Fluid Attacks Database

FedRAMP

Last updated: 2023/09/18

FedRAMP is a U.S. Government program designed to standardize how the Federal Information Security Management Act (FISMA) applies to cloud computing services. It provides a standardized approach to security assessment, authorization and continuous monitoring of cloud-based services. FedRAMP defines a set of security control implementations and security impact level systems based on NIST baseline controls (NIST SP 800-53).

Control-Requirement Mapping

Definition	Requirements
AC-2_3. Account management - Disable inactive accounts	144. Remove inactive accounts periodically 023. Terminate inactive user sessions
AC-2_5. Account management - Inactivity logout	028. Allow users to log out
AC-2_7. Account management - Role-based schemes	095. Define users with privileges 096. Set user's required privileges
AC-2_12. Account management - Account monitoring, atypical usage	376. Register severity level
AC-6_1. Least privilege - Authorize access to security functions	033. Restrict administrative access 035. Manage privilege modifications 096. Set user's required privileges
AC-6_2. Least privilege - Non-privileged access for nonsecurity functions	096. Set user's required privileges
AC-6_3. Least privilege - Network access to privileged commands	033. Restrict administrative access
AC-6_8. Least privilege - Privilege levels for code execution	352. Enable trusted execution
AC-7_2. Unsuccessful logon - Purge, wipe mobile device	210. Delete information from mobile devices
AC-8. System use notification	227. Display access notification
AC-10. Concurrent session control	025. Manage concurrent sessions
AC-11. Session lock	114. Deny access with inactive credentials
AC-22. Publicly accessible content	261. Avoid exposing sensitive information 265. Restrict access to critical processes 325. Protect WSDL files 045. Remove metadata when sharing files
AU-3_2. Centralized management of planned audit record content	377. Store logs based on valid regulation 378. Use of log management system
AU-8. Time stamps	079. Record exact occurrence time of events
AU-8_1. Synchronization with authoritative time source	363. Synchronize system clocks
AU-12_3. Audit regeneration - Changes by authorized individuals	322. Avoid excessive logging 378. Use of log management system 080. Prevent log modification
CA-2_2. Security assessment - Specialized assessments	115. Filter malicious emails 155. Application free of malicious code 340. Use octet stream downloads 376. Register severity level 041. Scan files for malicious code
CA-2_3. Security assessment - External organizations	161. Define secure default options 262. Verify third-party components 314. Provide processing confirmation
CA-3. System interconnections	181. Transmit data using secure protocols 321. Avoid deserializing untrusted data
CA-3_3. Unclassified non-national security system connections	153. Out of band transactions 336. Disable insecure TLS versions
CA-6. Security authorization	095. Define users with privileges
CA-7. Continuous monitoring	376. Register severity level 378. Use of log management system 075. Record exceptional events in logs 078. Disable debugging events 079. Record exact occurrence time of events 080. Prevent log modification
CM-2_1. Baseline configuration - Reviews and updates	353. Schedule firmware updates
CM-3_6. Baseline configuration - Cryptography management	147. Use pre-existent mechanisms 151. Separate keys for encryption and signatures 224. Use secure cryptographic mechanisms
CM-5_5. Access restrictions for change - Limit production, operational privileges	186. Use the principle of least privilege 265. Restrict access to critical processes 035. Manage privilege modifications 096. Set user's required privileges
CM-7. Least functionality	154. Eliminate backdoors 255. Allow access only to the necessary ports
CM-7_5. Least functionality - Authorized software, whitelisting	326. Detect rooted devices 344. Avoid dynamic code execution 352. Enable trusted execution
IA-2_11. Identification and authentication - Remote access, separate device	362. Assign MFA mechanisms to a single account
IA-4. Identifier management	023. Terminate inactive user sessions 030. Avoid object reutilization
IA-5_1. Authenticator management - Password-based authentication	130. Limit password lifespan 131. Deny multiple password changing attempts 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 138. Define lifespan for temporary passwords 139. Set minimum OTP length
IA-5_3. Authenticator management - In-person or trusted third-party registration	137. Change temporary passwords of third parties
IA-5_8. Authenticator management - Multiple information system accounts	025. Manage concurrent sessions
MP-2. Media access	176. Restrict system objects 205. Configure PIN 229. Request access credentials 264. Request authentication 351. Assign unique keys to each device
MP-5. Media transport	153. Out of band transactions 181. Transmit data using secure protocols 335. Define out of band token lifespan
MP-6. Media sanitization	210. Delete information from mobile devices 214. Allow data destruction
PE-3. Physical access control	114. Deny access with inactive credentials 231. Implement a biometric verification component 362. Assign MFA mechanisms to a single account
PE-16. Delivery and removal	160. Encode system outputs 173. Discard unsafe inputs
PS-3_3. Personnel screening - Information with special protection measures	095. Define users with privileges 096. Set user's required privileges
PS-7. Third-party personnel security	137. Change temporary passwords of third parties 262. Verify third-party components 318. Notify third parties of changes
RA-5. Vulnerability scanning	118. Inspect attachments 155. Application free of malicious code 041. Scan files for malicious code 062. Define standard configurations
RA-5_4. Privileged access	095. Define users with privileges
SA-1. System and services acquisition policy and procedures	331. Guarantee legal compliance
SA-9. External information system services	262. Verify third-party components
SA-10. Developer configuration management	062. Define standard configurations
SC-1. System and communications protection policy and procedures	331. Guarantee legal compliance
SC-8. Transmission confidentiality and integrity	176. Restrict system objects 181. Transmit data using secure protocols 321. Avoid deserializing untrusted data 336. Disable insecure TLS versions 338. Implement perfect forward secrecy
SC-8_1. Cryptographic or alternate physical protection	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 250. Manage access points 257. Access based on user credentials
SC-10. Network disconnect	335. Define out of band token lifespan 023. Terminate inactive user sessions
SC-12_2. Cryptographic key establishment and management - Symmetric keys	145. Protect system cryptographic keys 149. Set minimum size of symmetric encryption 372. Proper Use of Initialization Vector (IV)
SC-13. Cryptographic protection	145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 224. Use secure cryptographic mechanisms 361. Replace cryptographic keys
SC-28. Protection of information at rest	176. Restrict system objects 329. Keep client-side storage without sensitive data 062. Define standard configurations
SI-3. Malicious code protection	155. Application free of malicious code 340. Use octet stream downloads 041. Scan files for malicious code
SI-5. Security alerts, advisories, and directives	173. Discard unsafe inputs 227. Display access notification 301. Notify configuration changes 318. Notify third parties of changes 358. Notify upcoming expiration dates 075. Record exceptional events in logs

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.