diff --git a/profiles/fedramp_rev5_high/profile.json b/profiles/fedramp_rev5_high/profile.json
index 46b2044..12ce86b 100644
--- a/profiles/fedramp_rev5_high/profile.json
+++ b/profiles/fedramp_rev5_high/profile.json
@@ -3,8 +3,8 @@
 "uuid": "9af0a7d3-252c-4f18-9baf-4f10e82bfac8",
 "metadata": {
 "title": "FedRAMP Rev 5 High Baseline",
- "published": "2023-06-15T00:00:00+00:00",
- "last-modified": "2023-06-15T00:00:00+00:00",
+ "published": "2023-08-31T00:00:00+00:00",
+ "last-modified": "2023-08-31T00:00:00+00:00",
 "version": "fedramp-2.0.0-oscal1.0.4",
 "oscal-version": "1.0.4",
 "roles": [
@@ -531,7 +531,7 @@
 "param-id": "ac-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -579,7 +579,7 @@
 "param-id": "ac-02.02_odp.01",
 "constraints": [
 {
- "description": "Selection: disables "
+ "description": "Selection: disables"
 }
 ]
 },
@@ -747,7 +747,7 @@
 "param-id": "at-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -755,7 +755,7 @@
 "param-id": "at-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -811,7 +811,7 @@
 "param-id": "au-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -819,7 +819,7 @@
 "param-id": "au-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -995,7 +995,7 @@
 "param-id": "ca-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1003,7 +1003,7 @@
 "param-id": "ca-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1019,7 +1019,7 @@
 "param-id": "ca-02_odp.01",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
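Review bot: In the metadata hunk `published` is moved forward to `2023-08-31T00:00:00+00:00` together with `last-modified`, while `version` stays at `fedramp-2.0.0-oscal1.0.4`. If `published` is meant to record the baseline's original publication date, only `last-modified` should change for a cleanup release; if the date move is intended, bumping `version` alongside it would let consumers that key on the version string notice that the constraint descriptions in the following hunks were altered. The enclosing `metadata` object starts and ends outside the hunk.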
@@ -1107,7 +1107,7 @@
 "param-id": "cm-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1115,7 +1115,7 @@
 "param-id": "cm-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1155,7 +1155,7 @@
 "param-id": "cm-03.01_odp.03",
 "constraints": [
 {
- "description": "organization agreed upon time period "
+ "description": "organization agreed upon time period"
 }
 ]
 },
@@ -1267,7 +1267,7 @@
 "param-id": "cp-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1419,7 +1419,7 @@
 "param-id": "ia-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1427,7 +1427,7 @@
 "param-id": "ia-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1475,7 +1475,7 @@
 "param-id": "ia-04_odp.01",
 "constraints": [
 {
- "description": "at a minimum, the ISSO (or similar role within the organization) "
+ "description": "at a minimum, the ISSO (or similar role within the organization)"
 }
 ]
 },
@@ -1507,7 +1507,7 @@
 "param-id": "ir-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1515,7 +1515,7 @@
 "param-id": "ir-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1619,7 +1619,7 @@
 "param-id": "ma-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1659,7 +1659,7 @@
 "param-id": "mp-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1667,7 +1667,7 @@
 "param-id": "mp-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1723,7 +1723,7 @@
 "param-id": "mp-05_odp.01",
 "constraints": [
 {
- "description": "all media with sensitive information "
+ "description": "all media with sensitive information"
 }
 ]
 },
@@ -1755,7 +1755,7 @@
 "param-id": "pe-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1763,7 +1763,7 @@
 "param-id": "pe-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1915,7 +1915,7 @@
 "param-id": "pl-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1923,7 +1923,7 @@
 "param-id": "pl-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1987,7 +1987,7 @@
 "param-id": "ps-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -1995,7 +1995,7 @@
 "param-id": "ps-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -2051,7 +2051,7 @@
 "param-id": "ps-05_odp.02",
 "constraints": [
 {
- "description": "twenty-four (24) hours "
+ "description": "twenty-four (24) hours"
 }
 ]
 },
@@ -2123,7 +2123,7 @@
 "param-id": "ra-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -2131,7 +2131,7 @@
 "param-id": "ra-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -2219,7 +2219,7 @@
 "param-id": "sa-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -2227,7 +2227,7 @@
 "param-id": "sa-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -2243,7 +2243,7 @@
 "param-id": "sa-04.02_odp.01",
 "constraints": [
 {
- "description": "at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram; \n\norganization-defined design/implementation information"
+ "description": "at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;\n\norganization-defined design/implementation information"
 }
 ]
 },
@@ -2339,7 +2339,7 @@
 "param-id": "sc-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -2347,7 +2347,7 @@
 "param-id": "sc-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -2499,7 +2499,7 @@
 "param-id": "si-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -2507,7 +2507,7 @@
 "param-id": "si-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -2531,7 +2531,7 @@
 "param-id": "si-02.02_odp.02",
 "constraints": [
 {
- "description": "at least monthly "
+ "description": "at least monthly"
 }
 ]
 },
@@ -2675,7 +2675,7 @@
 "param-id": "sr-01_odp.05",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -2683,7 +2683,7 @@
 "param-id": "sr-01_odp.07",
 "constraints": [
 {
- "description": "at least annually "
+ "description": "at least annually"
 }
 ]
 },
@@ -3048,7 +3048,7 @@
 "value": "Guidance:"
 }
 ],
- "prose": "If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. "
+ "prose": "If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided."
 }
 ]
 }
@@ -3549,7 +3549,7 @@
 "value": "Guidance:"
 }
 ],
- "prose": "See the FedRAMP Documents page> Penetration Test Guidance \n\nhttps://www.FedRAMP.gov/documents/"
+ "prose": "See the FedRAMP Documents page> Penetration Test Guidance\n\nhttps://www.FedRAMP.gov/documents/"
 }
 ]
 }
@@ -5369,7 +5369,7 @@
 "value": "Guidance:"
 }
 ],
- "prose": "For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.\n\n \n\nFor clarity, this control applies to all data in transit. Examples include the following data flows:\n\n* Crossing the system boundary\n* Between compute instances - including containers\n* From a compute instance to storage\n* Replication between availability zones\n* Transmission of backups to storage\n* From a load balancer to a compute instance\n* Flows from management tools required for their work – e.g. log collection, scanning, etc.\n\n\n \n\nThe following applies only when choosing SC-8 (5) in lieu of SC-8 (1).\n\nFedRAMP-Defined Assignment / Selection Parameters \n\nSC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]\n\nSC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information] "
+ "prose": "For each instance of data in transit, confidentiality AND integrity should be through cryptography as specified in SC-8 (1), physical means as specified in SC-8 (5), or in combination.\n\n\n\nFor clarity, this control applies to all data in transit. Examples include the following data flows:\n\n* Crossing the system boundary\n* Between compute instances - including containers\n* From a compute instance to storage\n* Replication between availability zones\n* Transmission of backups to storage\n* From a load balancer to a compute instance\n* Flows from management tools required for their work – e.g. 
log collection, scanning, etc.\n\n\n\n\nThe following applies only when choosing SC-8 (5) in lieu of SC-8 (1).\n\nFedRAMP-Defined Assignment / Selection Parameters\n\nSC-8 (5)-1 [a hardened or alarmed carrier Protective Distribution System (PDS) when outside of Controlled Access Area (CAA)]\n\nSC-8 (5)-2 [prevent unauthorized disclosure of information AND detect changes to information]"
 },
 {
 "id": "sc-8_fr_gdn.2",
@@ -5380,7 +5380,7 @@
 "value": "Guidance:"
 }
 ],
- "prose": "SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.\n\n \n\nHardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).\n\n \n\nControlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).\n\n \n\nNote: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.\n\n \n\nCNSSI No.7003 can be accessed here:\n\nhttps://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf\n\n \n\nDHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:\n\nhttps://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf "
+ "prose": "SC-8 (5) applies when physical protection has been selected as the method to protect confidentiality and integrity. For physical protection, data in transit must be in either a Controlled Access Area (CAA), or a Hardened or alarmed PDS.\n\n\n\nHardened or alarmed PDS: Shall be as defined in SECTION X - CATEGORY 2 PDS INSTALLATION GUIDANCE of CNSSI No.7003, titled PROTECTED DISTRIBUTION SYSTEMS (PDS). Per the CNSSI No. 
7003 Section VIII, PDS must originate and terminate in a Controlled Access Area (CAA).\n\n\n\nControlled Access Area (CAA): Data will be considered physically protected, and in a CAA if it meets Section 2.3 of the DHS’s Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. CSPs can meet Section 2.3 of the DHS’ recommended practice by satisfactory implementation of the following controls PE-2 (1), PE-2 (2), PE-2 (3), PE-3 (2), PE-3 (3), PE-6 (2), and PE-6 (3).\n\n\n\nNote: When selecting SC-8 (5), the above SC-8(5), and the above referenced PE controls must be added to the SSP.\n\n\n\nCNSSI No.7003 can be accessed here:\n\nhttps://www.dcsa.mil/Portals/91/documents/ctp/nao/CNSSI_7003_PDS_September_2015.pdf\n\n\n\nDHS Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies can be accessed here:\n\nhttps://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Defense_in_Depth_Strategies_S508C.pdf"
 }
 ]
 }
@@ -5522,7 +5522,7 @@
 "value": "Guidance:"
 }
 ],
- "prose": "This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:\n\n* Encryption of data\n* Decryption of data\n* Generation of one time passwords (OTPs) for MFA\n* Protocols such as TLS, SSH, and HTTPS\n\n\n \n\nThe requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).\n\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program"
+ "prose": "This control applies to all use of cryptography. In addition to encryption, this includes functions such as hashing, random number generation, and key generation. Examples include the following:\n\n* Encryption of data\n* Decryption of data\n* Generation of one time passwords (OTPs) for MFA\n* Protocols such as TLS, SSH, and HTTPS\n\n\n\n\nThe requirement for FIPS 140 validation, as well as timelines for acceptance of FIPS 140-2, and 140-3 can be found at the NIST Cryptographic Module Validation Program (CMVP).\n\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program"
 },
 {
 "id": "sc-13_fr_gdn.2",
@@ -6000,7 +6000,7 @@
 "value": "Guidance:"
 }
 ],
- "prose": "When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.\n\nhttps://cyber.dhs.gov/bod/18-01/ "
+ "prose": "When CSO sends email on behalf of the government as part of the business offering, Control Description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages as described in DHS Binding Operational Directive (BOD) 18-01.\n\nhttps://cyber.dhs.gov/bod/18-01/"
 },
 {
 "id": "si-8_fr_gdn.2",