FedRAMP

Summary

FedRAMP is a U.S. Government program designed to standardize how the Federal Information Security Management Act (FISMA) applies to cloud computing services. It provides a standardized approach to security assessment, authorization and continuous monitoring of cloud-based services. FedRAMP defines a set of security control implementations and security impact level systems based on NIST baseline controls (NIST SP 800-53).

Definitions

Definition	Requirements
FEDRAMP-AC-2_3. Account management - Disable inactive accounts	144. Remove inactive accounts periodically 023. Terminate inactive user sessions
FEDRAMP-AC-2_5. Account management - Inactivity logout	028. Allow users to log out
FEDRAMP-AC-2_7. Account management - Role-based schemes	095. Define users with privileges 096. Set user's required privileges
FEDRAMP-AC-2_12. Account management - Account monitoring, atypical usage	376. Register severity level
FEDRAMP-AC-6_1. Least privilege - Authorize access to security functions	033. Restrict administrative access 035. Manage privilege modifications 096. Set user's required privileges
FEDRAMP-AC-6_2. Least privilege - Non-privileged access for nonsecurity functions	096. Set user's required privileges
FEDRAMP-AC-6_3. Least privilege - Network access to privileged commands	033. Restrict administrative access
FEDRAMP-AC-6_8. Least privilege - Privilege levels for code execution	352. Enable trusted execution
FEDRAMP-AC-7_2. Unsuccessful logon - Purge, wipe mobile device	210. Delete information from mobile devices
FEDRAMP-AC-8. System use notification	227. Display access notification
FEDRAMP-AC-10. Concurrent session control	025. Manage concurrent sessions
FEDRAMP-AC-11. Session lock	114. Deny access with inactive credentials
FEDRAMP-AC-22. Publicly accessible content	261. Avoid exposing sensitive information 265. Restrict access to critical processes 325. Protect WSDL files 045. Remove metadata when sharing files
FEDRAMP-AU-3_2. Centralized management of planned audit record content	377. Store logs based on valid regulation 378. Use of log management system
FEDRAMP-AU-8. Time stamps	079. Record exact occurrence time of events
FEDRAMP-AU-8_1. Synchronization with authoritative time source	363. Synchronize system clocks
FEDRAMP-AU-12_3. Audit regeneration - Changes by authorized individuals	322. Avoid excessive logging 378. Use of log management system 080. Prevent log modification
FEDRAMP-CA-2_2. Security assessment - Specialized assessments	115. Filter malicious emails 155. Application free of malicious code 340. Use octet stream downloads 376. Register severity level 041. Scan files for malicious code
FEDRAMP-CA-2_3. Security assessment - External organizations	161. Define secure default options 262. Verify third-party components 314. Provide processing confirmation
FEDRAMP-CA-3. System interconnections	181. Transmit data using secure protocols 321. Avoid deserializing untrusted data
FEDRAMP-CA-3_3. Unclassified non-national security system connections	153. Out of band transactions 336. Disable insecure TLS versions
FEDRAMP-CA-6. Security authorization	095. Define users with privileges
FEDRAMP-CA-7. Continuous monitoring	376. Register severity level 378. Use of log management system 075. Record exceptional events in logs 078. Disable debugging events 079. Record exact occurrence time of events 080. Prevent log modification
FEDRAMP-CM-2_1. Baseline configuration - Reviews and updates	353. Schedule firmware updates
FEDRAMP-CM-3_6. Baseline configuration - Cryptography management	147. Use pre-existent mechanisms 151. Separate keys for encryption and signatures 224. Use secure cryptographic mechanisms
FEDRAMP-CM-5_5. Access restrictions for change - Limit production, operational privileges	186. Use the principle of least privilege 265. Restrict access to critical processes 035. Manage privilege modifications 096. Set user's required privileges
FEDRAMP-CM-7. Least functionality	154. Eliminate backdoors 255. Allow access only to the necessary ports
