FedRAMP System Security Plan (SSP) Moderate Baseline Template

Cloud Service Provider Name
Information System Name
Version #
Version Date

Instruction: This template contains a number of features to facilitate data entry. As you go through the template entering data, you will see prompts for you to enter different types of data.

Repeatable Field
Some multiple-occurring data fields have been linked together and you need only enter the data once. Enter the data once; then click outside the data entry field and all occurrences of that field will be populated. For example, when you see “Information System Abbreviation” and replace it with your system abbreviation, all instances of the abbreviation throughout the document will be replaced with the value you entered. This document contains the following repeatable fields:
CSP Name
Information System Name
Version Number
Version Date
Information System Abbreviation
If you find a data field from the above list that has not populated, then press the F9 key to refresh the data. If you make a change to one of the above data fields, you may also have to press the F9 key to refresh the data throughout the document. Remember to save the document after refreshes.
The one exception to the repeatable fields is information system names for FedRAMP or leveraged authorizations that are identified as “Leveraged information system name:”.

Date Selection
Data fields that must contain a date will present a date selection menu.

Item Choice
Data fields that have a limited number of value choices will present a selection list.

Number Entry
Data fields that must have numeric values display “number.”

Text Entry
Many data fields, particularly in tables, that can contain any text display “Enter text” or “Click here to enter text.”

Delete this instruction from your final version of this document.

System Security Plan

Prepared by
Identification of Organization that Prepared this Document
Organization Name: <Enter Company/Organization>
Street Address: <Enter Street Address>
Suite/Room/Building: <Enter Suite/Room/Building>
City, State Zip: <Enter Zip Code>

Prepared for
Identification of Cloud Service Provider
Organization Name: <Enter Company/Organization>
Street Address: <Enter Street Address>
Suite/Room/Building: <Enter Suite/Room/Building>
City, State Zip: <Enter Zip Code>

Template Revision History
Date: Description
1/21/2013: Original publication
6/6/2014: Major revision for SP800-53 Revision 4. Includes new template and formatting changes.
6/6/2018: Revised controls for language consistency and updated Attachment 3
6/20/2016: Reformatted to FedRAMP Document Standard, added repeated text schema and content fields to tables that were not Control Tables. Revised cover page, changed document designation to Controlled Unclassified Information (CUI), removed front matter section How This Document is Organized, instructions re-written, corrected section numbering to match SSP v1.0, revised Section 9 Table 9-1 Personnel Roles and Privileges, removed Section 10 inventory tables (see Attachment 13 FedRAMP Inventory Workbook). Global verbiage change: Authorizing Official (AO) changed to JAB/AO; e-Authentication, e-authentication and E-authentication changed to E-Authentication. Added attachments 10 FIPS 199, 11 Separation of Duties Matrix, 12 FedRAMP Laws and Regulations, 13 FedRAMP Inventory Workbook. Changes to the following controls: AC-02 (05), AC-05, AC-17 (09), AU-03 (01), AU-05, AU-06, CA-02 (03), CA-7, CM-02 (01), IA-02 (11), MP-03, PL-08, SA-09 (01), SC-15, SI-04 (04)
10/21/2016: Removed tables in Sec 15.12 FedRAMP Laws and Regulations. Removed revision history tables in all of Sec 15. Removed Acronyms (see FedRAMP Master Acronyms and Glossary resource document). Added PTA to Sec 15.4 PTA and PIA. Added E-Authentication to Sec 15.3. Added FIPS to Sec 15.10 FIPS 199. Changed inventory instruction and guidance in Sec 10 and Attachment 13. Removed chapter numbers from Attachments. Removed 3 questions from Sec 2.3 E-Authentication Determination
3/6/2017: Document renamed from “FedRAMP System Security Plan (SSP) Moderate Baseline Master Template” to “FedRAMP System Security Plan (SSP) Moderate Baseline Template”
6/6/2017: Updated logo
8/28/2018: Revised controls for language consistency, updated section 2.3 and Attachment 3, added guidance to SA-9, updated requirements in RA-5
5/18/2021: Revised SA-4 Additional FedRAMP Requirements and Guidance

Document Revision History
Date: Revision Description: Version of SSP: Author
<Date>: <Revision Description>: <Version>: <Author>
<Date>: <Revision Description>: <Version>: <Author>
<Date>: <Revision Description>: <Version>: <Author>

How to contact us
For questions about FedRAMP, or for technical questions about this document including how to use it, contact info@FedRAMP.gov. For more information about the FedRAMP project, see www.FedRAMP.gov.

Instruction: The System Security Plan is the main document in which the Cloud Service Provider (CSP) describes all the security controls in use on the information system and their implementation. This document is released in template format.
Once populated with content, this document will include detailed information about service provider information security controls. This document is intended to be used by service providers who are applying for a Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) or an Agency Authorization to Operate (ATO) through the Federal Risk and Authorization Management Program (FedRAMP).

In the sections that follow, describe the information security control as it is implemented on the system. All controls originate from a system or from a business process. It is important to describe where the control originates from so that it is clear whose responsibility it is to implement, manage and monitor the control. In some cases, the responsibility is shared by a CSP and by the customer. Use the definitions in the table that follows to indicate where each security control originates from. Note that “-1” controls (AC-1, AU-1, SC-1, etc.)* cannot be inherited and must be described in some way by the service provider.

*Access Control (AC), Audit and Accountability (AU), System and Communications Protection (SC)

Throughout this SSP, policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference.

For Software as a Service (SaaS) and Platform as a Service (PaaS) systems that inherit controls from an Infrastructure as a Service (IaaS) offering (or anything lower in the stack), the “inherited” check box must be checked and the implementation description must simply say “inherited.” FedRAMP reviewers will determine whether the control set is appropriate or not.

In Section 13, the National Institute of Standards and Technology (NIST) term “organization defined” must be interpreted as being the CSP's responsibility unless otherwise indicated.
In some cases the JAB has chosen to define or provide parameters; in others they have left the decision up to the CSP. Delete this instruction from your final version of this document.

TABLE OF CONTENTS

1. Information System Name/Title
2. Information System Categorization
  2.1. Information Types
  2.2. Security Objectives Categorization (FIPS 199)
  2.3. Digital Identity Determination
3. Information System Owner
4. Authorizing Official
5. Other Designated Contacts
6. Assignment of Security Responsibility
7. Information System Operational Status
8. Information System Type
  8.1. Cloud Service Models
  8.2. Cloud Deployment Models
  8.3. Leveraged Authorizations
9. General System Description
  9.1. System Function or Purpose
  9.2. Information System Components and Boundaries
  9.3. Types of Users
  9.4. Network Architecture
10. System Environment and Inventory
  10.1. Data Flow
  10.2. Ports, Protocols and Services
11. System Interconnections
12. Laws, Regulations, Standards and Guidance
  12.1. Applicable Laws and Regulations
  12.2. Applicable Standards and Guidance
13. Minimum Security Controls
  13.1. Access Control (AC)
    AC-1 Access Control Policy and Procedures Requirements (L) (M)
    AC-2 Account Management (L) (M)
    AC-2 (1) Control Enhancement (M) (H)
    AC-2 (2) Control Enhancement (M)
    AC-2 (3) Control Enhancement (M)
    AC-2 (4) Control Enhancement (M)
    AC-2 (5) Control Enhancement (M)
    AC-2 (7) Control Enhancement (M)
    AC-2 (9) Control Enhancement (M)
    AC-2 (10) Control Enhancement (M) (H)
    AC-2 (12) Control Enhancement (M)
    AC-3 Access Enforcement (L) (M) (H)
    AC-4 Information Flow Enforcement (M) (H)
    AC-4 (21) Control Enhancement (M) (H)
    AC-5 Separation of Duties (M) (H)
    AC-6 Least Privilege (M) (H)
    AC-6 (1) Control Enhancement (M)
    AC-6 (2) Control Enhancement (M) (H)
    AC-6 (5) Control Enhancement (M) (H)
    AC-6 (9) Control Enhancement (M) (H)
    AC-6 (10) Control Enhancement (M) (H)
    AC-7 Unsuccessful Login Attempts (L) (M)
    AC-8 System Use Notification (L) (M) (H)
    AC-10 Concurrent Session Control (M) (H)
    AC-11 Session Lock (M) (H)
    AC-11 (1) Control Enhancement (M) (H)
    AC-12 Session Termination (M) (H)
    AC-14 Permitted Actions without Identification or Authentication (L) (M) (H)
    AC-17 Remote Access (L) (M) (H)
    AC-17 (1) Control Enhancement (M) (H)
    AC-17 (2) Control Enhancement (M) (H)
    AC-17 (3) Control Enhancement (M) (H)
    AC-17 (4) Control Enhancement (M) (H)
    AC-17 (9) Control Enhancement (M) (H)
    AC-18 Wireless Access Restrictions (L) (M) (H)
    AC-18 (1) Control Enhancement (M) (H)
    AC-19 Access Control for Portable and Mobile Systems (L) (M) (H)
    AC-19 (5) Control Enhancement (M) (H)
    AC-20 Use of External Information Systems (L) (M) (H)
    AC-20 (1) Control Enhancement (M) (H)
    AC-20 (2) Control Enhancement (M) (H)
    AC-21 Information Sharing (M) (H)
    AC-22 Publicly Accessible Content (L) (M) (H)
  13.2. Awareness and Training (AT)
    AT-1 Security Awareness and Training Policy and Procedures (L) (M)
    AT-2 Security Awareness (L) (M) (H)
    AT-2 (2) Control Enhancement (M) (H)
    AT-3 Role-Based Security Training (L) (M) (H)
    AT-4 Security Training Records (L) (M)
  13.3. Audit and Accountability (AU)
    AU-1 Audit and Accountability Policy and Procedures (L) (M)
    AU-2 Audit Events (L) (M) (H)
    AU-2 (3) Control Enhancement (M) (H)
    AU-3 Content of Audit Records (L) (M) (H)
    AU-3 (1) Control Enhancement (M)
    AU-4 Audit Storage Capacity (L) (M) (H)
    AU-5 Response to Audit Processing Failures (L) (M) (H)
    AU-6 Audit Review, Analysis, and Reporting (L) (M) (H)
    AU-6 (1) Control Enhancement (M) (H)
    AU-6 (3) Control Enhancement (M) (H)
    AU-7 Audit Reduction and Report Generation (M) (H)
    AU-7 (1) Control Enhancement (M) (H)
    AU-8 Time Stamps (L) (M) (H)
    AU-8 (1) Control Enhancement (M) (H)
    AU-9 Protection of Audit Information (L) (M) (H)
    AU-9 (2) Control Enhancement (M) (H)
    AU-9 (4) Control Enhancement (M) (H)
    AU-11 Audit Record Retention (M)
    AU-12 Audit Generation (L) (M) (H)
  13.4. Security Assessment and Authorization (CA)
    CA-1 Certification, Authorization, Security Assessment Policy and Procedures (L) (M)
    CA-2 Security Assessments (L) (M) (H)
    CA-2 (1) Control Enhancement (L) (M) (H)
    CA-2 (2) Control Enhancement (M) (H)
    CA-2 (3) Control Enhancement (M) (H)
    CA-3 System Interconnections (L) (M) (H)
    CA-3 (3) Control Enhancement (M) (H)
    CA-3 (5) Control Enhancement (M)
    CA-5 Plan of Action and Milestones (L) (M) (H)
    CA-6 Security Authorization (L) (M) (H)
    CA-7 Continuous Monitoring (L) (M) (H)
    CA-7 (1) Control Enhancement (M) (H)
    CA-8 Penetration Testing (M) (H)
    CA-8 (1) Control Enhancement (M) (H)
    CA-9 Internal System Connections (L) (M) (H)
  13.5. Configuration Management (CM)
    CM-1 Configuration Management Policies and Procedures (L) (M)
    CM-2 Baseline Configuration (L) (M) (H)
    CM-2 (1) Control Enhancement (M)
    CM-2 (2) Control Enhancement (M) (H)
    CM-2 (3) Control Enhancement (M)
    CM-2 (7) Control Enhancement (M) (H)
    CM-3 Configuration Change Control (M) (H)
    CM-4 Security Impact Analysis (L) (M) (H)
    CM-5 Access Restrictions for Change (M) (H)
    CM-5 (1) Control Enhancement (M) (H)
    CM-5 (3) Control Enhancement (M) (H)
    CM-5 (5) Control Enhancement (M) (H)
    CM-6 Configuration Settings (L) (M) (H)
    CM-6 (1) Control Enhancement (M) (H)
    CM-7 Least Functionality (L) (M) (H)
    CM-7 (1) Control Enhancement (M) (H)
    CM-7 (2) Control Enhancement (M) (H)
    CM-7 (5) Control Enhancement (M)
    CM-8 Information System Component Inventory (L) (M) (H)
    CM-8 (1) Control Enhancement (M) (H)
    CM-8 (3) Control Enhancement (M) (H)
    CM-8 (5) Control Enhancement (M) (H)
    CM-9 Configuration Management Plan (M) (H)
    CM-10 Software Usage Restrictions (L) (M) (H)
    CM-10 (1) Control Enhancement (M) (H)
    CM-11 User-Installed Software (M) (H)
  13.6. Contingency Planning (CP)
    CP-1 Contingency Planning Policy and Procedures (L) (M)
    CP-2 Contingency Plan (L) (M) (H)
    CP-2 (1) Control Enhancement (M) (H)
    CP-2 (2) Control Enhancement (M) (H)
    CP-2 (3) Control Enhancement (M) (H)
    CP-2 (8) Control Enhancement (M) (H)
    CP-3 Contingency Training (L) (M) (H)
    CP-4 Contingency Plan Testing (M)
    CP-4 (1) Control Enhancement (M) (H)
    CP-6 Alternate Storage Site (M) (H)
    CP-6 (1) Control Enhancement (M) (H)
    CP-6 (3) Control Enhancement (M) (H)
    CP-7 Alternate Processing Site (M) (H)
    CP-7 (1) Control Enhancement (M) (H)
    CP-7 (2) Control Enhancement (M) (H)
    CP-7 (3) Control Enhancement (M) (H)
    CP-8 Telecommunications Services (M) (H)
    CP-8 (1) Control Enhancement (M) (H)
    CP-8 (2) Control Enhancement (M) (H)
    CP-9 Information System Backup (L) (M) (H)
    CP-9 (1) Control Enhancement (M)
    CP-9 (3) Control Enhancement (M) (H)
    CP-10 Information System Recovery and Reconstitution (L) (M) (H)
    CP-10 (2) Control Enhancement (M) (H)
  13.7. Identification and Authentication (IA)
    IA-1 Identification and Authentication Policy and Procedures (L) (M)
    IA-2 User Identification and Authentication (L) (M) (H)
    IA-2 (1) Control Enhancement (L) (M) (H)
    IA-2 (2) Control Enhancement (M) (H)
    IA-2 (3) Control Enhancement (M) (H)
    IA-2 (5) Control Enhancement (M) (H)
    IA-2 (8) Control Enhancement (M) (H)
    IA-2 (11) Control Enhancement (M) (H)
    IA-2 (12) Control Enhancement (L) (M) (H)
    IA-3 Device Identification and Authentication (M) (H)
    IA-4 Identifier Management (L) (M)
    IA-4 (4) Control Enhancement (M) (H)
    IA-5 Authenticator Management (L) (M)
    IA-5 (1) Control Enhancement (L) (M)
    IA-5 (2) Control Enhancement (M) (H)
    IA-5 (3) Control Enhancement (M) (H)
    IA-5 (4) Control Enhancement (M)
    IA-5 (6) Control Enhancement (M) (H)
    IA-5 (7) Control Enhancement (M) (H)
    IA-5 (11) Control Enhancement (L) (M) (H)
    IA-6 Authenticator Feedback (L) (M) (H)
    IA-7 Cryptographic Module Authentication (L) (M) (H)
    IA-8 Identification and Authentication (Non-Organizational Users) (L) (M) (H)
    IA-8 (1) Control Enhancement (L) (M) (H)
    IA-8 (2) Control Enhancement (L) (M) (H)
    IA-8 (3) Control Enhancement (L) (M) (H)
    IA-8 (4) Control Enhancement (L) (M) (H)
  13.8. Incident Response (IR)
    IR-1 Incident Response Policy and Procedures (L) (M)
    IR-2 Incident Response Training (L) (M)
    IR-3 Incident Response Testing (M)
    IR-3 (2) Control Enhancement (M) (H)
    IR-4 Incident Handling (L) (M) (H)
    IR-4 (1) Control Enhancement (M) (H)
    IR-5 Incident Monitoring (L) (M) (H)
    IR-6 Incident Reporting (L) (M) (H)
    IR-6 (1) Control Enhancement (M) (H)
    IR-7 Incident Response Assistance (L) (M) (H)
    IR-7 (1) Control Enhancement (M) (H)
    IR-7 (2) Control Enhancement (M) (H)
    IR-8 Incident Response Plan (L) (M) (H)
    IR-9 Information Spillage Response (M) (H)
    IR-9 (1) Control Enhancement (M) (H)
    IR-9 (2) Control Enhancement (M)
    IR-9 (3) Control Enhancement (M) (H)
    IR-9 (4) Control Enhancement (M) (H)
  13.9. Maintenance (MA)
    MA-1 System Maintenance Policy and Procedures (L) (M)
    MA-2 Controlled Maintenance (L) (M) (H)
    MA-3 Maintenance Tools (M) (H)
    MA-3 (1) Control Enhancement (M) (H)
    MA-3 (2) Control Enhancement (M) (H)
    MA-3 (3) Control Enhancement (M) (H)
    MA-4 Remote Maintenance (L) (M) (H)
    MA-4 (2) Control Enhancement (M) (H)
    MA-5 Maintenance Personnel (L) (M) (H)
    MA-5 (1) Control Enhancement (L) (M)
    MA-6 Timely Maintenance (M) (H)
  13.10. Media Protection (MP)
    MP-1 Media Protection Policy and Procedures (L) (M)
    MP-2 Media Access (L) (M)
    MP-3 Media Labeling (M) (H)
    MP-4 Media Storage (M) (H)
    MP-5 Media Transport (M) (H)
    MP-5 (4) Control Enhancement (M) (H)
    MP-6 Media Sanitization and Disposal (L) (M)
    MP-6 (2) Control Enhancement (M)
    MP-7 Media Use (L) (M) (H)
    MP-7 (1) Control Enhancement (M) (H)
  13.11. Physical and Environmental Protection (PE)
    PE-1 Physical and Environmental Protection Policy and Procedures (L) (M)
    PE-2 Physical Access Authorizations (L) (M)
    PE-3 Physical Access Control (L) (M) (H)
    PE-4 Access Control for Transmission Medium (M) (H)
    PE-5 Access Control for Output Devices (M) (H)
    PE-6 Monitoring Physical Access (L) (M) (H)
    PE-6 (1) Control Enhancement (M) (H)
    PE-8 Visitor Access Records (L) (M) (H)
    PE-9 Power Equipment and Cabling (M) (H)
    PE-10 Emergency Shutoff (M) (H)
    PE-11 Emergency Power (M) (H)
    PE-12 Emergency Lighting (L) (M) (H)
    PE-13 Fire Protection (L) (M) (H)
    PE-13 (2) Control Enhancement (M) (H)
    PE-13 (3) Control Enhancement (M) (H)
    PE-14 Temperature and Humidity Controls (L) (M) (H)
    PE-14 (2) Control Enhancement (M) (H)
    PE-15 Water Damage Protection (L) (M) (H)
    PE-16 Delivery and Removal (L) (M) (H)
    PE-17 Alternate Work Site (M) (H)
  13.12. Planning (PL)
    PL-1 Security Planning Policy and Procedures (L) (M)
    PL-2 System Security Plan (L) (M) (H)
    PL-2 (3) Control Enhancement (M) (H)
    PL-4 Rules of Behavior (L) (M)
    PL-4 (1) Control Enhancement (M) (H)
    PL-8 Information Security Architecture (M) (H)
  13.13. Personnel Security (PS)
    PS-1 Personnel Security Policy and Procedures (L) (M)
    PS-2 Position Categorization (L) (M)
    PS-3 Personnel Screening (L) (M) (H)
    PS-3 (3) Control Enhancement (M) (H)
    PS-4 Personnel Termination (L) (M)
    PS-5 Personnel Transfer (L) (M)
    PS-6 Access Agreements (L) (M)
    PS-7 Third-Party Personnel Security (L) (M)
    PS-8 Personnel Sanctions (L) (M)
  13.14. Risk Assessment (RA)
    RA-1 Risk Assessment Policy and Procedures (L) (M)
    RA-2 Security Categorization (L) (M) (H)
    RA-3 Risk Assessment (L) (M)
    RA-5 Vulnerability Scanning (L) (M) (H)
    RA-5 (1) Control Enhancement (M) (H)
    RA-5 (2) Control Enhancement (M) (H)
    RA-5 (3) Control Enhancement (M) (H)
    RA-5 (5) Control Enhancement (M) (H)
    RA-5 (6) Control Enhancement (M) (H)
    RA-5 (8) Control Enhancement (L) (M) (H)
  13.15. System and Services Acquisition (SA)
    SA-1 System and Services Acquisition Policy and Procedures (L) (M)
    SA-2 Allocation of Resources (L) (M) (H)
    SA-3 System Development Life Cycle (L) (M) (H)
    SA-4 Acquisitions Process (L) (M) (H)
    SA-4 (1) Control Enhancement (M) (H)
    SA-4 (2) Control Enhancement (L) (M)
    SA-4 (8) Control Enhancement (M) (H)
    SA-4 (9) Control Enhancement (M) (H)
    SA-4 (10) Control Enhancement (M) (H)
    SA-5 Information System Documentation (L) (M)
    SA-8 Security Engineering Principles (M) (H)
    SA-9 External Information System Services (L) (M) (H)
    SA-9 (1) Control Enhancement (M) (H)
    SA-9 (2) Control Enhancement (M) (H)
    SA-9 (4) Control Enhancement (M) (H)
    SA-9 (5) Control Enhancement (M) (H)
    SA-10 Developer Configuration Management (M) (H)
    SA-10 (1) Control Enhancement (M) (H)
    SA-11 Developer Security Testing and Evaluation (M) (H)
    SA-11 (1) Control Enhancement (M) (H)
    SA-11 (2) Control Enhancement (M) (H)
    SA-11 (8) Control Enhancement (M) (H)
  13.16. System and Communications Protection (SC)
    SC-1 System and Communications Protection Policy and Procedures (L) (M)
    SC-2 Application Partitioning (M) (H)
    SC-4 Information in Shared Resources (M) (H)
    SC-5 Denial of Service Protection (L) (M) (H)
    SC-6 Resource Availability (M) (H)
    SC-7 Boundary Protection (L) (M) (H)
    SC-7 (3) Control Enhancement (M) (H)
    SC-7 (4) Control Enhancement (M)
    SC-7 (5) Control Enhancement (M) (H)
    SC-7 (7) Control Enhancement (M) (H)
    SC-7 (8) Control Enhancement (M) (H)
    SC-7 (12) Control Enhancement (M)
    SC-7 (13) Control Enhancement (M)
    SC-7 (18) Control Enhancement (M) (H)
    SC-8 Transmission Confidentiality and Integrity (M) (H)
    SC-8 (1) Control Enhancement (M) (H)
    SC-10 Network Disconnect (M)
    SC-12 Cryptographic Key Establishment & Management (L) (M) (H)
    SC-12 (2) Control Enhancement (M) (H)
    SC-12 (3) Control Enhancement (M) (H)
    SC-13 Use of Cryptography (L) (M) (H)
    SC-15 Collaborative Computing Devices (M) (H)
    SC-17 Public Key Infrastructure Certificates (M) (H)
    SC-18 Mobile Code (M) (H)
    SC-19 Voice Over Internet Protocol (M) (H)
    SC-20 Secure Name / Address Resolution Service (Authoritative Source) (L) (M) (H)
    SC-21 Secure Name / Address Resolution Service (Recursive or Caching Resolver) (L) (M) (H)
    SC-22 Architecture and Provisioning for Name / Address Resolution Service (L) (M) (H)
    SC-23 Session Authenticity (M) (H)
    SC-28 Protection of Information at Rest (M) (H)
    SC-28 (1) Control Enhancement (M)
    SC-39 Process Isolation (L) (M) (H)
  13.17. System and Information Integrity (SI)
    SI-1 System and Information Integrity Policy and Procedures (L) (M)
    SI-2 Flaw Remediation (L) (M) (H)
    SI-2 (2) Control Enhancement (M) (H)
    SI-2 (3) Control Enhancement (M) (H)
    SI-3 Malicious Code Protection (L) (M)
    SI-3 (1) Control Enhancement (M) (H)
    SI-3 (2) Control Enhancement (M) (H)
    SI-3 (7) Control Enhancement (M) (H)
    SI-4 Information System Monitoring (L) (M) (H)
    SI-4 (1) Control Enhancement (M) (H)
    SI-4 (2) Control Enhancement (M) (H)
    SI-4 (4) Control Enhancement (M) (H)
    SI-4 (5) Control Enhancement (M) (H)
    SI-4 (14) Control Enhancement (M) (H)
    SI-4 (16) Control Enhancement (M) (H)
    SI-4 (23) Control Enhancement (M) (H)
    SI-5 Security Alerts & Advisories (L) (M) (H)
    SI-6 Security Functionality Verification (M) (H)
    SI-7 Software & Information Integrity (M) (H)
    SI-7 (1) Control Enhancement (M) (H)
    SI-7 (7) Control Enhancement (M) (H)
    SI-8 Spam Protection (M) (H)
    SI-8 (1) Control Enhancement (M) (H)
    SI-8 (2) Control Enhancement (M) (H)
    SI-10 Information Input Validation (M) (H)
    SI-11 Error Handling (M) (H)
    SI-12 Information Output Handling and Retention (L) (M) (H)
    SI-16 Memory Protection (M) (H)
14. Acronyms
SYSTEMS SECURITY PLAN ATTACHMENTS
15. Attachments
  Attachment 1 Information Security Policies and Procedures
  Attachment 2 User Guide
  Attachment 3 Digital Identity Worksheet
    Introduction and Purpose
    Information System Name/Title
    Digital Identity Level Definitions
    Review Maximum Potential Impact Levels
    Digital Identity Level Selection
  Attachment 4 PTA / PIA
    Privacy Overview and Point of Contact (POC)
    Applicable Laws and Regulations
    Applicable Standards and Guidance
    Personally Identifiable Information (PII)
    Privacy Threshold Analysis
    Qualifying Questions
    Designation
  Attachment 5 Rules of Behavior
  Attachment 6 Information System Contingency Plan
  Attachment 7 Configuration Management Plan
  Attachment 8 Incident Response Plan
  Attachment 9 CIS Workbook
  Attachment 10 FIPS 199
    Introduction and Purpose
    Scope
    System Description
    Methodology
  Attachment 11 Separation of Duties Matrix
  Attachment 12 FedRAMP Laws and Regulations
  Attachment 13 FedRAMP Inventory Workbook

List of Figures
Figure 9-1 Authorization Boundary Diagram
Figure 9-2 Network Diagram
Figure 10-1 Data Flow Diagram

List of Tables
Table 1-1. Information System Name and Title
Table 2-1. Security Categorization
Table 2-2. Sensitivity Categorization of Information Types
Table 2-3. Security Impact Level
Table 2-4. Baseline Security Configuration
Table 3-1. Information System Owner
Table 5-1. Information System Management Point of Contact
Table 5-2. Information System Technical Point of Contact
Table 6-1. CSP Name Internal ISSO (or Equivalent) Point of Contact
Table 6-2. AO Point of Contact
Table 7-1. System Status
Table 8-1. Service Layers Represented in this SSP
Table 8-2. Cloud Deployment Model Represented in this SSP
Table 8-3. Leveraged Authorizations
Table 9-1. Personnel Roles and Privileges
Table 10-1. Ports, Protocols and Services
Table 11-1. System Interconnections
Table 12-1. Information System Name Laws and Regulations
Table 12-2. Information System Name Standards and Guidance
Table 13-1. Summary of Required Security Controls
Table 13-2. Control Origination and Definitions
Table 13-3. CA-3 Authorized Connections
Table 15-1. Names of Provided Attachments
Table 15-2. Information System Name and Title
Table 15-3. Mapping FedRAMP Levels to NIST SP 800-63-3 Levels
Table 15-4. Potential Impacts for Assurance Levels
Table 15-5. Digital Identity Level
Table 15-6. Information System Name; Privacy POC
Table 15-7. <Information System Name> Laws and Regulations
Table 15-8. <Information System Name> Standards and Guidance
Table 15-9.
CSP Applicable Information Types with Security Impact Levels Using NIST SP 800-60 V2 R1 PAGEREF _Toc522700824 \h 316System Security Plan ApprovalsCloud Service Provider SignaturesName<Enter Name>Date<Select Date>Title<Enter Title>Cloud Service ProviderCSP NameName<Enter Name>Date<Select Date>Title<Enter Title>Cloud Service ProviderCSP NameName<Enter Name>Date<Select Date>Title<Enter Title>Cloud Service ProviderCSP NameInformation System Name/TitleThis System Security Plan provides an overview of the security requirements for the Information System Name (Enter Information System Abbreviation) and describes the controls in place or planned for implementation to provide a level of security appropriate for the information to be transmitted, processed or stored by the system. Information security is vital to our critical infrastructure and its effective performance and protection is a key component of our national security program. Proper management of information technology systems is essential to ensure the confidentiality, integrity and availability of the data transmitted, processed or stored by the Enter Information System Abbreviation information system. The security safeguards implemented for the Enter Information System Abbreviation system meet the policy and control requirements set forth in this System Security Plan. All systems are subject to monitoring consistent with applicable laws, regulations, agency policies, procedures and practices. Table STYLEREF 1 \s 1 SEQ Table \* ARABIC \s 1 1. Information System Name and TitleUnique IdentifierInformation System NameInformation System Abbreviation<Enter FedRAMP Application Number>Information System NameEnter Information System AbbreviationInformation System CategorizationThe overall information system sensitivity categorization is recorded in REF _Ref444952106 \h Table 21 Security Categorization that follows. 
Directions for attaching the FIPS 199 document may be found in the following section: ATTACHMENT 10 - FIPS 199.

Table 2-1. Security Categorization
System Sensitivity Level: Choose level.

2.1 Information Types

This section describes how the information types used by the information system are categorized for confidentiality, integrity and availability sensitivity levels.

The following tables identify the information types that are input, stored, processed and/or output from Enter Information System Abbreviation. The selection of the information types is based on guidance provided by Office of Management and Budget (OMB) Federal Enterprise Architecture Program Management Office Business Reference Model 2.0 and FIPS Pub 199, Standards for Security Categorization of Federal Information and Information Systems, which is based on NIST Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories.

The tables also identify the security impact levels for confidentiality, integrity and availability for each of the information types, expressed as low, moderate, or high. The security impact levels are based on the potential impact definitions for each of the security objectives (i.e., confidentiality, integrity and availability) discussed in NIST SP 800-60 and FIPS Pub 199.

The potential impact is low if:
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

The potential impact is moderate if:
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

The potential impact is high if:
The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
Instruction: Record your information types in the tables that follow. Record the sensitivity level for Confidentiality, Integrity and Availability as High, Moderate, or Low. Add more rows as needed to add more information types. Use NIST SP 800-60 Guide for Mapping Types of Information and Systems to Security Categories, Volumes I & II, Revision 1 for guidance. Delete this instruction from your final version of this document.

Example:
Information Type (Use only information types from NIST SP 800-60, Volumes I and II as amended) | NIST 800-60 identifier for Associated Information Type | Confidentiality | Integrity | Availability
System Development | C.3.5.1 | Low | Moderate | Low

Table 2-2. Sensitivity Categorization of Information Types
Information Type (Use only information types from NIST SP 800-60, Volumes I and II as amended) | NIST 800-60 identifier for Associated Information Type | Confidentiality | Integrity | Availability
<Enter Information Type> | <Enter NIST Identifier> | Choose level. | Choose level. | Choose level.
<Enter Information Type> | <Enter NIST Identifier> | Choose level. | Choose level. | Choose level.
<Enter Information Type> | <Enter NIST Identifier> | Choose level. | Choose level. | Choose level.

2.2 Security Objectives Categorization (FIPS 199)

Based on the information provided in Table 2-2 Sensitivity Categorization of Information Types, for the Enter Information System Abbreviation, default to the high-water mark for the Information Types as identified in Table 2-3 Security Impact Level below.

Table 2-3. Security Impact Level
Security Objective | Low, Moderate or High
Confidentiality | Choose level.
Integrity | Choose level.
Availability | Choose level.

Through review and analysis, it has been determined that the baseline security categorization for the Enter Information System Abbreviation system is listed in Table 2-4 Baseline Security Configuration that follows.
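The high-water mark roll-up from the information-type table (Table 2-2) to the per-objective impact levels (Table 2-3) and the overall system categorization (Table 2-4) is easy to get wrong by hand once the table has more than a few rows. The script below is an added example, not part of the FedRAMP template: it validates each Table 2-2 row, computes the FIPS 199 high-water mark per security objective, rolls that up to the system categorization, and reports which information types set each mark (the justification an assessor will ask for). The sample rows are constructed; only the System Development / C.3.5.1 row is the template's own example, and the identifier pattern is an assumption about the shape of NIST SP 800-60 Volume II identifiers.

```python
"""FIPS 199 high-water mark categorization for the SSP Table 2-2 / 2-3 / 2-4 roll-up.

Added example, not part of the FedRAMP SSP template. The sample rows below are
constructed except for the template's own example row (System Development, C.3.5.1).
"""
import re
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")      # FIPS 199 impact values, lowest to highest
RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("Confidentiality", "Integrity", "Availability")

# Assumption: NIST SP 800-60 Vol. II identifiers look like "C.3.5.1" or "D.1.2"
# (an appendix letter followed by one or more dotted numbers).
IDENT_RE = re.compile(r"^[A-Z](\.\d+)+$")


@dataclass(frozen=True)
class InfoType:
    """One row of Table 2-2."""
    name: str
    nist_id: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective):
        return getattr(self, objective.lower())


def validate_row(row):
    """Return a list of problems for one Table 2-2 row (empty list means the row is valid)."""
    problems = []
    if not IDENT_RE.match(row.nist_id):
        problems.append(f"{row.name!r}: identifier {row.nist_id!r} is not an SP 800-60 style identifier")
    for obj in OBJECTIVES:
        if row.level(obj) not in RANK:
            problems.append(f"{row.name!r}: {obj} level {row.level(obj)!r} must be one of {LEVELS}")
    return problems


def objective_high_water_marks(rows):
    """Table 2-3: for each objective, the maximum impact level across all information types."""
    if not rows:
        raise ValueError("Table 2-2 must list at least one information type")
    return {obj: max((row.level(obj) for row in rows), key=RANK.__getitem__) for obj in OBJECTIVES}


def system_categorization(objective_marks):
    """Table 2-4: the overall categorization is the high-water mark of the three objectives."""
    return max(objective_marks.values(), key=RANK.__getitem__)


def driving_types(rows, objective_marks):
    """For each objective, the information types whose level equals the high-water mark."""
    return {obj: [row.name for row in rows if row.level(obj) == mark]
            for obj, mark in objective_marks.items()}


def categorize(rows):
    """Validate Table 2-2 rows, then produce the Table 2-3 and Table 2-4 values with drivers."""
    problems = [p for row in rows for p in validate_row(row)]
    if problems:
        raise ValueError("; ".join(problems))
    marks = objective_high_water_marks(rows)
    return {"objectives": marks,
            "system": system_categorization(marks),
            "drivers": driving_types(rows, marks)}


# Constructed sample Table 2-2: the template's example row plus two made-up rows.
SAMPLE_ROWS = [
    InfoType("System Development", "C.3.5.1", "Low", "Moderate", "Low"),   # template example row
    InfoType("Sample Type A (constructed)", "D.1.1", "Moderate", "Low", "Low"),
    InfoType("Sample Type B (constructed)", "D.2.3", "Low", "Low", "Moderate"),
]

if __name__ == "__main__":
    result = categorize(SAMPLE_ROWS)
    for obj, mark in result["objectives"].items():
        print(f"{obj}: {mark}  (set by: {', '.join(result['drivers'][obj])})")
    print("Overall system categorization:", result["system"])
```

The sample deliberately uses three information types that are each Low on two objectives and Moderate on one: the roll-up still yields Moderate for every objective and a Moderate system, which is the point of the high-water mark rule. The drivers list is what to cite in the SSP narrative when an agency asks why a single objective was not rated lower.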
Table 2-4. Baseline Security Configuration
Enter Information System Abbreviation Security Categorization | Choose level

Using this categorization, in conjunction with the risk assessment and any unique security requirements, we have established the security controls for this system, as detailed in this SSP.

2.3 Digital Identity Determination

The digital identity information may be found in ATTACHMENT 3 – Digital Identity Worksheet.

Note: NIST SP 800-63-3, Digital Identity Guidelines, does not recognize the four Levels of Assurance model previously used by federal agencies and described in OMB M-04-04, instead requiring agencies to individually select levels corresponding to each function being performed.

The digital identity level is Choose an item. Additional digital identity information can be found in Section 15 Attachments, Digital Identity Level Selection.

3. Information System Owner

The following individual is identified as the system owner or functional proponent/advocate for this system.

Table 3-1. Information System Owner
Information System Owner Information
Name: <Enter Name>
Title: <Enter Title>
Company / Organization: <Enter Company/Organization>
Address: <Enter Address, City, State and Zip>
Phone Number: <555-555-5555>
Email Address: <Enter email address>

4. Authorizing Official

Instruction: The Authorizing Official is determined by the path that the CSP is using to obtain an authorization.
JAB P-ATO: FedRAMP JAB, as comprised of member representatives from the General Services Administration (GSA), Department of Defense (DoD) and Department of Homeland Security (DHS)
Agency Authority to Operate (ATO): Agency Authorizing Official name, title and contact information
Delete this and all other instructions from your final version of this document.

The Authorizing Official (AO) or Designated Approving Authority (DAA) for this information system is the Insert AO information as instructed above.

5. Other Designated Contacts

Instruction: AOs should use the following section to identify points of contact that understand the technical implementations of the identified cloud system. AOs should edit, add, or modify the contacts in this section as they see fit. Delete this and all other instructions from your final version of this document.

The following individual(s) identified below possess in-depth knowledge of this system and/or its functions and operation.

Table 5-1. Information System Management Point of Contact
Information System Management Point of Contact
Name: <Enter Name>
Title: <Enter Title>
Company / Organization: <Enter Company/Organization>
Address: <Enter Address, City, State and Zip>
Phone Number: <555-555-5555>
Email Address: <Enter email address>

Table 5-2. Information System Technical Point of Contact
Information System Technical Point of Contact
Name: <Enter Name>
Title: <Enter Title>
Company / Organization: <Enter Company/Organization>
Address: <Enter Address, City, State and Zip>
Phone Number: <555-555-5555>
Email Address: <Enter email address>

Instruction: Add more tables as needed. Delete this and all other instructions from your final version of this document.

Point of Contact
Name: <Enter Name>
Title: <Enter Title>
Company / Organization: <Enter Company/Organization>
Address: <Enter Address, City, State and Zip>
Phone Number: <555-555-5555>
Email Address: <Enter email address>

6. Assignment of Security Responsibility

The Information System Security Officers (ISSO), or their equivalent, identified below have been appointed in writing and are deemed to have significant cyber and operational role responsibilities.

Table 6-1. CSP Name Internal ISSO (or Equivalent) Point of Contact
CSP Name Internal ISSO (or Equivalent) Point of Contact
Name: <Enter Name>
Title: <Enter Title>
Company / Organization: <Enter Company/Organization>
Address: <Enter Address, City, State and Zip>
Phone Number: <555-555-5555>
Email Address: <Enter email address>

Table 6-2. AO Point of Contact
AO Point of Contact
Name: <Enter Name>
Title: <Enter Title>
Organization: <Enter Company/Organization>
Address: <Enter Address, City, State and Zip>
Phone Number: <555-555-5555>
Email Address: <Enter email address>

7. Information System Operational Status

The system is currently in the life-cycle phase shown in Table 7-1 System Status that follows. (Only operational systems can be granted an ATO.)

Table 7-1.
System Status
[ ] Operational | The system is operating and in production.
[ ] Under Development | The system is being designed, developed, or implemented.
[ ] Major Modification | The system is undergoing a major change, development, or transition.
[ ] Other | Explain: Click here to enter text.

Instruction: Select as many status indicators as apply. If more than one status is selected, list which components of the system are covered under each status indicator. Delete this and all other instructions from your final version of this document.

8. Information System Type

The Enter Information System Abbreviation makes use of unique managed service provider architecture layer(s).

8.1 Cloud Service Models

Information systems, particularly those based on cloud architecture models, are made up of different service layers. Below are some questions that help the system owner determine whether the system is a cloud, followed by specific questions that help determine the type of cloud.

Question (Yes/No) | Conclusion
Does the system use virtual machines? | A no response means that the system is most likely not a cloud.
Does the system have the ability to expand its capacity to meet customer demand? | A no response means that the system is most likely not a cloud.
Does the system allow the consumer to build anything other than servers? | A no response means that the system is an IaaS. A yes response means that the system is either a PaaS or a SaaS.
Does the system offer the ability to create databases? | A yes response means that the system is a PaaS.
Does the system offer various developer toolkits and APIs? | A yes response means that the system is a PaaS.
Does the system offer only applications that are available by obtaining a login? | A yes response means that the system is a SaaS. A no response means that the system is either a PaaS or an IaaS.

The layers of the Enter Information System Abbreviation defined in this SSP are indicated in Table 8-1 Service Layers Represented in this SSP that follows.

Instruction: Check all layers that apply. Delete this and all other instructions from your final version of this document.

Table 8-1. Service Layers Represented in this SSP
Service Provider Architecture Layers
[ ] Software as a Service (SaaS) | Major Application
[ ] Platform as a Service (PaaS) | Major Application
[ ] Infrastructure as a Service (IaaS) | General Support System
[ ] Other | Explain: Click here to enter text.

Note: Refer to NIST SP 800-145 for information on cloud computing architecture models.

8.2 Cloud Deployment Models

Information systems are made up of different deployment models. The deployment models of the Enter Information System Abbreviation that are defined in this SSP, and are not leveraged by any other FedRAMP Authorizations, are indicated in Table 8-2 Cloud Deployment Model Represented in this SSP that follows.

Instruction: Check the deployment model that applies. Delete this and all other instructions from your final version of this document.

Table 8-2. Cloud Deployment Model Represented in this SSP
Service Provider Cloud Deployment Model
[ ] Public | Cloud services and infrastructure supporting multiple organizations and agency clients
[ ] Private | Cloud services and infrastructure dedicated to a specific organization/agency and no other clients
[ ] Government Only Community | Cloud services and infrastructure shared by several organizations/agencies with the same policy and compliance considerations
[ ] Hybrid | Explain (e.g., cloud services and infrastructure that provide a private cloud for secured applications and data where required and a public cloud for other applications and data): Click here to enter text.

8.3 Leveraged Authorizations

Instruction: The FedRAMP program qualifies different service layers for Authorizations. One or multiple service layers can be qualified in one System Security Plan. If a lower-level layer has been granted an Authorization and another higher-level layer represented by this SSP plans to leverage the lower layer's Authorization, this System Security Plan must clearly state that intention. If an information system does not leverage any pre-existing Authorizations, write "None" in the first column of the table that follows. Add as many rows as necessary in the table that follows. Delete this and all other instructions from your final version of this document.

The Enter Information System Abbreviation Choose an item leverages a pre-existing FedRAMP Authorization. FedRAMP Authorizations leveraged by this Enter Information System Abbreviation are listed in Table 8-3 Leveraged Authorizations that follows.

Table 8-3. Leveraged Authorizations
Leveraged Information System Name | Leveraged Service Provider Owner | Date Granted
<Enter Leveraged information system name1> | <Enter service provider owner1> | <Date>
<Enter Leveraged information system name2> | <Enter service provider owner2> | <Date>
<Enter Leveraged information system name3> | <Enter service provider owner3> | <Date>

9. General System Description

This section includes a general description of the Enter Information System Abbreviation.

9.1 System Function or Purpose

Instruction: In the space that follows, describe the purpose and functions of this system. Delete this and all other instructions from your final version of this document.

9.2 Information System Components and Boundaries

Instruction: In the space that follows, provide an explicit definition of the system's Authorization Boundary. Provide a diagram that portrays this Authorization Boundary and all its connections and components, including the means for monitoring and controlling communications at the external boundary and at key internal boundaries within the system. Address all components and managed interfaces of the information system authorized for operation (e.g., routers, firewalls).
The diagram must include a predominant border drawn around all system components and services included in the authorization boundary. The diagram must be easy to read and understand. Formal names of components, as they are known at the service provider organization in functional specifications, configuration guides, other documents and live configurations, shall be named on the diagram and described. Components identified in the Boundary diagram should be consistent with the Network diagram and the inventory(ies). Provide a key to symbols used. Ensure consistency between the boundary and network diagrams and respective descriptions (Section 9.4) and the appropriate Security Controls [AC-20, CA-3(1)].

Additional FedRAMP Requirements and Guidance:
Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > FedRAMP Authorization Boundary Guidance: https://www.fedramp.gov/documents/

Delete this and all other instructions from your final version of this document.

A detailed and explicit definition of the system authorization boundary diagram is represented in Figure 9-1 Authorization Boundary Diagram below.

Figure 9-1 Authorization Boundary Diagram

9.3 Types of Users

All personnel have their status categorized with a sensitivity level in accordance with PS-2. Personnel (employees or contractors) of service providers are considered Internal Users. All other users are considered External Users. User privileges (authorization permission after authentication takes place) are described in Table 9-1 Personnel Roles and Privileges that follows.

Instruction: For an External User, write "Not Applicable" in the Sensitivity Level column. This table must include all roles, including systems administrators and database administrators as role types. (Also include web server administrators, network administrators and firewall administrators if these individuals have the ability to configure a device or host that could impact the CSP service offering.) This table must also include whether these roles are fulfilled by foreign nationals or systems outside the United States. Delete this and all other instructions from your final version of this document.

Table 9-1. Personnel Roles and Privileges
Role | Internal or External | Privileged (P), Non-Privileged (NP), or No Logical Access (NLA) | Sensitivity Level | Authorized Privileges | Functions Performed
UNIX System Administrator | Internal | P | Moderate | Full administrative access (root) | Add/remove users and hardware, install and configure software, OS updates, patches and hotfixes, perform backups
Client Administrator | External | NP | N/A | Portal administration | Add/remove client users. Create, modify and delete client applications
Program Director | Internal | NLA | Limited | N/A | Reviews, approves and enforces policy
Choose an item. | Choose an item. | Choose an item. | Choose an item. |  | 
Choose an item. | Choose an item. | Choose an item. | Choose an item. |  | 
Choose an item. | Choose an item. | Choose an item. | Choose an item. |  | 

There are currently <number> internal personnel and <number> external personnel. Within one year, it is anticipated that there will be <number> internal personnel and <number> external personnel.

9.4 Network Architecture

Instruction: Insert a network architectural diagram in the space that follows. Ensure that the following items are labeled on the diagram: hostnames, Domain Name System (DNS) servers, DHCP servers, authentication and access control servers, directory servers, firewalls, routers, switches, database servers, major applications, storage, Internet connectivity providers, telecom circuit numbers, network interfaces and numbers, VLANs. Major security components should be represented.
If necessary, include multiple network diagrams. Delete this and all other instructions from your final version of this document.

Assessors should be able to easily map hardware, software and network inventories back to this diagram. The logical network topology is shown in Figure 9-2 Network Diagram, mapping the data flow between components. The following Figure 9-2 Network Diagram(s) provides a visual depiction of the system network components that constitute Enter Information System Abbreviation.

Figure 9-2 Network Diagram

10. System Environment and Inventory

Directions for attaching the FedRAMP Inventory Workbook may be found in the following section: ATTACHMENT 13 – FedRAMP Inventory Workbook.

Instruction: In the space that follows, provide a general description of the technical system environment. Include information about all system environments that are used, e.g., production environment, test environment, staging or QA environments. Include the specific location of the alternate, backup and operational facilities. In your description, also include a reference to Attachment 13, the system's Integrated Inventory Workbook, which should provide a complete listing of the system's components (operating systems/infrastructure, web applications/software, and databases). The Integrated Inventory Workbook should be maintained and updated monthly by the CSP, as part of continuous monitoring efforts. Instructions for completing the Integrated Inventory Workbook are provided within the Integrated Inventory Workbook. Delete this and all other instructions from your final version of this document.

10.1 Data Flow

Instruction: In the space that follows, describe the flow of data in and out of system boundaries and insert a data flow diagram. Describe protections implemented at all entry and exit points in the data flow as well as internal controls between customer and project users. Include data flows for privileged and non-privileged authentication/authorization to the system for internal and external users. If necessary, include multiple data flow diagrams. Delete this and all other instructions from your final version of this document.

The data flow in and out of the system boundaries is represented in Figure 10-1 Data Flow Diagram below.

Figure 10-1 Data Flow Diagram

10.2 Ports, Protocols and Services

Table 10-1 Ports, Protocols and Services below lists the ports, protocols and services enabled in this information system.

Instruction: In the column labeled "Used By", indicate the components of the information system that make use of the ports, protocols and services. In the column labeled "Purpose", indicate the purpose of the service (e.g., system logging, HTTP redirector, load balancing). This table should be consistent with CM-6 and CM-7. You must fill out this table even if you are leveraging a pre-existing FedRAMP Authorization. Add more rows as needed. Delete this and all other instructions from your final version of this document.

Table 10-1. Ports, Protocols and Services
Ports (TCP/UDP)* | Protocols | Services | Purpose | Used By
<Enter Port> | <Enter Protocols> | <Enter Services> | <Enter Purpose> | <Enter Used By>
<Enter Port> | <Enter Protocols> | <Enter Services> | <Enter Purpose> | <Enter Used By>
<Enter Port> | <Enter Protocols> | <Enter Services> | <Enter Purpose> | <Enter Used By>
<Enter Port> | <Enter Protocols> | <Enter Services> | <Enter Purpose> | <Enter Used By>
<Enter Port> | <Enter Protocols> | <Enter Services> | <Enter Purpose> | <Enter Used By>
<Enter Port> | <Enter Protocols> | <Enter Services> | <Enter Purpose> | <Enter Used By>
* Transmission Control Protocol (TCP), User Datagram Protocol (UDP)

11. System Interconnections

Instruction: List all interconnected systems. Provide the IP address and interface identifier (eth0, eth1, eth2) for the CSP system that provides the connection.
Name the external organization and the IP address of the external system. Provide a point of contact and phone number for the external organization. For Connection Security, indicate how the connection is being secured. For Data Direction, indicate which direction the packets are flowing. For Information Being Transmitted, describe what type of data is being transmitted. If a dedicated telecom line is used, indicate the circuit number. Add additional rows as needed. This table must be consistent with Table 13-3 CA-3 Authorized Connections.

Additional FedRAMP Requirements and Guidance:
Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > FedRAMP Authorization Boundary Guidance: https://www.fedramp.gov/documents/

Delete this and all other instructions from your final version of this document.

Table 11-1 System Interconnections below is consistent with Table 13-3 CA-3 Authorized Connections.

Table 11-1. System Interconnections
SP* IP Address and Interface | External Organization Name and IP Address of System | External Point of Contact and Phone Number | Connection Security (IPSec VPN, SSL, Certificates, Secure File Transfer, etc.)** | Data Direction (incoming, outgoing, or both) | Information Being Transmitted | Port or Circuit Numbers
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone 555-555-5555> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone 555-555-5555> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone 555-555-5555> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone 555-555-5555> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone 555-555-5555> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>
<SP IP Address/Interface> | <External Org/IP> | <External Org POC> <Phone 555-555-5555> | <Enter Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers>
* Service Processor
** Internet Protocol Security (IPSec), Virtual Private Network (VPN), Secure Sockets Layer (SSL)

12. Laws, Regulations, Standards and Guidance

A summary of FedRAMP Laws and Regulations is included in ATTACHMENT 12 – FedRAMP Laws and Regulations.

12.1 Applicable Laws and Regulations

The FedRAMP Laws and Regulations can be found on this web page: Templates. Table 12-1 Information System Name Laws and Regulations includes additional laws and regulations specific to Information System Name.

Instruction: The information system name is a repeatable field that is populated when the Title Page is completed.
If the CSP does not have additional laws and regulations that it must follow, please specify "N/A" in the table. Delete this and all other instructions from your final version of this document.Table STYLEREF 1 \s 12 SEQ Table \* ARABIC \s 1 1. Information System Name Laws and RegulationsIdentification NumberTitleDateLink<Reference ID><Reference Title><Ref Date><Reference Link><Reference ID><Reference Title><Ref Date><Reference Link><Reference ID><Reference Title><Ref Date><Reference Link>Applicable Standards and Guidance The FedRAMP Standards and Guidance be found on this web page: Templates REF _Ref443482628 \h Table 122 Information System Name Standards and Guidance includes in this section any additional standards and guidance specific to Information System Name.Instruction: The information system name is a repeatable field that is populated when the Title Page is completed. If the CSP does not have additional standards or guidance that it must follow, please specify "N/A" in the table. Delete this and all other instructions from your final version of this document.Table STYLEREF 1 \s 12 SEQ Table \* ARABIC \s 1 2. Information System Name Standards and GuidanceIdentification NumberTitleDateLink<Reference ID><Reference Title><Ref Date><Reference Link><Reference ID><Reference Title><Ref Date><Reference Link><Reference ID><Reference Title><Ref Date><Reference Link>Minimum Security ControlsSecurity controls must meet minimum security control baseline requirements. Upon categorizing a system as Low, Moderate, or High sensitivity in accordance with FIPS 199, the corresponding security control baseline standards apply. Some of the control baselines have enhanced controls which are indicated in parentheses. Security controls that are representative of the sensitivity of Enter Information System Abbreviation are described in the sections that follow. 
Security controls that are designated as “Not Selected” or “Withdrawn by NIST” are not described unless they have additional FedRAMP controls. Guidance on how to describe the implemented standard can be found in NIST 800-53, Rev 4. Control enhancements are marked in parentheses in the sensitivity columns. Systems that are categorized as FIPS 199 Low use the controls designated as Low, systems categorized as FIPS 199 Moderate use the controls designated as Moderate, and systems categorized as FIPS 199 High use the controls designated as High. A summary of which security standards pertain to which sensitivity level is found in Table 13-1 Summary of Required Security Controls that follows.

Table 13-1. Summary of Required Security Controls

| ID | Control Description | Low | Moderate | High |
|---|---|---|---|---|
| AC | Access Control | | | |
| AC-1 | Access Control Policy and Procedures | AC-1 | AC-1 | AC-1 |
| AC-2 | Account Management | AC-2 | AC-2 (1) (2) (3) (4) (5) (7) (9) (10) (12) | AC-2 (1) (2) (3) (4) (5) (7) (9) (10) (11) (12) (13) |
| AC-3 | Access Enforcement | AC-3 | AC-3 | AC-3 |
| AC-4 | Information Flow Enforcement | Not Selected | AC-4 (21) | AC-4 (8) (21) |
| AC-5 | Separation of Duties | Not Selected | AC-5 | AC-5 |
| AC-6 | Least Privilege | Not Selected | AC-6 (1) (2) (5) (9) (10) | AC-6 (1) (2) (3) (5) (7) (8) (9) (10) |
| AC-7 | Unsuccessful Logon Attempts | AC-7 | AC-7 | AC-7 (2) |
| AC-8 | System Use Notification | AC-8 | AC-8 | AC-8 |
| AC-10 | Concurrent Session Control | Not Selected | AC-10 | AC-10 |
| AC-11 | Session Lock | Not Selected | AC-11 (1) | AC-11 (1) |
| AC-12 | Session Termination | Not Selected | AC-12 | AC-12 (1) |
| AC-14 | Permitted Actions Without Identification or Authentication | AC-14 | AC-14 | AC-14 |
| AC-17 | Remote Access | AC-17 | AC-17 (1) (2) (3) (4) (9) | AC-17 (1) (2) (3) (4) (9) |
| AC-18 | Wireless Access | AC-18 | AC-18 (1) | AC-18 (1) (3) (4) (5) |
| AC-19 | Access Control For Mobile Devices | AC-19 | AC-19 (5) | AC-19 (5) |
| AC-20 | Use of External Information Systems | AC-20 | AC-20 (1) (2) | AC-20 (1) (2) |
| AC-21 | Information Sharing | Not Selected | AC-21 | AC-21 |
| AC-22 | Publicly Accessible Content | AC-22 | AC-22 | AC-22 |
| AT | Awareness and Training | | | |
| AT-1 | Security Awareness and Training Policy and Procedures | AT-1 | AT-1 | AT-1 |
| AT-2 | Security Awareness Training | AT-2 | AT-2 (2) | AT-2 (2) |
| AT-3 | Role-Based Security Training | AT-3 | AT-3 | AT-3 (3) (4) |
| AT-4 | Security Training Records | AT-4 | AT-4 | AT-4 |
| AU | Audit and Accountability | | | |
| AU-1 | Audit and Accountability Policy and Procedures | AU-1 | AU-1 | AU-1 |
| AU-2 | Audit Events | AU-2 | AU-2 (3) | AU-2 (3) |
| AU-3 | Content of Audit Records | AU-3 | AU-3 (1) | AU-3 (1) (2) |
| AU-4 | Audit Storage Capacity | AU-4 | AU-4 | AU-4 |
| AU-5 | Response to Audit Processing Failures | AU-5 | AU-5 | AU-5 (1) (2) |
| AU-6 | Audit Review, Analysis and Reporting | AU-6 | AU-6 (1) (3) | AU-6 (1) (3) (4) (5) (6) (7) (10) |
| AU-7 | Audit Reduction and Report Generation | Not Selected | AU-7 (1) | AU-7 (1) |
| AU-8 | Time Stamps | AU-8 | AU-8 (1) | AU-8 (1) |
| AU-9 | Protection of Audit Information | AU-9 | AU-9 (2) (4) | AU-9 (2) (3) (4) |
| AU-10 | Non-repudiation | Not Selected | Not Selected | AU-10 |
| AU-11 | Audit Record Retention | AU-11 | AU-11 | AU-11 |
| AU-12 | Audit Generation | AU-12 | AU-12 | AU-12 (1) (3) |
| CA | Security Assessment and Authorization | | | |
| CA-1 | Security Assessment and Authorization Policies and Procedures | CA-1 | CA-1 | CA-1 |
| CA-2 | Security Assessments | CA-2 (1) | CA-2 (1) (2) (3) | CA-2 (1) (2) (3) |
| CA-3 | System Interconnections | CA-3 | CA-3 (3) (5) | CA-3 (3) (5) |
| CA-5 | Plan of Action and Milestones | CA-5 | CA-5 | CA-5 |
| CA-6 | Security Authorization | CA-6 | CA-6 | CA-6 |
| CA-7 | Continuous Monitoring | CA-7 | CA-7 (1) | CA-7 (1) (3) |
| CA-8 | Penetration Testing | Not Selected | CA-8 (1) | CA-8 (1) |
| CA-9 | Internal System Connections | CA-9 | CA-9 | CA-9 |
| CM | Configuration Management | | | |
| CM-1 | Configuration Management Policy and Procedures | CM-1 | CM-1 | CM-1 |
| CM-2 | Baseline Configuration | CM-2 | CM-2 (1) (2) (3) (7) | CM-2 (1) (2) (3) (7) |
| CM-3 | Configuration Change Control | Not Selected | CM-3 (2) | CM-3 (1) (2) (4) (6) |
| CM-4 | Security Impact Analysis | CM-4 | CM-4 | CM-4 (1) |
| CM-5 | Access Restrictions For Change | Not Selected | CM-5 (1) (3) (5) | CM-5 (1) (2) (3) (5) |
| CM-6 | Configuration Settings | CM-6 | CM-6 (1) | CM-6 (1) (2) |
| CM-7 | Least Functionality | CM-7 | CM-7 (1) (2) (5)* | CM-7 (1) (2) (5) |
| CM-8 | Information System Component Inventory | CM-8 | CM-8 (1) (3) (5) | CM-8 (1) (2) (3) (4) (5) |
| CM-9 | Configuration Management Plan | Not Selected | CM-9 | CM-9 |
| CM-10 | Software Usage Restrictions | CM-10 | CM-10 (1) | CM-10 (1) |
| CM-11 | User-Installed Software | CM-11 | CM-11 | CM-11 (1) |
| CP | Contingency Planning | | | |
| CP-1 | Contingency Planning Policy and Procedures | CP-1 | CP-1 | CP-1 |
| CP-2 | Contingency Plan | CP-2 | CP-2 (1) (2) (3) (8) | CP-2 (1) (2) (3) (4) (5) (8) |
| CP-3 | Contingency Training | CP-3 | CP-3 | CP-3 (1) |
| CP-4 | Contingency Plan Testing | CP-4 | CP-4 (1) | CP-4 (1) (2) |
| CP-6 | Alternate Storage Site | Not Selected | CP-6 (1) (3) | CP-6 (1) (2) (3) |
| CP-7 | Alternate Processing Site | Not Selected | CP-7 (1) (2) (3) | CP-7 (1) (2) (3) (4) |
| CP-8 | Telecommunications Services | Not Selected | CP-8 (1) (2) | CP-8 (1) (2) (3) (4) |
| CP-9 | Information System Backup | CP-9 | CP-9 (1) (3) | CP-9 (1) (2) (3) (5) |
| CP-10 | Information System Recovery and Reconstitution | CP-10 | CP-10 (2) | CP-10 (2) (4) |
| IA | Identification and Authentication | | | |
| IA-1 | Identification and Authentication Policy and Procedures | IA-1 | IA-1 | IA-1 |
| IA-2 | Identification and Authentication (Organizational Users) | IA-2 (1) (12) | IA-2 (1) (2) (3) (5) (8) (11) (12) | IA-2 (1) (2) (3) (4) (5) (8) (9) (11) (12) |
| IA-3 | Device Identification and Authentication | Not Selected | IA-3 | IA-3 |
| IA-4 | Identifier Management | IA-4 | IA-4 (4) | IA-4 (4) |
| IA-5 | Authenticator Management | IA-5 (1) (11) | IA-5 (1) (2) (3) (4) (6) (7) (11) | IA-5 (1) (2) (3) (4) (6) (7) (8) (11) (13) |
| IA-6 | Authenticator Feedback | IA-6 | IA-6 | IA-6 |
| IA-7 | Cryptographic Module Authentication | IA-7 | IA-7 | IA-7 |
| IA-8 | Identification and Authentication (Non-Organizational Users) | IA-8 (1) (2) (3) (4) | IA-8 (1) (2) (3) (4) | IA-8 (1) (2) (3) (4) |
| IR | Incident Response | | | |
| IR-1 | Incident Response Policy and Procedures | IR-1 | IR-1 | IR-1 |
| IR-2 | Incident Response Training | IR-2 | IR-2 | IR-2 (1) (2) |
| IR-3 | Incident Response Testing | Not Selected | IR-3 (2) | IR-3 (2) |
| IR-4 | Incident Handling | IR-4 | IR-4 (1) | IR-4 (1) (2) (3) (4) (6) (8) |
| IR-5 | Incident Monitoring | IR-5 | IR-5 | IR-5 (1) |
| IR-6 | Incident Reporting | IR-6 | IR-6 (1) | IR-6 (1) |
| IR-7 | Incident Response Assistance | IR-7 | IR-7 (1) (2) | IR-7 (1) (2) |
| IR-8 | Incident Response Plan | IR-8 | IR-8 | IR-8 |
| IR-9 | Information Spillage Response | Not Selected | IR-9 (1) (2) (3) (4) | IR-9 (1) (2) (3) (4) |
| MA | Maintenance | | | |
| MA-1 | System Maintenance Policy and Procedures | MA-1 | MA-1 | MA-1 |
| MA-2 | Controlled Maintenance | MA-2 | MA-2 | MA-2 (2) |
| MA-3 | Maintenance Tools | Not Selected | MA-3 (1) (2) (3) | MA-3 (1) (2) (3) |
| MA-4 | Nonlocal Maintenance | MA-4 | MA-4 (2) | MA-4 (2) (3) (6) |
| MA-5 | Maintenance Personnel | MA-5 | MA-5 (1) | MA-5 (1) |
| MA-6 | Timely Maintenance | Not Selected | MA-6 | MA-6 |
| MP | Media Protection | | | |
| MP-1 | Media Protection Policy and Procedures | MP-1 | MP-1 | MP-1 |
| MP-2 | Media Access | MP-2 | MP-2 | MP-2 |
| MP-3 | Media Marking | Not Selected | MP-3 | MP-3 |
| MP-4 | Media Storage | Not Selected | MP-4 | MP-4 |
| MP-5 | Media Transport | Not Selected | MP-5 (4) | MP-5 (4) |
| MP-6 | Media Sanitization | MP-6 | MP-6 (2) | MP-6 (1) (2) (3) |
| MP-7 | Media Use | MP-7 | MP-7 (1) | MP-7 (1) |
| PE | Physical and Environmental Protection | | | |
| PE-1 | Physical and Environmental Protection Policy and Procedures | PE-1 | PE-1 | PE-1 |
| PE-2 | Physical Access Authorizations | PE-2 | PE-2 | PE-2 |
| PE-3 | Physical Access Control | PE-3 | PE-3 | PE-3 (1) |
| PE-4 | Access Control For Transmission Medium | Not Selected | PE-4 | PE-4 |
| PE-5 | Access Control For Output Devices | Not Selected | PE-5 | PE-5 |
| PE-6 | Monitoring Physical Access | PE-6 | PE-6 (1) | PE-6 (1) (4) |
| PE-8 | Visitor Access Records | PE-8 | PE-8 | PE-8 (1) |
| PE-9 | Power Equipment and Cabling | Not Selected | PE-9 | PE-9 |
| PE-10 | Emergency Shutoff | Not Selected | PE-10 | PE-10 |
| PE-11 | Emergency Power | Not Selected | PE-11 | PE-11 (1) |
| PE-12 | Emergency Lighting | PE-12 | PE-12 | PE-12 |
| PE-13 | Fire Protection | PE-13 | PE-13 (2) (3) | PE-13 (1) (2) (3) |
| PE-14 | Temperature and Humidity Controls | PE-14 | PE-14 (2) | PE-14 (2) |
| PE-15 | Water Damage Protection | PE-15 | PE-15 | PE-15 (1) |
| PE-16 | Delivery and Removal | PE-16 | PE-16 | PE-16 |
| PE-17 | Alternate Work Site | Not Selected | PE-17 | PE-17 |
| PE-18 | Location of Information System Components | Not Selected | Not Selected | PE-18 |
| PL | Planning | | | |
| PL-1 | Security Planning Policy and Procedures | PL-1 | PL-1 | PL-1 |
| PL-2 | System Security Plan | PL-2 | PL-2 (3) | PL-2 (3) |
| PL-4 | Rules of Behavior | PL-4 | PL-4 (1) | PL-4 (1) |
| PL-8 | Information Security Architecture | Not Selected | PL-8 | PL-8 |
| PS | Personnel Security | | | |
| PS-1 | Personnel Security Policy and Procedures | PS-1 | PS-1 | PS-1 |
| PS-2 | Position Risk Designation | PS-2 | PS-2 | PS-2 |
| PS-3 | Personnel Screening | PS-3 | PS-3 (3) | PS-3 (3) |
| PS-4 | Personnel Termination | PS-4 | PS-4 | PS-4 (2) |
| PS-5 | Personnel Transfer | PS-5 | PS-5 | PS-5 |
| PS-6 | Access Agreements | PS-6 | PS-6 | PS-6 |
| PS-7 | Third-Party Personnel Security | PS-7 | PS-7 | PS-7 |
| PS-8 | Personnel Sanctions | PS-8 | PS-8 | PS-8 |
| RA | Risk Assessment | | | |
| RA-1 | Risk Assessment Policy and Procedures | RA-1 | RA-1 | RA-1 |
| RA-2 | Security Categorization | RA-2 | RA-2 | RA-2 |
| RA-3 | Risk Assessment | RA-3 | RA-3 | RA-3 |
| RA-5 | Vulnerability Scanning | RA-5 | RA-5 (1) (2) (3) (5) (6) (8) | RA-5 (1) (2) (3) (4) (5) (6) (8) (10) |
| SA | System and Services Acquisition | | | |
| SA-1 | System and Services Acquisition Policy and Procedures | SA-1 | SA-1 | SA-1 |
| SA-2 | Allocation of Resources | SA-2 | SA-2 | SA-2 |
| SA-3 | System Development Life Cycle | SA-3 | SA-3 | SA-3 |
| SA-4 | Acquisition Process | SA-4 (10) | SA-4 (1) (2) (8) (9) (10) | SA-4 (1) (2) (8) (9) (10) |
| SA-5 | Information System Documentation | SA-5 | SA-5 | SA-5 |
| SA-8 | Security Engineering Principles | Not Selected | SA-8 | SA-8 |
| SA-9 | External Information System Services | SA-9 | SA-9 (1) (2) (4) (5) | SA-9 (1) (2) (4) (5) |
| SA-10 | Developer Configuration Management | Not Selected | SA-10 (1) | SA-10 (1) |
| SA-11 | Developer Security Testing and Evaluation | Not Selected | SA-11 (1) (2) (8) | SA-11 (1) (2) (8) |
| SA-12 | Supply Chain Protection | Not Selected | Not Selected | SA-12 |
| SA-15 | Development Process, Standards and Tools | Not Selected | Not Selected | SA-15 |
| SA-16 | Developer-Provided Training | Not Selected | Not Selected | SA-16 |
| SA-17 | Developer Security Architecture and Design | Not Selected | Not Selected | SA-17 |
| SC | System and Communications Protection | | | |
| SC-1 | System and Communications Protection Policy and Procedures | SC-1 | SC-1 | SC-1 |
| SC-2 | Application Partitioning | Not Selected | SC-2 | SC-2 |
| SC-3 | Security Function Isolation | Not Selected | Not Selected | SC-3 |
| SC-4 | Information In Shared Resources | Not Selected | SC-4 | SC-4 |
| SC-5 | Denial of Service Protection | SC-5 | SC-5 | SC-5 |
| SC-6 | Resource Availability | Not Selected | SC-6 | SC-6 |
| SC-7 | Boundary Protection | SC-7 | SC-7 (3) (4) (5) (7) (8) (12) (13) (18) | SC-7 (3) (4) (5) (7) (8) (10) (12) (13) (18) (20) (21) |
| SC-8 | Transmission Confidentiality and Integrity | Not Selected | SC-8 (1) | SC-8 (1) |
| SC-10 | Network Disconnect | Not Selected | SC-10 | SC-10 |
| SC-12 | Cryptographic Key Establishment and Management | SC-12 | SC-12 (2) (3) | SC-12 (1) (2) (3) |
| SC-13 | Cryptographic Protection | SC-13 | SC-13 | SC-13 |
| SC-15 | Collaborative Computing Devices | SC-15 | SC-15 | SC-15 |
| SC-17 | Public Key Infrastructure Certificates | Not Selected | SC-17 | SC-17 |
| SC-18 | Mobile Code | Not Selected | SC-18 | SC-18 |
| SC-19 | Voice Over Internet Protocol | Not Selected | SC-19 | SC-19 |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | SC-20 | SC-20 | SC-20 |
| SC-21 | Secure Name / Address Resolution Service (Recursive or Caching Resolver) | SC-21 | SC-21 | SC-21 |
| SC-22 | Architecture and Provisioning for Name / Address Resolution Service | SC-22 | SC-22 | SC-22 |
| SC-23 | Session Authenticity | Not Selected | SC-23 | SC-23 (1) |
| SC-24 | Fail in Known State | Not Selected | Not Selected | SC-24 |
| SC-28 | Protection of Information At Rest | Not Selected | SC-28 (1) | SC-28 (1) |
| SC-39 | Process Isolation | SC-39 | SC-39 | SC-39 |
| SI | System and Information Integrity | | | |
| SI-1 | System and Information Integrity Policy and Procedures | SI-1 | SI-1 | SI-1 |
| SI-2 | Flaw Remediation | SI-2 | SI-2 (2) (3) | SI-2 (1) (2) (3) |
| SI-3 | Malicious Code Protection | SI-3 | SI-3 (1) (2) (7) | SI-3 (1) (2) (7) |
| SI-4 | Information System Monitoring | SI-4 | SI-4 (1) (2) (4) (5) (14) (16) (23) | SI-4 (1) (2) (4) (5) (11) (14) (16) (18) (19) (20) (22) (23) (24) |
| SI-5 | Security Alerts, Advisories and Directives | SI-5 | SI-5 | SI-5 (1) |
| SI-6 | Security Function Verification | Not Selected | SI-6 | SI-6 |
| SI-7 | Software, Firmware and Information Integrity | Not Selected | SI-7 (1) (7) | SI-7 (1) (2) (5) (7) (14) |
| SI-8 | Spam Protection | Not Selected | SI-8 (1) (2) | SI-8 (1) (2) |
| SI-10 | Information Input Validation | Not Selected | SI-10 | SI-10 |
| SI-11 | Error Handling | Not Selected | SI-11 | SI-11 |
| SI-12 | Information Handling and Retention | SI-12 | SI-12 | SI-12 |
| SI-16 | Memory Protection | SI-16 | SI-16 | SI-16 |

*FedRAMP does not include CM-7 (4) in the Moderate Baseline. NIST supplemental guidance states that CM-7 (4) is not required if (5) is implemented.

Note: The -1 Controls (AC-1, AU-1, SC-1, etc.) cannot be inherited and must be provided in some way by the service provider.

Instruction: In the sections that follow, describe the information security control as it is implemented on the system. All controls originate from a system or from a business process. It is important to describe where the control originates from so that it is clear whose responsibility it is to implement, manage and monitor the control.
In some cases, the responsibility is shared by a CSP and by the customer. Use the definitions in the table that follows to indicate where each security control originates from. Throughout this SSP, policies and procedures must be explicitly referenced (title and date or version) so that it is clear which document is being referred to. Section numbers or similar mechanisms should allow the reviewer to easily find the reference. For SaaS and PaaS systems that are inheriting controls from an IaaS (or anything lower in the stack), the “inherited” check box must be checked and the implementation description must simply say “inherited.” FedRAMP reviewers will determine whether the control-set is appropriate or not.

In Section 13, the NIST term "organization defined" must be interpreted as being the CSP's responsibility unless otherwise indicated. In some cases the JAB has chosen to define or provide parameters; in others they have left the decision up to the CSP.

Please note: CSPs should not modify the control requirement text, including the parameter assignment instructions and additional FedRAMP requirements. CSP responses must be documented in the “Control Summary Information” and “What is the solution and how is it implemented?” tables.

Delete this and all other instructions from your final version of this document.

The definitions in Table 13-2 Control Origination and Definitions indicate where each security control originates.

Table 13-2. Control Origination and Definitions

| Control Origination | Definition | Example |
|---|---|---|
| Service Provider Corporate | A control that originates from the CSP Name corporate network. | DNS from the corporate network provides address resolution services for the information system and the service offering. |
| Service Provider System Specific | A control specific to a particular system at the CSP Name; the control is not part of the standard corporate controls. | A unique host-based intrusion detection system (HIDS) is available on the service offering platform but is not available on the corporate network. |
| Service Provider Hybrid | A control that makes use of both corporate controls and additional controls specific to a particular system at the CSP Name. | There are scans of the corporate network infrastructure; scans of databases and web-based applications are system specific. |
| Configured by Customer | A control where the customer needs to apply a configuration in order to meet the control requirement. | User profiles, policy/audit configurations, enabling/disabling key switches (e.g., enable/disable http* or https, etc.), entering an IP range specific to their organization are configurable by the customer. |
| Provided by Customer | A control where the customer needs to provide additional hardware or software in order to meet the control requirement. | The customer provides a SAML SSO solution to implement two-factor authentication. |
| Shared | A control that is managed and implemented partially by the CSP Name and partially by the customer. | Security awareness training must be conducted by both the CSP Name and the customer. |
| Inherited from pre-existing FedRAMP Authorization | A control that is inherited from another CSP Name system that has already received a FedRAMP Authorization. | A PaaS or SaaS provider inherits PE controls from an IaaS provider. |

*Hyper Text Transport Protocol (http)

Responsible Role indicates the role of the CSP employee who can best respond to questions about the particular control that is described.

Access Control (AC)

AC-1 Access Control Policy and Procedures Requirements (L) (M)

The organization:
a. Develops, documents and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
   1. Access control policy [FedRAMP Assignment: at least every 3 years]; and
   2. Access control procedures [FedRAMP Assignment: at least annually].

AC-1 Control Summary Information
Responsible Role:
Parameter AC-1(a):
Parameter AC-1(b)(1):
Parameter AC-1(b)(2):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)

AC-1 What is the solution and how is it implemented?
Part a:
Part b1:
Part b2:

AC-2 Account Management (L) (M)

The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
   1. When accounts are no longer required;
   2. When users are terminated or transferred; and
   3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
   1. A valid access authorization;
   2. Intended system usage; and
   3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [FedRAMP Assignment: at least annually]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

AC-2 Control Summary Information
Responsible Role:
Parameter AC-2(a):
Parameter AC-2(e):
Parameter AC-2(f):
Parameter AC-2(j):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-2 What is the solution and how is it implemented?
Part a:
Part b:
Part c:
Part d:
Part e:
Part f:
Part g:
Part h:
Part i:
Part j:
Part k:

AC-2 (1) Control Enhancement (M) (H)

The organization employs automated mechanisms to support the management of information system accounts.

AC-2 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-2 (1) What is the solution and how is it implemented?

AC-2 (2) Control Enhancement (M)

The information system automatically [Selection: removes; disables] temporary and emergency accounts after [FedRAMP Assignment: no more than 30 days for temporary and emergency account types].

AC-2 (2) Control Summary Information
Responsible Role:
Parameter AC-2(2)-1:
Parameter AC-2(2)-2:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-2 (2) What is the solution and how is it implemented?

AC-2 (3) Control Enhancement (M)

The information system automatically disables inactive accounts after [FedRAMP Assignment: ninety (90) days for user accounts].

AC-2 (3) Additional FedRAMP Requirements and Guidance:
Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the Joint Authorization Board (JAB)/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available.

AC-2 (3) Control Enhancement Summary Information
Responsible Role:
Parameter AC-2(3):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-2 (3) What is the solution and how is it implemented?

AC-2 (4) Control Enhancement (M)

The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].

AC-2 (4) Control Summary Information
Responsible Role:
Parameter AC-2(4):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-2 (4) What is the solution and how is it implemented?

AC-2 (5) Control Enhancement (M)

The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].

AC-2 (5) Additional FedRAMP Requirements and Guidance:
Guidance: Should use a shorter timeframe than AC-12.

AC-2 (5) Control Summary Information
Responsible Role:
Parameter AC-2(5):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-2 (5) What is the solution and how is it implemented?

AC-2 (7) Control Enhancement (M)

The organization:
a. Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
b. Monitors privileged role assignments; and
c. Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.

AC-2 (7) Control Summary Information
Responsible Role:
Parameter AC-2(7)(c):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-2 (7) What is the solution and how is it implemented?
Part a:
Part b:
Part c:

AC-2 (9) Control Enhancement (M)

The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts].

AC-2 (9) Additional FedRAMP Requirements and Guidance:
Required if shared/group accounts are deployed.

AC-2 (9) Control Summary Information
Responsible Role:
Parameter AC-2(9):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-2 (9) What is the solution and how is it implemented?

AC-2 (10) Control Enhancement (M) (H)

The information system terminates shared/group account credentials when members leave the group.

AC-2 (10) Additional FedRAMP Requirements and Guidance:
Required if shared/group accounts are deployed.

AC-2 (10) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-2 (10) What is the solution and how is it implemented?

AC-2 (12) Control Enhancement (M)

The organization:
a. Monitors information system accounts for [Assignment: organization-defined atypical use]; and
b. Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].

AC-2 (12) (a) and AC-2 (12) (b) Additional FedRAMP Requirements and Guidance:
Required for privileged accounts.

AC-2 (12) Control Summary Information
Responsible Role:
Parameter AC-2(12)(a):
Parameter AC-2(12)(b):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-2 (12) What is the solution and how is it implemented?
Part a:
Part b:

AC-3 Access Enforcement (L) (M) (H)

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

AC-3 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-3 What is the solution and how is it implemented?

AC-4 Information Flow Enforcement (M) (H)

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].

AC-4 Control Summary Information
Responsible Role:
Parameter AC-4:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-4 What is the solution and how is it implemented?

AC-4 (21) Control Enhancement (M) (H)

The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].

AC-4 (21) Control Summary Information
Responsible Role:
Parameter AC-4(21)-1:
Parameter AC-4(21)-2:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-4 (21) What is the solution and how is it implemented?

AC-5 Separation of Duties (M) (H)

The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.

AC-5 Additional FedRAMP Requirements and Guidance:
Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP. Directions for attaching the Separation of Duties Matrix document may be found in Section 15.11 ATTACHMENT 11 - Separation of Duties Matrix.

AC-5 Control Summary Information
Responsible Role:
Parameter AC-5(a):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-5 What is the solution and how is it implemented?
Part a:
Part b:
Part c:

AC-6 Least Privilege (M) (H)

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

AC-6 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

AC-6 What is the solution and how is it implemented?

AC-6 (1) Control Enhancement (M)

The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].

AC-6 (1) Control Summary Information
Responsible Role:
Parameter AC-6(1):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
, Date of Authorization AC-6 (1) What is the solution and how is it implemented?AC-6 (2) Control Enhancement (M) (H)The organization requires that users of information system accounts, or roles, with access to [FedRAMP Assignment: all security functions], use non-privileged accounts or roles, when accessing non-security functions.AC-6 (2) Additional FedRAMP Requirements and Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.AC-6 (2)Control Summary InformationResponsible Role: Parameter AC-6(2): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Date of Authorization , AC-6 (2) What is the solution and how is it implemented?AC 6 (5) Control Enhancement (M) (H)The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].AC-6 (5)Control Summary InformationResponsible Role: Parameter AC-6 (5): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? 
Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-6 (5) What is the solution and how is it implemented?AC-6 (9) Control Enhancement (M) (H)The information system audits the execution of privileged functions.AC-6 (9)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-6 (9) What is the solution and how is it implemented?AC-6 (10) Control Enhancement (M) (H)The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.AC-6 (10)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization AC-6 (10) What is the solution and how is it implemented?AC-7 Unsuccessful Login Attempts (L) (M)The organization:Enforces a limit of [FedRAMP Assignment: not more than three (3)] consecutive invalid logon attempts by a user during a [FedRAMP Assignment: fifteen (15) minutes]; andAutomatically [Selection: locks the account/node for a [FedRAMP Assignment: thirty (30) minutes]; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.AC-7Control Summary InformationResponsible Role: Parameter AC-7(a)-1: Parameter AC-7(a)-2: Parameter AC-7(b)-1: Parameter AC-7(b)-2: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-7 What is the solution and how is it implemented?Part aPart bAC-8 System Use Notification (L) (M) (H)The information system:Displays to users [Assignment: organization-defined system use notification message or banner (FedRAMP Assignment: see additional Requirements and Guidance)] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:Users are accessing a U.S. 
Government information system;Information system usage may be monitored, recorded, and subject to audit;Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; andUse of the information system indicates consent to monitoring and recording;Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; andFor publicly accessible systems:Displays system use information [Assignment: organization-defined conditions (FedRAMP Assignment: see additional Requirements and Guidance)], before granting further access;Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; andIncludes a description of the authorized uses of the system.AC-8 Additional FedRAMP Requirements and Guidance: Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. 
The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.AC-8Control Summary InformationResponsible Role: Parameter AC-8(a): Parameter AC-8(c)-1: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-8 What is the solution and how is it implemented?Part aPart bPart cAdditional FedRAMP Requirements and GuidanceRequirement 1: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.Requirement 2: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.Requirement 3: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.AC-8 Req.Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? 
Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-8 What is the solution and how is it implemented?Req. 1Req. 2Req. 3AC-10 Concurrent Session Control (M) (H)The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [FedRAMP Assignment: three (3) sessions for privileged access and two (2) sessions for non-privileged access].AC-10Control Summary InformationResponsible Role: Parameter AC-10-1: Parameter AC-10-2: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization AC-10 What is the solution and how is it implemented?AC-11 Session Lock (M) (H)The information system:Prevents further access to the system by initiating a session lock after [FedRAMP Assignment: fifteen (15) minutes] of inactivity or upon receiving a request from a user; andRetains the session lock until the user reestablishes access using established identification and authentication procedures.AC-11Control Summary InformationResponsible Role: Parameter AC-11(a): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-11 What is the solution and how is it implemented?Part aPart bAC-11 (1) Control Enhancement (M) (H)The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.AC-11 (1)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization AC-11 (1) What is the solution and how is it implemented?AC-12 Session Termination (M) (H)The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].AC-12Control Summary InformationResponsible Role: Parameter AC-12: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-12 What is the solution and how is it implemented?AC-14 Permitted Actions without Identification or Authentication (L) (M) (H)The organization:Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; andDocuments and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.AC-14Control Summary InformationResponsible Role: Parameter AC-14(a): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? 
Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-14 What is the solution and how is it implemented?Part aPart bAC-17 Remote Access (L) (M) (H)The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; andAuthorizes remote access to the information system prior to allowing such connections.AC-17Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-17 What is the solution and how is it implemented?Part aPart bAC-17 (1) Control Enhancement (M) (H)The information system monitors and controls remote access methods.AC-17 (1)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization AC-17 (1) What is the solution and how is it implemented?AC-17 (2) Control Enhancement (M) (H)The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.AC-17 (2)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-17 (2) What is the solution and how is it implemented?AC-17 (3) Control Enhancement (M) (H)The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.AC-17 (3)Control Summary InformationResponsible Role: Parameter AC-17(3): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization AC-17 (3) What is the solution and how is it implemented?AC-17 (4) Control Enhancement (M) (H)The organization: Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; andDocuments the rationale for such access in the security plan for the information system.AC-17 (4)Control Summary InformationResponsible Role: Parameter AC-17(4)(a): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-17 (4) What is the solution and how is it implemented?Part aPart bAC-17 (9) Control Enhancement (M) (H)The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [FedRAMP Assignment: fifteen (15) minutes].AC-17 (9)Control Summary InformationResponsible Role: Parameter AC-17(9): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization AC-17 (9) What is the solution and how is it implemented?AC-18 Wireless Access Restrictions (L) (M) (H)The organization:Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; andAuthorizes wireless access to the information system prior to allowing such connections.AC-18Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-18 What is the solution and how is it implemented?Part aPart bAC-18 (1) Control Enhancement (M) (H)The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. AC-18 (1)Control Summary InformationResponsible Role: Parameter AC-18 (1): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization AC-18 (1) What is the solution and how is it implemented?AC-19 Access Control for Portable and Mobile Systems (L) (M) (H)The organization:Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; andAuthorizes the connection of mobile devices to organizational information systems.AC-19Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-19 What is the solution and how is it implemented?Part aPart bAC-19 (5) Control Enhancement (M) (H)The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].AC-19 (5)Control Summary InformationResponsible Role: Parameter AC-19(5)-1: Parameter AC-19(5)-2: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization AC-19 (5) What is the solution and how is it implemented?AC-20 Use of External Information Systems (L) (M) (H)The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:Access the information system from external information systems; andProcess, store, or transmit organization-controlled information using external information systems.AC-20Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization AC-20 What is the solution and how is it implemented?Part aPart bAC-20 (1) Control Enhancement (M) (H)The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; orRetains approved information system connection or processing agreements with the organizational entity hosting the external information system.AC-20 (1)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? 
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AC-20 (1) What is the solution and how is it implemented?
Part a
Part b

AC-20 (2) Control Enhancement (M) (H)
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.

AC-20 (2) Control Summary Information
Responsible Role:
Parameter AC-20(2):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AC-20 (2) What is the solution and how is it implemented?

AC-21 Information Sharing (M) (H)
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.

AC-21 Control Summary Information
Responsible Role:
Parameter AC-21(a):
Parameter AC-21(b):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AC-21 What is the solution and how is it implemented?
Part a
Part b

AC-22 Publicly Accessible Content (L) (M) (H)
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [FedRAMP Assignment: at least quarterly] and removes such information, if discovered.

AC-22 Control Summary Information
Responsible Role:
Parameter AC-22:
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AC-22 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

Awareness and Training (AT)

AT-1 Security Awareness and Training Policy and Procedures (L) (M)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
   1. Security awareness and training policy [FedRAMP Assignment: at least every 3 years]; and
   2. Security awareness and training procedures [FedRAMP Assignment: at least annually].

AT-1 Control Summary Information
Responsible Role:
Parameter AT-1(a):
Parameter AT-1(b)(1):
Parameter AT-1(b)(2):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)

AT-1 What is the solution and how is it implemented?
Part a
Part b

AT-2 Security Awareness (L) (M) (H)
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [FedRAMP Assignment: at least annually] thereafter.

AT-2 Control Summary Information
Responsible Role:
Parameter AT-2(c):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AT-2 What is the solution and how is it implemented?
Part a
Part b
Part c

AT-2 (2) Control Enhancement (M) (H)
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

AT-2 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AT-2 (2) What is the solution and how is it implemented?

AT-3 Role-Based Security Training (L) (M) (H)
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [FedRAMP Assignment: at least annually] thereafter.

AT-3 Control Summary Information
Responsible Role:
Parameter AT-3(c):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AT-3 What is the solution and how is it implemented?
Part a
Part b
Part c

AT-4 Security Training Records (L) (M)
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [FedRAMP Assignment: at least one year].

AT-4 Control Summary Information
Responsible Role:
Parameter AT-4(b):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AT-4 What is the solution and how is it implemented?
Part a
Part b

Audit and Accountability (AU)

AU-1 Audit and Accountability Policy and Procedures (L) (M)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
   1. Audit and accountability policy [FedRAMP Assignment: at least every 3 years]; and
   2. Audit and accountability procedures [FedRAMP Assignment: at least annually].

AU-1 Control Summary Information
Responsible Role:
Parameter AU-1(a):
Parameter AU-1(b)(1):
Parameter AU-1(b)(2):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)

AU-1 What is the solution and how is it implemented?
Part a
Part b

AU-2 Audit Events (L) (M) (H)
The organization:
a. Determines that the information system is capable of auditing the following events: [FedRAMP Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events.
For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [FedRAMP Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited continually for each identified event].

AU-2 Additional FedRAMP Requirements and Guidance:
Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.

AU-2 Control Summary Information
Responsible Role:
Parameter AU-2(a):
Parameter AU-2(d):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-2 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

AU-2 (3) Control Enhancement (M) (H)
The organization reviews and updates the audited events [FedRAMP Assignment: annually or whenever there is a change in the threat environment].

AU-2 (3) Additional FedRAMP Requirements and Guidance:
Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.

AU-2 (3) Control Summary Information
Responsible Role:
Parameter AU-2(3):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-2 (3) What is the solution and how is it implemented?

AU-3 Content of Audit Records (L) (M) (H)
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

AU-3 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-3 What is the solution and how is it implemented?

AU-3 (1) Control Enhancement (M)
The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].

AU-3 (1) Additional FedRAMP Requirements and Guidance:
Requirement: The service provider defines audit record types [FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon]. The audit record types are approved and accepted by the JAB.
Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

AU-3 (1) Control Summary Information
Responsible Role:
Parameter AU-3(1):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-3 (1) What is the solution and how is it implemented?

AU-4 Audit Storage Capacity (L) (M) (H)
The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
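AU-2 a., AU-3 and AU-8 b. above state what an audit record must carry (an event type from the FedRAMP event list; what, when, where, source, outcome and identity; a time stamp that maps to UTC at one-second granularity) but the template leaves the check itself to the service provider. The following Python is an added example, not part of the FedRAMP template or any CSP's implementation: it validates a constructed JSON-lines audit log against those three requirements and reports, per line, what a reviewer would flag. The JSON field names (event_type, timestamp, host, source, outcome, subject), the snake_case category labels and the success/failure outcome vocabulary are this example's own assumed schema, not FedRAMP's.

```python
import json
import re
from datetime import datetime

# AU-2 a. (FedRAMP assignment): event categories the system must be capable of auditing.
# The snake_case names are this example's own labels for those categories (an assumption).
AU2_EVENT_CATEGORIES = {
    "account_logon", "account_management", "object_access", "policy_change",
    "privilege_function", "process_tracking", "system_event",
}

# AU-3: a record must establish what, when, where, source, outcome and identity.
# The JSON field names are an assumed schema, not FedRAMP's; values name the AU-3 element.
AU3_REQUIRED_FIELDS = {
    "event_type": "what type of event occurred",
    "timestamp": "when the event occurred",
    "host": "where the event occurred",
    "source": "source of the event",
    "outcome": "outcome of the event",
    "subject": "identity of the individual or subject associated with the event",
}

# AU-2 a. distinguishes successful from unsuccessful events, so outcome is limited to these.
VALID_OUTCOMES = {"success", "failure"}


def check_timestamp(value):
    """AU-8 b.: the time stamp must be mappable to UTC and carry one-second granularity.

    Returns an empty list when the value is acceptable, otherwise the reasons it is not.
    """
    problems = []
    if not isinstance(value, str):
        return ["timestamp is not a string"]
    try:
        # "Z" is rewritten so the parse also works on Python versions before 3.11.
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return ["timestamp is not ISO 8601"]
    if ts.utcoffset() is None:
        problems.append("timestamp has no UTC offset, so it cannot be mapped to UTC")
    # A time of the form HH:MM with no seconds field only has minute granularity.
    if not re.search(r"T\d{2}:\d{2}:\d{2}", value):
        problems.append("timestamp granularity is coarser than one second")
    return problems


def validate_record(record):
    """Return the AU-2/AU-3/AU-8 findings for one parsed record (empty list = compliant)."""
    findings = []
    for field, element in AU3_REQUIRED_FIELDS.items():
        if not record.get(field):
            findings.append(f"missing AU-3 element '{field}' ({element})")
    if record.get("event_type") and record["event_type"] not in AU2_EVENT_CATEGORIES:
        findings.append(f"event_type '{record['event_type']}' is not an AU-2 auditable event category")
    if record.get("outcome") and record["outcome"] not in VALID_OUTCOMES:
        findings.append(f"outcome '{record['outcome']}' is not one of {sorted(VALID_OUTCOMES)}")
    if record.get("timestamp"):
        findings.extend(check_timestamp(record["timestamp"]))
    return findings


def audit_log_report(lines):
    """Validate a JSON-lines audit log; findings are keyed by 1-based line number."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            # A line that is not a structured record cannot be shown to satisfy AU-3 at all.
            findings[number] = ["record is not valid JSON"]
            continue
        problems = validate_record(record)
        if problems:
            findings[number] = problems
    return {"total": len(lines), "compliant": len(lines) - len(findings), "findings": findings}


# Constructed sample log: one compliant record and four records that would fail review.
SAMPLE_LOG = [
    '{"event_type": "account_logon", "timestamp": "2024-05-01T13:07:42Z", "host": "app-01", '
    '"source": "203.0.113.5", "outcome": "failure", "subject": "jdoe"}',
    '{"event_type": "object_access", "timestamp": "2024-05-01T13:08:01+00:00", "host": "db-01", '
    '"source": "app-01", "outcome": "success"}',
    '{"event_type": "policy_change", "timestamp": "2024-05-01T09:08", "host": "dc-01", '
    '"source": "console", "outcome": "success", "subject": "admin"}',
    '{"event_type": "debug", "timestamp": "2024-05-01T13:09:00Z", "host": "app-01", '
    '"source": "cron", "outcome": "ok", "subject": "svc-batch"}',
    'May  1 13:10:00 app-01 sshd[4242]: Accepted publickey for jdoe',
]

if __name__ == "__main__":
    report = audit_log_report(SAMPLE_LOG)
    print(f"{report['compliant']} of {report['total']} records meet AU-2/AU-3/AU-8")
    for number, problems in sorted(report["findings"].items()):
        for problem in problems:
            print(f"line {number}: {problem}")
```

The second sample record has no subject (an AU-3 identity gap), the third carries a local time with no offset and no seconds field (both AU-8 b. failures), the fourth uses an event type and outcome outside the AU-2 vocabulary, and the fifth is an unstructured syslog line. Running the same check over a sample of production records is a cheap way to substantiate the "What is the solution and how is it implemented?" answer for AU-3 before a 3PAO asks for evidence.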
AU-4 Control Summary Information
Responsible Role:
Parameter AU-4:
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-4 What is the solution and how is it implemented?

AU-5 Response to Audit Processing Failures (L) (M) (H)
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [FedRAMP Assignment: organization-defined actions to be taken; (overwrite oldest record)].

AU-5 Control Summary Information
Responsible Role:
Parameter AU-5(a):
Parameter AU-5(b):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-5 What is the solution and how is it implemented?
Part a
Part b

AU-6 Audit Review, Analysis, and Reporting (L) (M) (H)
The organization:
a. Reviews and analyzes information system audit records [FedRAMP Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles].

AU-6 Additional FedRAMP Requirements and Guidance:
Requirement: Coordination between service provider and consumer shall be documented and accepted by the Authorizing Official. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.

AU-6 Control Summary Information
Responsible Role:
Parameter AU-6(a)-1:
Parameter AU-6(a)-2:
Parameter AU-6(b):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-6 What is the solution and how is it implemented?
Part a
Part b

AU-6 (1) Control Enhancement (M) (H)
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

AU-6 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-6 (1) What is the solution and how is it implemented?

AU-6 (3) Control Enhancement (M) (H)
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

AU-6 (3) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-6 (3) What is the solution and how is it implemented?

AU-7 Audit Reduction and Report Generation (M) (H)
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records.

AU-7 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-7 What is the solution and how is it implemented?
Part a
Part b

AU-7 (1) Control Enhancement (M) (H)
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].

AU-7 (1) Control Summary Information
Responsible Role:
Parameter AU-7(1):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-7 (1) What is the solution and how is it implemented?

AU-8 Time Stamps (L) (M) (H)
The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: one second granularity of time measurement].

AU-8 Control Summary Information
Responsible Role:
Parameter AU-8(b):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-8 What is the solution and how is it implemented?
Part a
Part b

AU-8 (1) Control Enhancement (M) (H)
The information system:
a. Compares the internal information system clocks with [FedRAMP Assignment: authoritative time source: [http://tf.nist.gov/tf-cgi/servers.cgi] [at least hourly]]; and
b. Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].

AU-8 (1) Additional FedRAMP Requirements and Guidance:
Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.
Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.
Guidance: The service provider selects primary and secondary time servers used by the NIST Internet time service, or by a Stratum-1 time server. The secondary server is selected from a different geographic region than the primary server. If using Windows Active Directory, all servers should synchronize time with the time source for the Windows Domain Controller. If using some other directory services (e.g., LDAP), all servers should synchronize time with the time source for the directory server. Synchronization of system clocks improves the accuracy of log analysis.

AU-8 (1) Control Summary Information
Responsible Role:
Parameter AU-8(1)(a)-1:
Parameter AU-8(1)(a)-2:
Parameter AU-8(1)(b):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-8 (1) What is the solution and how is it implemented?
Part a
Part b

AU-9 Protection of Audit Information (L) (M) (H)
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

AU-9 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-9 What is the solution and how is it implemented?

AU-9 (2) Control Enhancement (M) (H)
The information system backs up audit records [FedRAMP Assignment: at least weekly] onto a physically different system or system component than the system or component being audited.

AU-9 (2) Control Summary Information
Responsible Role:
Parameter AU-9(2):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-9 (2) What is the solution and how is it implemented?

AU-9 (4) Control Enhancement (M) (H)
The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].

AU-9 (4) Control Summary Information
Responsible Role:
Parameter AU-9(4):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-9 (4) What is the solution and how is it implemented?

AU-11 Audit Record Retention (M)
The organization retains audit records for [FedRAMP Assignment: at least ninety (90) days] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

AU-11 Additional FedRAMP Requirements and Guidance:
Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

AU-11 Control Summary Information
Responsible Role:
Parameter AU-11:
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-11 What is the solution and how is it implemented?

AU-12 Audit Generation (L) (M) (H)
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [FedRAMP Assignment: all information system components where audit capability is deployed/available];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

AU-12 Control Summary Information
Responsible Role:
Parameter AU-12(a):
Parameter AU-12(b):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

AU-12 What is the solution and how is it implemented?
Part a
Part b
Part c

Security Assessment and Authorization (CA)

CA-1 Certification, Authorization, Security Assessment Policy and Procedures (L) (M)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
   1. Security assessment and authorization policy [FedRAMP Assignment: at least every three (3) years]; and
   2. Security assessment and authorization procedures [FedRAMP Assignment: at least annually].

CA-1 Control Summary Information
Responsible Role:
Parameter CA-1(a):
Parameter CA-1(b)(1):
Parameter CA-1(b)(2):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)

CA-1 What is the solution and how is it implemented?
Part a
Part b

CA-2 Security Assessments (L) (M) (H)
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
   1. Security controls and control enhancements under assessment;
   2. Assessment procedures to be used to determine security control effectiveness; and
   3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [FedRAMP Assignment: at least annually] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [FedRAMP Assignment: individuals or roles to include the FedRAMP Program Management Office (PMO)].

CA-2 Additional FedRAMP Requirements and Guidance:
Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Annual Assessment Guidance, https://www.fedramp.gov/documents/

CA-2 Control Summary Information
Responsible Role:
Parameter CA-2(b):
Parameter CA-2(d):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

CA-2 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

CA-2 (1) Control Enhancement (L) (M) (H)
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.

CA-2 (1) