From bab3e4d7c4c2cdffbee1c6da66cb122eb7db2228 Mon Sep 17 00:00:00 2001 From: Brian Ruf Date: Tue, 28 Jan 2020 14:57:50 -0500 Subject: [PATCH 1/3] FedRAMP Profile Updates
---
 .gitignore | 3 +- ...IGH-baseline-resolved-profile_catalog.json | 106 +- .../json/FedRAMP_HIGH-baseline_profile.json | 1709 +++-- ...aaS-baseline-resolved-profile_catalog.json | 10 +- .../FedRAMP_LI-SaaS-baseline_profile.json | 8 +- ...LOW-baseline-resolved-profile_catalog.json | 94 +- .../json/FedRAMP_LOW-baseline_profile.json | 525 +- ...ATE-baseline-resolved-profile_catalog.json | 191 +- .../FedRAMP_MODERATE-baseline_profile.json | 1325 ++-- baselines/json/FedRAMP_catalog.json | 136 - ...HIGH-baseline-resolved-profile_catalog.xml | 74 +- .../xml/FedRAMP_HIGH-baseline_profile.xml | 5779 ++++++++--------- ...SaaS-baseline-resolved-profile_catalog.xml | 10 +- .../xml/FedRAMP_LI-SaaS-baseline_profile.xml | 3029 +++++---- ..._LOW-baseline-resolved-profile_catalog.xml | 62 +- .../xml/FedRAMP_LOW-baseline_profile.xml | 2323 ++++--- ...RATE-baseline-resolved-profile_catalog.xml | 70 +- .../xml/FedRAMP_MODERATE-baseline_profile.xml | 4741 +++++++------- baselines/xml/FedRAMP_catalog.xml | 105 - 19 files changed, 9812 insertions(+), 10488 deletions(-) delete mode 100644 baselines/json/FedRAMP_catalog.json delete mode 100644 baselines/xml/FedRAMP_catalog.xml
diff --git a/.gitignore b/.gitignore
index 3675f09b7..621722807 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-documents/source
\ No newline at end of file
+documents/source
+/utils
\ No newline at end of file
diff --git a/baselines/json/FedRAMP_HIGH-baseline-resolved-profile_catalog.json b/baselines/json/FedRAMP_HIGH-baseline-resolved-profile_catalog.json
index 969823dbf..30ab43399 100644
--- a/baselines/json/FedRAMP_HIGH-baseline-resolved-profile_catalog.json
+++ b/baselines/json/FedRAMP_HIGH-baseline-resolved-profile_catalog.json
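Review bot: The new `/utils` entry ignores an entire top-level directory, and the file still ends without a trailing newline on the new side (the `\ No newline at end of file` marker survives after `+/utils`). If `/utils` holds the tooling that regenerated the resolved baselines in this patch, ignoring it means the profile-to-catalog resolution cannot be reproduced or reviewed from the repository; commit the scripts and ignore only their local outputs, or document the regeneration steps. Ending the file with a newline also keeps the next addition from showing up as a change to the `/utils` line.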
@@ -1,10 +1,10 @@
 { "catalog" :
- { "id" : "0a8a1cf0-d22d-4a80-9f57-08483cdd6f37",
+ { "id" : "3827d9c8-bd61-46f6-9bad-8e2dd990b16b",
 "metadata" : { "title" : "FedRAMP High Baseline [RESOLVED]",
- "published" : "2019-12-17T00:00:00.000-05:00",
- "last-modified" : "2019-12-17T00:35:46.000000-05:00",
+ "published" : "2020-02-02T00:00:00.000-05:00",
+ "last-modified" : "2020-01-28T14:25:14.000000-05:00",
 "version" : "1.2", "oscal-version" : "1.0.0-milestone2", "roles" :
@@ -2864,9 +2864,9 @@
 { "id" : "ac-7_prm_3", "select" : { "alternatives" :
- [ "locks the account\/node for an {{ ac-7_prm_4 }} ",
+ [ "locks the account\/node for an {{ ac-7_prm_4 }}",
 "locks the account\/node until released by an administrator",
- "delays next logon prompt according to {{ ac-7_prm_5 }} " ] } },
+ "delays next logon prompt according to {{ ac-7_prm_5 }}" ] } },
 { "id" : "ac-7_prm_4", "depends-on" : "ac-7_prm_3",
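Review bot: `"version" : "1.2"` is kept unchanged while `published` moves to 2020-02-02 and the later hunks in this file remove the ac-8.fr, ca-7.fr and sc-15.fr controls, so two materially different resolved catalogs carry the same version string and a consumer that caches baselines by version will not see the change; the metadata hunk of FedRAMP_HIGH-baseline_profile.json further down leaves its `"version" : "1.2"` unchanged in the same way. The new `published` value (2020-02-02) is also later than `last-modified` (2020-01-28T14:25:14), which reads as a pre-release snapshot rather than a published artefact; if the forward date is intentional, say so in the commit message, otherwise set `published` to the actual release time. A version bump (`"version" : "1.3"` or whatever the baseline's versioning scheme calls for) would make the content change detectable without diffing the documents.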
@@ -3334,35 +3334,7 @@
 { "method" : "TEST" }, "parts" : { "name" : "objects",
- "prose" : "Automated mechanisms implementing system use notification" } } ],
- "controls" :
- { "id" : "ac-8.fr",
- "class" : "SP800-53",
- "title" : "AC-8 Additional FedRAMP Requirements and Guidance",
- "properties" :
- { "label" : "AC-8 Req" },
- "parts" :
- { "id" : "ac-8.fr_smt",
- "name" : "statement",
- "parts" :
- [
- { "id" : "ac-8.fr_smt.1",
- "name" : "item",
- "properties" :
- { "label" : "Requirement:" },
- "prose" : "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB\/AO." },
-
- { "id" : "ac-8.fr_smt.2",
- "name" : "item",
- "properties" :
- { "label" : "Requirement:" },
- "prose" : "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB\/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." },
-
- { "id" : "ac-8.fr_smt.3",
- "name" : "item",
- "properties" :
- { "label" : "Requirement:" },
- "prose" : "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB\/AO." } ] } } },
+ "prose" : "Automated mechanisms implementing system use notification" } } ] },
 { "id" : "ac-10", "class" : "SP800-53",
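Review bot: After this hunk the resolved HIGH catalog no longer contains the FedRAMP-specific AC-8 requirements, and the hunks at @@ -11338 (ca-7.fr: monthly operating-system and database/web-application scans, annual independent-assessor scans, and the high-vulnerability remediation guidance) and @@ -40159 (sc-15.fr) remove the CA-7 and SC-15 text the same way; the diffstat deletes FedRAMP_catalog.json/.xml and the profile hunk below drops the import of FedRAMP_catalog.xml with its `ac-8.fr`/`ca-7.fr`/`sc-15.fr` selectors, so nothing in this patch re-introduces them. If these requirements are meant to come back in patches 2/3 of the series (for example as profile alterations), the commit message should say so; otherwise tooling that reads the resolved baseline silently loses the scan-frequency and remediation requirements. The closing `] },` on the new side keeps the JSON well-formed, so this is a content question rather than a syntax one.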
@@ -3393,7 +3365,7 @@
 { "id" : "ac-10_obj", "name" : "objective",
- "prose" : " Determine if:",
+ "prose" : "Determine if:",
 "parts" : [ { "id" : "ac-10_obj.1",
@@ -3481,7 +3453,7 @@
 { "id" : "ac-11_obj", "name" : "objective",
- "prose" : " Determine if:",
+ "prose" : "Determine if:",
 "parts" : [ { "id" : "ac-11.a_obj",
@@ -4876,7 +4848,7 @@
 { "id" : "ac-19_obj", "name" : "objective",
- "prose" : " Determine if the organization:",
+ "prose" : "Determine if the organization:",
 "parts" : [ { "id" : "ac-19.a_obj",
@@ -11338,43 +11310,7 @@
 { "method" : "INTERVIEW" }, "parts" : { "name" : "objects",
- "prose" : "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities" } } ] },
-
- { "id" : "ca-7.fr",
- "class" : "SP800-53-enhancement",
- "title" : "Additional FedRAMP Requirements and Guidance",
- "properties" :
- { "label" : "CA-7 Req" },
- "parts" :
- { "id" : "ca-7.fr_smt",
- "name" : "statement",
- "parts" :
- [
- { "id" : "ca-7.fr_smt.1",
- "name" : "item",
- "properties" :
- { "label" : "Requirement 1:" },
- "prose" : "Operating System Scans: at least monthly" },
-
- { "id" : "ca-7.fr_smt.2",
- "name" : "item",
- "properties" :
- { "label" : "Requirement 2:" },
- "prose" : "Database and Web Application Scans: at least monthly" },
-
- { "id" : "ca-7.fr_smt.3",
- "name" : "item",
- "properties" :
- { "label" : "Requirement 3:" },
- "prose" : "All scans performed by Independent Assessor: at least annually" },
-
- { "id" : "ca-7.fr_gdn.1",
- "name" : "guidance",
- "prose" : "CSPs must provide evidence of closure and remediation of a high vulnerability within the timeframe for standard POA&M updates." },
-
- { "id" : "ca-7.fr_gdn.2",
- "name" : "guidance",
- "prose" : "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https:\/\/www.FedRAMP.gov\/documents\/](https:\/\/www.FedRAMP.gov\/documents\/)" } ] } } ] },
+ "prose" : "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities" } } ] } ] },
 { "id" : "ca-8", "class" : "SP800-53",
@@ -15075,7 +15011,7 @@
 "alternatives" : [ "disables network access by such components", "isolates the components",
- "notifies {{ cm-8.3_prm_3 }} " ] } },
+ "notifies {{ cm-8.3_prm_3 }}" ] } },
 { "id" : "cm-8.3_prm_3", "depends-on" : "cm-8.3_prm_2",
@@ -40159,19 +40095,7 @@
 { "method" : "TEST" }, "parts" : { "name" : "objects",
- "prose" : "Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing devices" } } ],
- "controls" :
- { "id" : "sc-15.fr",
- "class" : "SP800-53-enhancement",
- "title" : "SC-15 Additional FedRAMP Requirements and Guidance",
- "properties" :
- { "label" : "SC-15 Req" },
- "parts" :
- { "id" : "sc-15.fr_smt",
- "name" : "statement",
- "properties" :
- { "label" : "Requirement:" },
- "prose" : "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." } } },
+ "prose" : "Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing devices" } } ] },
 { "id" : "sc-17", "class" : "SP800-53",
@@ -43504,7 +43428,7 @@
 { "how-many" : "one or more", "alternatives" : [ "audits",
- "alerts {{ si-4.22_prm_3 }} " ] } },
+ "alerts {{ si-4.22_prm_3 }}" ] } },
 { "id" : "si-4.22_prm_3", "depends-on" : "si-4.22_prm_2",
@@ -44347,7 +44271,7 @@
 { "how-many" : "one or more", "alternatives" : [ "at startup",
- "at {{ si-7.1_prm_3 }} ",
+ "at {{ si-7.1_prm_3 }}",
 "\n {{ si-7.1_prm_4 }}\n " ] } }, { "id" : "si-7.1_prm_3",
@@ -44572,7 +44496,7 @@
 "alternatives" : [ "shuts the information system down", "restarts the information system",
- "implements {{ si-7.5_prm_2 }} " ] } },
+ "implements {{ si-7.5_prm_2 }}" ] } },
 { "id" : "si-7.5_prm_2", "depends-on" : "si-7.5_prm_1",
diff --git a/baselines/json/FedRAMP_HIGH-baseline_profile.json b/baselines/json/FedRAMP_HIGH-baseline_profile.json
index d5afedd88..af17647e5 100644
--- a/baselines/json/FedRAMP_HIGH-baseline_profile.json
+++ b/baselines/json/FedRAMP_HIGH-baseline_profile.json
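Review bot: The trailing-space cleanup in the @@ -44347 hunk is incomplete: the next alternative in the same `alternatives` array, `"\n {{ si-7.1_prm_4 }}\n "`, still carries escaped newlines and surrounding spaces on the new side, so the si-7.1 choices remain inconsistently formatted for anything that renders or compares parameter text. If the generator trims the other alternatives, it should produce `"{{ si-7.1_prm_4 }}"` here as well; the other resolved catalogs touched by this patch (LOW, MODERATE, LI-SaaS) are outside this chunk and may carry the same leftover.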
@@ -1,10 +1,10 @@
 { "profile" :
- { "id" : "uuid-2d9e9fd6-b9dd-4ed2-be21-79d7c779942c",
+ { "id" : "uuid-4a4eae61-d11f-4e3e-97fb-af5e3e91d7c5",
 "metadata" : { "title" : "FedRAMP High Baseline",
- "published" : "2019-12-17T00:00:00.000-05:00",
- "last-modified" : "2019-12-16T10:00:00.000-05:00",
+ "published" : "2020-02-02T00:00:00.000-05:00",
+ "last-modified" : "2020-01-28T10:00:00.000-05:00",
 "version" : "1.2", "oscal-version" : "1.0.0-milestone2", "roles" :
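Review bot: The regenerated metadata records `version`, `oscal-version` and two timestamps but nothing that identifies which revision of the source catalog this profile was resolved against, while the `href` in the imports hunk that follows still points at the `master` branch of usnistgov/OSCAL rather than a tag or commit. Re-running the resolution later can therefore yield a different resolved catalog from an unchanged profile, and nothing in this metadata would reveal it; consider pinning the import href to a release tag or commit, or recording the resolved catalog's revision (its `version` or a content hash) in the profile metadata so the pairing is auditable.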
@@ -26,868 +26,857 @@ "contact" : { "party-ids" : "fedramp" } } }, "imports" : - [ - { "href" : "https:\/\/raw.githubusercontent.com\/usnistgov\/OSCAL\/master\/content\/nist.gov\/SP800-53\/rev4\/xml\/NIST_SP-800-53_rev4_catalog.xml", - "include" : - { "id-selectors" : - [ - { "control-id" : "ac-1" }, - - { "control-id" : "ac-2" }, - - { "control-id" : "ac-2.1" }, - - { "control-id" : "ac-2.2" }, - - { "control-id" : "ac-2.3" }, - - { "control-id" : "ac-2.4" }, - - { "control-id" : "ac-2.5" }, - - { "control-id" : "ac-2.7" }, - - { "control-id" : "ac-2.9" }, - - { "control-id" : "ac-2.10" }, - - { "control-id" : "ac-2.11" }, - - { "control-id" : "ac-2.12" }, - - { "control-id" : "ac-2.13" }, - - { "control-id" : "ac-3" }, - - { "control-id" : "ac-4" }, - - { "control-id" : "ac-4.8" }, - - { "control-id" : "ac-4.21" }, - - { "control-id" : "ac-5" }, - - { "control-id" : "ac-6" }, - - { "control-id" : "ac-6.1" }, - - { "control-id" : "ac-6.2" }, - - { "control-id" : "ac-6.3" }, - - { "control-id" : "ac-6.5" }, - - { "control-id" : "ac-6.7" }, - - { "control-id" : "ac-6.8" }, - - { "control-id" : "ac-6.9" }, - - { "control-id" : "ac-6.10" }, - - { "control-id" : "ac-7" }, - - { "control-id" : "ac-7.2" }, - - { "control-id" : "ac-8" }, - - { "control-id" : "ac-10" }, - - { "control-id" : "ac-11" }, - - { "control-id" : "ac-11.1" }, - - { "control-id" : "ac-12" }, - - { "control-id" : "ac-12.1" }, - - { "control-id" : "ac-14" }, - - { "control-id" : "ac-17" }, - - { "control-id" : "ac-17.1" }, - - { "control-id" : "ac-17.2" }, - - { "control-id" : "ac-17.3" }, - - { "control-id" : "ac-17.4" }, - - { "control-id" : "ac-17.9" }, - - { "control-id" : "ac-18" }, - - { "control-id" : "ac-18.1" }, - - { "control-id" : "ac-18.3" }, - - { "control-id" : "ac-18.4" }, - - { "control-id" : "ac-18.5" }, - - { "control-id" : "ac-19" }, - - { "control-id" : "ac-19.5" }, - - { "control-id" : "ac-20" }, - - { "control-id" : "ac-20.1" }, - - { "control-id" : "ac-20.2" }, - - { 
"control-id" : "ac-21" }, - - { "control-id" : "ac-22" }, - - { "control-id" : "at-1" }, - - { "control-id" : "at-2" }, - - { "control-id" : "at-2.2" }, - - { "control-id" : "at-3" }, - - { "control-id" : "at-3.3" }, - - { "control-id" : "at-3.4" }, - - { "control-id" : "at-4" }, - - { "control-id" : "au-1" }, - - { "control-id" : "au-2" }, - - { "control-id" : "au-2.3" }, - - { "control-id" : "au-3" }, - - { "control-id" : "au-3.1" }, - - { "control-id" : "au-3.2" }, - - { "control-id" : "au-4" }, - - { "control-id" : "au-5" }, - - { "control-id" : "au-5.1" }, - - { "control-id" : "au-5.2" }, - - { "control-id" : "au-6" }, - - { "control-id" : "au-6.1" }, - - { "control-id" : "au-6.3" }, - - { "control-id" : "au-6.4" }, - - { "control-id" : "au-6.5" }, - - { "control-id" : "au-6.6" }, - - { "control-id" : "au-6.7" }, - - { "control-id" : "au-6.10" }, - - { "control-id" : "au-7" }, - - { "control-id" : "au-7.1" }, - - { "control-id" : "au-8" }, - - { "control-id" : "au-8.1" }, - - { "control-id" : "au-9" }, - - { "control-id" : "au-9.2" }, - - { "control-id" : "au-9.3" }, - - { "control-id" : "au-9.4" }, - - { "control-id" : "au-10" }, - - { "control-id" : "au-11" }, - - { "control-id" : "au-12" }, - - { "control-id" : "au-12.1" }, - - { "control-id" : "au-12.3" }, - - { "control-id" : "ca-1" }, - - { "control-id" : "ca-2" }, - - { "control-id" : "ca-2.1" }, - - { "control-id" : "ca-2.2" }, - - { "control-id" : "ca-2.3" }, - - { "control-id" : "ca-3" }, - - { "control-id" : "ca-3.3" }, - - { "control-id" : "ca-3.5" }, - - { "control-id" : "ca-5" }, - - { "control-id" : "ca-6" }, - - { "control-id" : "ca-7" }, - - { "control-id" : "ca-7.1" }, - - { "control-id" : "ca-7.3" }, - - { "control-id" : "ca-8" }, - - { "control-id" : "ca-8.1" }, - - { "control-id" : "ca-9" }, - - { "control-id" : "cm-1" }, - - { "control-id" : "cm-2" }, - - { "control-id" : "cm-2.1" }, - - { "control-id" : "cm-2.2" }, - - { "control-id" : "cm-2.3" }, - - { "control-id" : "cm-2.7" }, - - { 
"control-id" : "cm-3" }, - - { "control-id" : "cm-3.1" }, - - { "control-id" : "cm-3.2" }, - - { "control-id" : "cm-3.4" }, - - { "control-id" : "cm-3.6" }, - - { "control-id" : "cm-4" }, - - { "control-id" : "cm-4.1" }, - - { "control-id" : "cm-5" }, - - { "control-id" : "cm-5.1" }, - - { "control-id" : "cm-5.2" }, - - { "control-id" : "cm-5.3" }, - - { "control-id" : "cm-5.5" }, - - { "control-id" : "cm-6" }, - - { "control-id" : "cm-6.1" }, - - { "control-id" : "cm-6.2" }, - - { "control-id" : "cm-7" }, - - { "control-id" : "cm-7.1" }, - - { "control-id" : "cm-7.2" }, - - { "control-id" : "cm-7.5" }, - - { "control-id" : "cm-8" }, - - { "control-id" : "cm-8.1" }, - - { "control-id" : "cm-8.2" }, - - { "control-id" : "cm-8.3" }, - - { "control-id" : "cm-8.4" }, - - { "control-id" : "cm-8.5" }, - - { "control-id" : "cm-9" }, - - { "control-id" : "cm-10" }, - - { "control-id" : "cm-10.1" }, - - { "control-id" : "cm-11" }, - - { "control-id" : "cm-11.1" }, - - { "control-id" : "cp-1" }, - - { "control-id" : "cp-2" }, - - { "control-id" : "cp-2.1" }, - - { "control-id" : "cp-2.2" }, - - { "control-id" : "cp-2.3" }, - - { "control-id" : "cp-2.4" }, - - { "control-id" : "cp-2.5" }, - - { "control-id" : "cp-2.8" }, - - { "control-id" : "cp-3" }, - - { "control-id" : "cp-3.1" }, - - { "control-id" : "cp-4" }, - - { "control-id" : "cp-4.1" }, - - { "control-id" : "cp-4.2" }, - - { "control-id" : "cp-6" }, - - { "control-id" : "cp-6.1" }, - - { "control-id" : "cp-6.2" }, - - { "control-id" : "cp-6.3" }, - - { "control-id" : "cp-7" }, - - { "control-id" : "cp-7.1" }, - - { "control-id" : "cp-7.2" }, - - { "control-id" : "cp-7.3" }, - - { "control-id" : "cp-7.4" }, - - { "control-id" : "cp-8" }, - - { "control-id" : "cp-8.1" }, - - { "control-id" : "cp-8.2" }, - - { "control-id" : "cp-8.3" }, - - { "control-id" : "cp-8.4" }, - - { "control-id" : "cp-9" }, - - { "control-id" : "cp-9.1" }, - - { "control-id" : "cp-9.2" }, - - { "control-id" : "cp-9.3" }, - - { "control-id" : 
"cp-9.5" }, - - { "control-id" : "cp-10" }, - - { "control-id" : "cp-10.2" }, - - { "control-id" : "cp-10.4" }, - - { "control-id" : "ia-1" }, - - { "control-id" : "ia-2" }, - - { "control-id" : "ia-2.1" }, - - { "control-id" : "ia-2.2" }, - - { "control-id" : "ia-2.3" }, - - { "control-id" : "ia-2.4" }, - - { "control-id" : "ia-2.5" }, - - { "control-id" : "ia-2.8" }, - - { "control-id" : "ia-2.9" }, - - { "control-id" : "ia-2.11" }, - - { "control-id" : "ia-2.12" }, - - { "control-id" : "ia-3" }, - - { "control-id" : "ia-4" }, - - { "control-id" : "ia-4.4" }, - - { "control-id" : "ia-5" }, - - { "control-id" : "ia-5.1" }, - - { "control-id" : "ia-5.2" }, - - { "control-id" : "ia-5.3" }, - - { "control-id" : "ia-5.4" }, - - { "control-id" : "ia-5.6" }, - - { "control-id" : "ia-5.7" }, - - { "control-id" : "ia-5.8" }, - - { "control-id" : "ia-5.11" }, - - { "control-id" : "ia-5.13" }, - - { "control-id" : "ia-6" }, - - { "control-id" : "ia-7" }, - - { "control-id" : "ia-8" }, - - { "control-id" : "ia-8.1" }, - - { "control-id" : "ia-8.2" }, - - { "control-id" : "ia-8.3" }, - - { "control-id" : "ia-8.4" }, - - { "control-id" : "ir-1" }, - - { "control-id" : "ir-2" }, - - { "control-id" : "ir-2.1" }, - - { "control-id" : "ir-2.2" }, - - { "control-id" : "ir-3" }, - - { "control-id" : "ir-3.2" }, - - { "control-id" : "ir-4" }, - - { "control-id" : "ir-4.1" }, - - { "control-id" : "ir-4.2" }, - - { "control-id" : "ir-4.3" }, - - { "control-id" : "ir-4.4" }, - - { "control-id" : "ir-4.6" }, - - { "control-id" : "ir-4.8" }, - - { "control-id" : "ir-5" }, - - { "control-id" : "ir-5.1" }, - - { "control-id" : "ir-6" }, - - { "control-id" : "ir-6.1" }, - - { "control-id" : "ir-7" }, - - { "control-id" : "ir-7.1" }, - - { "control-id" : "ir-7.2" }, - - { "control-id" : "ir-8" }, - - { "control-id" : "ir-9" }, - - { "control-id" : "ir-9.1" }, - - { "control-id" : "ir-9.2" }, - - { "control-id" : "ir-9.3" }, - - { "control-id" : "ir-9.4" }, - - { "control-id" : "ma-1" }, - - { 
"control-id" : "ma-2" }, - - { "control-id" : "ma-2.2" }, - - { "control-id" : "ma-3" }, - - { "control-id" : "ma-3.1" }, - - { "control-id" : "ma-3.2" }, - - { "control-id" : "ma-3.3" }, - - { "control-id" : "ma-4" }, - - { "control-id" : "ma-4.2" }, - - { "control-id" : "ma-4.3" }, - - { "control-id" : "ma-4.6" }, - - { "control-id" : "ma-5" }, - - { "control-id" : "ma-5.1" }, - - { "control-id" : "ma-6" }, - - { "control-id" : "mp-1" }, - - { "control-id" : "mp-2" }, - - { "control-id" : "mp-3" }, - - { "control-id" : "mp-4" }, - - { "control-id" : "mp-5" }, - - { "control-id" : "mp-5.4" }, - - { "control-id" : "mp-6" }, - - { "control-id" : "mp-6.1" }, - - { "control-id" : "mp-6.2" }, - - { "control-id" : "mp-6.3" }, - - { "control-id" : "mp-7" }, - - { "control-id" : "mp-7.1" }, - - { "control-id" : "pe-1" }, - - { "control-id" : "pe-2" }, - - { "control-id" : "pe-3" }, - - { "control-id" : "pe-3.1" }, - - { "control-id" : "pe-4" }, - - { "control-id" : "pe-5" }, - - { "control-id" : "pe-6" }, - - { "control-id" : "pe-6.1" }, - - { "control-id" : "pe-6.4" }, - - { "control-id" : "pe-8" }, - - { "control-id" : "pe-8.1" }, - - { "control-id" : "pe-9" }, - - { "control-id" : "pe-10" }, - - { "control-id" : "pe-11" }, - - { "control-id" : "pe-11.1" }, - - { "control-id" : "pe-12" }, - - { "control-id" : "pe-13" }, - - { "control-id" : "pe-13.1" }, - - { "control-id" : "pe-13.2" }, - - { "control-id" : "pe-13.3" }, - - { "control-id" : "pe-14" }, - - { "control-id" : "pe-14.2" }, - - { "control-id" : "pe-15" }, - - { "control-id" : "pe-15.1" }, - - { "control-id" : "pe-16" }, - - { "control-id" : "pe-17" }, - - { "control-id" : "pe-18" }, - - { "control-id" : "pl-1" }, - - { "control-id" : "pl-2" }, - - { "control-id" : "pl-2.3" }, - - { "control-id" : "pl-4" }, - - { "control-id" : "pl-4.1" }, - - { "control-id" : "pl-8" }, - - { "control-id" : "ps-1" }, - - { "control-id" : "ps-2" }, - - { "control-id" : "ps-3" }, - - { "control-id" : "ps-3.3" }, - - { 
"control-id" : "ps-4" }, - - { "control-id" : "ps-4.2" }, - - { "control-id" : "ps-5" }, - - { "control-id" : "ps-6" }, - - { "control-id" : "ps-7" }, - - { "control-id" : "ps-8" }, - - { "control-id" : "ra-1" }, - - { "control-id" : "ra-2" }, - - { "control-id" : "ra-3" }, - - { "control-id" : "ra-5" }, - - { "control-id" : "ra-5.1" }, - - { "control-id" : "ra-5.2" }, - - { "control-id" : "ra-5.3" }, - - { "control-id" : "ra-5.4" }, - - { "control-id" : "ra-5.5" }, - - { "control-id" : "ra-5.6" }, - - { "control-id" : "ra-5.8" }, - - { "control-id" : "ra-5.10" }, - - { "control-id" : "sa-1" }, - - { "control-id" : "sa-2" }, - - { "control-id" : "sa-3" }, - - { "control-id" : "sa-4" }, - - { "control-id" : "sa-4.1" }, - - { "control-id" : "sa-4.2" }, - - { "control-id" : "sa-4.8" }, - - { "control-id" : "sa-4.9" }, - - { "control-id" : "sa-4.10" }, - - { "control-id" : "sa-5" }, - - { "control-id" : "sa-8" }, - - { "control-id" : "sa-9" }, - - { "control-id" : "sa-9.1" }, - - { "control-id" : "sa-9.2" }, - - { "control-id" : "sa-9.4" }, - - { "control-id" : "sa-9.5" }, - - { "control-id" : "sa-10" }, - - { "control-id" : "sa-10.1" }, - - { "control-id" : "sa-11" }, - - { "control-id" : "sa-11.1" }, - - { "control-id" : "sa-11.2" }, - - { "control-id" : "sa-11.8" }, - - { "control-id" : "sa-12" }, - - { "control-id" : "sa-15" }, - - { "control-id" : "sa-16" }, - - { "control-id" : "sa-17" }, - - { "control-id" : "sc-1" }, - - { "control-id" : "sc-2" }, - - { "control-id" : "sc-3" }, - - { "control-id" : "sc-4" }, - - { "control-id" : "sc-5" }, - - { "control-id" : "sc-6" }, - - { "control-id" : "sc-7" }, - - { "control-id" : "sc-7.3" }, - - { "control-id" : "sc-7.4" }, - - { "control-id" : "sc-7.5" }, - - { "control-id" : "sc-7.7" }, - - { "control-id" : "sc-7.8" }, - - { "control-id" : "sc-7.10" }, - - { "control-id" : "sc-7.12" }, - - { "control-id" : "sc-7.13" }, - - { "control-id" : "sc-7.18" }, - - { "control-id" : "sc-7.20" }, - - { "control-id" : "sc-7.21" }, 
- - { "control-id" : "sc-8" }, - - { "control-id" : "sc-8.1" }, - - { "control-id" : "sc-10" }, - - { "control-id" : "sc-12" }, - - { "control-id" : "sc-12.1" }, - - { "control-id" : "sc-12.2" }, - - { "control-id" : "sc-12.3" }, - - { "control-id" : "sc-13" }, - - { "control-id" : "sc-15" }, - - { "control-id" : "sc-17" }, - - { "control-id" : "sc-18" }, - - { "control-id" : "sc-19" }, - - { "control-id" : "sc-20" }, - - { "control-id" : "sc-21" }, - - { "control-id" : "sc-22" }, - - { "control-id" : "sc-23" }, - - { "control-id" : "sc-23.1" }, - - { "control-id" : "sc-24" }, - - { "control-id" : "sc-28" }, - - { "control-id" : "sc-28.1" }, - - { "control-id" : "sc-39" }, - - { "control-id" : "si-1" }, - - { "control-id" : "si-2" }, - - { "control-id" : "si-2.1" }, - - { "control-id" : "si-2.2" }, - - { "control-id" : "si-2.3" }, - - { "control-id" : "si-3" }, - - { "control-id" : "si-3.1" }, - - { "control-id" : "si-3.2" }, - - { "control-id" : "si-3.7" }, - - { "control-id" : "si-4" }, - - { "control-id" : "si-4.1" }, - - { "control-id" : "si-4.2" }, - - { "control-id" : "si-4.4" }, - - { "control-id" : "si-4.5" }, - - { "control-id" : "si-4.11" }, - - { "control-id" : "si-4.14" }, - - { "control-id" : "si-4.16" }, - - { "control-id" : "si-4.18" }, - - { "control-id" : "si-4.19" }, - - { "control-id" : "si-4.20" }, - - { "control-id" : "si-4.22" }, - - { "control-id" : "si-4.23" }, - - { "control-id" : "si-4.24" }, - - { "control-id" : "si-5" }, - - { "control-id" : "si-5.1" }, - - { "control-id" : "si-6" }, - - { "control-id" : "si-7" }, - - { "control-id" : "si-7.1" }, - - { "control-id" : "si-7.2" }, - - { "control-id" : "si-7.5" }, - - { "control-id" : "si-7.7" }, - - { "control-id" : "si-7.14" }, - - { "control-id" : "si-8" }, - - { "control-id" : "si-8.1" }, - - { "control-id" : "si-8.2" }, - - { "control-id" : "si-10" }, - - { "control-id" : "si-11" }, - - { "control-id" : "si-12" }, - - { "control-id" : "si-16" } ] } }, - - { "href" : 
"https:\/\/raw.githubusercontent.com\/gsa\/fedramp-automation\/master\/baselines\/xml\/FedRAMP_catalog.xml", - "include" : - { "id-selectors" : - [ - { "control-id" : "ac-8.fr" }, - - { "control-id" : "ca-7.fr" }, - - { "control-id" : "sc-15.fr" } ] } } ], + { "href" : "https:\/\/raw.githubusercontent.com\/usnistgov\/OSCAL\/master\/content\/nist.gov\/SP800-53\/rev4\/xml\/NIST_SP-800-53_rev4_catalog.xml", + "include" : + { "id-selectors" : + [ + { "control-id" : "ac-1" }, + + { "control-id" : "ac-2" }, + + { "control-id" : "ac-2.1" }, + + { "control-id" : "ac-2.2" }, + + { "control-id" : "ac-2.3" }, + + { "control-id" : "ac-2.4" }, + + { "control-id" : "ac-2.5" }, + + { "control-id" : "ac-2.7" }, + + { "control-id" : "ac-2.9" }, + + { "control-id" : "ac-2.10" }, + + { "control-id" : "ac-2.11" }, + + { "control-id" : "ac-2.12" }, + + { "control-id" : "ac-2.13" }, + + { "control-id" : "ac-3" }, + + { "control-id" : "ac-4" }, + + { "control-id" : "ac-4.8" }, + + { "control-id" : "ac-4.21" }, + + { "control-id" : "ac-5" }, + + { "control-id" : "ac-6" }, + + { "control-id" : "ac-6.1" }, + + { "control-id" : "ac-6.2" }, + + { "control-id" : "ac-6.3" }, + + { "control-id" : "ac-6.5" }, + + { "control-id" : "ac-6.7" }, + + { "control-id" : "ac-6.8" }, + + { "control-id" : "ac-6.9" }, + + { "control-id" : "ac-6.10" }, + + { "control-id" : "ac-7" }, + + { "control-id" : "ac-7.2" }, + + { "control-id" : "ac-8" }, + + { "control-id" : "ac-10" }, + + { "control-id" : "ac-11" }, + + { "control-id" : "ac-11.1" }, + + { "control-id" : "ac-12" }, + + { "control-id" : "ac-12.1" }, + + { "control-id" : "ac-14" }, + + { "control-id" : "ac-17" }, + + { "control-id" : "ac-17.1" }, + + { "control-id" : "ac-17.2" }, + + { "control-id" : "ac-17.3" }, + + { "control-id" : "ac-17.4" }, + + { "control-id" : "ac-17.9" }, + + { "control-id" : "ac-18" }, + + { "control-id" : "ac-18.1" }, + + { "control-id" : "ac-18.3" }, + + { "control-id" : "ac-18.4" }, + + { "control-id" : "ac-18.5" }, + + { 
"control-id" : "ac-19" }, + + { "control-id" : "ac-19.5" }, + + { "control-id" : "ac-20" }, + + { "control-id" : "ac-20.1" }, + + { "control-id" : "ac-20.2" }, + + { "control-id" : "ac-21" }, + + { "control-id" : "ac-22" }, + + { "control-id" : "at-1" }, + + { "control-id" : "at-2" }, + + { "control-id" : "at-2.2" }, + + { "control-id" : "at-3" }, + + { "control-id" : "at-3.3" }, + + { "control-id" : "at-3.4" }, + + { "control-id" : "at-4" }, + + { "control-id" : "au-1" }, + + { "control-id" : "au-2" }, + + { "control-id" : "au-2.3" }, + + { "control-id" : "au-3" }, + + { "control-id" : "au-3.1" }, + + { "control-id" : "au-3.2" }, + + { "control-id" : "au-4" }, + + { "control-id" : "au-5" }, + + { "control-id" : "au-5.1" }, + + { "control-id" : "au-5.2" }, + + { "control-id" : "au-6" }, + + { "control-id" : "au-6.1" }, + + { "control-id" : "au-6.3" }, + + { "control-id" : "au-6.4" }, + + { "control-id" : "au-6.5" }, + + { "control-id" : "au-6.6" }, + + { "control-id" : "au-6.7" }, + + { "control-id" : "au-6.10" }, + + { "control-id" : "au-7" }, + + { "control-id" : "au-7.1" }, + + { "control-id" : "au-8" }, + + { "control-id" : "au-8.1" }, + + { "control-id" : "au-9" }, + + { "control-id" : "au-9.2" }, + + { "control-id" : "au-9.3" }, + + { "control-id" : "au-9.4" }, + + { "control-id" : "au-10" }, + + { "control-id" : "au-11" }, + + { "control-id" : "au-12" }, + + { "control-id" : "au-12.1" }, + + { "control-id" : "au-12.3" }, + + { "control-id" : "ca-1" }, + + { "control-id" : "ca-2" }, + + { "control-id" : "ca-2.1" }, + + { "control-id" : "ca-2.2" }, + + { "control-id" : "ca-2.3" }, + + { "control-id" : "ca-3" }, + + { "control-id" : "ca-3.3" }, + + { "control-id" : "ca-3.5" }, + + { "control-id" : "ca-5" }, + + { "control-id" : "ca-6" }, + + { "control-id" : "ca-7" }, + + { "control-id" : "ca-7.1" }, + + { "control-id" : "ca-7.3" }, + + { "control-id" : "ca-8" }, + + { "control-id" : "ca-8.1" }, + + { "control-id" : "ca-9" }, + + { "control-id" : "cm-1" }, + + 
{ "control-id" : "cm-2" }, + + { "control-id" : "cm-2.1" }, + + { "control-id" : "cm-2.2" }, + + { "control-id" : "cm-2.3" }, + + { "control-id" : "cm-2.7" }, + + { "control-id" : "cm-3" }, + + { "control-id" : "cm-3.1" }, + + { "control-id" : "cm-3.2" }, + + { "control-id" : "cm-3.4" }, + + { "control-id" : "cm-3.6" }, + + { "control-id" : "cm-4" }, + + { "control-id" : "cm-4.1" }, + + { "control-id" : "cm-5" }, + + { "control-id" : "cm-5.1" }, + + { "control-id" : "cm-5.2" }, + + { "control-id" : "cm-5.3" }, + + { "control-id" : "cm-5.5" }, + + { "control-id" : "cm-6" }, + + { "control-id" : "cm-6.1" }, + + { "control-id" : "cm-6.2" }, + + { "control-id" : "cm-7" }, + + { "control-id" : "cm-7.1" }, + + { "control-id" : "cm-7.2" }, + + { "control-id" : "cm-7.5" }, + + { "control-id" : "cm-8" }, + + { "control-id" : "cm-8.1" }, + + { "control-id" : "cm-8.2" }, + + { "control-id" : "cm-8.3" }, + + { "control-id" : "cm-8.4" }, + + { "control-id" : "cm-8.5" }, + + { "control-id" : "cm-9" }, + + { "control-id" : "cm-10" }, + + { "control-id" : "cm-10.1" }, + + { "control-id" : "cm-11" }, + + { "control-id" : "cm-11.1" }, + + { "control-id" : "cp-1" }, + + { "control-id" : "cp-2" }, + + { "control-id" : "cp-2.1" }, + + { "control-id" : "cp-2.2" }, + + { "control-id" : "cp-2.3" }, + + { "control-id" : "cp-2.4" }, + + { "control-id" : "cp-2.5" }, + + { "control-id" : "cp-2.8" }, + + { "control-id" : "cp-3" }, + + { "control-id" : "cp-3.1" }, + + { "control-id" : "cp-4" }, + + { "control-id" : "cp-4.1" }, + + { "control-id" : "cp-4.2" }, + + { "control-id" : "cp-6" }, + + { "control-id" : "cp-6.1" }, + + { "control-id" : "cp-6.2" }, + + { "control-id" : "cp-6.3" }, + + { "control-id" : "cp-7" }, + + { "control-id" : "cp-7.1" }, + + { "control-id" : "cp-7.2" }, + + { "control-id" : "cp-7.3" }, + + { "control-id" : "cp-7.4" }, + + { "control-id" : "cp-8" }, + + { "control-id" : "cp-8.1" }, + + { "control-id" : "cp-8.2" }, + + { "control-id" : "cp-8.3" }, + + { "control-id" : 
"cp-8.4" }, + + { "control-id" : "cp-9" }, + + { "control-id" : "cp-9.1" }, + + { "control-id" : "cp-9.2" }, + + { "control-id" : "cp-9.3" }, + + { "control-id" : "cp-9.5" }, + + { "control-id" : "cp-10" }, + + { "control-id" : "cp-10.2" }, + + { "control-id" : "cp-10.4" }, + + { "control-id" : "ia-1" }, + + { "control-id" : "ia-2" }, + + { "control-id" : "ia-2.1" }, + + { "control-id" : "ia-2.2" }, + + { "control-id" : "ia-2.3" }, + + { "control-id" : "ia-2.4" }, + + { "control-id" : "ia-2.5" }, + + { "control-id" : "ia-2.8" }, + + { "control-id" : "ia-2.9" }, + + { "control-id" : "ia-2.11" }, + + { "control-id" : "ia-2.12" }, + + { "control-id" : "ia-3" }, + + { "control-id" : "ia-4" }, + + { "control-id" : "ia-4.4" }, + + { "control-id" : "ia-5" }, + + { "control-id" : "ia-5.1" }, + + { "control-id" : "ia-5.2" }, + + { "control-id" : "ia-5.3" }, + + { "control-id" : "ia-5.4" }, + + { "control-id" : "ia-5.6" }, + + { "control-id" : "ia-5.7" }, + + { "control-id" : "ia-5.8" }, + + { "control-id" : "ia-5.11" }, + + { "control-id" : "ia-5.13" }, + + { "control-id" : "ia-6" }, + + { "control-id" : "ia-7" }, + + { "control-id" : "ia-8" }, + + { "control-id" : "ia-8.1" }, + + { "control-id" : "ia-8.2" }, + + { "control-id" : "ia-8.3" }, + + { "control-id" : "ia-8.4" }, + + { "control-id" : "ir-1" }, + + { "control-id" : "ir-2" }, + + { "control-id" : "ir-2.1" }, + + { "control-id" : "ir-2.2" }, + + { "control-id" : "ir-3" }, + + { "control-id" : "ir-3.2" }, + + { "control-id" : "ir-4" }, + + { "control-id" : "ir-4.1" }, + + { "control-id" : "ir-4.2" }, + + { "control-id" : "ir-4.3" }, + + { "control-id" : "ir-4.4" }, + + { "control-id" : "ir-4.6" }, + + { "control-id" : "ir-4.8" }, + + { "control-id" : "ir-5" }, + + { "control-id" : "ir-5.1" }, + + { "control-id" : "ir-6" }, + + { "control-id" : "ir-6.1" }, + + { "control-id" : "ir-7" }, + + { "control-id" : "ir-7.1" }, + + { "control-id" : "ir-7.2" }, + + { "control-id" : "ir-8" }, + + { "control-id" : "ir-9" }, + + { 
"control-id" : "ir-9.1" }, + + { "control-id" : "ir-9.2" }, + + { "control-id" : "ir-9.3" }, + + { "control-id" : "ir-9.4" }, + + { "control-id" : "ma-1" }, + + { "control-id" : "ma-2" }, + + { "control-id" : "ma-2.2" }, + + { "control-id" : "ma-3" }, + + { "control-id" : "ma-3.1" }, + + { "control-id" : "ma-3.2" }, + + { "control-id" : "ma-3.3" }, + + { "control-id" : "ma-4" }, + + { "control-id" : "ma-4.2" }, + + { "control-id" : "ma-4.3" }, + + { "control-id" : "ma-4.6" }, + + { "control-id" : "ma-5" }, + + { "control-id" : "ma-5.1" }, + + { "control-id" : "ma-6" }, + + { "control-id" : "mp-1" }, + + { "control-id" : "mp-2" }, + + { "control-id" : "mp-3" }, + + { "control-id" : "mp-4" }, + + { "control-id" : "mp-5" }, + + { "control-id" : "mp-5.4" }, + + { "control-id" : "mp-6" }, + + { "control-id" : "mp-6.1" }, + + { "control-id" : "mp-6.2" }, + + { "control-id" : "mp-6.3" }, + + { "control-id" : "mp-7" }, + + { "control-id" : "mp-7.1" }, + + { "control-id" : "pe-1" }, + + { "control-id" : "pe-2" }, + + { "control-id" : "pe-3" }, + + { "control-id" : "pe-3.1" }, + + { "control-id" : "pe-4" }, + + { "control-id" : "pe-5" }, + + { "control-id" : "pe-6" }, + + { "control-id" : "pe-6.1" }, + + { "control-id" : "pe-6.4" }, + + { "control-id" : "pe-8" }, + + { "control-id" : "pe-8.1" }, + + { "control-id" : "pe-9" }, + + { "control-id" : "pe-10" }, + + { "control-id" : "pe-11" }, + + { "control-id" : "pe-11.1" }, + + { "control-id" : "pe-12" }, + + { "control-id" : "pe-13" }, + + { "control-id" : "pe-13.1" }, + + { "control-id" : "pe-13.2" }, + + { "control-id" : "pe-13.3" }, + + { "control-id" : "pe-14" }, + + { "control-id" : "pe-14.2" }, + + { "control-id" : "pe-15" }, + + { "control-id" : "pe-15.1" }, + + { "control-id" : "pe-16" }, + + { "control-id" : "pe-17" }, + + { "control-id" : "pe-18" }, + + { "control-id" : "pl-1" }, + + { "control-id" : "pl-2" }, + + { "control-id" : "pl-2.3" }, + + { "control-id" : "pl-4" }, + + { "control-id" : "pl-4.1" }, + + { 
"control-id" : "pl-8" }, + + { "control-id" : "ps-1" }, + + { "control-id" : "ps-2" }, + + { "control-id" : "ps-3" }, + + { "control-id" : "ps-3.3" }, + + { "control-id" : "ps-4" }, + + { "control-id" : "ps-4.2" }, + + { "control-id" : "ps-5" }, + + { "control-id" : "ps-6" }, + + { "control-id" : "ps-7" }, + + { "control-id" : "ps-8" }, + + { "control-id" : "ra-1" }, + + { "control-id" : "ra-2" }, + + { "control-id" : "ra-3" }, + + { "control-id" : "ra-5" }, + + { "control-id" : "ra-5.1" }, + + { "control-id" : "ra-5.2" }, + + { "control-id" : "ra-5.3" }, + + { "control-id" : "ra-5.4" }, + + { "control-id" : "ra-5.5" }, + + { "control-id" : "ra-5.6" }, + + { "control-id" : "ra-5.8" }, + + { "control-id" : "ra-5.10" }, + + { "control-id" : "sa-1" }, + + { "control-id" : "sa-2" }, + + { "control-id" : "sa-3" }, + + { "control-id" : "sa-4" }, + + { "control-id" : "sa-4.1" }, + + { "control-id" : "sa-4.2" }, + + { "control-id" : "sa-4.8" }, + + { "control-id" : "sa-4.9" }, + + { "control-id" : "sa-4.10" }, + + { "control-id" : "sa-5" }, + + { "control-id" : "sa-8" }, + + { "control-id" : "sa-9" }, + + { "control-id" : "sa-9.1" }, + + { "control-id" : "sa-9.2" }, + + { "control-id" : "sa-9.4" }, + + { "control-id" : "sa-9.5" }, + + { "control-id" : "sa-10" }, + + { "control-id" : "sa-10.1" }, + + { "control-id" : "sa-11" }, + + { "control-id" : "sa-11.1" }, + + { "control-id" : "sa-11.2" }, + + { "control-id" : "sa-11.8" }, + + { "control-id" : "sa-12" }, + + { "control-id" : "sa-15" }, + + { "control-id" : "sa-16" }, + + { "control-id" : "sa-17" }, + + { "control-id" : "sc-1" }, + + { "control-id" : "sc-2" }, + + { "control-id" : "sc-3" }, + + { "control-id" : "sc-4" }, + + { "control-id" : "sc-5" }, + + { "control-id" : "sc-6" }, + + { "control-id" : "sc-7" }, + + { "control-id" : "sc-7.3" }, + + { "control-id" : "sc-7.4" }, + + { "control-id" : "sc-7.5" }, + + { "control-id" : "sc-7.7" }, + + { "control-id" : "sc-7.8" }, + + { "control-id" : "sc-7.10" }, + + { 
"control-id" : "sc-7.12" }, + + { "control-id" : "sc-7.13" }, + + { "control-id" : "sc-7.18" }, + + { "control-id" : "sc-7.20" }, + + { "control-id" : "sc-7.21" }, + + { "control-id" : "sc-8" }, + + { "control-id" : "sc-8.1" }, + + { "control-id" : "sc-10" }, + + { "control-id" : "sc-12" }, + + { "control-id" : "sc-12.1" }, + + { "control-id" : "sc-12.2" }, + + { "control-id" : "sc-12.3" }, + + { "control-id" : "sc-13" }, + + { "control-id" : "sc-15" }, + + { "control-id" : "sc-17" }, + + { "control-id" : "sc-18" }, + + { "control-id" : "sc-19" }, + + { "control-id" : "sc-20" }, + + { "control-id" : "sc-21" }, + + { "control-id" : "sc-22" }, + + { "control-id" : "sc-23" }, + + { "control-id" : "sc-23.1" }, + + { "control-id" : "sc-24" }, + + { "control-id" : "sc-28" }, + + { "control-id" : "sc-28.1" }, + + { "control-id" : "sc-39" }, + + { "control-id" : "si-1" }, + + { "control-id" : "si-2" }, + + { "control-id" : "si-2.1" }, + + { "control-id" : "si-2.2" }, + + { "control-id" : "si-2.3" }, + + { "control-id" : "si-3" }, + + { "control-id" : "si-3.1" }, + + { "control-id" : "si-3.2" }, + + { "control-id" : "si-3.7" }, + + { "control-id" : "si-4" }, + + { "control-id" : "si-4.1" }, + + { "control-id" : "si-4.2" }, + + { "control-id" : "si-4.4" }, + + { "control-id" : "si-4.5" }, + + { "control-id" : "si-4.11" }, + + { "control-id" : "si-4.14" }, + + { "control-id" : "si-4.16" }, + + { "control-id" : "si-4.18" }, + + { "control-id" : "si-4.19" }, + + { "control-id" : "si-4.20" }, + + { "control-id" : "si-4.22" }, + + { "control-id" : "si-4.23" }, + + { "control-id" : "si-4.24" }, + + { "control-id" : "si-5" }, + + { "control-id" : "si-5.1" }, + + { "control-id" : "si-6" }, + + { "control-id" : "si-7" }, + + { "control-id" : "si-7.1" }, + + { "control-id" : "si-7.2" }, + + { "control-id" : "si-7.5" }, + + { "control-id" : "si-7.7" }, + + { "control-id" : "si-7.14" }, + + { "control-id" : "si-8" }, + + { "control-id" : "si-8.1" }, + + { "control-id" : "si-8.2" }, + + 
{ "control-id" : "si-10" }, + + { "control-id" : "si-11" }, + + { "control-id" : "si-12" }, + + { "control-id" : "si-16" } ] } }, "merge" : { "combine" : { "method" : "keep" }, "as-is" : true }, "modify" : - { "settings" : + { "parameter-settings" : { "ac-1_prm_2" : { "constraints" : { "detail" : "at least annually" } }, diff --git a/baselines/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.json b/baselines/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.json index a978704ea..c628a8aff 100644 --- a/baselines/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.json +++ b/baselines/json/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.json @@ -1,10 +1,10 @@ { "catalog" : - { "id" : "8b898586-6ae4-4685-8e32-600755fe556b", + { "id" : "0c798736-55c4-4191-8c0a-52759ad32ee8", "metadata" : { "title" : "FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline [RESOLVED]", - "published" : "2019-11-27T00:00:00.000-05:00", - "last-modified" : "2019-11-25T22:23:42.000000-05:00", + "published" : "2020-02-02T00:00:00.000-05:00", + "last-modified" : "2020-01-28T14:26:33.000000-05:00", "version" : "1.2", "oscal-version" : "1.0.0-milestone2", "roles" : @@ -399,9 +399,9 @@ { "id" : "ac-7_prm_3", "select" : { "alternatives" : - [ "locks the account\/node for an {{ ac-7_prm_4 }} ", + [ "locks the account\/node for an {{ ac-7_prm_4 }}", "locks the account\/node until released by an administrator", - "delays next logon prompt according to {{ ac-7_prm_5 }} " ] } }, + "delays next logon prompt according to {{ ac-7_prm_5 }}" ] } }, { "id" : "ac-7_prm_4", "depends-on" : "ac-7_prm_3", diff --git a/baselines/json/FedRAMP_LI-SaaS-baseline_profile.json b/baselines/json/FedRAMP_LI-SaaS-baseline_profile.json index 8eb1c8db1..8a831b513 100644 --- a/baselines/json/FedRAMP_LI-SaaS-baseline_profile.json +++ b/baselines/json/FedRAMP_LI-SaaS-baseline_profile.json 
@@ -1,10 +1,10 @@ { "profile" : - { "id" : "uuid-3ae02e88-e68f-434a-8ec6-83dbefadf304", + { "id" : "uuid-24a8ac6e-b71a-40c1-a845-e9c640813134", "metadata" : { "title" : "FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline", - "published" : "2019-11-27T00:00:00.000-05:00", - "last-modified" : "2019-11-24T10:00:00.000-05:00", + "published" : "2020-02-02T00:00:00.000-05:00", + "last-modified" : "2020-01-28T10:00:00.000-05:00", "version" : "1.2", "oscal-version" : "1.0.0-milestone2", "roles" : @@ -281,7 +281,7 @@ { "method" : "keep" }, "as-is" : true }, "modify" : - { "settings" : + { "parameter-settings" : { "ac-22_prm_1" : { "constraints" : { "detail" : "at least quarterly" } }, diff --git a/baselines/json/FedRAMP_LOW-baseline-resolved-profile_catalog.json b/baselines/json/FedRAMP_LOW-baseline-resolved-profile_catalog.json index f17854fbe..497f4c0d0 100644 --- a/baselines/json/FedRAMP_LOW-baseline-resolved-profile_catalog.json +++ b/baselines/json/FedRAMP_LOW-baseline-resolved-profile_catalog.json @@ -1,10 +1,10 @@ { "catalog" : - { "id" : "c08ce481-4da2-4071-9fc3-4ccaffb1b7cf", + { "id" : "eeffbf3f-a798-49f7-9382-c13a7586eb7e", "metadata" : { "title" : "FedRAMP Low Baseline [RESOLVED]", - "published" : "2019-12-17T00:00:00.000-05:00", - "last-modified" : "2019-12-17T00:34:48.000000-05:00", + "published" : "2020-02-02T00:00:00.000-05:00", + "last-modified" : "2020-01-28T14:26:08.000000-05:00", "version" : "1.2", "oscal-version" : "1.0.0-milestone2", "roles" : @@ -900,9 +900,9 @@ { "id" : "ac-7_prm_3", "select" : { "alternatives" : - [ "locks the account\/node for an {{ ac-7_prm_4 }} ", + [ "locks the account\/node for an {{ ac-7_prm_4 }}", "locks the account\/node until released by an administrator", - "delays next logon prompt according to {{ ac-7_prm_5 }} " ] } }, + "delays next logon prompt according to {{ ac-7_prm_5 }}" ] } }, { "id" : "ac-7_prm_4", "depends-on" : "ac-7_prm_3", 
@@ -1271,35 +1271,7 @@ { "method" : "TEST" }, "parts" : { "name" : "objects", - "prose" : "Automated mechanisms implementing system use notification" } } ], - "controls" : - { "id" : "ac-8.fr", - "class" : "SP800-53", - "title" : "AC-8 Additional FedRAMP Requirements and Guidance", - "properties" : - { "label" : "AC-8 Req" }, - "parts" : - { "id" : "ac-8.fr_smt", - "name" : "statement", - "parts" : - [ - { "id" : "ac-8.fr_smt.1", - "name" : "item", - "properties" : - { "label" : "Requirement:" }, - "prose" : "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB\/AO." }, - - { "id" : "ac-8.fr_smt.2", - "name" : "item", - "properties" : - { "label" : "Requirement:" }, - "prose" : "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB\/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." }, - - { "id" : "ac-8.fr_smt.3", - "name" : "item", - "properties" : - { "label" : "Requirement:" }, - "prose" : "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB\/AO." } ] } } }, + "prose" : "Automated mechanisms implementing system use notification" } } ] }, { "id" : "ac-14", "class" : "SP800-53", 
@@ -1863,7 +1835,7 @@ { "id" : "ac-19_obj", "name" : "objective", - "prose" : " Determine if the organization:", + "prose" : "Determine if the organization:", "parts" : [ { "id" : "ac-19.a_obj", @@ -5626,43 +5598,7 @@ { "method" : "TEST" }, "parts" : { "name" : "objects", - "prose" : "Mechanisms implementing continuous monitoring" } } ], - "controls" : - { "id" : "ca-7.fr", - "class" : "SP800-53-enhancement", - "title" : "Additional FedRAMP Requirements and Guidance", - "properties" : - { "label" : "CA-7 Req" }, - "parts" : - { "id" : "ca-7.fr_smt", - "name" : "statement", - "parts" : - [ - { "id" : "ca-7.fr_smt.1", - "name" : "item", - "properties" : - { "label" : "Requirement 1:" }, - "prose" : "Operating System Scans: at least monthly" }, - - { "id" : "ca-7.fr_smt.2", - "name" : "item", - "properties" : - { "label" : "Requirement 2:" }, - "prose" : "Database and Web Application Scans: at least monthly" }, - - { "id" : "ca-7.fr_smt.3", - "name" : "item", - "properties" : - { "label" : "Requirement 3:" }, - "prose" : "All scans performed by Independent Assessor: at least annually" }, - - { "id" : "ca-7.fr_gdn.1", - "name" : "guidance", - "prose" : "CSPs must provide evidence of closure and remediation of a high vulnerability within the timeframe for standard POA&M updates." }, - - { "id" : "ca-7.fr_gdn.2", - "name" : "guidance", - "prose" : "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https:\/\/www.FedRAMP.gov\/documents\/](https:\/\/www.FedRAMP.gov\/documents\/)" } ] } } }, + "prose" : "Mechanisms implementing continuous monitoring" } } ] }, { "id" : "ca-9", "class" : "SP800-53", 
@@ -19908,19 +19844,7 @@ { "method" : "TEST" }, "parts" : { "name" : "objects", - "prose" : "Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing devices" } } ], - "controls" : - { "id" : "sc-15.fr", - "class" : "SP800-53-enhancement", - "title" : "SC-15 Additional FedRAMP Requirements and Guidance", - "properties" : - { "label" : "SC-15 Req" }, - "parts" : - { "id" : "sc-15.fr_smt", - "name" : "statement", - "properties" : - { "label" : "Requirement:" }, - "prose" : "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." } } }, + "prose" : "Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing devices" } } ] }, { "id" : "sc-20", "class" : "SP800-53", diff --git a/baselines/json/FedRAMP_LOW-baseline_profile.json b/baselines/json/FedRAMP_LOW-baseline_profile.json index cc9d806f2..fc59e1757 100644 --- a/baselines/json/FedRAMP_LOW-baseline_profile.json +++ b/baselines/json/FedRAMP_LOW-baseline_profile.json @@ -1,10 +1,10 @@ { "profile" : - { "id" : "uuid-eda582b6-d61f-42a4-8165-9637ea1e8a33", + { "id" : "uuid-2bb4b4e9-b350-4ce3-9dec-6768214e4f2f", "metadata" : { "title" : "FedRAMP Low Baseline", - "published" : "2019-12-17T00:00:00.000-05:00", - "last-modified" : "2019-12-16T10:00:00.000-05:00", + "published" : "2020-02-02T00:00:00.000-05:00", + "last-modified" : "2020-01-28T10:00:00.000-05:00", "version" : "1.2", "oscal-version" : "1.0.0-milestone2", "roles" : 
@@ -26,276 +26,265 @@ "contact" : { "party-ids" : "fedramp" } } }, "imports" : - [ - { "href" : "https:\/\/raw.githubusercontent.com\/usnistgov\/OSCAL\/master\/content\/nist.gov\/SP800-53\/rev4\/xml\/NIST_SP-800-53_rev4_catalog.xml", - "include" : - { "id-selectors" : - [ - { "control-id" : "ac-1" }, - - { "control-id" : "ac-2" }, - - { "control-id" : "ac-3" }, - - { "control-id" : "ac-7" }, - - { "control-id" : "ac-8" }, - - { "control-id" : "ac-14" }, - - { "control-id" : "ac-17" }, - - { "control-id" : "ac-18" }, - - { "control-id" : "ac-19" }, - - { "control-id" : "ac-20" }, - - { "control-id" : "ac-22" }, - - { "control-id" : "at-1" }, - - { "control-id" : "at-2" }, - - { "control-id" : "at-3" }, - - { "control-id" : "at-4" }, - - { "control-id" : "au-1" }, - - { "control-id" : "au-2" }, - - { "control-id" : "au-3" }, - - { "control-id" : "au-4" }, - - { "control-id" : "au-5" }, - - { "control-id" : "au-6" }, - - { "control-id" : "au-8" }, - - { "control-id" : "au-9" }, - - { "control-id" : "au-11" }, - - { "control-id" : "au-12" }, - - { "control-id" : "ca-1" }, - - { "control-id" : "ca-2" }, - - { "control-id" : "ca-2.1" }, - - { "control-id" : "ca-3" }, - - { "control-id" : "ca-5" }, - - { "control-id" : "ca-6" }, - - { "control-id" : "ca-7" }, - - { "control-id" : "ca-9" }, - - { "control-id" : "cm-1" }, - - { "control-id" : "cm-2" }, - - { "control-id" : "cm-4" }, - - { "control-id" : "cm-6" }, - - { "control-id" : "cm-7" }, - - { "control-id" : "cm-8" }, - - { "control-id" : "cm-10" }, - - { "control-id" : "cm-11" }, - - { "control-id" : "cp-1" }, - - { "control-id" : "cp-2" }, - - { "control-id" : "cp-3" }, - - { "control-id" : "cp-4" }, - - { "control-id" : "cp-9" }, - - { "control-id" : "cp-10" }, - - { "control-id" : "ia-1" }, - - { "control-id" : "ia-2" }, - - { "control-id" : "ia-2.1" }, - - { "control-id" : "ia-2.12" }, - - { "control-id" : "ia-4" }, - - { "control-id" : "ia-5" }, - - { "control-id" : "ia-5.1" }, - - { "control-id" : "ia-5.11" }, 
- - { "control-id" : "ia-6" }, - - { "control-id" : "ia-7" }, - - { "control-id" : "ia-8" }, - - { "control-id" : "ia-8.1" }, - - { "control-id" : "ia-8.2" }, - - { "control-id" : "ia-8.3" }, - - { "control-id" : "ia-8.4" }, - - { "control-id" : "ir-1" }, - - { "control-id" : "ir-2" }, - - { "control-id" : "ir-4" }, - - { "control-id" : "ir-5" }, - - { "control-id" : "ir-6" }, - - { "control-id" : "ir-7" }, - - { "control-id" : "ir-8" }, - - { "control-id" : "ma-1" }, - - { "control-id" : "ma-2" }, - - { "control-id" : "ma-4" }, - - { "control-id" : "ma-5" }, - - { "control-id" : "mp-1" }, - - { "control-id" : "mp-2" }, - - { "control-id" : "mp-6" }, - - { "control-id" : "mp-7" }, - - { "control-id" : "pe-1" }, - - { "control-id" : "pe-2" }, - - { "control-id" : "pe-3" }, - - { "control-id" : "pe-6" }, - - { "control-id" : "pe-8" }, - - { "control-id" : "pe-12" }, - - { "control-id" : "pe-13" }, - - { "control-id" : "pe-14" }, - - { "control-id" : "pe-15" }, - - { "control-id" : "pe-16" }, - - { "control-id" : "pl-1" }, - - { "control-id" : "pl-2" }, - - { "control-id" : "pl-4" }, - - { "control-id" : "ps-1" }, - - { "control-id" : "ps-2" }, - - { "control-id" : "ps-3" }, - - { "control-id" : "ps-4" }, - - { "control-id" : "ps-5" }, - - { "control-id" : "ps-6" }, - - { "control-id" : "ps-7" }, - - { "control-id" : "ps-8" }, - - { "control-id" : "ra-1" }, - - { "control-id" : "ra-2" }, - - { "control-id" : "ra-3" }, - - { "control-id" : "ra-5" }, - - { "control-id" : "sa-1" }, - - { "control-id" : "sa-2" }, - - { "control-id" : "sa-3" }, - - { "control-id" : "sa-4" }, - - { "control-id" : "sa-5" }, - - { "control-id" : "sa-9" }, - - { "control-id" : "sc-1" }, - - { "control-id" : "sc-5" }, - - { "control-id" : "sc-7" }, - - { "control-id" : "sc-12" }, - - { "control-id" : "sc-13" }, - - { "control-id" : "sc-15" }, - - { "control-id" : "sc-20" }, - - { "control-id" : "sc-21" }, - - { "control-id" : "sc-22" }, - - { "control-id" : "sc-39" }, - - { "control-id" : 
"si-1" }, - - { "control-id" : "si-2" }, - - { "control-id" : "si-3" }, - - { "control-id" : "si-4" }, - - { "control-id" : "si-5" }, - - { "control-id" : "si-12" }, - - { "control-id" : "si-16" } ] } }, - - { "href" : "https:\/\/raw.githubusercontent.com\/gsa\/fedramp-automation\/master\/baselines\/xml\/FedRAMP_catalog.xml", - "include" : - { "id-selectors" : - [ - { "control-id" : "ac-8.fr" }, - - { "control-id" : "ca-7.fr" }, - - { "control-id" : "sc-15.fr" } ] } } ], + { "href" : "https:\/\/raw.githubusercontent.com\/usnistgov\/OSCAL\/master\/content\/nist.gov\/SP800-53\/rev4\/xml\/NIST_SP-800-53_rev4_catalog.xml", + "include" : + { "id-selectors" : + [ + { "control-id" : "ac-1" }, + + { "control-id" : "ac-2" }, + + { "control-id" : "ac-3" }, + + { "control-id" : "ac-7" }, + + { "control-id" : "ac-8" }, + + { "control-id" : "ac-14" }, + + { "control-id" : "ac-17" }, + + { "control-id" : "ac-18" }, + + { "control-id" : "ac-19" }, + + { "control-id" : "ac-20" }, + + { "control-id" : "ac-22" }, + + { "control-id" : "at-1" }, + + { "control-id" : "at-2" }, + + { "control-id" : "at-3" }, + + { "control-id" : "at-4" }, + + { "control-id" : "au-1" }, + + { "control-id" : "au-2" }, + + { "control-id" : "au-3" }, + + { "control-id" : "au-4" }, + + { "control-id" : "au-5" }, + + { "control-id" : "au-6" }, + + { "control-id" : "au-8" }, + + { "control-id" : "au-9" }, + + { "control-id" : "au-11" }, + + { "control-id" : "au-12" }, + + { "control-id" : "ca-1" }, + + { "control-id" : "ca-2" }, + + { "control-id" : "ca-2.1" }, + + { "control-id" : "ca-3" }, + + { "control-id" : "ca-5" }, + + { "control-id" : "ca-6" }, + + { "control-id" : "ca-7" }, + + { "control-id" : "ca-9" }, + + { "control-id" : "cm-1" }, + + { "control-id" : "cm-2" }, + + { "control-id" : "cm-4" }, + + { "control-id" : "cm-6" }, + + { "control-id" : "cm-7" }, + + { "control-id" : "cm-8" }, + + { "control-id" : "cm-10" }, + + { "control-id" : "cm-11" }, + + { "control-id" : "cp-1" }, + + { "control-id" : 
"cp-2" }, + + { "control-id" : "cp-3" }, + + { "control-id" : "cp-4" }, + + { "control-id" : "cp-9" }, + + { "control-id" : "cp-10" }, + + { "control-id" : "ia-1" }, + + { "control-id" : "ia-2" }, + + { "control-id" : "ia-2.1" }, + + { "control-id" : "ia-2.12" }, + + { "control-id" : "ia-4" }, + + { "control-id" : "ia-5" }, + + { "control-id" : "ia-5.1" }, + + { "control-id" : "ia-5.11" }, + + { "control-id" : "ia-6" }, + + { "control-id" : "ia-7" }, + + { "control-id" : "ia-8" }, + + { "control-id" : "ia-8.1" }, + + { "control-id" : "ia-8.2" }, + + { "control-id" : "ia-8.3" }, + + { "control-id" : "ia-8.4" }, + + { "control-id" : "ir-1" }, + + { "control-id" : "ir-2" }, + + { "control-id" : "ir-4" }, + + { "control-id" : "ir-5" }, + + { "control-id" : "ir-6" }, + + { "control-id" : "ir-7" }, + + { "control-id" : "ir-8" }, + + { "control-id" : "ma-1" }, + + { "control-id" : "ma-2" }, + + { "control-id" : "ma-4" }, + + { "control-id" : "ma-5" }, + + { "control-id" : "mp-1" }, + + { "control-id" : "mp-2" }, + + { "control-id" : "mp-6" }, + + { "control-id" : "mp-7" }, + + { "control-id" : "pe-1" }, + + { "control-id" : "pe-2" }, + + { "control-id" : "pe-3" }, + + { "control-id" : "pe-6" }, + + { "control-id" : "pe-8" }, + + { "control-id" : "pe-12" }, + + { "control-id" : "pe-13" }, + + { "control-id" : "pe-14" }, + + { "control-id" : "pe-15" }, + + { "control-id" : "pe-16" }, + + { "control-id" : "pl-1" }, + + { "control-id" : "pl-2" }, + + { "control-id" : "pl-4" }, + + { "control-id" : "ps-1" }, + + { "control-id" : "ps-2" }, + + { "control-id" : "ps-3" }, + + { "control-id" : "ps-4" }, + + { "control-id" : "ps-5" }, + + { "control-id" : "ps-6" }, + + { "control-id" : "ps-7" }, + + { "control-id" : "ps-8" }, + + { "control-id" : "ra-1" }, + + { "control-id" : "ra-2" }, + + { "control-id" : "ra-3" }, + + { "control-id" : "ra-5" }, + + { "control-id" : "sa-1" }, + + { "control-id" : "sa-2" }, + + { "control-id" : "sa-3" }, + + { "control-id" : "sa-4" }, + + { 
"control-id" : "sa-5" }, + + { "control-id" : "sa-9" }, + + { "control-id" : "sc-1" }, + + { "control-id" : "sc-5" }, + + { "control-id" : "sc-7" }, + + { "control-id" : "sc-12" }, + + { "control-id" : "sc-13" }, + + { "control-id" : "sc-15" }, + + { "control-id" : "sc-20" }, + + { "control-id" : "sc-21" }, + + { "control-id" : "sc-22" }, + + { "control-id" : "sc-39" }, + + { "control-id" : "si-1" }, + + { "control-id" : "si-2" }, + + { "control-id" : "si-3" }, + + { "control-id" : "si-4" }, + + { "control-id" : "si-5" }, + + { "control-id" : "si-12" }, + + { "control-id" : "si-16" } ] } }, "merge" : { "combine" : { "method" : "keep" }, "as-is" : true }, "modify" : - { "settings" : + { "parameter-settings" : { "ac-1_prm_2" : { "constraints" : { "detail" : "at least every 3 years" } }, diff --git a/baselines/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog.json b/baselines/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog.json index 0960f84f3..7848a1ae0 100644 --- a/baselines/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog.json +++ b/baselines/json/FedRAMP_MODERATE-baseline-resolved-profile_catalog.json @@ -1,10 +1,10 @@ { "catalog" : - { "id" : "7723d8ef-9667-4ae5-8316-0ce2d81a67d0", + { "id" : "ab28b535-6379-48c9-b5d6-463a39aa7576", "metadata" : { "title" : "FedRAMP Moderate Baseline [RESOLVED]", - "published" : "2019-12-17T00:00:00.000-05:00", - "last-modified" : "2019-12-17T00:35:11.000000-05:00", + "published" : "2020-02-02T00:00:00.000-05:00", + "last-modified" : "2020-01-28T14:25:50.000000-05:00", "version" : "1.2", "oscal-version" : "1.0.0-milestone2", "roles" : 
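Review bot: The FedRAMP-specific child controls ac-8.fr, ca-7.fr and sc-15.fr have no remaining source once this hunk drops the second import (FedRAMP_catalog.xml, which the diffstat deletes), so the requirements they carried (the monthly operating-system and database/web scan cadence and annual independent-assessor scans under ca-7.fr, the system-use-notification verification under ac-8.fr, the collaborative-device disablement under sc-15.fr) vanish from the resolved Low and Moderate catalogs in the hunks at @@ -1271, @@ -5626, @@ -19908, @@ -2754, @@ -9321 and @@ -34066, and nothing on the new side moves them into `modify` or any replacement source. The commit description should state whether these requirements are retired or relocated, or the import should stay until a replacement exists, because consumers of the resolved catalogs otherwise lose the scan-cadence requirement silently. Separately, the surviving href `https:\/\/raw.githubusercontent.com\/usnistgov\/OSCAL\/master\/...` is an unpinned `master` branch URL, so profile resolution is not reproducible and a later upstream change alters the baseline with no change here; pinning the href to a tagged release or commit, or vendoring the catalog with a recorded digest, would make the resolved-profile files verifiable (the other profiles presumably use the same href, though this chunk does not show theirs). Finally, `imports` changes from a one-element array to a bare object, and the same singleton collapse turns `controls` under ca-7 into a bare object at @@ -9321, so consumers that iterate these keys now have to handle both shapes unless the serializer keeps the array form.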
@@ -2383,9 +2383,9 @@ { "id" : "ac-7_prm_3", "select" : { "alternatives" : - [ "locks the account\/node for an {{ ac-7_prm_4 }} ", + [ "locks the account\/node for an {{ ac-7_prm_4 }}", "locks the account\/node until released by an administrator", - "delays next logon prompt according to {{ ac-7_prm_5 }} " ] } }, + "delays next logon prompt according to {{ ac-7_prm_5 }}" ] } }, { "id" : "ac-7_prm_4", "depends-on" : "ac-7_prm_3", 
@@ -2754,35 +2754,7 @@ { "method" : "TEST" }, "parts" : { "name" : "objects", - "prose" : "Automated mechanisms implementing system use notification" } } ], - "controls" : - { "id" : "ac-8.fr", - "class" : "SP800-53", - "title" : "AC-8 Additional FedRAMP Requirements and Guidance", - "properties" : - { "label" : "AC-8 Req" }, - "parts" : - { "id" : "ac-8.fr_smt", - "name" : "statement", - "parts" : - [ - { "id" : "ac-8.fr_smt.1", - "name" : "item", - "properties" : - { "label" : "Requirement:" }, - "prose" : "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB\/AO." }, - - { "id" : "ac-8.fr_smt.2", - "name" : "item", - "properties" : - { "label" : "Requirement:" }, - "prose" : "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB\/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." }, - - { "id" : "ac-8.fr_smt.3", - "name" : "item", - "properties" : - { "label" : "Requirement:" }, - "prose" : "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB\/AO." } ] } } }, + "prose" : "Automated mechanisms implementing system use notification" } } ] }, { "id" : "ac-10", "class" : "SP800-53", 
@@ -2813,7 +2785,7 @@ { "id" : "ac-10_obj", "name" : "objective", - "prose" : " Determine if:", + "prose" : "Determine if:", "parts" : [ { "id" : "ac-10_obj.1", @@ -2901,7 +2873,7 @@ { "id" : "ac-11_obj", "name" : "objective", - "prose" : " Determine if:", + "prose" : "Determine if:", "parts" : [ { "id" : "ac-11.a_obj", @@ -4021,7 +3993,7 @@ { "id" : "ac-19_obj", "name" : "objective", - "prose" : " Determine if the organization:", + "prose" : "Determine if the organization:", "parts" : [ { "id" : "ac-19.a_obj", 
@@ -9321,94 +9293,57 @@ { "name" : "objects", "prose" : "Mechanisms implementing continuous monitoring" } } ], "controls" : - [ - { "id" : "ca-7.1", - "class" : "SP800-53-enhancement", - "title" : "Independent Assessment", - "parameters" : - { "id" : "ca-7.1_prm_1", - "label" : "organization-defined level of independence" }, - "properties" : - [ - { "label" : "CA-7(1)" }, - - { "sort-id" : "ca-07.01" } ], - "parts" : - [ - { "id" : "ca-7.1_smt", - "name" : "statement", - "prose" : "The organization employs assessors or assessment teams with {{ ca-7.1_prm_1 }} to monitor the security controls in the information system on an ongoing basis." }, - - { "id" : "ca-7.1_gdn", - "name" : "guidance", - "prose" : "Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services." 
}, - - { "id" : "ca-7.1_obj", - "name" : "objective", - "prose" : "Determine if the organization:", - "parts" : - [ - { "id" : "ca-7.1_obj.1", - "name" : "objective", - "properties" : - { "label" : "CA-7(1)[1]" }, - "prose" : "defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and" }, - - { "id" : "ca-7.1_obj.2", - "name" : "objective", - "properties" : - { "label" : "CA-7(1)[2]" }, - "prose" : "employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis." } ] }, - - { "name" : "assessment", - "properties" : - { "method" : "EXAMINE" }, - "parts" : - { "name" : "objects", - "prose" : "Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security controls\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nsecurity impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records" } }, - - { "name" : "assessment", - "properties" : - { "method" : "INTERVIEW" }, - "parts" : - { "name" : "objects", - "prose" : "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities" } } ] }, - - { "id" : "ca-7.fr", - "class" : "SP800-53-enhancement", - "title" : "Additional FedRAMP Requirements and Guidance", - "properties" : - { "label" : "CA-7 Req" }, - "parts" : - { "id" : "ca-7.fr_smt", + { "id" : "ca-7.1", + "class" : "SP800-53-enhancement", + "title" : "Independent Assessment", + "parameters" : + { "id" : "ca-7.1_prm_1", + "label" : "organization-defined level of independence" }, + "properties" : + [ + { "label" : "CA-7(1)" }, + + { "sort-id" : "ca-07.01" } ], + "parts" : + [ + { "id" : "ca-7.1_smt", "name" : "statement", + "prose" : "The organization employs 
assessors or assessment teams with {{ ca-7.1_prm_1 }} to monitor the security controls in the information system on an ongoing basis." }, + + { "id" : "ca-7.1_gdn", + "name" : "guidance", + "prose" : "Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services." }, + + { "id" : "ca-7.1_obj", + "name" : "objective", + "prose" : "Determine if the organization:", "parts" : [ - { "id" : "ca-7.fr_smt.1", - "name" : "item", - "properties" : - { "label" : "Requirement 1:" }, - "prose" : "Operating System Scans: at least monthly" }, - - { "id" : "ca-7.fr_smt.2", - "name" : "item", + { "id" : "ca-7.1_obj.1", + "name" : "objective", "properties" : - { "label" : "Requirement 2:" }, - "prose" : "Database and Web Application Scans: at least monthly" }, + { "label" : "CA-7(1)[1]" }, + "prose" : "defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and" }, - { "id" : "ca-7.fr_smt.3", - "name" : "item", + { "id" : "ca-7.1_obj.2", + "name" : "objective", "properties" : - { "label" : "Requirement 3:" }, - "prose" : "All scans performed by Independent Assessor: at least annually" }, - - { "id" : "ca-7.fr_gdn.1", - "name" : "guidance", - "prose" : "CSPs must provide evidence of closure and remediation of a high vulnerability within the timeframe for standard POA&M 
updates." }, - - { "id" : "ca-7.fr_gdn.2", - "name" : "guidance", - "prose" : "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https:\/\/www.FedRAMP.gov\/documents\/](https:\/\/www.FedRAMP.gov\/documents\/)" } ] } } ] }, + { "label" : "CA-7(1)[2]" }, + "prose" : "employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis." } ] }, + + { "name" : "assessment", + "properties" : + { "method" : "EXAMINE" }, + "parts" : + { "name" : "objects", + "prose" : "Security assessment and authorization policy\\n\\nprocedures addressing continuous monitoring of information system security controls\\n\\nsecurity plan\\n\\nsecurity assessment report\\n\\nplan of action and milestones\\n\\ninformation system monitoring records\\n\\nsecurity impact analyses\\n\\nstatus reports\\n\\nother relevant documents or records" } }, + + { "name" : "assessment", + "properties" : + { "method" : "INTERVIEW" }, + "parts" : + { "name" : "objects", + "prose" : "Organizational personnel with continuous monitoring responsibilities\\n\\norganizational personnel with information security responsibilities" } } ] } }, { "id" : "ca-8", "class" : "SP800-53", @@ -12373,7 +12308,7 @@ "alternatives" : [ "disables network access by such components", "isolates the components", - "notifies {{ cm-8.3_prm_3 }} " ] } }, + "notifies {{ cm-8.3_prm_3 }}" ] } }, { "id" : "cm-8.3_prm_3", "depends-on" : "cm-8.3_prm_2", 
@@ -34066,19 +34001,7 @@ { "method" : "TEST" }, "parts" : { "name" : "objects", - "prose" : "Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing devices" } } ], - "controls" : - { "id" : "sc-15.fr", - "class" : "SP800-53-enhancement", - "title" : "SC-15 Additional FedRAMP Requirements and Guidance", - "properties" : - { "label" : "SC-15 Req" }, - "parts" : - { "id" : "sc-15.fr_smt", - "name" : "statement", - "properties" : - { "label" : "Requirement:" }, - "prose" : "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." } } }, + "prose" : "Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\\n\\nautomated mechanisms providing an indication of use of collaborative computing devices" } } ] }, { "id" : "sc-17", "class" : "SP800-53", @@ -37575,7 +37498,7 @@ { "how-many" : "one or more", "alternatives" : [ "at startup", - "at {{ si-7.1_prm_3 }} ", + "at {{ si-7.1_prm_3 }}", "\n {{ si-7.1_prm_4 }}\n " ] } }, { "id" : "si-7.1_prm_3", diff --git a/baselines/json/FedRAMP_MODERATE-baseline_profile.json b/baselines/json/FedRAMP_MODERATE-baseline_profile.json index 6c75ea5d2..abec7c76c 100644 --- a/baselines/json/FedRAMP_MODERATE-baseline_profile.json +++ b/baselines/json/FedRAMP_MODERATE-baseline_profile.json 
@@ -1,10 +1,10 @@ { "profile" : - { "id" : "uuid-87ae6162-8387-4418-8df2-c2673f73886d", + { "id" : "uuid-c869ec01-ffd8-44ac-aae1-0f8fc13ab591", "metadata" : { "title" : "FedRAMP Moderate Baseline", - "published" : "2019-12-17T00:00:00.000-05:00", - "last-modified" : "2019-12-16T10:00:00.000-05:00", + "published" : "2020-02-02T00:00:00.000-05:00", + "last-modified" : "2020-01-28T10:00:00.000-05:00", "version" : "1.2", "oscal-version" : "1.0.0-milestone2", "roles" : 
@@ -26,676 +26,665 @@ "contact" : { "party-ids" : "fedramp" } } }, "imports" : - [ - { "href" : "https:\/\/raw.githubusercontent.com\/usnistgov\/OSCAL\/master\/content\/nist.gov\/SP800-53\/rev4\/xml\/NIST_SP-800-53_rev4_catalog.xml", - "include" : - { "id-selectors" : - [ - { "control-id" : "ac-1" }, - - { "control-id" : "ac-2" }, - - { "control-id" : "ac-2.1" }, - - { "control-id" : "ac-2.2" }, - - { "control-id" : "ac-2.3" }, - - { "control-id" : "ac-2.4" }, - - { "control-id" : "ac-2.5" }, - - { "control-id" : "ac-2.7" }, - - { "control-id" : "ac-2.9" }, - - { "control-id" : "ac-2.10" }, - - { "control-id" : "ac-2.12" }, - - { "control-id" : "ac-3" }, - - { "control-id" : "ac-4" }, - - { "control-id" : "ac-4.21" }, - - { "control-id" : "ac-5" }, - - { "control-id" : "ac-6" }, - - { "control-id" : "ac-6.1" }, - - { "control-id" : "ac-6.2" }, - - { "control-id" : "ac-6.5" }, - - { "control-id" : "ac-6.9" }, - - { "control-id" : "ac-6.10" }, - - { "control-id" : "ac-7" }, - - { "control-id" : "ac-8" }, - - { "control-id" : "ac-10" }, - - { "control-id" : "ac-11" }, - - { "control-id" : "ac-11.1" }, - - { "control-id" : "ac-12" }, - - { "control-id" : "ac-14" }, - - { "control-id" : "ac-17" }, - - { "control-id" : "ac-17.1" }, - - { "control-id" : "ac-17.2" }, - - { "control-id" : "ac-17.3" }, - - { "control-id" : "ac-17.4" }, - - { "control-id" : "ac-17.9" }, - - { "control-id" : "ac-18" }, - - { "control-id" : "ac-18.1" }, - - { "control-id" : "ac-19" }, - - { "control-id" : "ac-19.5" }, - - { "control-id" : "ac-20" }, - - { "control-id" : "ac-20.1" }, - - { "control-id" : "ac-20.2" }, - - { "control-id" : "ac-21" }, - - { "control-id" : "ac-22" }, - - { "control-id" : "at-1" }, - - { "control-id" : "at-2" }, - - { "control-id" : "at-2.2" }, - - { "control-id" : "at-3" }, - - { "control-id" : "at-4" }, - - { "control-id" : "au-1" }, - - { "control-id" : "au-2" }, - - { "control-id" : "au-2.3" }, - - { "control-id" : "au-3" }, - - { "control-id" : "au-3.1" }, - - { 
"control-id" : "au-4" }, - - { "control-id" : "au-5" }, - - { "control-id" : "au-6" }, - - { "control-id" : "au-6.1" }, - - { "control-id" : "au-6.3" }, - - { "control-id" : "au-7" }, - - { "control-id" : "au-7.1" }, - - { "control-id" : "au-8" }, - - { "control-id" : "au-8.1" }, - - { "control-id" : "au-9" }, - - { "control-id" : "au-9.2" }, - - { "control-id" : "au-9.4" }, - - { "control-id" : "au-11" }, - - { "control-id" : "au-12" }, - - { "control-id" : "ca-1" }, - - { "control-id" : "ca-2" }, - - { "control-id" : "ca-2.1" }, - - { "control-id" : "ca-2.2" }, - - { "control-id" : "ca-2.3" }, - - { "control-id" : "ca-3" }, - - { "control-id" : "ca-3.3" }, - - { "control-id" : "ca-3.5" }, - - { "control-id" : "ca-5" }, - - { "control-id" : "ca-6" }, - - { "control-id" : "ca-7" }, - - { "control-id" : "ca-7.1" }, - - { "control-id" : "ca-8" }, - - { "control-id" : "ca-8.1" }, - - { "control-id" : "ca-9" }, - - { "control-id" : "cm-1" }, - - { "control-id" : "cm-2" }, - - { "control-id" : "cm-2.1" }, - - { "control-id" : "cm-2.2" }, - - { "control-id" : "cm-2.3" }, - - { "control-id" : "cm-2.7" }, - - { "control-id" : "cm-3" }, - - { "control-id" : "cm-4" }, - - { "control-id" : "cm-5" }, - - { "control-id" : "cm-5.1" }, - - { "control-id" : "cm-5.3" }, - - { "control-id" : "cm-5.5" }, - - { "control-id" : "cm-6" }, - - { "control-id" : "cm-6.1" }, - - { "control-id" : "cm-7" }, - - { "control-id" : "cm-7.1" }, - - { "control-id" : "cm-7.2" }, - - { "control-id" : "cm-7.5" }, - - { "control-id" : "cm-8" }, - - { "control-id" : "cm-8.1" }, - - { "control-id" : "cm-8.3" }, - - { "control-id" : "cm-8.5" }, - - { "control-id" : "cm-9" }, - - { "control-id" : "cm-10" }, - - { "control-id" : "cm-10.1" }, - - { "control-id" : "cm-11" }, - - { "control-id" : "cp-1" }, - - { "control-id" : "cp-2" }, - - { "control-id" : "cp-2.1" }, - - { "control-id" : "cp-2.2" }, - - { "control-id" : "cp-2.3" }, - - { "control-id" : "cp-2.8" }, - - { "control-id" : "cp-3" }, - - { 
"control-id" : "cp-4" }, - - { "control-id" : "cp-4.1" }, - - { "control-id" : "cp-6" }, - - { "control-id" : "cp-6.1" }, - - { "control-id" : "cp-6.3" }, - - { "control-id" : "cp-7" }, - - { "control-id" : "cp-7.1" }, - - { "control-id" : "cp-7.2" }, - - { "control-id" : "cp-7.3" }, - - { "control-id" : "cp-8" }, - - { "control-id" : "cp-8.1" }, - - { "control-id" : "cp-8.2" }, - - { "control-id" : "cp-9" }, - - { "control-id" : "cp-9.1" }, - - { "control-id" : "cp-9.3" }, - - { "control-id" : "cp-10" }, - - { "control-id" : "cp-10.2" }, - - { "control-id" : "ia-1" }, - - { "control-id" : "ia-2" }, - - { "control-id" : "ia-2.1" }, - - { "control-id" : "ia-2.2" }, - - { "control-id" : "ia-2.3" }, - - { "control-id" : "ia-2.5" }, - - { "control-id" : "ia-2.8" }, - - { "control-id" : "ia-2.11" }, - - { "control-id" : "ia-2.12" }, - - { "control-id" : "ia-3" }, - - { "control-id" : "ia-4" }, - - { "control-id" : "ia-4.4" }, - - { "control-id" : "ia-5" }, - - { "control-id" : "ia-5.1" }, - - { "control-id" : "ia-5.2" }, - - { "control-id" : "ia-5.3" }, - - { "control-id" : "ia-5.4" }, - - { "control-id" : "ia-5.6" }, - - { "control-id" : "ia-5.7" }, - - { "control-id" : "ia-5.11" }, - - { "control-id" : "ia-6" }, - - { "control-id" : "ia-7" }, - - { "control-id" : "ia-8" }, - - { "control-id" : "ia-8.1" }, - - { "control-id" : "ia-8.2" }, - - { "control-id" : "ia-8.3" }, - - { "control-id" : "ia-8.4" }, - - { "control-id" : "ir-1" }, - - { "control-id" : "ir-2" }, - - { "control-id" : "ir-3" }, - - { "control-id" : "ir-3.2" }, - - { "control-id" : "ir-4" }, - - { "control-id" : "ir-4.1" }, - - { "control-id" : "ir-5" }, - - { "control-id" : "ir-6" }, - - { "control-id" : "ir-6.1" }, - - { "control-id" : "ir-7" }, - - { "control-id" : "ir-7.1" }, - - { "control-id" : "ir-7.2" }, - - { "control-id" : "ir-8" }, - - { "control-id" : "ir-9" }, - - { "control-id" : "ir-9.1" }, - - { "control-id" : "ir-9.2" }, - - { "control-id" : "ir-9.3" }, - - { "control-id" : "ir-9.4" }, 
- - { "control-id" : "ma-1" }, - - { "control-id" : "ma-2" }, - - { "control-id" : "ma-3" }, - - { "control-id" : "ma-3.1" }, - - { "control-id" : "ma-3.2" }, - - { "control-id" : "ma-3.3" }, - - { "control-id" : "ma-4" }, - - { "control-id" : "ma-4.2" }, - - { "control-id" : "ma-5" }, - - { "control-id" : "ma-5.1" }, - - { "control-id" : "ma-6" }, - - { "control-id" : "mp-1" }, - - { "control-id" : "mp-2" }, - - { "control-id" : "mp-3" }, - - { "control-id" : "mp-4" }, - - { "control-id" : "mp-5" }, - - { "control-id" : "mp-5.4" }, - - { "control-id" : "mp-6" }, - - { "control-id" : "mp-6.2" }, - - { "control-id" : "mp-7" }, - - { "control-id" : "mp-7.1" }, - - { "control-id" : "pe-1" }, - - { "control-id" : "pe-2" }, - - { "control-id" : "pe-3" }, - - { "control-id" : "pe-4" }, - - { "control-id" : "pe-5" }, - - { "control-id" : "pe-6" }, - - { "control-id" : "pe-6.1" }, - - { "control-id" : "pe-8" }, - - { "control-id" : "pe-9" }, - - { "control-id" : "pe-10" }, - - { "control-id" : "pe-11" }, - - { "control-id" : "pe-12" }, - - { "control-id" : "pe-13" }, - - { "control-id" : "pe-13.2" }, - - { "control-id" : "pe-13.3" }, - - { "control-id" : "pe-14" }, - - { "control-id" : "pe-14.2" }, - - { "control-id" : "pe-15" }, - - { "control-id" : "pe-16" }, - - { "control-id" : "pe-17" }, - - { "control-id" : "pl-1" }, - - { "control-id" : "pl-2" }, - - { "control-id" : "pl-2.3" }, - - { "control-id" : "pl-4" }, - - { "control-id" : "pl-4.1" }, - - { "control-id" : "pl-8" }, - - { "control-id" : "ps-1" }, - - { "control-id" : "ps-2" }, - - { "control-id" : "ps-3" }, - - { "control-id" : "ps-3.3" }, - - { "control-id" : "ps-4" }, - - { "control-id" : "ps-5" }, - - { "control-id" : "ps-6" }, - - { "control-id" : "ps-7" }, - - { "control-id" : "ps-8" }, - - { "control-id" : "ra-1" }, - - { "control-id" : "ra-2" }, - - { "control-id" : "ra-3" }, - - { "control-id" : "ra-5" }, - - { "control-id" : "ra-5.1" }, - - { "control-id" : "ra-5.2" }, - - { "control-id" : "ra-5.3" }, 
- - { "control-id" : "ra-5.5" }, - - { "control-id" : "ra-5.6" }, - - { "control-id" : "ra-5.8" }, - - { "control-id" : "sa-1" }, - - { "control-id" : "sa-2" }, - - { "control-id" : "sa-3" }, - - { "control-id" : "sa-4" }, - - { "control-id" : "sa-4.1" }, - - { "control-id" : "sa-4.2" }, - - { "control-id" : "sa-4.8" }, - - { "control-id" : "sa-4.9" }, - - { "control-id" : "sa-4.10" }, - - { "control-id" : "sa-5" }, - - { "control-id" : "sa-8" }, - - { "control-id" : "sa-9" }, - - { "control-id" : "sa-9.1" }, - - { "control-id" : "sa-9.2" }, - - { "control-id" : "sa-9.4" }, - - { "control-id" : "sa-9.5" }, - - { "control-id" : "sa-10" }, - - { "control-id" : "sa-10.1" }, - - { "control-id" : "sa-11" }, - - { "control-id" : "sa-11.1" }, - - { "control-id" : "sa-11.2" }, - - { "control-id" : "sa-11.8" }, - - { "control-id" : "sc-1" }, - - { "control-id" : "sc-2" }, - - { "control-id" : "sc-4" }, - - { "control-id" : "sc-5" }, - - { "control-id" : "sc-6" }, - - { "control-id" : "sc-7" }, - - { "control-id" : "sc-7.3" }, - - { "control-id" : "sc-7.4" }, - - { "control-id" : "sc-7.5" }, - - { "control-id" : "sc-7.7" }, - - { "control-id" : "sc-7.8" }, - - { "control-id" : "sc-7.12" }, - - { "control-id" : "sc-7.13" }, - - { "control-id" : "sc-7.18" }, - - { "control-id" : "sc-8" }, - - { "control-id" : "sc-8.1" }, - - { "control-id" : "sc-10" }, - - { "control-id" : "sc-12" }, - - { "control-id" : "sc-12.2" }, - - { "control-id" : "sc-12.3" }, - - { "control-id" : "sc-13" }, - - { "control-id" : "sc-15" }, - - { "control-id" : "sc-17" }, - - { "control-id" : "sc-18" }, - - { "control-id" : "sc-19" }, - - { "control-id" : "sc-20" }, - - { "control-id" : "sc-21" }, - - { "control-id" : "sc-22" }, - - { "control-id" : "sc-23" }, - - { "control-id" : "sc-28" }, - - { "control-id" : "sc-28.1" }, - - { "control-id" : "sc-39" }, - - { "control-id" : "si-1" }, - - { "control-id" : "si-2" }, - - { "control-id" : "si-2.2" }, - - { "control-id" : "si-2.3" }, - - { "control-id" : 
"si-3" }, - - { "control-id" : "si-3.1" }, - - { "control-id" : "si-3.2" }, - - { "control-id" : "si-3.7" }, - - { "control-id" : "si-4" }, - - { "control-id" : "si-4.1" }, - - { "control-id" : "si-4.2" }, - - { "control-id" : "si-4.4" }, - - { "control-id" : "si-4.5" }, - - { "control-id" : "si-4.14" }, - - { "control-id" : "si-4.16" }, - - { "control-id" : "si-4.23" }, - - { "control-id" : "si-5" }, - - { "control-id" : "si-6" }, - - { "control-id" : "si-7" }, - - { "control-id" : "si-7.1" }, - - { "control-id" : "si-7.7" }, - - { "control-id" : "si-8" }, - - { "control-id" : "si-8.1" }, - - { "control-id" : "si-8.2" }, - - { "control-id" : "si-10" }, - - { "control-id" : "si-11" }, - - { "control-id" : "si-12" }, - - { "control-id" : "si-16" } ] } }, - - { "href" : "https:\/\/raw.githubusercontent.com\/gsa\/fedramp-automation\/master\/baselines\/xml\/FedRAMP_catalog.xml", - "include" : - { "id-selectors" : - [ - { "control-id" : "ac-8.fr" }, - - { "control-id" : "ca-7.fr" }, - - { "control-id" : "sc-15.fr" } ] } } ], + { "href" : "https:\/\/raw.githubusercontent.com\/usnistgov\/OSCAL\/master\/content\/nist.gov\/SP800-53\/rev4\/xml\/NIST_SP-800-53_rev4_catalog.xml", + "include" : + { "id-selectors" : + [ + { "control-id" : "ac-1" }, + + { "control-id" : "ac-2" }, + + { "control-id" : "ac-2.1" }, + + { "control-id" : "ac-2.2" }, + + { "control-id" : "ac-2.3" }, + + { "control-id" : "ac-2.4" }, + + { "control-id" : "ac-2.5" }, + + { "control-id" : "ac-2.7" }, + + { "control-id" : "ac-2.9" }, + + { "control-id" : "ac-2.10" }, + + { "control-id" : "ac-2.12" }, + + { "control-id" : "ac-3" }, + + { "control-id" : "ac-4" }, + + { "control-id" : "ac-4.21" }, + + { "control-id" : "ac-5" }, + + { "control-id" : "ac-6" }, + + { "control-id" : "ac-6.1" }, + + { "control-id" : "ac-6.2" }, + + { "control-id" : "ac-6.5" }, + + { "control-id" : "ac-6.9" }, + + { "control-id" : "ac-6.10" }, + + { "control-id" : "ac-7" }, + + { "control-id" : "ac-8" }, + + { "control-id" : "ac-10" 
}, + + { "control-id" : "ac-11" }, + + { "control-id" : "ac-11.1" }, + + { "control-id" : "ac-12" }, + + { "control-id" : "ac-14" }, + + { "control-id" : "ac-17" }, + + { "control-id" : "ac-17.1" }, + + { "control-id" : "ac-17.2" }, + + { "control-id" : "ac-17.3" }, + + { "control-id" : "ac-17.4" }, + + { "control-id" : "ac-17.9" }, + + { "control-id" : "ac-18" }, + + { "control-id" : "ac-18.1" }, + + { "control-id" : "ac-19" }, + + { "control-id" : "ac-19.5" }, + + { "control-id" : "ac-20" }, + + { "control-id" : "ac-20.1" }, + + { "control-id" : "ac-20.2" }, + + { "control-id" : "ac-21" }, + + { "control-id" : "ac-22" }, + + { "control-id" : "at-1" }, + + { "control-id" : "at-2" }, + + { "control-id" : "at-2.2" }, + + { "control-id" : "at-3" }, + + { "control-id" : "at-4" }, + + { "control-id" : "au-1" }, + + { "control-id" : "au-2" }, + + { "control-id" : "au-2.3" }, + + { "control-id" : "au-3" }, + + { "control-id" : "au-3.1" }, + + { "control-id" : "au-4" }, + + { "control-id" : "au-5" }, + + { "control-id" : "au-6" }, + + { "control-id" : "au-6.1" }, + + { "control-id" : "au-6.3" }, + + { "control-id" : "au-7" }, + + { "control-id" : "au-7.1" }, + + { "control-id" : "au-8" }, + + { "control-id" : "au-8.1" }, + + { "control-id" : "au-9" }, + + { "control-id" : "au-9.2" }, + + { "control-id" : "au-9.4" }, + + { "control-id" : "au-11" }, + + { "control-id" : "au-12" }, + + { "control-id" : "ca-1" }, + + { "control-id" : "ca-2" }, + + { "control-id" : "ca-2.1" }, + + { "control-id" : "ca-2.2" }, + + { "control-id" : "ca-2.3" }, + + { "control-id" : "ca-3" }, + + { "control-id" : "ca-3.3" }, + + { "control-id" : "ca-3.5" }, + + { "control-id" : "ca-5" }, + + { "control-id" : "ca-6" }, + + { "control-id" : "ca-7" }, + + { "control-id" : "ca-7.1" }, + + { "control-id" : "ca-8" }, + + { "control-id" : "ca-8.1" }, + + { "control-id" : "ca-9" }, + + { "control-id" : "cm-1" }, + + { "control-id" : "cm-2" }, + + { "control-id" : "cm-2.1" }, + + { "control-id" : "cm-2.2" 
}, + + { "control-id" : "cm-2.3" }, + + { "control-id" : "cm-2.7" }, + + { "control-id" : "cm-3" }, + + { "control-id" : "cm-4" }, + + { "control-id" : "cm-5" }, + + { "control-id" : "cm-5.1" }, + + { "control-id" : "cm-5.3" }, + + { "control-id" : "cm-5.5" }, + + { "control-id" : "cm-6" }, + + { "control-id" : "cm-6.1" }, + + { "control-id" : "cm-7" }, + + { "control-id" : "cm-7.1" }, + + { "control-id" : "cm-7.2" }, + + { "control-id" : "cm-7.5" }, + + { "control-id" : "cm-8" }, + + { "control-id" : "cm-8.1" }, + + { "control-id" : "cm-8.3" }, + + { "control-id" : "cm-8.5" }, + + { "control-id" : "cm-9" }, + + { "control-id" : "cm-10" }, + + { "control-id" : "cm-10.1" }, + + { "control-id" : "cm-11" }, + + { "control-id" : "cp-1" }, + + { "control-id" : "cp-2" }, + + { "control-id" : "cp-2.1" }, + + { "control-id" : "cp-2.2" }, + + { "control-id" : "cp-2.3" }, + + { "control-id" : "cp-2.8" }, + + { "control-id" : "cp-3" }, + + { "control-id" : "cp-4" }, + + { "control-id" : "cp-4.1" }, + + { "control-id" : "cp-6" }, + + { "control-id" : "cp-6.1" }, + + { "control-id" : "cp-6.3" }, + + { "control-id" : "cp-7" }, + + { "control-id" : "cp-7.1" }, + + { "control-id" : "cp-7.2" }, + + { "control-id" : "cp-7.3" }, + + { "control-id" : "cp-8" }, + + { "control-id" : "cp-8.1" }, + + { "control-id" : "cp-8.2" }, + + { "control-id" : "cp-9" }, + + { "control-id" : "cp-9.1" }, + + { "control-id" : "cp-9.3" }, + + { "control-id" : "cp-10" }, + + { "control-id" : "cp-10.2" }, + + { "control-id" : "ia-1" }, + + { "control-id" : "ia-2" }, + + { "control-id" : "ia-2.1" }, + + { "control-id" : "ia-2.2" }, + + { "control-id" : "ia-2.3" }, + + { "control-id" : "ia-2.5" }, + + { "control-id" : "ia-2.8" }, + + { "control-id" : "ia-2.11" }, + + { "control-id" : "ia-2.12" }, + + { "control-id" : "ia-3" }, + + { "control-id" : "ia-4" }, + + { "control-id" : "ia-4.4" }, + + { "control-id" : "ia-5" }, + + { "control-id" : "ia-5.1" }, + + { "control-id" : "ia-5.2" }, + + { "control-id" : 
"ia-5.3" }, + + { "control-id" : "ia-5.4" }, + + { "control-id" : "ia-5.6" }, + + { "control-id" : "ia-5.7" }, + + { "control-id" : "ia-5.11" }, + + { "control-id" : "ia-6" }, + + { "control-id" : "ia-7" }, + + { "control-id" : "ia-8" }, + + { "control-id" : "ia-8.1" }, + + { "control-id" : "ia-8.2" }, + + { "control-id" : "ia-8.3" }, + + { "control-id" : "ia-8.4" }, + + { "control-id" : "ir-1" }, + + { "control-id" : "ir-2" }, + + { "control-id" : "ir-3" }, + + { "control-id" : "ir-3.2" }, + + { "control-id" : "ir-4" }, + + { "control-id" : "ir-4.1" }, + + { "control-id" : "ir-5" }, + + { "control-id" : "ir-6" }, + + { "control-id" : "ir-6.1" }, + + { "control-id" : "ir-7" }, + + { "control-id" : "ir-7.1" }, + + { "control-id" : "ir-7.2" }, + + { "control-id" : "ir-8" }, + + { "control-id" : "ir-9" }, + + { "control-id" : "ir-9.1" }, + + { "control-id" : "ir-9.2" }, + + { "control-id" : "ir-9.3" }, + + { "control-id" : "ir-9.4" }, + + { "control-id" : "ma-1" }, + + { "control-id" : "ma-2" }, + + { "control-id" : "ma-3" }, + + { "control-id" : "ma-3.1" }, + + { "control-id" : "ma-3.2" }, + + { "control-id" : "ma-3.3" }, + + { "control-id" : "ma-4" }, + + { "control-id" : "ma-4.2" }, + + { "control-id" : "ma-5" }, + + { "control-id" : "ma-5.1" }, + + { "control-id" : "ma-6" }, + + { "control-id" : "mp-1" }, + + { "control-id" : "mp-2" }, + + { "control-id" : "mp-3" }, + + { "control-id" : "mp-4" }, + + { "control-id" : "mp-5" }, + + { "control-id" : "mp-5.4" }, + + { "control-id" : "mp-6" }, + + { "control-id" : "mp-6.2" }, + + { "control-id" : "mp-7" }, + + { "control-id" : "mp-7.1" }, + + { "control-id" : "pe-1" }, + + { "control-id" : "pe-2" }, + + { "control-id" : "pe-3" }, + + { "control-id" : "pe-4" }, + + { "control-id" : "pe-5" }, + + { "control-id" : "pe-6" }, + + { "control-id" : "pe-6.1" }, + + { "control-id" : "pe-8" }, + + { "control-id" : "pe-9" }, + + { "control-id" : "pe-10" }, + + { "control-id" : "pe-11" }, + + { "control-id" : "pe-12" }, + + { 
"control-id" : "pe-13" }, + + { "control-id" : "pe-13.2" }, + + { "control-id" : "pe-13.3" }, + + { "control-id" : "pe-14" }, + + { "control-id" : "pe-14.2" }, + + { "control-id" : "pe-15" }, + + { "control-id" : "pe-16" }, + + { "control-id" : "pe-17" }, + + { "control-id" : "pl-1" }, + + { "control-id" : "pl-2" }, + + { "control-id" : "pl-2.3" }, + + { "control-id" : "pl-4" }, + + { "control-id" : "pl-4.1" }, + + { "control-id" : "pl-8" }, + + { "control-id" : "ps-1" }, + + { "control-id" : "ps-2" }, + + { "control-id" : "ps-3" }, + + { "control-id" : "ps-3.3" }, + + { "control-id" : "ps-4" }, + + { "control-id" : "ps-5" }, + + { "control-id" : "ps-6" }, + + { "control-id" : "ps-7" }, + + { "control-id" : "ps-8" }, + + { "control-id" : "ra-1" }, + + { "control-id" : "ra-2" }, + + { "control-id" : "ra-3" }, + + { "control-id" : "ra-5" }, + + { "control-id" : "ra-5.1" }, + + { "control-id" : "ra-5.2" }, + + { "control-id" : "ra-5.3" }, + + { "control-id" : "ra-5.5" }, + + { "control-id" : "ra-5.6" }, + + { "control-id" : "ra-5.8" }, + + { "control-id" : "sa-1" }, + + { "control-id" : "sa-2" }, + + { "control-id" : "sa-3" }, + + { "control-id" : "sa-4" }, + + { "control-id" : "sa-4.1" }, + + { "control-id" : "sa-4.2" }, + + { "control-id" : "sa-4.8" }, + + { "control-id" : "sa-4.9" }, + + { "control-id" : "sa-4.10" }, + + { "control-id" : "sa-5" }, + + { "control-id" : "sa-8" }, + + { "control-id" : "sa-9" }, + + { "control-id" : "sa-9.1" }, + + { "control-id" : "sa-9.2" }, + + { "control-id" : "sa-9.4" }, + + { "control-id" : "sa-9.5" }, + + { "control-id" : "sa-10" }, + + { "control-id" : "sa-10.1" }, + + { "control-id" : "sa-11" }, + + { "control-id" : "sa-11.1" }, + + { "control-id" : "sa-11.2" }, + + { "control-id" : "sa-11.8" }, + + { "control-id" : "sc-1" }, + + { "control-id" : "sc-2" }, + + { "control-id" : "sc-4" }, + + { "control-id" : "sc-5" }, + + { "control-id" : "sc-6" }, + + { "control-id" : "sc-7" }, + + { "control-id" : "sc-7.3" }, + + { 
"control-id" : "sc-7.4" }, + + { "control-id" : "sc-7.5" }, + + { "control-id" : "sc-7.7" }, + + { "control-id" : "sc-7.8" }, + + { "control-id" : "sc-7.12" }, + + { "control-id" : "sc-7.13" }, + + { "control-id" : "sc-7.18" }, + + { "control-id" : "sc-8" }, + + { "control-id" : "sc-8.1" }, + + { "control-id" : "sc-10" }, + + { "control-id" : "sc-12" }, + + { "control-id" : "sc-12.2" }, + + { "control-id" : "sc-12.3" }, + + { "control-id" : "sc-13" }, + + { "control-id" : "sc-15" }, + + { "control-id" : "sc-17" }, + + { "control-id" : "sc-18" }, + + { "control-id" : "sc-19" }, + + { "control-id" : "sc-20" }, + + { "control-id" : "sc-21" }, + + { "control-id" : "sc-22" }, + + { "control-id" : "sc-23" }, + + { "control-id" : "sc-28" }, + + { "control-id" : "sc-28.1" }, + + { "control-id" : "sc-39" }, + + { "control-id" : "si-1" }, + + { "control-id" : "si-2" }, + + { "control-id" : "si-2.2" }, + + { "control-id" : "si-2.3" }, + + { "control-id" : "si-3" }, + + { "control-id" : "si-3.1" }, + + { "control-id" : "si-3.2" }, + + { "control-id" : "si-3.7" }, + + { "control-id" : "si-4" }, + + { "control-id" : "si-4.1" }, + + { "control-id" : "si-4.2" }, + + { "control-id" : "si-4.4" }, + + { "control-id" : "si-4.5" }, + + { "control-id" : "si-4.14" }, + + { "control-id" : "si-4.16" }, + + { "control-id" : "si-4.23" }, + + { "control-id" : "si-5" }, + + { "control-id" : "si-6" }, + + { "control-id" : "si-7" }, + + { "control-id" : "si-7.1" }, + + { "control-id" : "si-7.7" }, + + { "control-id" : "si-8" }, + + { "control-id" : "si-8.1" }, + + { "control-id" : "si-8.2" }, + + { "control-id" : "si-10" }, + + { "control-id" : "si-11" }, + + { "control-id" : "si-12" }, + + { "control-id" : "si-16" } ] } }, "merge" : { "combine" : { "method" : "keep" }, "as-is" : true }, "modify" : - { "settings" : + { "parameter-settings" : { "ac-1_prm_2" : { "constraints" : { "detail" : "at least every 3 years" } }, 
diff --git a/baselines/json/FedRAMP_catalog.json b/baselines/json/FedRAMP_catalog.json deleted file mode 100644 index dc7b09c2a..000000000 --- a/baselines/json/FedRAMP_catalog.json +++ /dev/null 
@@ -1,136 +0,0 @@ - - { "catalog" : - { "id" : "uuid-ed364452-47f8-4e70-b3a4-ef54de5f46e3", - "metadata" : - { "title" : "FedRAMP Additional Controls", - "published" : "2019-12-17T00:00:00.000-05:00", - "last-modified" : "2019-12-16T14:48:00.000-05:00", - "version" : "1.0", - "oscal-version" : "1.0.0-milestone2", - "properties" : - { "keywords" : "FedRAMP, Assurance, computer security, FISMA, Privacy Act, Risk Management Framework, security controls, security requirements" }, - "roles" : - [ - { "id" : "creator", - "title" : "Document creator" }, - - { "id" : "contact", - "title" : "Contact" } ], - "parties" : - { "id" : "fedramp", - "org" : - { "org-name" : "Federal Risk and Authorization Management Program (FedRAMP)", - "email-addresses" : "info@fedramp.gov", - "URLs" : "https:\/\/fedramp.gov" } }, - "responsible-parties" : - { "creator" : - { "party-ids" : "fedramp" }, - "contact" : - { "party-ids" : "fedramp" } } }, - "groups" : - [ - { "id" : "ac", - "class" : "family", - "title" : "Access Control", - "controls" : - { "id" : "ac-8", - "class" : "SP800-53", - "title" : "System Use Notification", - "controls" : - { "id" : "ac-8.fr", - "class" : "SP800-53", - "title" : "AC-8 Additional FedRAMP Requirements and Guidance", - "properties" : - { "label" : "AC-8 Req" }, - "parts" : - { "id" : "ac-8.fr_smt", - "name" : "statement", - "parts" : - [ - { "id" : "ac-8.fr_smt.1", - "name" : "item", - "properties" : - { "label" : "Requirement:" }, - "prose" : "The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB\/AO." }, - - { "id" : "ac-8.fr_smt.2", - "name" : "item", - "properties" : - { "label" : "Requirement:" }, - "prose" : "The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. 
The System Use Notification verification and periodicity are approved and accepted by the JAB\/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided." }, - - { "id" : "ac-8.fr_smt.3", - "name" : "item", - "properties" : - { "label" : "Requirement:" }, - "prose" : "If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB\/AO." } ] } } } }, - - { "id" : "ca", - "class" : "family", - "title" : "CA-7 Security Assessment and Authorization", - "controls" : - { "id" : "ca-7", - "class" : "SP800-53", - "title" : "Continuous Monitoring", - "controls" : - { "id" : "ca-7.fr", - "class" : "SP800-53-enhancement", - "title" : "Additional FedRAMP Requirements and Guidance", - "properties" : - { "label" : "CA-7 Req" }, - "parts" : - { "id" : "ca-7.fr_smt", - "name" : "statement", - "parts" : - [ - { "id" : "ca-7.fr_smt.1", - "name" : "item", - "properties" : - { "label" : "Requirement 1:" }, - "prose" : "Operating System Scans: at least monthly" }, - - { "id" : "ca-7.fr_smt.2", - "name" : "item", - "properties" : - { "label" : "Requirement 2:" }, - "prose" : "Database and Web Application Scans: at least monthly" }, - - { "id" : "ca-7.fr_smt.3", - "name" : "item", - "properties" : - { "label" : "Requirement 3:" }, - "prose" : "All scans performed by Independent Assessor: at least annually" }, - - { "id" : "ca-7.fr_gdn.1", - "name" : "guidance", - "prose" : "CSPs must provide evidence of closure and remediation of a high vulnerability within the timeframe for standard POA&M updates." 
}, - - { "id" : "ca-7.fr_gdn.2", - "name" : "guidance", - "prose" : "See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https:\/\/www.FedRAMP.gov\/documents\/](https:\/\/www.FedRAMP.gov\/documents\/)" } ] } } } }, - - { "id" : "sc", - "class" : "family", - "title" : "System and Communications Protection", - "controls" : - { "id" : "sc-15", - "class" : "SP800-53", - "title" : "Collaborative Computing Devices", - "controls" : - { "id" : "sc-15.fr", - "class" : "SP800-53-enhancement", - "title" : "SC-15 Additional FedRAMP Requirements and Guidance", - "properties" : - { "label" : "SC-15 Req" }, - "parts" : - { "id" : "sc-15.fr_smt", - "name" : "statement", - "properties" : - { "label" : "Requirement:" }, - "prose" : "The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use." } } } } ], - "back-matter" : - { "resources" : - { "id" : "fedramp-conmon-guide", - "rlinks" : - { "href" : "https:\/\/www.fedramp.gov\/assets\/resources\/documents\/CSP_Continuous_Monitoring_Strategy_Guide.pdf", - "media-type" : "application\/pdf" } } } } } \ No newline at end of file diff --git a/baselines/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml b/baselines/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml index ef1c3f854..934d26dbb 100644 --- a/baselines/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml +++ b/baselines/xml/FedRAMP_HIGH-baseline-resolved-profile_catalog.xml @@ -1,9 +1,9 @@ - + FedRAMP High Baseline [RESOLVED] - 2019-12-17T00:00:00.000-05:00 - 2019-12-17T00:35:46.000000-05:00 + 2020-02-02T00:00:00.000-05:00 + 2020-01-28T14:25:14.000000-05:00 1.2 1.0.0-milestone2 @@ -2070,9 +2070,9 @@ @@ -2400,24 +2400,6 @@

Automated mechanisms implementing system use notification

- - AC-8 Additional FedRAMP Requirements and Guidance - AC-8 Req - - - Requirement: -

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

-
- - Requirement: -

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

-
- - Requirement: -

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

-
-
-
Concurrent Session Control @@ -2437,7 +2419,7 @@

Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts.

-

Determine if:

+

Determine if:

AC-10[1]

the organization defines account and/or account types for the information system;

@@ -2502,7 +2484,7 @@ AC-7
-

Determine if:

+

Determine if:

AC-11(a) @@ -3450,7 +3432,7 @@ SI-4 -

Determine if the organization:

+

Determine if the organization:

AC-19(a)

establishes for organization-controlled mobile devices:

@@ -7920,30 +7902,6 @@
- - Additional FedRAMP Requirements and Guidance - CA-7 Req - - - Requirement 1: -

Operating System Scans: at least monthly

-
- - Requirement 2: -

Database and Web Application Scans: at least monthly

-
- - Requirement 3: -

All scans performed by Independent Assessor: at least annually

-
- -

CSPs must provide evidence of closure and remediation of a high vulnerability within the timeframe for standard POA&M updates.

-
- -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.FedRAMP.gov/documents/

-
-
-
Penetration Testing
@@ -10585,7 +10543,7 @@
@@ -28380,14 +28338,6 @@

automated mechanisms providing an indication of use of collaborative computing devices

- - SC-15 Additional FedRAMP Requirements and Guidance - SC-15 Req - - Requirement: -

The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

-
-
Public Key Infrastructure Certificates
@@ -30772,7 +30722,7 @@
@@ -31422,7 +31372,7 @@ shuts the information system down restarts the information system - implements + implements
diff --git a/baselines/xml/FedRAMP_HIGH-baseline_profile.xml b/baselines/xml/FedRAMP_HIGH-baseline_profile.xml
index bda5726a8..02a766b3a 100644
--- a/baselines/xml/FedRAMP_HIGH-baseline_profile.xml
+++ b/baselines/xml/FedRAMP_HIGH-baseline_profile.xml
@@ -1,2894 +1,2885 @@ - - - - FedRAMP High Baseline - 2019-12-17T00:00:00.000-05:00 - 2019-12-16T10:00:00.000-05:00 - 1.2 - 1.0.0-milestone2 - - - Document creator - - - Contact - - - - Federal Risk and Authorization Management Program (FedRAMP) - info@fedramp.gov - https://fedramp.gov - - - - fedramp - - - fedramp - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - true - - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - monthly for privileged accessed, every six (6) months for non-privileged access - - - - - Selection: disables - - - 24 hours from last use - - - - 35 days for user accounts - - - - organization and/or service provider system owner - - - - inactivity is anticipated to exceed Fifteen (15) minutes - - - - disables/revokes access within a organization-specified timeframe - - - - organization-defined need with justification statement that explains why such accounts are necessary - - - - - - at a minimum, the ISSO and/or similar role within the organization - - - - one (1) hour - - - - - - - - - - all functions not publicly accessible and all security-relevant information not publicly available - 
- - - all security functions - - - - all privileged commands - - - - - at a minimum, annually - - - all users with privileges - - - - any software except software explicitly documented - - - - - - not more than three (3) - - - fifteen (15) minutes - - - locks the account/node for a minimum of three (3) hours or until unlocked by an administrator - - - - mobile devices as defined by organization policy - - - three (3) - - - - see additional Requirements and Guidance - - - see additional Requirements and Guidance - - - - three (3) sessions for privileged access and two (2) sessions for non-privileged access - - - - fifteen (15) minutes - - - - - - - - - - - - - fifteen (15) minutes - - - - - - - - - - - - - - - at least quarterly - - - - at least annually or whenever a significant change occurs - - - at least annually or whenever a significant change occurs - - - - at least annually - - - - - at least annually - - - - - malicious code indicators as defined by organization incident policy/capability. - - - - five (5) years or 5 years after completion of a specific training program - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. 
For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes - - - organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event - - - - annually or whenever there is a change in the threat environment - - - - - session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands - - - - all network, data storage, and computing devices - - - - - organization-defined actions to be taken (overwrite oldest record) - - - - - real-time - - - service provider personnel with authority to address failed audit events - - - audit failure events requiring real-time alerts, as defined by organization audit policy - - - - at least weekly - - - - - - - Possibly to include penetration test data. 
- - - - - information system process; role; user - - - - - - - one second granularity of time measurement - - - - At least hourly - - - http://tf.nist.gov/tf-cgi/servers.cgi - - - - - at least weekly - - - - - - minimum actions including the addition, modification, deletion, approval, sending, or receiving of data - - - - at least one (1) year - - - - all information system and network components where audit capability is deployed/available - - - - all network, data storage, and computing devices - - - - service provider-defined individuals or roles with audit configuration responsibilities - - - all network, data storage, and computing devices - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - at least annually - - - individuals or roles to include FedRAMP PMO - - - - - at least annually - - - - any FedRAMP Accredited 3PAO - - - any FedRAMP Accredited 3PAO - - - the conditions of the JAB/AO in the FedRAMP Repository - - - - At least annually and on input from FedRAMP - - - - boundary protections which meet the Trusted Internet Connection (TIC) requirements - - - - deny-all, permit by exception - - - any systems - - - - at least monthly - - - - at least every three (3) years or when a significant change occurs - - - - to meet Federal and FedRAMP requirements (See additional guidance) - - - to meet Federal and FedRAMP requirements (See additional guidance) - - - - - - at least annually - - - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - - at least annually or when a significant change occurs - - - to include when directed by the JAB - - - - - organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components - - - - - - organization agreed upon time period - - - organization defined configuration management approval authorities - - - - - Configuration control board (CCB) or similar (as defined in CM-3) - - 
- - All security safeguards that rely on cryptography - - - - - - - - at least every thirty (30) days - - - - - at least quarterly - - - -

See CM-6(a) Additional FedRAMP Requirements and Guidance

-
- - - - - United States Government Configuration Baseline (USGCB) - - - - at least monthly - - - - - at least quarterly or when there is a change - - - - at least monthly - - - - - - Continuously, using automated mechanisms with a maximum five-minute delay in detection. - - - - position and role - - - - - - - - Continuously (via CM-7 (5)) - - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - at least annually - - - - - - - time period defined in service provider and organization SLA - - - - - - ten (10) days - - - at least annually - - - - - at least annually - - - functional exercises - - - - - - - - - - - - - - - - - - - annually - - - - daily incremental; weekly full - - - daily incremental; weekly full - - - daily incremental; weekly full - - - - at least monthly - - - - - - time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA - - - - - - time period consistent with the restoration time-periods defined in the service provider and organization SLA - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - - - - - - - - - FIPS 140-2, NIAP Certification, or NSA approval - - - - - - at a minimum, the ISSO (or similar role within the organization) - - - at least two (2) years - - - thirty-five (35) days (See additional requirements and guidance.) 
- - - - contractors; foreign nationals] - - - - - at least fifty percent (50%) - - - twenty four (24) - - - - - All hardware/biometric (multifactor authenticators) - - - in person - - - - complexity as identified in IA-5 (1) Control Enhancement Part (a) - - - - - - different authenticators on different systems - - - - - - - - - - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - within ten (10) days - - - at least annually - - - - - - at least every six (6) months - - - - - - - all network, data storage, and computing devices - - - - - - - external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT) - - - - - - US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended) - - - - - - - - see additional FedRAMP Requirements and Guidance - - - at least annually - - - see additional FedRAMP Requirements and Guidance - - - - - - at least annually - - - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - - - - - - the information owner explicitly authorizing removal of the equipment from the facility - - - - - - - - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - any digital and non-digital media deemed sensitive - - - - no removable media types - - - organization-defined security safeguards not applicable - - - - all types of digital and non-digital media with sensitive information - - - see additional FedRAMP requirements and guidance - - - - all media with sensitive information - - - prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container - - - - - techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations - - - - - at least every six (6) months - - 
- - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - at least every ninety (90) days - - - - CSP defined physical access control systems/devices AND guards - - - CSP defined physical access control systems/devices - - - in all circumstances within restricted access area where the information system resides - - - at least annually - - - at least annually - - - - - - - at least monthly - - - - - - for a minimum of one (1) year - - - at least monthly - - - - - - - - - - - service provider building maintenance/physical security personnel - - - service provider emergency responders with incident response responsibilities - - - - - - consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments - - - continuously - - - - - - service provider building maintenance/physical security personnel - - - - all information system components - - - - - physical and environmental hazards identified during threat assessment - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - at least annually - - - - - annually - - - - - at least annually or when a significant change occurs - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - at least annually - - - - for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. 
There is no reinvestigation for other moderate risk positions or any low risk positions - - - - personnel screening criteria - as required by specific information - - - - eight (8) hours - - - - access control personnel responsible for disabling access to the system - - - - twenty-four (24) hours - - - twenty-four (24) hours - - - - at least annually - - - at least annually and any time there is a change to the user's level of access - - - - terminations: immediately; transfers: within twenty-four (24) hours - - - - at a minimum, the ISSO and/or similar role within the organization - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - - security assessment report - - - at least annually or whenever a significant change occurs - - - annually - - - - monthly operating system/infrastructure; monthly web applications and databases - - - high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery - - - - - prior to a new scan - - - - - notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions - - - - operating systems / web applications / databases - - - all scans - - - - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - - - - - at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information] - - - - at least the minimum requirement as defined in control CA-7 - - - - - - at a minimum, the ISSO (or similar role within the organization) - - - - - FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system - - - 
Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored - - - - - all external systems where Federal information is processed or stored - - - - all external systems where Federal information is processed or stored - - - - information processing, information data, AND information services - - - - development, implementation, AND operation - - - - - - - - - organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures - - - - as needed and as dictated by the current threat posture - - - organization and service provider- defined security requirements - - - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - - - - - - - - at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions - - - - - - - - Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall - - - - - - - - confidentiality AND integrity - - - - prevent unauthorized disclosure of information AND detect changes to information - - - a hardened or alarmed carrier Protective Distribution System (PDS) - - - - no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions - - - - - - NIST FIPS-compliant - - - - - FIPS-validated or NSA-approved cryptography - - - - no exceptions - - - - - - - - - - - - - confidentiality AND integrity - - - - all information system components storing customer data deemed sensitive - - - - - at least annually - - - at least annually or whenever a significant change occurs - - - - thirty (30) days of release of updates - - - - - at least monthly - - - - - at least weekly - - - to include endpoints - - - to include blocking and quarantining malicious code and alerting administrator or defined security personnel 
near-realtime - - - - - - - - - - continuously - - - - - - - - - - - - - - to include US-CERT - - - to include system security personnel and administrators with configuration/patch-management responsibilities - - - - - to include upon system startup and/or restart - - - at least monthly - - - to include system administrators and security personnel - - - to include notification of system administrators and security personnel - - - - - selection to include security relevant events - - - at least monthly - - - - - - - - - - - - - - - - - - - - - AC-2 (3) Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

-
-
-
-
- - - - - - AC-2 (5) Additional FedRAMP Requirements and Guidance - - Guidance: -

Should use a shorter timeframe than AC-12.

-
-
-
-
- - - - - - AC-2 (9) Additional FedRAMP Requirements and Guidance - - Guidance: -

Required if shared/group accounts are deployed

-
-
-
-
- - - - - AC-2 (10) Additional FedRAMP Requirements and Guidance - - Guidance: -

Required if shared/group accounts are deployed

-
-
-
-
- - - - - - AC-2 (12) Additional FedRAMP Requirements and Guidance - - (a) Guidance: -

Required for privileged accounts.

-
- - (b) Guidance: -

Required for privileged accounts.

-
-
-
-
- - - - - - - - - - AC-5 Additional FedRAMP Requirements and Guidance - - Guidance: -

Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

-
-
-
-
- - - - - - - AC-6 (2) Additional FedRAMP Requirements and Guidance - - Guidance: -

Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

-
-
-
-
- - - - - - - - - - - - - AC-8 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

-
- - Requirement: -

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

-
- - Requirement: -

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

-
-
-
-
- - - - - - - - - AC-12 (1) Additional FedRAMP Requirements and Guidance - - Guidance: -

https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29

-
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - AU-2 Additional FedRAMP Requirements and Guidance - - Requirement: -

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

-
-
-
-
- - - - - AU-2 (3) Additional FedRAMP Requirements and Guidance - - Guidance: -

Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

-
-
-
-
- - - - - - AU-3 (1) Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider defines audit record types [FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. The audit record types are approved and accepted by the JAB/AO.

-
- - Guidance: -

For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

-
-
-
-
- - - - - - - - - - AU-6 Additional FedRAMP Requirements and Guidance - - Requirement: -

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

-
-
-
-
- - - - - - - - - AU-6 (6) Additional FedRAMP Requirements and Guidance - - Requirement: -

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

-
-
-
-
- - - - - - - - - - AU-8 (1) Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

-
- - Requirement: -

The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

-
- - Guidance: -

Synchronization of system clocks improves the accuracy of log analysis.

-
-
-
-
- - - - - - - - - - AU-11 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

-
-
-
-
- - - - - - - - - CA-2 Additional FedRAMP Requirements and Guidance - - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance https://www.fedramp.gov/documents/

-
-
-
-
- - - - - CA-2 (1) Additional FedRAMP Requirements and Guidance - - Requirement: -

For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).

-
-
-
-
- - - - - CA-2 (2) Additional FedRAMP Requirements and Guidance - - Requirement: -

To include 'announced', 'vulnerability scanning'

-
-
-
-
- - - - - - - CA-3 (3) Additional FedRAMP Requirements and Guidance - - Guidance: -

Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.

-
-
-
-
- - - - - CA-3 (5) Additional FedRAMP Requirements and Guidance - - Guidance: -

For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

-
-
-
-
- - - - - CA-5 Additional FedRAMP Requirements and Guidance - - Requirement: -

Plan of Action & Milestones (POA&M) must be provided at least monthly.

-
- - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide https://www.fedramp.gov/documents/

-
-
-
-
- - - - - CA-6(c) Additional FedRAMP Requirements and Guidance - - Guidance: -

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

-
-
-
-
- - - - - CA-7 Additional FedRAMP Requirements and Guidance - - Requirement: -

Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

-
- - Guidance: -

CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

-
- - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.fedramp.gov/documents/

-
-
-
-
- - - - - - - CA-8 Additional FedRAMP Requirements and Guidance - - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance https://www.FedRAMP.gov/documents/

-
-
-
-
- - - - - - - - - CM-8 Additional FedRAMP Requirements and Guidance - - (a) Guidance: -

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.

-
-
-
-
- - - - - - - - CM-3 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

-
- - (e) Guidance: -

In accordance with record retention policies and procedures.

-
-
-
-
- - - - - - - - - - - - - - CM-5 (3) Additional FedRAMP Requirements and Guidance - - Guidance: -

If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

-
-
-
-
- - - - - - CM-6(a) Additional FedRAMP Requirements and Guidance - - Requirement 1: -

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

-
- - Requirement 2: -

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).

-
- - Guidance: -

Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

-
-
-
-
- - - - - - - CM-7 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.

-
- - Guidance: -

Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. Partially derived from AC-17(8).

-
-
-
-
- - - - - - CM-7 (2) Additional FedRAMP Requirements and Guidance - - Guidance: -

This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

-
-
-
-
- - - - - - CM-8 Additional FedRAMP Requirements and Guidance - - Requirement: -

Must be provided at least monthly or when there is a change.

-
-
-
-
- - - - - - - - - - - - - - - - CP-2 Additional FedRAMP Requirements and Guidance - - CP-2 Requirement: -

For JAB authorizations the contingency lists include designated FedRAMP personnel.

-
-
-
-
- - - - - - - - - - - - - CP-4(a) Additional FedRAMP Requirements and Guidance - - CP-4(a) Requirement: -

The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

-
-
-
-
- - - - - - - - - - - CP-7 Additional FedRAMP Requirements and Guidance - - (a) Requirement: -

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

-
-
-
-
- - - - - CP-7 (1) Additional FedRAMP Requirements and Guidance - - Guidance: -

The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

-
-
-
-
- - - - - - - - CP-8 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

-
-
-
-
- - - - - - - - - CP-9 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

-
- - CP-9(a) Requirement: -

The service provider maintains at least three backup copies of user-level information (at least one of which is available online).

-
- - CP-9(b)Requirement: -

The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

-
- - CP-9(c)Requirement: -

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).

-
-
-
-
- - - - - - - - - - - - - - - - - - - - - IA-2 (11) Additional FedRAMP Requirements and Guidance - - Guidance: -

PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

-
-
-
-
- - - - - IA-2 (12) Additional FedRAMP Requirements and Guidance - - Guidance: -

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

-
-
-
-
- - - - - - IA-4(e) Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider defines the time period of inactivity for device identifiers.

-
- - Guidance: -

For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.

-
-
-
-
- - - - - - IA-5 Additional FedRAMP Requirements and Guidance - - Requirement: -

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3.

-
-
-
-
- - - - - IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance - - (a) (d) Guidance: -

If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.

-
-
-
-
- - - - - - - IA-5 (4) Additional FedRAMP Requirements and Guidance - - Guidance: -

If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.

-
-
-
-
- - - - - - - - - - - - - - - - - - - - - IR-3 Additional FedRAMP Requirements and Guidance - - IR-3 -2 Requirement: -

The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

-
-
- -
-
- - - - - - IR-4 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

-
-
-
-
- - - - - - - - - - - - - IR-6 Additional FedRAMP Requirements and Guidance - - Requirement: -

Report security incident information according to FedRAMP Incident Communications Procedure.

-
-
-
-
- - - - - - - - - IR-8 Additional FedRAMP Requirements and Guidance - - (b) Requirement: -

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

-
- - (e) Requirement: -

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

-
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - MP-3 Additional FedRAMP Requirements and Guidance - - (b) Guidance: -

Second parameter not-applicable

-
-
-
-
- - - - - MP-4 Additional FedRAMP Requirements and Guidance - - (a) Requirement: -

The service provider defines controlled areas within facilities where the information and information system reside.

-
-
-
-
- - - - - MP-5 Additional FedRAMP Requirements and Guidance - - (a) Requirement: -

The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.

-
-
-
-
- - - - - - - - MP-6 (2) Additional FedRAMP Requirements and Guidance - - (a) Requirement: -

Equipment and procedures may be tested or validated for effectiveness

-
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - PE-14(a) Additional FedRAMP Requirements and Guidance - - (a) Requirement: -

The service provider measures temperature at server inlets and humidity levels by dew point.

-
-
-
-
- - - - - - - - - - - - - - - - PL-8(b) Additional FedRAMP Requirements and Guidance - - (b) Guidance: -

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.

-
-
-
-
- - - - - - - - - - - - - - - - - RA-3 Additional FedRAMP Requirements and Guidance - - Guidance: -

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

-
- - RA-3 (d) Requirement: -

Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

-
-
-
-
- - - - - RA-5(a) Additional FedRAMP Requirements and Guidance - RA-5 (a)Requirement: -

An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

-
- - RA-5(e) Additional FedRAMP Requirements and Guidance - RA-5 (e)Requirement: -

To include all Authorizing Officials; for JAB authorizations to include FedRAMP.

-
- - RA-5 Additional FedRAMP Requirements and Guidance - - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)

-
-
-
-
- - - - - - - - - - RA-5 (6) Additional FedRAMP Requirements and Guidance - - Guidance: -

Include in Continuous Monitoring ISSO digest/report to JAB/AO

-
-
-
-
- - - - - RA-5 (8) Additional FedRAMP Requirements and Guidance - - Requirement: -

This enhancement is required for all high vulnerability scan findings.

-
- - Guidance: -

While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.

-
-
-
-
- - - - - RA-5 (10) Additional FedRAMP Requirements and Guidance - - Guidance: -

If multiple tools are not used, this control is not applicable.

-
-
-
-
- - - - - - - - SA-4 Additional FedRAMP Requirements and Guidance - - Guidance: -

The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.

-
-
-
-
- - - - - - - SA-4 (8) Additional FedRAMP Requirements and Guidance - - Guidance: -

CSP must use the same security standards regardless of where the system component or information system service is acquired.

-
-
-
-
- - - - - - - - - - - - - - SA-10 Additional FedRAMP Requirements and Guidance - - (e) Requirement: -

For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

-
-
-
-
- - - - - - - SA-11 (1) Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.

-
-
-
-
- - - - - - SA-11 (8) Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.

-
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - SC-7 (13) Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.

-
- - Guidance: -

Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc.

-
-
-
-
- - - - - - - - - - - SC-12 Additional FedRAMP Requirements and Guidance - - Guidance: -

Federally approved and validated cryptography.

-
-
-
-
- - - - - - - - - SC-15 Additional FedRAMP Requirements and Guidance - - Requirement: -

The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

-
-
-
-
- - - - - - - - - - - - - - SC-28 Additional FedRAMP Requirements and Guidance - - Guidance: -

The organization supports the capability to use cryptographic mechanisms to protect information at rest.

-
-
-
-
- - - - - - - - - - - - - - - - SI-4 Additional FedRAMP Requirements and Guidance - - Guidance: -

See US-CERT Incident Response Reporting Guidelines.

-
-
-
-
- - - - - - - - SI-4 (5) Additional FedRAMP Requirements and Guidance - - Guidance: -

In accordance with the incident response plan.

-
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - -
-
+ + + + FedRAMP High Baseline + 2020-02-02T00:00:00.000-05:00 + 2020-01-28T10:00:00.000-05:00 + 1.2 + 1.0.0-milestone2 + + + Document creator + + + Contact + + + + Federal Risk and Authorization Management Program (FedRAMP) + info@fedramp.gov + https://fedramp.gov + + + + fedramp + + + fedramp + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + true + + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + monthly for privileged accessed, every six (6) months for non-privileged access + + + + + Selection: disables + + + 24 hours from last use + + + + 35 days for user accounts + + + + organization and/or service provider system owner + + + + inactivity is anticipated to exceed Fifteen (15) minutes + + + + disables/revokes access within a organization-specified timeframe + + + + organization-defined need with justification statement that explains why such accounts are necessary + + + + + + at a minimum, the ISSO and/or similar role within the organization + + + + one (1) hour + + + + + + + + + + all functions not publicly accessible and all security-relevant information not publicly available + + + + all security functions + + + + 
all privileged commands + + + + + at a minimum, annually + + + all users with privileges + + + + any software except software explicitly documented + + + + + + not more than three (3) + + + fifteen (15) minutes + + + locks the account/node for a minimum of three (3) hours or until unlocked by an administrator + + + + mobile devices as defined by organization policy + + + three (3) + + + + see additional Requirements and Guidance + + + see additional Requirements and Guidance + + + + three (3) sessions for privileged access and two (2) sessions for non-privileged access + + + + fifteen (15) minutes + + + + + + + + + + + + + fifteen (15) minutes + + + + + + + + + + + + + + + at least quarterly + + + + at least annually or whenever a significant change occurs + + + at least annually or whenever a significant change occurs + + + + at least annually + + + + + at least annually + + + + + malicious code indicators as defined by organization incident policy/capability. + + + + five (5) years or 5 years after completion of a specific training program + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. 
For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes + + + organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event + + + + annually or whenever there is a change in the threat environment + + + + + session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands + + + + all network, data storage, and computing devices + + + + + organization-defined actions to be taken (overwrite oldest record) + + + + + real-time + + + service provider personnel with authority to address failed audit events + + + audit failure events requiring real-time alerts, as defined by organization audit policy + + + + at least weekly + + + + + + + Possibly to include penetration test data. 
+ + + + + information system process; role; user + + + + + + + one second granularity of time measurement + + + + At least hourly + + + http://tf.nist.gov/tf-cgi/servers.cgi + + + + + at least weekly + + + + + + minimum actions including the addition, modification, deletion, approval, sending, or receiving of data + + + + at least one (1) year + + + + all information system and network components where audit capability is deployed/available + + + + all network, data storage, and computing devices + + + + service provider-defined individuals or roles with audit configuration responsibilities + + + all network, data storage, and computing devices + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + at least annually + + + individuals or roles to include FedRAMP PMO + + + + + at least annually + + + + any FedRAMP Accredited 3PAO + + + any FedRAMP Accredited 3PAO + + + the conditions of the JAB/AO in the FedRAMP Repository + + + + At least annually and on input from FedRAMP + + + + boundary protections which meet the Trusted Internet Connection (TIC) requirements + + + + deny-all, permit by exception + + + any systems + + + + at least monthly + + + + at least every three (3) years or when a significant change occurs + + + + to meet Federal and FedRAMP requirements (See additional guidance) + + + to meet Federal and FedRAMP requirements (See additional guidance) + + + + + + at least annually + + + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + + at least annually or when a significant change occurs + + + to include when directed by the JAB + + + + + organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components + + + + + + organization agreed upon time period + + + organization defined configuration management approval authorities + + + + + Configuration control board (CCB) or similar (as defined in CM-3) + + 
+ + All security safeguards that rely on cryptography + + + + + + + + at least every thirty (30) days + + + + + at least quarterly + + + +

See CM-6(a) Additional FedRAMP Requirements and Guidance

+
+ + + + + United States Government Configuration Baseline (USGCB) + + + + at least monthly + + + + + at least quarterly or when there is a change + + + + at least monthly + + + + + + Continuously, using automated mechanisms with a maximum five-minute delay in detection. + + + + position and role + + + + + + + + Continuously (via CM-7 (5)) + + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + at least annually + + + + + + + time period defined in service provider and organization SLA + + + + + + ten (10) days + + + at least annually + + + + + at least annually + + + functional exercises + + + + + + + + + + + + + + + + + + + annually + + + + daily incremental; weekly full + + + daily incremental; weekly full + + + daily incremental; weekly full + + + + at least monthly + + + + + + time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA + + + + + + time period consistent with the restoration time-periods defined in the service provider and organization SLA + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + + + + + + + + + FIPS 140-2, NIAP Certification, or NSA approval + + + + + + at a minimum, the ISSO (or similar role within the organization) + + + at least two (2) years + + + thirty-five (35) days (See additional requirements and guidance.) 
+ + + + contractors; foreign nationals] + + + + + at least fifty percent (50%) + + + twenty four (24) + + + + + All hardware/biometric (multifactor authenticators) + + + in person + + + + complexity as identified in IA-5 (1) Control Enhancement Part (a) + + + + + + different authenticators on different systems + + + + + + + + + + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + within ten (10) days + + + at least annually + + + + + + at least every six (6) months + + + + + + + all network, data storage, and computing devices + + + + + + + external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT) + + + + + + US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended) + + + + + + + + see additional FedRAMP Requirements and Guidance + + + at least annually + + + see additional FedRAMP Requirements and Guidance + + + + + + at least annually + + + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + + + + + + the information owner explicitly authorizing removal of the equipment from the facility + + + + + + + + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + any digital and non-digital media deemed sensitive + + + + no removable media types + + + organization-defined security safeguards not applicable + + + + all types of digital and non-digital media with sensitive information + + + see additional FedRAMP requirements and guidance + + + + all media with sensitive information + + + prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container + + + + + techniques and procedures IAW NIST SP 800-88 R1, Appendix A - Minimum Sanitization Recommendations + + + + + at least every six (6) months + + 
+ + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + at least every ninety (90) days + + + + CSP defined physical access control systems/devices AND guards + + + CSP defined physical access control systems/devices + + + in all circumstances within restricted access area where the information system resides + + + at least annually + + + at least annually + + + + + + + at least monthly + + + + + + for a minimum of one (1) year + + + at least monthly + + + + + + + + + + + service provider building maintenance/physical security personnel + + + service provider emergency responders with incident response responsibilities + + + + + + consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments + + + continuously + + + + + + service provider building maintenance/physical security personnel + + + + all information system components + + + + + physical and environmental hazards identified during threat assessment + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + at least annually + + + + + annually + + + + + at least annually or when a significant change occurs + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + at least annually + + + + for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. 
There is no reinvestigation for other moderate risk positions or any low risk positions + + + + personnel screening criteria - as required by specific information + + + + eight (8) hours + + + + access control personnel responsible for disabling access to the system + + + + twenty-four (24) hours + + + twenty-four (24) hours + + + + at least annually + + + at least annually and any time there is a change to the user's level of access + + + + terminations: immediately; transfers: within twenty-four (24) hours + + + + at a minimum, the ISSO and/or similar role within the organization + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + + security assessment report + + + at least annually or whenever a significant change occurs + + + annually + + + + monthly operating system/infrastructure; monthly web applications and databases + + + high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery + + + + + prior to a new scan + + + + + notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions + + + + operating systems / web applications / databases + + + all scans + + + + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + + + + + at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; [organization-defined design/implementation information] + + + + at least the minimum requirement as defined in control CA-7 + + + + + + at a minimum, the ISSO (or similar role within the organization) + + + + + FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system + + + 
Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored + + + + + all external systems where Federal information is processed or stored + + + + all external systems where Federal information is processed or stored + + + + information processing, information data, AND information services + + + + development, implementation, AND operation + + + + + + + + + organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures + + + + as needed and as dictated by the current threat posture + + + organization and service provider- defined security requirements + + + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + + + + + + + + at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions + + + + + + + + Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall + + + + + + + + confidentiality AND integrity + + + + prevent unauthorized disclosure of information AND detect changes to information + + + a hardened or alarmed carrier Protective Distribution System (PDS) + + + + no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions + + + + + + NIST FIPS-compliant + + + + + FIPS-validated or NSA-approved cryptography + + + + no exceptions + + + + + + + + + + + + + confidentiality AND integrity + + + + all information system components storing customer data deemed sensitive + + + + + at least annually + + + at least annually or whenever a significant change occurs + + + + thirty (30) days of release of updates + + + + + at least monthly + + + + + at least weekly + + + to include endpoints + + + to include blocking and quarantining malicious code and alerting administrator or defined security personnel 
near-realtime + + + + + + + + + + continuously + + + + + + + + + + + + + + to include US-CERT + + + to include system security personnel and administrators with configuration/patch-management responsibilities + + + + + to include upon system startup and/or restart + + + at least monthly + + + to include system administrators and security personnel + + + to include notification of system administrators and security personnel + + + + + selection to include security relevant events + + + at least monthly + + + + + + + + + + + + + + + + + + + + + AC-2 (3) Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

+
+
+
+
+ + + + + + AC-2 (5) Additional FedRAMP Requirements and Guidance + + Guidance: +

Should use a shorter timeframe than AC-12.

+
+
+
+
+ + + + + + AC-2 (9) Additional FedRAMP Requirements and Guidance + + Guidance: +

Required if shared/group accounts are deployed

+
+
+
+
+ + + + + AC-2 (10) Additional FedRAMP Requirements and Guidance + + Guidance: +

Required if shared/group accounts are deployed

+
+
+
+
+ + + + + + AC-2 (12) Additional FedRAMP Requirements and Guidance + + (a) Guidance: +

Required for privileged accounts.

+
+ + (b) Guidance: +

Required for privileged accounts.

+
+
+
+
+ + + + + + + + + + AC-5 Additional FedRAMP Requirements and Guidance + + Guidance: +

Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

+
+
+
+
+ + + + + + + AC-6 (2) Additional FedRAMP Requirements and Guidance + + Guidance: +

Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.

+
+
+
+
+ + + + + + + + + + + + + AC-8 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

+
+ + Requirement: +

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

+
+ + Requirement: +

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

+
+
+
+
+ + + + + + + + + AC-12 (1) Additional FedRAMP Requirements and Guidance + + Guidance: +

https://www.owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-006%29

+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + AU-2 Additional FedRAMP Requirements and Guidance + + Requirement: +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

+
+
+
+
+ + + + + AU-2 (3) Additional FedRAMP Requirements and Guidance + + Guidance: +

Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

+
+
+
+
+ + + + + + AU-3 (1) Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider defines audit record types [FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. The audit record types are approved and accepted by the JAB/AO.

+
+ + Guidance: +

For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

+
+
+
+
+ + + + + + + + + + AU-6 Additional FedRAMP Requirements and Guidance + + Requirement: +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

+
+
+
+
+ + + + + + + + + AU-6 (6) Additional FedRAMP Requirements and Guidance + + Requirement: +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

+
+
+
+
+ + + + + + + + + + AU-8 (1) Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

+
+ + Requirement: +

The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

+
+ + Guidance: +

Synchronization of system clocks improves the accuracy of log analysis.

+
+
+
+
+ + + + + + + + + + AU-11 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

+
+
+
+
+ + + + + + + + + CA-2 Additional FedRAMP Requirements and Guidance + + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance https://www.fedramp.gov/documents/

+
+
+
+
+ + + + + CA-2 (1) Additional FedRAMP Requirements and Guidance + + Requirement: +

For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).

+
+
+
+
+ + + + + CA-2 (2) Additional FedRAMP Requirements and Guidance + + Requirement: +

To include 'announced', 'vulnerability scanning'

+
+
+
+
+ + + + + + + CA-3 (3) Additional FedRAMP Requirements and Guidance + + Guidance: +

Refer to Appendix H - Cloud Considerations of the TIC 2.0 Reference Architecture document.

+
+
+
+
+ + + + + CA-3 (5) Additional FedRAMP Requirements and Guidance + + Guidance: +

For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing

+
+
+
+
+ + + + + CA-5 Additional FedRAMP Requirements and Guidance + + Requirement: +

Plan of Action & Milestones (POA&M) must be provided at least monthly.

+
+ + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide https://www.fedramp.gov/documents/

+
+
+
+
+ + + + + CA-6(c) Additional FedRAMP Requirements and Guidance + + Guidance: +

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

+
+
+
+
+ + + + + CA-7 Additional FedRAMP Requirements and Guidance + + Requirement: +

Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

+
+ + Guidance: +

CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

+
+ + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.fedramp.gov/documents/

+
+
+
+
+ + + + + + + CA-8 Additional FedRAMP Requirements and Guidance + + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Penetration Test Guidance https://www.FedRAMP.gov/documents/

+
+
+
+
+ + + + + + + + + CM-8 Additional FedRAMP Requirements and Guidance + + (a) Guidance: +

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.

+
+
+
+
+ + + + + + + + CM-3 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

+
+ + (e) Guidance: +

In accordance with record retention policies and procedures.

+
+
+
+
+ + + + + + + + + + + + + + CM-5 (3) Additional FedRAMP Requirements and Guidance + + Guidance: +

If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

+
+
+
+
+ + + + + + CM-6(a) Additional FedRAMP Requirements and Guidance + + Requirement 1: +

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

+
+ + Requirement 2: +

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).

+
+ + Guidance: +

Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

+
+
+
+
+ + + + + + + CM-7 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.

+
+ + Guidance: +

Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc. Partially derived from AC-17(8).

+
+
+
+
+ + + + + + CM-7 (2) Additional FedRAMP Requirements and Guidance + + Guidance: +

This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

+
+
+
+
+ + + + + + CM-8 Additional FedRAMP Requirements and Guidance + + Requirement: +

Must be provided at least monthly or when there is a change.

+
+
+
+
+ + + + + + + + + + + + + + + + CP-2 Additional FedRAMP Requirements and Guidance + + CP-2 Requirement: +

For JAB authorizations the contingency lists include designated FedRAMP personnel.

+
+
+
+
+ + + + + + + + + + + + + CP-4(a) Additional FedRAMP Requirements and Guidance + + CP-4(a) Requirement: +

The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

+
+
+
+
+ + + + + + + + + + + CP-7 Additional FedRAMP Requirements and Guidance + + (a) Requirement: +

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

+
+
+
+
+ + + + + CP-7 (1) Additional FedRAMP Requirements and Guidance + + Guidance: +

The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

+
+
+
+
+ + + + + + + + CP-8 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

+
+
+
+
+ + + + + + + + + CP-9 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

+
+ + CP-9(a) Requirement: +

The service provider maintains at least three backup copies of user-level information (at least one of which is available online).

+
+ + CP-9(b)Requirement: +

The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

+
+ + CP-9(c)Requirement: +

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).

+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + IA-2 (11) Additional FedRAMP Requirements and Guidance + + Guidance: +

PIV=separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials.

+
+
+
+
+ + + + + IA-2 (12) Additional FedRAMP Requirements and Guidance + + Guidance: +

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

+
+
+
+
+ + + + + + IA-4(e) Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider defines the time period of inactivity for device identifiers.

+
+ + Guidance: +

For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.

+
+
+
+
+ + + + + + IA-5 Additional FedRAMP Requirements and Guidance + + Requirement: +

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3.

+
+
+
+
+ + + + + IA-5 (1), (a) and (d) Additional FedRAMP Requirements and Guidance + + (a) (d) Guidance: +

If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.

+
+
+
+
+ + + + + + + IA-5 (4) Additional FedRAMP Requirements and Guidance + + Guidance: +

If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators.

+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + IR-3 Additional FedRAMP Requirements and Guidance + + IR-3 -2 Requirement: +

The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.

+
+
+ +
+
+ + + + + + IR-4 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

+
+
+
+
+ + + + + + + + + + + + + IR-6 Additional FedRAMP Requirements and Guidance + + Requirement: +

Report security incident information according to FedRAMP Incident Communications Procedure.

+
+
+
+
+ + + + + + + + + IR-8 Additional FedRAMP Requirements and Guidance + + (b) Requirement: +

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

+
+ + (e) Requirement: +

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + MP-3 Additional FedRAMP Requirements and Guidance + + (b) Guidance: +

Second parameter not-applicable

+
+
+
+
+ + + + + MP-4 Additional FedRAMP Requirements and Guidance + + (a) Requirement: +

The service provider defines controlled areas within facilities where the information and information system reside.

+
+
+
+
+ + + + + MP-5 Additional FedRAMP Requirements and Guidance + + (a) Requirement: +

The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.

+
+
+
+
+ + + + + + + + MP-6 (2) Additional FedRAMP Requirements and Guidance + + (a) Requirement: +

Equipment and procedures may be tested or validated for effectiveness

+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + PE-14(a) Additional FedRAMP Requirements and Guidance + + (a) Requirement: +

The service provider measures temperature at server inlets and humidity levels by dew point.

+
+
+
+
+ + + + + + + + + + + + + + + + PL-8(b) Additional FedRAMP Requirements and Guidance + + (b) Guidance: +

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.

+
+
+
+
+ + + + + + + + + + + + + + + + + RA-3 Additional FedRAMP Requirements and Guidance + + Guidance: +

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

+
+ + RA-3 (d) Requirement: +

Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

+
+
+
+
+ + + + + RA-5(a) Additional FedRAMP Requirements and Guidance + RA-5 (a)Requirement: +

An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

+
+ + RA-5(e) Additional FedRAMP Requirements and Guidance + RA-5 (e)Requirement: +

To include all Authorizing Officials; for JAB authorizations to include FedRAMP.

+
+ + RA-5 Additional FedRAMP Requirements and Guidance + + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)

+
+
+
+
+ + + + + + + + + + RA-5 (6) Additional FedRAMP Requirements and Guidance + + Guidance: +

Include in Continuous Monitoring ISSO digest/report to JAB/AO

+
+
+
+
+ + + + + RA-5 (8) Additional FedRAMP Requirements and Guidance + + Requirement: +

This enhancement is required for all high vulnerability scan findings.

+
+ + Guidance: +

While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.

+
+
+
+
+ + + + + RA-5 (10) Additional FedRAMP Requirements and Guidance + + Guidance: +

If multiple tools are not used, this control is not applicable.

+
+
+
+
+ + + + + + + + SA-4 Additional FedRAMP Requirements and Guidance + + Guidance: +

The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.

+
+
+
+
+ + + + + + + SA-4 (8) Additional FedRAMP Requirements and Guidance + + Guidance: +

CSP must use the same security standards regardless of where the system component or information system service is acquired.

+
+
+
+
+ + + + + + + + + + + + + + SA-10 Additional FedRAMP Requirements and Guidance + + (e) Requirement: +

For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

+
+
+
+
+ + + + + + + SA-11 (1) Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.

+
+
+
+
+ + + + + + SA-11 (8) Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.

+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + SC-7 (13) Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.

+
+ + Guidance: +

Examples include: information security tools, mechanisms, and support components such as, but not limited to PKI, patching infrastructure, cyber defense tools, special purpose gateway, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; Demilitarized Zones (DMZs), Server farms/computing centers, centralized audit log servers etc.

+
+
+
+
+ + + + + + + + + + + SC-12 Additional FedRAMP Requirements and Guidance + + Guidance: +

Federally approved and validated cryptography.

+
+
+
+
+ + + + + + + + + SC-15 Additional FedRAMP Requirements and Guidance + + Requirement: +

The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

+
+
+
+
+ + + + + + + + + + + + + + SC-28 Additional FedRAMP Requirements and Guidance + + Guidance: +

The organization supports the capability to use cryptographic mechanisms to protect information at rest.

+
+
+
+
+ + + + + + + + + + + + + + + + SI-4 Additional FedRAMP Requirements and Guidance + + Guidance: +

See US-CERT Incident Response Reporting Guidelines.

+
+
+
+
+ + + + + + + + SI-4 (5) Additional FedRAMP Requirements and Guidance + + Guidance: +

In accordance with the incident response plan.

+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+
diff --git a/baselines/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml b/baselines/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml
index 26a23e9cb..31df8af11 100644
--- a/baselines/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml
+++ b/baselines/xml/FedRAMP_LI-SaaS-baseline-resolved-profile_catalog.xml
@@ -1,9 +1,9 @@ - + FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline [RESOLVED] - 2019-11-27T00:00:00.000-05:00 - 2019-11-25T22:23:42.000000-05:00 + 2020-02-02T00:00:00.000-05:00 + 2020-01-28T14:26:33.000000-05:00 1.2 1.0.0-milestone2
@@ -194,9 +194,9 @@
diff --git a/baselines/xml/FedRAMP_LI-SaaS-baseline_profile.xml b/baselines/xml/FedRAMP_LI-SaaS-baseline_profile.xml
index 65f99eb07..debfcd257 100644
--- a/baselines/xml/FedRAMP_LI-SaaS-baseline_profile.xml
+++ b/baselines/xml/FedRAMP_LI-SaaS-baseline_profile.xml
@@ -1,1516 +1,1515 @@ - - - FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline - 2019-11-27T00:00:00.000-05:00 - 2019-11-24T10:00:00.000-05:00 - 1.2 - 1.0.0-milestone2 - - Author - - - Federal Risk and Authorization Management Program (FedRAMP) - info@fedramp.gov - https://fedramp.gov - - - - fedramp - -

This is a DRAFT OSCAL profile intended to reflect the FedRAMP Tailored Baseline for Low Impact Software as a Service (LI-SaaS). Currently this reflects FedRAMP's parameters, additional requirements/guidance, and control designations (Fed, NSO, Attest, etc.) Assessment objectives and actions have not been vetted and may not align. This also has not been peer reviewed. Use with caution. FedRAMP is not responsible for inaccuracies resulting from the use of this draft profile.

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - true - - - - - at least quarterly - - - - organization-defined actions to be taken (overwrite oldest record) - - - - at least weekly - - - - at least annually - - - individuals or roles to include FedRAMP PMO - - - - - at least annually and on input from FedRAMP - - - - at least monthly - - - - at least every three years or when a significant change occurs - - - - to meet Federal and FedRAMP requirements (See additional guidance) - - - to meet Federal and FedRAMP requirements (See additional guidance) - - - - see CM-6(a) Additional FedRAMP Requirements and Guidance - - - - at least monthly - - - - daily incremental; weekly full - - - daily incremental; weekly full - - - daily incremental; weekly full - - - - US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended) - - - - at least annually - - - - CSP defined physical access control systems/devices AND guards - - - in all circumstances within restricted access area where the information system resides - - - at least annually - - - at least annually - - - - at least monthly - - - - for a minimum of one (1) year - - - at least monthly - - - - consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments - - - continuously - - - - all information system components - - - - at least annually - - - - For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. 
For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions. - - - - security assessment report - - - at least every three (3) years or when a significant change occurs - - - at least every three (3) years or when a significant change occurs - - - - monthly operating system/infrastructure; monthly web applications and databases - - - [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery. - - - - FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system - - - Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored - - - - FIPS-validated or NSA-approved cryptography - - - - within 30 days of release of updates - - - - at least weekly - - - to include endpoints - - - to include alerting administrator or defined security personnel - - - - - - - - - - - - - - - - - - - - - - - - - AC-2 Additional FedRAMP Requirements and Guidance - - Guidance: -

Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored for LI-SaaS.

-
-
-
-
- - - - - - - - - - - - - - - -

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.

-
-
- - - - - - -

FED - This is related to agency data and agency policy solution.

-
-
- - - - - - -

FED - This is related to agency data and agency policy solution.

-
-
- - - - - - - - - - - - - - -

NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).

-
-
- - - - - - -

NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1]).

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.

-
-
- - - - - - - - - - - - - - - - - - - - - - - - CA-2 Additional FedRAMP Requirements and Guidance - - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance https://www.fedramp.gov/documents/

-
-
-
-
- - - - - - - - - - - - - - -

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: - 1) Identify the interface/connection. - 2) Detail what data is involved and its sensitivity. - 3) Determine whether the connection is one-way or bi-directional. - 4) Identify how the connection is secured.

-
-
- - - - - - -

Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.

-
-
- - - - - - - - CA-6(c) Additional FedRAMP Requirements and Guidance - - Guidance: -

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the Authorizing Official.

-
-
-
-
- - - - - - - - CA-7 Additional FedRAMP Requirements and Guidance - - Guidance: -

CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

-
- - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.fedramp.gov/documents/

-
-
-
-
- - - - - - -

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: - 1) Identify the interface/connection. - 2) Detail what data is involved and its sensitivity. - 3) Determine whether the connection is one-way or bi-directional. - 4) Identify how the connection is secured.

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Required - Specifically include details of least functionality.

- - CM-6(a) Additional FedRAMP Requirements and Guidance - - Requirement 1: -

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

-
- - Requirement 2: -

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).

-
- - Guidance: -

Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

-
-
-
-
- - - - - - - - - - - - - - - - CM-8 Additional FedRAMP Requirements and Guidance - - Requirement: -

Must be provided at least monthly or when there is a change.

-
-
-
-
- - - - - - -

NSO- Not directly related to protection of the data.

-
-
- - - - - - -

NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.

-
-
- - - - - - - - - - - - - - -

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

-
-
- - - - - - -

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

-
-
- - - - - - -

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

-
-
- - - - - - - - CP-9 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

-
- - CP-9(a) Requirement: -

The service provider maintains at least three backup copies of user-level information (at least one of which is available online).

-
- - CP-9(b)Requirement: -

The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

-
- - CP-9(c)Requirement: -

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).

-
-
-
-
- - - - - - -

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

-
-
- - - - - - - - - - - - - - - -

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.

-
-
- - - - - - - - - - - - - - -

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

- - IA-2 (12) Additional FedRAMP Requirements and Guidance - - Guidance: -

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

-
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

FED - for Federal privileged users. Condition - Must document and assess for privileged users. May attest to this control for non-privileged users.

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

-
-
- - - - - - -

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IR-4 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

-
-
-
-
- - - - - - - - - - - - - - - - IR-6 Additional FedRAMP Requirements and Guidance - - Requirement: -

Report security incident information according to FedRAMP Incident Communications Procedure.

-
-
-
-
- - - - - - - - - - - - - - -

Attestation - Specifically attest to US-CERT compliance.

-
-
- - - - - - -

Attestation - Specifically describe information spillage response processes.

-
-
- - - - - - - - - - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - - - - - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - - - - - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - - - - - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

- - PE-14(a) Additional FedRAMP Requirements and Guidance - - (a) Requirement: -

The service provider measures temperature at server inlets and humidity levels by dew point.

-
-
-
-
- - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - -

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - RA-3 Additional FedRAMP Requirements and Guidance - - Guidance: -

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

-
- - RA-3 (d) Requirement: -

Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

-
-
-
-
- - - - - - - - RA-5(a) Additional FedRAMP Requirements and Guidance - RA-5 (a)Requirement: -

An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

-
- - RA-5(e) Additional FedRAMP Requirements and Guidance - RA-5 (e)Requirement: -

To include all Authorizing Officials; for JAB authorizations to include FedRAMP.

-
- - RA-5 Additional FedRAMP Requirements and Guidance - - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)

-
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Condition: If availability is a requirement, define protections in place as per control requirement.

-
-
- - - - - - - - - - - - - - - - SC-12 Additional FedRAMP Requirements and Guidance - - Guidance: -

Federally approved cryptography.

-
-
-
-
- - - - - - -

Condition: If implementing need to detail how they meet it or don't meet it.

-
-
- - - - - - -

NSO - Not directly related to the security of the SaaS.

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Attestation - Specifically related to US-CERT and FedRAMP communications procedures.

-
-
- -
+ + + FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Baseline + 2020-02-02T00:00:00.000-05:00 + 2020-01-28T10:00:00.000-05:00 + 1.2 + 1.0.0-milestone2 + + Author + + + Federal Risk and Authorization Management Program (FedRAMP) + info@fedramp.gov + https://fedramp.gov + + + + fedramp + +

This is a DRAFT OSCAL profile intended to reflect the FedRAMP Tailored Baseline for Low Impact Software as a Service (LI-SaaS). Currently this reflects FedRAMP's parameters, additional requirements/guidance, and control designations (Fed, NSO, Attest, etc.) Assessment objectives and actions have not been vetted and may not align. This also has not been peer reviewed. Use with caution. FedRAMP is not responsible for inaccuracies resulting from the use of this draft profile.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + true + + + + + at least quarterly + + + + organization-defined actions to be taken (overwrite oldest record) + + + + at least weekly + + + + at least annually + + + individuals or roles to include FedRAMP PMO + + + + + at least annually and on input from FedRAMP + + + + at least monthly + + + + at least every three years or when a significant change occurs + + + + to meet Federal and FedRAMP requirements (See additional guidance) + + + to meet Federal and FedRAMP requirements (See additional guidance) + + + + see CM-6(a) Additional FedRAMP Requirements and Guidance + + + + at least monthly + + + + daily incremental; weekly full + + + daily incremental; weekly full + + + daily incremental; weekly full + + + + US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended) + + + + at least annually + + + + CSP defined physical access control systems/devices AND guards + + + in all circumstances within restricted access area where the information system resides + + + at least annually + + + at least annually + + + + at least monthly + + + + for a minimum of one (1) year + + + at least monthly + + + + consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments + + + continuously + + + + all information system components + + + + at least annually + + + + For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. 
For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions. + + + + security assessment report + + + at least every three (3) years or when a significant change occurs + + + at least every three (3) years or when a significant change occurs + + + + monthly operating system/infrastructure; monthly web applications and databases + + + [high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery. + + + + FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system + + + Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored + + + + FIPS-validated or NSA-approved cryptography + + + + within 30 days of release of updates + + + + at least weekly + + + to include endpoints + + + to include alerting administrator or defined security personnel + + + + + + + + + + + + + + + + + + + + + + + + + AC-2 Additional FedRAMP Requirements and Guidance + + Guidance: +

Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored for LI-SaaS.

+
+
+
+
+ + + + + + + + + + + + + + + +

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.

+
+
+ + + + + + +

FED - This is related to agency data and agency policy solution.

+
+
+ + + + + + +

FED - This is related to agency data and agency policy solution.

+
+
+ + + + + + + + + + + + + + +

NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).

+
+
+ + + + + + +

NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1]).

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + CA-2 Additional FedRAMP Requirements and Guidance + + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance https://www.fedramp.gov/documents/

+
+
+
+
+ + + + + + + + + + + + + + +

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: + 1) Identify the interface/connection. + 2) Detail what data is involved and its sensitivity. + 3) Determine whether the connection is one-way or bi-directional. + 4) Identify how the connection is secured.

+
+
+ + + + + + +

Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.

+
+
+ + + + + + + + CA-6(c) Additional FedRAMP Requirements and Guidance + + Guidance: +

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the Authorizing Official.

+
+
+
+
+ + + + + + + + CA-7 Additional FedRAMP Requirements and Guidance + + Guidance: +

CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

+
+ + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.fedramp.gov/documents/

+
+
+
+
+ + + + + + +

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: + 1) Identify the interface/connection. + 2) Detail what data is involved and its sensitivity. + 3) Determine whether the connection is one-way or bi-directional. + 4) Identify how the connection is secured.

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Required - Specifically include details of least functionality.

+ + CM-6(a) Additional FedRAMP Requirements and Guidance + + Requirement 1: +

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

+
+ + Requirement 2: +

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).

+
+ + Guidance: +

Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

+
+
+
+
+ + + + + + + + + + + + + + + + CM-8 Additional FedRAMP Requirements and Guidance + + Requirement: +

Must be provided at least monthly or when there is a change.

+
+
+
+
+ + + + + + +

NSO- Not directly related to protection of the data.

+
+
+ + + + + + +

NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.

+
+
+ + + + + + + + + + + + + + +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+
+
+ + + + + + +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+
+
+ + + + + + +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+
+
+ + + + + + + + CP-9 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

+
+ + CP-9(a) Requirement: +

The service provider maintains at least three backup copies of user-level information (at least one of which is available online).

+
+ + CP-9(b)Requirement: +

The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

+
+ + CP-9(c)Requirement: +

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).

+
+
+
+
+ + + + + + +

NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.

+
+
+ + + + + + + + + + + + + + + +

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.

+
+
+ + + + + + + + + + + + + + +

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

+ + IA-2 (12) Additional FedRAMP Requirements and Guidance + + Guidance: +

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

FED - for Federal privileged users. Condition - Must document and assess for privileged users. May attest to this control for non-privileged users.

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

+
+
+ + + + + + +

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IR-4 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

+
+
+
+
+ + + + + + + + + + + + + + + + IR-6 Additional FedRAMP Requirements and Guidance + + Requirement: +

Report security incident information according to FedRAMP Incident Communications Procedure.

+
+
+
+
+ + + + + + + + + + + + + + +

Attestation - Specifically attest to US-CERT compliance.

+
+
+ + + + + + +

Attestation - Specifically describe information spillage response processes.

+
+
+ + + + + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + + + + + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+ + PE-14(a) Additional FedRAMP Requirements and Guidance + + (a) Requirement: +

The service provider measures temperature at server inlets and humidity levels by dew point.

+
+
+
+
+ + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + +

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + RA-3 Additional FedRAMP Requirements and Guidance + + Guidance: +

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

+
+ + RA-3 (d) Requirement: +

Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

+
+
+
+
+ + + + + + + + RA-5(a) Additional FedRAMP Requirements and Guidance + RA-5 (a)Requirement: +

An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

+
+ + RA-5(e) Additional FedRAMP Requirements and Guidance + RA-5 (e)Requirement: +

To include all Authorizing Officials; for JAB authorizations to include FedRAMP.

+
+ + RA-5 Additional FedRAMP Requirements and Guidance + + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)

+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Condition: If availability is a requirement, define protections in place as per control requirement.

+
+
+ + + + + + + + + + + + + + + + SC-12 Additional FedRAMP Requirements and Guidance + + Guidance: +

Federally approved cryptography.

+
+
+
+
+ + + + + + +

Condition: If implementing need to detail how they meet it or don't meet it.

+
+
+ + + + + + +

NSO - Not directly related to the security of the SaaS.

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Attestation - Specifically related to US-CERT and FedRAMP communications procedures.

+
+
+ +
\ No newline at end of file
diff --git a/baselines/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml b/baselines/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml
index f49b19e12..aef424b95 100644
--- a/baselines/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml
+++ b/baselines/xml/FedRAMP_LOW-baseline-resolved-profile_catalog.xml
@@ -1,9 +1,9 @@
- + FedRAMP Low Baseline [RESOLVED] - 2019-12-17T00:00:00.000-05:00 - 2019-12-17T00:34:48.000000-05:00 + 2020-02-02T00:00:00.000-05:00 + 2020-01-28T14:26:08.000000-05:00 1.2 1.0.0-milestone2
@@ -554,9 +554,9 @@
@@ -813,24 +813,6 @@

Automated mechanisms implementing system use notification

- - AC-8 Additional FedRAMP Requirements and Guidance - AC-8 Req - - - Requirement: -

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

-
- - Requirement: -

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

-
- - Requirement: -

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

-
-
-
Permitted Actions Without Identification or Authentication
@@ -1129,7 +1111,7 @@ SI-4 -

Determine if the organization:

+

Determine if the organization:

AC-19(a)

establishes for organization-controlled mobile devices:

@@ -3508,30 +3490,6 @@

Mechanisms implementing continuous monitoring

- - Additional FedRAMP Requirements and Guidance - CA-7 Req - - - Requirement 1: -

Operating System Scans: at least monthly

-
- - Requirement 2: -

Database and Web Application Scans: at least monthly

-
- - Requirement 3: -

All scans performed by Independent Assessor: at least annually

-
- -

CSPs must provide evidence of closure and remediation of a high vulnerability within the timeframe for standard POA&M updates.

-
- -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.FedRAMP.gov/documents/

-
-
-
Internal System Connections
@@ -12702,14 +12660,6 @@

automated mechanisms providing an indication of use of collaborative computing devices

- - SC-15 Additional FedRAMP Requirements and Guidance - SC-15 Req - - Requirement: -

The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

-
-
Secure Name / Address Resolution Service (authoritative Source)
diff --git a/baselines/xml/FedRAMP_LOW-baseline_profile.xml b/baselines/xml/FedRAMP_LOW-baseline_profile.xml
index 6acf2c40f..2a9f0791c 100644
--- a/baselines/xml/FedRAMP_LOW-baseline_profile.xml
+++ b/baselines/xml/FedRAMP_LOW-baseline_profile.xml
@@ -1,1165 +1,1158 @@ - - - - FedRAMP Low Baseline - 2019-12-17T00:00:00.000-05:00 - 2019-12-16T10:00:00.000-05:00 - 1.2 - 1.0.0-milestone2 - - - Document creator - - - Contact - - - - Federal Risk and Authorization Management Program (FedRAMP) - info@fedramp.gov - https://fedramp.gov - - - - fedramp - - - fedramp - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - true - - - - - at least every 3 years - - - at least annually - - - - at least annually - - - - - not more than three (3) - - - fifteen (15) minutes - - - thirty (30) minutes - - - - see additional Requirements and Guidance - - - see additional Requirements and Guidance - - - - - - - - - at least quarterly - - - - at least every 3 years - - - at least annually - - - - at least annually - - - - at least annually - - - - At least one year - - - - at least every 3 years - - - at least annually - - - - Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes - - - organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event - - - - - - organization-defined actions to be taken (overwrite oldest record) - - - - at least weekly - - - - - - at least ninety days - - - - all information system and network components where audit capability is deployed/available - - - - at least every 3 years - - - at least annually - - - - at least annually - - - individuals or roles to include FedRAMP PMO - - - - - at least annually and on input from FedRAMP - - - - at least monthly 
- - - - at least every three years or when a significant change occurs - - - - to meet Federal and FedRAMP requirements (See additional guidance) - - - to meet Federal and FedRAMP requirements (See additional guidance) - - - - - at least every 3 years - - - at least annually - - - - - - United States Government Configuration Baseline (USGCB) - - - - United States Government Configuration Baseline (USGCB) - - - - at least monthly - - - - - Continuously (via CM-7 (5)) - - - - at least every 3 years - - - at least annually - - - - at least annually - - - - ten (10) days - - - at least annually - - - - at least every three years - - - classroom exercises/table top written tests - - - - daily incremental; weekly full - - - daily incremental; weekly full - - - daily incremental; weekly full - - - - - at least every 3 years - - - at least annually - - - - - - - IA-4 (d) [at least two years] - - - ninety days for user identifiers (See additional requirements and guidance) - - - - - at least one - - - twenty four - - - - - - - - - - - - at least every 3 years - - - at least annually - - - - at least annually - - - - - - US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended) - - - - - see additional FedRAMP Requirements and Guidance - - - at least annually - - - see additional FedRAMP Requirements and Guidance - - - - at least every 3 years - - - at least annually - - - - - - - at least every 3 years - - - at least annually - - - - - - - at least every 3 years - - - at least annually - - - - at least annually - - - - CSP defined physical access control systems/devices AND guards - - - CSP defined physical access control systems/devices - - - in all circumstances within restricted access area where the information system resides - - - at least annually - - - at least annually - - - - at least monthly - - - - for a minimum of one (1) year - - - at least monthly - - - - - - consistent with American Society of Heating, Refrigerating and 
Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments - - - continuously - - - - - all information system components - - - - at least every 3 years - - - at least annually - - - - at least annually - - - - At least every 3 years - - - - at least every 3 years - - - at least annually - - - - at least every three years - - - - For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions. - - - - same day - - - - five days of the time period following the formal transfer action (DoD 24 hours) - - - - at least annually - - - at least annually - - - - organization-defined time period - same day - - - - - at least every 3 years - - - at least annually - - - - - security assessment report - - - at least every three (3) years or when a significant change occurs - - - at least every three (3) years or when a significant change occurs - - - - monthly operating system/infrastructure; monthly web applications and databases - - - [high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery. 
- - - - at least every 3 years - - - at least annually - - - - - - - - FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system - - - Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored - - - - at least every 3 years - - - at least annually - - - - - - - FIPS-validated or NSA-approved cryptography - - - - no exceptions - - - - - - - - at least every 3 years - - - at least annually - - - - within 30 days of release of updates - - - - at least weekly - - - to include endpoints - - - to include alerting administrator or defined security personnel - - - - - to include US-CERT - - - to include system security personnel and administrators with configuration/patch-management responsibilities - - - - - - - - - - - - AC-8 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

-
- - Requirement: -

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

-
- - Requirement: -

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

-
-
-
-
- - - - - - - - - - - - - - - - AU-2 Additional FedRAMP Requirements and Guidance - - Requirement: -

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

-
-
-
-
- - - - - - - - AU-6 Additional FedRAMP Requirements and Guidance - - Requirement: -

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

-
-
-
-
- - - - - - - AU-11 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

-
-
-
-
- - - - - - - CA-2 Additional FedRAMP Requirements and Guidance - - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance https://www.fedramp.gov/documents/

-
-
-
-
- - - - - CA-2 (1) Additional FedRAMP Requirements and Guidance - - Requirement: -

For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).

-
-
-
-
- - - - - - CA-5 Additional FedRAMP Requirements and Guidance - - Requirement: -

Plan of Action & Milestones (POA&M) must be provided at least monthly.

-
- - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide https://www.fedramp.gov/documents/

-
-
-
-
- - - - - CA-6(c) Additional FedRAMP Requirements and Guidance - - Guidance: -

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

-
-
-
-
- - - - - CA-7 Additional FedRAMP Requirements and Guidance - - Requirement: -

Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

-
- - Guidance: -

CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

-
- - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.fedramp.gov/documents/

-
-
-
-
- - - - - - - - - CM-6(a) Additional FedRAMP Requirements and Guidance - - Requirement 1: -

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

-
- - Requirement 2: -

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).

-
- - Guidance: -

Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

-
-
-
-
- - - - - CM-7 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.

-
- - Guidance: -

Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc - Partially derived from AC-17(8).

-
-
-
-
- - - - - CM-8 Additional FedRAMP Requirements and Guidance - - Requirement: -

Must be provided at least monthly or when there is a change.

-
-
-
-
- - - - - - - - CP-2 Additional FedRAMP Requirements and Guidance - - CP-2 Requirement: -

For JAB authorizations the contingency lists include designated FedRAMP personnel.

-
-
-
-
- - - - - - CP-4(a) Additional FedRAMP Requirements and Guidance - - CP-4(a) Requirement: -

The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

-
-
-
-
- - - - - CP-9 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

-
- - CP-9(a) Requirement: -

The service provider maintains at least three backup copies of user-level information (at least one of which is available online).

-
- - CP-9(b)Requirement: -

The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

-
- - CP-9(c)Requirement: -

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).

-
-
-
-
- - - - - - - - - IA-2 (12) Additional FedRAMP Requirements and Guidance - - Guidance: -

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

-
-
-
-
- - - - - IA-4(e) Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider defines the time period of inactivity for device identifiers.

-
- - Guidance: -

For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.

-
-
-
-
- - - - - IA-5 Additional FedRAMP Requirements and Guidance - - Requirement: -

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3.

-
-
-
-
- - - - - IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance - - Guidance (a) (d): -

If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.

-
-
-
-
- - - - - - - - - - - - - - - IR-4 Additional FedRAMP Requirements and Guidance - - Requirement: -

The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

-
-
-
-
- - - - - - IR-6 Additional FedRAMP Requirements and Guidance - - Requirement: -

Report security incident information according to FedRAMP Incident Communications Procedure.

-
-
-
-
- - - - - - IR-8 Additional FedRAMP Requirements and Guidance - - (b) Requirement: -

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

-
- - (e) Requirement: -

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

-
-
-
-
- - - - - - - - - - - - - - - - - - - - PE-14(a) Additional FedRAMP Requirements and Guidance - - (a) Requirement: -

The service provider measures temperature at server inlets and humidity levels by dew point.

-
-
-
-
- - - - - - - - - - - - - - - - - - - - RA-3 Additional FedRAMP Requirements and Guidance - - Guidance: -

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

-
- - RA-3 (d) Requirement: -

Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

-
-
-
-
- - - - - RA-5(a) Additional FedRAMP Requirements and Guidance - RA-5 (a)Requirement: -

An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

-
- - RA-5(e) Additional FedRAMP Requirements and Guidance - RA-5 (e)Requirement: -

To include all Authorizing Officials; for JAB authorizations to include FedRAMP.

-
- - RA-5 Additional FedRAMP Requirements and Guidance - - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)

-
-
-
-
- - - - - - - - SA-4 Additional FedRAMP Requirements and Guidance - - Guidance: -

The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.

-
-
-
-
- - - - - - SA-9 Additional FedRAMP Requirements and Guidance - - Guidance: -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Continuous Monitoring Strategy Guide https://www.FedRAMP.gov/documents

-
- - Guidance: -

Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents>FedRAMP Authorization Boundary Guidance

-
-
-
-
- - - - - - - - SC-12 Additional FedRAMP Requirements and Guidance - - Guidance: -

Federally approved and validated cryptography.

-
-
-
-
- - - - - - SC-15 Additional FedRAMP Requirements and Guidance - - Requirement: -

The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

-
-
-
-
- - - - - - - - - - - - SI-4 Additional FedRAMP Requirements and Guidance - - Guidance: -

See US-CERT Incident Response Reporting Guidelines.

-
-
-
-
- - - -
-
+ + + + FedRAMP Low Baseline + 2020-02-02T00:00:00.000-05:00 + 2020-01-28T10:00:00.000-05:00 + 1.2 + 1.0.0-milestone2 + + + Document creator + + + Contact + + + + Federal Risk and Authorization Management Program (FedRAMP) + info@fedramp.gov + https://fedramp.gov + + + + fedramp + + + fedramp + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + true + + + + + at least every 3 years + + + at least annually + + + + at least annually + + + + + not more than three (3) + + + fifteen (15) minutes + + + thirty (30) minutes + + + + see additional Requirements and Guidance + + + see additional Requirements and Guidance + + + + + + + + + at least quarterly + + + + at least every 3 years + + + at least annually + + + + at least annually + + + + at least annually + + + + At least one year + + + + at least every 3 years + + + at least annually + + + + Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes + + + organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event + + + + + + organization-defined actions to be taken (overwrite oldest record) + + + + at least weekly + + + + + + at least ninety days + + + + all information system and network components where audit capability is deployed/available + + + + at least every 3 years + + + at least annually + + + + at least annually + + + individuals or roles to include FedRAMP PMO + + + + + at least annually and on input from FedRAMP + + + + at least monthly + + + + at least every three years 
or when a significant change occurs + + + + to meet Federal and FedRAMP requirements (See additional guidance) + + + to meet Federal and FedRAMP requirements (See additional guidance) + + + + + at least every 3 years + + + at least annually + + + + + + United States Government Configuration Baseline (USGCB) + + + + United States Government Configuration Baseline (USGCB) + + + + at least monthly + + + + + Continuously (via CM-7 (5)) + + + + at least every 3 years + + + at least annually + + + + at least annually + + + + ten (10) days + + + at least annually + + + + at least every three years + + + classroom exercises/table top written tests + + + + daily incremental; weekly full + + + daily incremental; weekly full + + + daily incremental; weekly full + + + + + at least every 3 years + + + at least annually + + + + + + + IA-4 (d) [at least two years] + + + ninety days for user identifiers (See additional requirements and guidance) + + + + + at least one + + + twenty four + + + + + + + + + + + + at least every 3 years + + + at least annually + + + + at least annually + + + + + + US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended) + + + + + see additional FedRAMP Requirements and Guidance + + + at least annually + + + see additional FedRAMP Requirements and Guidance + + + + at least every 3 years + + + at least annually + + + + + + + at least every 3 years + + + at least annually + + + + + + + at least every 3 years + + + at least annually + + + + at least annually + + + + CSP defined physical access control systems/devices AND guards + + + CSP defined physical access control systems/devices + + + in all circumstances within restricted access area where the information system resides + + + at least annually + + + at least annually + + + + at least monthly + + + + for a minimum of one (1) year + + + at least monthly + + + + + + consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers 
(ASHRAE) document entitled Thermal Guidelines for Data Processing Environments + + + continuously + + + + + all information system components + + + + at least every 3 years + + + at least annually + + + + at least annually + + + + At least every 3 years + + + + at least every 3 years + + + at least annually + + + + at least every three years + + + + For national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions. + + + + same day + + + + five days of the time period following the formal transfer action (DoD 24 hours) + + + + at least annually + + + at least annually + + + + organization-defined time period - same day + + + + + at least every 3 years + + + at least annually + + + + + security assessment report + + + at least every three (3) years or when a significant change occurs + + + at least every three (3) years or when a significant change occurs + + + + monthly operating system/infrastructure; monthly web applications and databases + + + [high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery. 
+ + + + at least every 3 years + + + at least annually + + + + + + + + FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system + + + Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored + + + + at least every 3 years + + + at least annually + + + + + + + FIPS-validated or NSA-approved cryptography + + + + no exceptions + + + + + + + + at least every 3 years + + + at least annually + + + + within 30 days of release of updates + + + + at least weekly + + + to include endpoints + + + to include alerting administrator or defined security personnel + + + + + to include US-CERT + + + to include system security personnel and administrators with configuration/patch-management responsibilities + + + + + + + + + + + + AC-8 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

+
+ + Requirement: +

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

+
+ + Requirement: +

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

+
+
+
+
+ + + + + + + + + + + + + + + + AU-2 Additional FedRAMP Requirements and Guidance + + Requirement: +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

+
+
+
+
+ + + + + + + + AU-6 Additional FedRAMP Requirements and Guidance + + Requirement: +

Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tennant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

+
+
+
+
+ + + + + + + AU-11 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

+
+
+
+
+ + + + + + + CA-2 Additional FedRAMP Requirements and Guidance + + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance https://www.fedramp.gov/documents/

+
+
+
+
+ + + + + CA-2 (1) Additional FedRAMP Requirements and Guidance + + Requirement: +

For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).

+
+
+
+
+ + + + + + CA-5 Additional FedRAMP Requirements and Guidance + + Requirement: +

Plan of Action & Milestones (POA&M) must be provided at least monthly.

+
+ + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Plan of Action & Milestones (POA&M) Template Completion Guide https://www.fedramp.gov/documents/

+
+
+
+
+ + + + + CA-6(c) Additional FedRAMP Requirements and Guidance + + Guidance: +

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

+
+
+
+
+ + + + + CA-7 Additional FedRAMP Requirements and Guidance + + Requirement: +

Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

+
+ + Guidance: +

CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

+
+ + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.fedramp.gov/documents/

+
+
+
+
+ + + + + + + + + CM-6(a) Additional FedRAMP Requirements and Guidance + + Requirement 1: +

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.

+
+ + Requirement 2: +

The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).

+
+ + Guidance: +

Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

+
+
+
+
+ + + + + CM-7 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.

+
+ + Guidance: +

Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc + Partially derived from AC-17(8).

+
+
+
+
+ + + + + CM-8 Additional FedRAMP Requirements and Guidance + + Requirement: +

Must be provided at least monthly or when there is a change.

+
+
+
+
+ + + + + + + + CP-2 Additional FedRAMP Requirements and Guidance + + CP-2 Requirement: +

For JAB authorizations the contingency lists include designated FedRAMP personnel.

+
+
+
+
+ + + + + + CP-4(a) Additional FedRAMP Requirements and Guidance + + CP-4(a) Requirement: +

The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the JAB/AO prior to initiating testing.

+
+
+
+
+ + + + + CP-9 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.

+
+ + CP-9(a) Requirement: +

The service provider maintains at least three backup copies of user-level information (at least one of which is available online).

+
+ + CP-9(b)Requirement: +

The service provider maintains at least three backup copies of system-level information (at least one of which is available online).

+
+ + CP-9(c)Requirement: +

The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).

+
+
+
+
+ + + + + + + + + IA-2 (12) Additional FedRAMP Requirements and Guidance + + Guidance: +

Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

+
+
+
+
+ + + + + IA-4(e) Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider defines the time period of inactivity for device identifiers.

+
+ + Guidance: +

For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.

+
+
+
+
+ + + + + IA-5 Additional FedRAMP Requirements and Guidance + + Requirement: +

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3.

+
+
+
+
+ + + + + IA-5 (1) (a) and (d) Additional FedRAMP Requirements and Guidance + + Guidance (a) (d): +

If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.

+
+
+
+
+ + + + + + + + + + + + + + + IR-4 Additional FedRAMP Requirements and Guidance + + Requirement: +

The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

+
+
+
+
+ + + + + + IR-6 Additional FedRAMP Requirements and Guidance + + Requirement: +

Report security incident information according to FedRAMP Incident Communications Procedure.

+
+
+
+
+ + + + + + IR-8 Additional FedRAMP Requirements and Guidance + + (b) Requirement: +

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

+
+ + (e) Requirement: +

The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

+
+
+
+
+ + + + + + + + + + + + + + + + + + + + PE-14(a) Additional FedRAMP Requirements and Guidance + + (a) Requirement: +

The service provider measures temperature at server inlets and humidity levels by dew point.

+
+
+
+
+ + + + + + + + + + + + + + + + + + + + RA-3 Additional FedRAMP Requirements and Guidance + + Guidance: +

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

+
+ + RA-3 (d) Requirement: +

Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

+
+
+
+
+ + + + + RA-5(a) Additional FedRAMP Requirements and Guidance + RA-5 (a)Requirement: +

An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

+
+ + RA-5(e) Additional FedRAMP Requirements and Guidance + RA-5 (e)Requirement: +

To include all Authorizing Officials; for JAB authorizations to include FedRAMP.

+
+ + RA-5 Additional FedRAMP Requirements and Guidance + + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements (https://www.FedRAMP.gov/documents/)

+
+
+
+
+ + + + + + + + SA-4 Additional FedRAMP Requirements and Guidance + + Guidance: +

The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.

+
+
+
+
+ + + + + + SA-9 Additional FedRAMP Requirements and Guidance + + Guidance: +

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Continuous Monitoring Strategy Guide https://www.FedRAMP.gov/documents

+
+ + Guidance: +

Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents>FedRAMP Authorization Boundary Guidance

+
+
+
+
+ + + + + + + + SC-12 Additional FedRAMP Requirements and Guidance + + Guidance: +

Federally approved and validated cryptography.

+
+
+
+
+ + + + + + SC-15 Additional FedRAMP Requirements and Guidance + + Requirement: +

The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

+
+
+
+
+ + + + + + + + + + + + SI-4 Additional FedRAMP Requirements and Guidance + + Guidance: +

See US-CERT Incident Response Reporting Guidelines.

+
+
+
+
+ + + +
+
diff --git a/baselines/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml b/baselines/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml
index 0f484b81c..9dfe45272 100644
--- a/baselines/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml
+++ b/baselines/xml/FedRAMP_MODERATE-baseline-resolved-profile_catalog.xml
@@ -1,9 +1,9 @@ - + FedRAMP Moderate Baseline [RESOLVED] - 2019-12-17T00:00:00.000-05:00 - 2019-12-17T00:35:11.000000-05:00 + 2020-02-02T00:00:00.000-05:00 + 2020-01-28T14:25:50.000000-05:00 1.2 1.0.0-milestone2
@@ -1688,9 +1688,9 @@
@@ -1947,24 +1947,6 @@

Automated mechanisms implementing system use notification

- - AC-8 Additional FedRAMP Requirements and Guidance - AC-8 Req - - - Requirement: -

The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.

-
- - Requirement: -

The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.

-
- - Requirement: -

If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.

-
-
-
Concurrent Session Control
@@ -1984,7 +1966,7 @@

Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts.

-

Determine if:

+

Determine if:

AC-10[1]

the organization defines account and/or account types for the information system;

@@ -2049,7 +2031,7 @@ AC-7
-

Determine if:

+

Determine if:

AC-11(a)
@@ -2789,7 +2771,7 @@ SI-4 -

Determine if the organization:

+

Determine if the organization:

AC-19(a)

establishes for organization-controlled mobile devices:

@@ -6389,30 +6371,6 @@
- - Additional FedRAMP Requirements and Guidance - CA-7 Req - - - Requirement 1: -

Operating System Scans: at least monthly

-
- - Requirement 2: -

Database and Web Application Scans: at least monthly

-
- - Requirement 3: -

All scans performed by Independent Assessor: at least annually

-
- -

CSPs must provide evidence of closure and remediation of a high vulnerability within the timeframe for standard POA&M updates.

-
- -

See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide https://www.FedRAMP.gov/documents/

-
-
-
Penetration Testing
@@ -8486,7 +8444,7 @@
@@ -23573,14 +23531,6 @@

automated mechanisms providing an indication of use of collaborative computing devices

- - SC-15 Additional FedRAMP Requirements and Guidance - SC-15 Req - - Requirement: -

The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.

-
-
Public Key Infrastructure Certificates
@@ -26025,7 +25975,7 @@