Merge pull request #38 from brianrufgsa/baseline-updates
FedRAMP Profile Updates
brian-ruf authored Feb 5, 2020
2 parents 0eb87ea + e2127ff commit 9ced82b
Showing 18 changed files with 9,828 additions and 10,501 deletions.
108 changes: 16 additions & 92 deletions baselines/json/FedRAMP_HIGH-baseline-resolved-profile_catalog.json
@@ -1,10 +1,10 @@

{ "catalog" :
{ "id" : "0a8a1cf0-d22d-4a80-9f57-08483cdd6f37",
{ "id" : "uuid-87e79dc1-5254-4911-bea0-fed8c9ae957d",
"metadata" :
{ "title" : "FedRAMP High Baseline [RESOLVED]",
"published" : "2019-12-17T00:00:00.000-05:00",
"last-modified" : "2019-12-17T00:35:46.000000-05:00",
"published" : "2020-02-02T00:00:00.000-05:00",
"last-modified" : "2020-02-05T17:00:19.000000-05:00",
"version" : "1.2",
"oscal-version" : "1.0.0-milestone2",
"roles" :
@@ -2864,9 +2864,9 @@
{ "id" : "ac-7_prm_3",
"select" :
{ "alternatives" :
[ "locks the account\/node for an {{ ac-7_prm_4 }} ",
[ "locks the account\/node for an {{ ac-7_prm_4 }}",
"locks the account\/node until released by an administrator",
"delays next logon prompt according to {{ ac-7_prm_5 }} " ] } },
"delays next logon prompt according to {{ ac-7_prm_5 }}" ] } },

{ "id" : "ac-7_prm_4",
"depends-on" : "ac-7_prm_3",
@@ -3334,35 +3334,7 @@
{ "method" : "TEST" },
"parts" :
{ "name" : "objects",
"prose" : "Automated mechanisms implementing system use notification" } } ],
"controls" :
{ "id" : "ac-8.fr",
"class" : "SP800-53",
"title" : "AC-8 Additional FedRAMP Requirements and Guidance",
"properties" :
{ "label" : "AC-8 Req" },
"parts" :
{ "id" : "ac-8.fr_smt",
"name" : "statement",
"parts" :
[
{ "id" : "ac-8.fr_smt.1",
"name" : "item",
"properties" :
{ "label" : "Requirement:" },
"prose" : "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB\/AO." },

{ "id" : "ac-8.fr_smt.2",
"name" : "item",
"properties" :
{ "label" : "Requirement:" },
"prose" : "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB\/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." },

{ "id" : "ac-8.fr_smt.3",
"name" : "item",
"properties" :
{ "label" : "Requirement:" },
"prose" : "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB\/AO." } ] } } },
"prose" : "Automated mechanisms implementing system use notification" } } ] },

{ "id" : "ac-10",
"class" : "SP800-53",
@@ -3393,7 +3365,7 @@

{ "id" : "ac-10_obj",
"name" : "objective",
"prose" : " Determine if:",
"prose" : "Determine if:",
"parts" :
[
{ "id" : "ac-10_obj.1",
@@ -3481,7 +3453,7 @@

{ "id" : "ac-11_obj",
"name" : "objective",
"prose" : " Determine if:",
"prose" : "Determine if:",
"parts" :
[
{ "id" : "ac-11.a_obj",
@@ -4876,7 +4848,7 @@

{ "id" : "ac-19_obj",
"name" : "objective",
"prose" : " Determine if the organization:",
"prose" : "Determine if the organization:",
"parts" :
[
{ "id" : "ac-19.a_obj",
@@ -7477,7 +7449,7 @@
"name" : "item",
"properties" :
{ "label" : "Requirement:" },
"prose" : "Coordination between service provider and consumer shall be documented and accepted by the JAB\/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented." } } ] },
"prose" : "Coordination between service provider and consumer shall be documented and accepted by the JAB\/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented." } } ] },

{ "id" : "au-6_gdn",
"name" : "guidance",
@@ -11338,43 +11310,7 @@
{ "method" : "INTERVIEW" },
"parts" :
{ "name" : "objects",
"prose" : "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities" } } ] },

{ "id" : "ca-7.fr",
"class" : "SP800-53-enhancement",
"title" : "Additional FedRAMP Requirements and Guidance",
"properties" :
{ "label" : "CA-7 Req" },
"parts" :
{ "id" : "ca-7.fr_smt",
"name" : "statement",
"parts" :
[
{ "id" : "ca-7.fr_smt.1",
"name" : "item",
"properties" :
{ "label" : "Requirement 1:" },
"prose" : "Operating System Scans: at least monthly" },

{ "id" : "ca-7.fr_smt.2",
"name" : "item",
"properties" :
{ "label" : "Requirement 2:" },
"prose" : "Database and Web Application Scans: at least monthly" },

{ "id" : "ca-7.fr_smt.3",
"name" : "item",
"properties" :
{ "label" : "Requirement 3:" },
"prose" : "All scans performed by Independent Assessor: at least annually" },

{ "id" : "ca-7.fr_gdn.1",
"name" : "guidance",
"prose" : "CSPs must provide evidence of closure and remediation of a high vulnerability within the timeframe for standard POA&M updates." },

{ "id" : "ca-7.fr_gdn.2",
"name" : "guidance",
"prose" : "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https:\/\/www.FedRAMP.gov\/documents\/](https:\/\/www.FedRAMP.gov\/documents\/)" } ] } } ] },
"prose" : "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities" } } ] } ] },

{ "id" : "ca-8",
"class" : "SP800-53",
@@ -15075,7 +15011,7 @@
"alternatives" :
[ "disables network access by such components",
"isolates the components",
"notifies {{ cm-8.3_prm_3 }} " ] } },
"notifies {{ cm-8.3_prm_3 }}" ] } },

{ "id" : "cm-8.3_prm_3",
"depends-on" : "cm-8.3_prm_2",
@@ -40159,19 +40095,7 @@
{ "method" : "TEST" },
"parts" :
{ "name" : "objects",
"prose" : "Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing devices" } } ],
"controls" :
{ "id" : "sc-15.fr",
"class" : "SP800-53-enhancement",
"title" : "SC-15 Additional FedRAMP Requirements and Guidance",
"properties" :
{ "label" : "SC-15 Req" },
"parts" :
{ "id" : "sc-15.fr_smt",
"name" : "statement",
"properties" :
{ "label" : "Requirement:" },
"prose" : "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." } } },
"prose" : "Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing devices" } } ] },

{ "id" : "sc-17",
"class" : "SP800-53",
@@ -43504,7 +43428,7 @@
{ "how-many" : "one or more",
"alternatives" :
[ "audits",
"alerts {{ si-4.22_prm_3 }} " ] } },
"alerts {{ si-4.22_prm_3 }}" ] } },

{ "id" : "si-4.22_prm_3",
"depends-on" : "si-4.22_prm_2",
@@ -44347,7 +44271,7 @@
{ "how-many" : "one or more",
"alternatives" :
[ "at startup",
"at {{ si-7.1_prm_3 }} ",
"at {{ si-7.1_prm_3 }}",
"\n {{ si-7.1_prm_4 }}\n " ] } },

{ "id" : "si-7.1_prm_3",
@@ -44572,7 +44496,7 @@
"alternatives" :
[ "shuts the information system down",
"restarts the information system",
"implements {{ si-7.5_prm_2 }} " ] } },
"implements {{ si-7.5_prm_2 }}" ] } },

{ "id" : "si-7.5_prm_2",
"depends-on" : "si-7.5_prm_1",
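Review bot: The resolved High baseline no longer carries the `ac-8.fr`, `ca-7.fr` and `sc-15.fr` "Additional FedRAMP Requirements and Guidance" entries (hunks at -3334, -11338 and -40159), and none of the visible hunks shows them being re-homed, so a tool that assesses against this file alone would lose, for example, the CA-7 "at least monthly" scan frequencies. If this file is regenerated from the profile, an unintended drop has to be fixed in the source profile rather than here; if the drop is intended, the commit description should say where those requirements now live. Two smaller text points in the same section: the requirement prose just before `au-6_gdn` (hunk at -7477) appears, judging only by print order, to change to `multi-tennant` and should stay `multi-tenant`. The alternative `"\n {{ si-7.1_prm_4 }}\n "` just before `si-7.1_prm_3` (hunk at -44347) was left untrimmed while its neighbours were cleaned, and should become `"{{ si-7.1_prm_4 }}"`.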