FEDRAMP-CM-7_5. Least functionality - Authorized software, whitelisting	326. Detect rooted devices 344. Avoid dynamic code execution 352. Enable trusted execution
FEDRAMP-IA-2_11. Identification and authentication - Remote access, separate device	362. Assign MFA mechanisms to a single account
FEDRAMP-IA-4. Identifier management	023. Terminate inactive user sessions 030. Avoid object reutilization
FEDRAMP-IA-5_1. Authenticator management - Password-based authentication	130. Limit password lifespan 131. Deny multiple password changing attempts 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 138. Define lifespan for temporary passwords 139. Set minimum OTP length
FEDRAMP-IA-5_3. Authenticator management - In-person or trusted third-party registration	137. Change temporary passwords of third parties
FEDRAMP-IA-5_8. Authenticator management - Multiple information system accounts	025. Manage concurrent sessions
FEDRAMP-MP-2. Media access	176. Restrict system objects 205. Configure PIN 229. Request access credentials 264. Request authentication 351. Assign unique keys to each device
FEDRAMP-MP-5. Media transport	153. Out of band transactions 181. Transmit data using secure protocols 335. Define out of band token lifespan
FEDRAMP-MP-6. Media sanitization	210. Delete information from mobile devices 214. Allow data destruction
FEDRAMP-PE-3. Physical access control	114. Deny access with inactive credentials 231. Implement a biometric verification component 362. Assign MFA mechanisms to a single account
FEDRAMP-PE-16. Delivery and removal	160. Encode system outputs 173. Discard unsafe inputs
FEDRAMP-PS-3_3. Personnel screening - Information with special protection measures	095. Define users with privileges 096. Set user's required privileges
FEDRAMP-PS-7. Third-party personnel security	137. Change temporary passwords of third parties 262. Verify third-party components 318. Notify third parties of changes
FEDRAMP-RA-5. Vulnerability scanning	118. Inspect attachments 155. Application free of malicious code 041. Scan files for malicious code 062. Define standard configurations
FEDRAMP-RA-5_4. Privileged access	095. Define users with privileges
FEDRAMP-SA-1. System and services acquisition policy and procedures	331. Guarantee legal compliance
FEDRAMP-SA-9. External information system services	262. Verify third-party components
FEDRAMP-SA-10. Developer configuration management	062. Define standard configurations
FEDRAMP-SC-1. System and communications protection policy and procedures	331. Guarantee legal compliance
FEDRAMP-SC-8. Transmission confidentiality and integrity	176. Restrict system objects 181. Transmit data using secure protocols 321. Avoid deserializing untrusted data 336. Disable insecure TLS versions 338. Implement perfect forward secrecy
FEDRAMP-SC-8_1. Cryptographic or alternate physical protection	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 250. Manage access points 257. Access based on user credentials
FEDRAMP-SC-10. Network disconnect	335. Define out of band token lifespan 023. Terminate inactive user sessions
FEDRAMP-SC-12_2. Cryptographic key establishment and management - Symmetric keys	145. Protect system cryptographic keys 149. Set minimum size of symmetric encryption 372. Proper Use of Initialization Vector (IV)
FEDRAMP-SC-13. Cryptographic protection	145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 224. Use secure cryptographic mechanisms 361. Replace cryptographic keys
FEDRAMP-SC-28. Protection of information at rest	176. Restrict system objects 329. Keep client-side storage without sensitive data 062. Define standard configurations
FEDRAMP-SI-3. Malicious code protection	155. Application free of malicious code 340. Use octet stream downloads 041. Scan files for malicious code
FEDRAMP-SI-5. Security alerts, advisories, and directives	173. Discard unsafe inputs 227. Display access notification 301. Notify configuration changes 318. Notify third parties of changes 358. Notify upcoming expiration dates 075. Record exceptional events in logs

Last updated

2023/09/18