls": [
{
"ref": "RA-1",
"title": "Risk Assessment Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and\n b. Reviews and updates the current:\n 1. Risk assessment policy **at least every 3 years**; and\n 2. Risk assessment procedures **at least annually**."
},
{
"ref": "RA-2",
"title": "Security Categorization",
"summary": "The organization:\n a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;\n b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and\n c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative."
},
{
"ref": "RA-3",
"title": "Risk Assessment",
"summary": "The organization:\n a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;\n b. Documents risk assessment results in [Selection: security plan; risk assessment report; **security assessment report**];\n c. Reviews risk assessment results **at least every three (3) years or when a significant change occurs**;\n d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and\n e. Updates the risk assessment **at least every three (3) years or when a significant change occurs** or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system."
},
{
"ref": "RA-5",
"title": "Vulnerability Scanning",
"summary": "The organization:\n a. Scans for vulnerabilities in the information system and hosted applications **monthly operating system/infrastructure; monthly web applications and databases** and when new vulnerabilities potentially affecting the system/applications are identified and reported;\n b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:\n 1. Enumerating platforms, software flaws, and improper configurations;\n 2. Formatting checklists and test procedures; and\n 3. Measuring vulnerability impact;\n c. Analyzes vulnerability scan reports and results from security control assessments;\n d. Remediates legitimate vulnerabilities **high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery**, in accordance with an organizational assessment of risk; and\n e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."
}
]
},
{
"title": "SYSTEM AND SERVICES ACQUISITION",
"controls": [
{
"ref": "SA-1",
"title": "System and Services Acquisition Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and\n b. Reviews and updates the current:\n 1. System and services acquisition policy **at least every 3 years**; and\n 2. System and services acquisition procedures **at least annually**."
},
{
"ref": "SA-2",
"title": "Allocation of Resources",
"summary": "The organization:\n a. Determines information security requirements for the information system or information system service in mission/business process planning;\n b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and\n c. Establishes a discrete line item for information security in organizational programming and budgeting documentation."
},
{
"ref": "SA-3",
"title": "System Development Life Cycle",
"summary": "The organization:\n a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;\n b. Defines and documents information security roles and responsibilities throughout the system development life cycle;\n c. Identifies individuals having information security roles and responsibilities; and\n d. Integrates the organizational information security risk management process into system development life cycle activities."
},
{
"ref": "SA-4",
"title": "Acquisition Process",
"summary": "The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:\n a. Security functional requirements;\n b. Security strength requirements;\n c. Security assurance requirements;\n d. Security-related documentation requirements;\n e. Requirements for protecting security-related documentation;\n f. Description of the information system development environment and environment in which the system is intended to operate; and\n g. Acceptance criteria."
},
{
"ref": "SA-5",
"title": "Information System Documentation",
"summary": "The organization:\n a. Obtains administrator documentation for the information system, system component, or information system service that describes:\n 1. Secure configuration, installation, and operation of the system, component, or service;\n 2. Effective use and maintenance of security functions/mechanisms; and\n 3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;\n b. Obtains user documentation for the information system, system component, or information system service that describes:\n 1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;\n 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and\n 3. User responsibilities in maintaining the security of the system, component, or service;\n c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;\n d. Protects documentation as required, in accordance with the risk management strategy; and\n e. Distributes documentation to [Assignment: organization-defined personnel or roles]."
},
{
"ref": "SA-9",
"title": "External Information System Services",
"summary": "The organization:\n a. Requires that providers of external information system services comply with organizational information security requirements and employ **FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system** in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;\n b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and\n c. Employs **Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored** to monitor security control compliance by external service providers on an ongoing basis."
}
]
},
{
"title": "SYSTEM AND COMMUNICATIONS PROTECTION",
"controls": [
{
"ref": "SC-1",
"title": "System and Communications Protection Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and\n b. Reviews and updates the current:\n 1. System and communications protection policy **at least every 3 years**; and\n 2. System and communications protection procedures **at least annually**."
},
{
"ref": "SC-5",
"title": "Denial of Service Protection",
"summary": "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]."
},
{
"ref": "SC-7",
"title": "Boundary Protection",
"summary": "The information system:\n a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;\n b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and\n c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
},
{
"ref": "SC-12",
"title": "Cryptographic Key Establishment and Management",
"summary": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
},
{
"ref": "SC-13",
"title": "Cryptographic Protection",
"summary": "The information system implements **FIPS-validated or NSA-approved cryptography** in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."
},
{
"ref": "SC-15",
"title": "Collaborative Computing Devices",
"summary": "The information system:\n a. Prohibits remote activation of collaborative computing devices with the following exceptions: **no exceptions**; and\n b. Provides an explicit indication of use to users physically present at the devices."
},
{
"ref": "SC-20",
"title": "Secure Name/Address Resolution Service (Authoritative Source)",
"summary": "The information system:\n a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and\n b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."
},
{
"ref": "SC-21",
"title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)",
"summary": "The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources."
},
{
"ref": "SC-22",
"title": "Architecture and Provisioning for Name/Address Resolution Service",
"summary": "The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation."
},
{
"ref": "SC-39",
"title": "Process Isolation",
"summary": "The information system maintains a separate execution domain for each executing process."
}
]
},
{
"title": "SYSTEM AND INFORMATION INTEGRITY",
"controls": [
{
"ref": "SI-1",
"title": "System and Information Integrity Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and\n b. Reviews and updates the current:\n 1. System and information integrity policy **at least every 3 years**; and\n 2. System and information integrity procedures **at least annually**."
},
{
"ref": "SI-2",
"title": "Flaw Remediation",
"summary": "The organization:\n a. Identifies, reports, and corrects information system flaws;\n b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;\n c. Installs security-relevant software and firmware updates within **thirty (30) days of release of updates**; and\n d. Incorporates flaw remediation into the organizational configuration management process."
},
{
"ref": "SI-3",
"title": "Malicious Code Protection",
"summary": "The organization:\n a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;\n b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;\n c. Configures malicious code protection mechanisms to:\n 1. Perform periodic scans of the information system **at least weekly** and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and\n 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action, **to include alerting administrator or defined security personnel**]] in response to malicious code detection; and\n d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system."
},
{
"ref": "SI-4",
"title": "Information System Monitoring",
"summary": "The organization:\n a. Monitors the information system to detect:\n 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and\n 2. Unauthorized local, network, and remote connections;\n b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];\n c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;\n d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;\n e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;\n f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and\n g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."
},
{
"ref": "SI-5",
"title": "Security Alerts, Advisories, and Directives",
"summary": "The organization:\n a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations, **to include US-CERT**] on an ongoing basis;\n b. Generates internal security alerts, advisories, and directives as deemed necessary;\n c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles, **to include system security personnel and administrators with configuration/patch-management responsibilities**]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and\n d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance."
},
{
"ref": "SI-12",
"title": "Information Handling and Retention",
"summary": "The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements."
},
{
"ref": "SI-16",
"title": "Memory Protection",
"summary": "The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution."
}
]
}
]
}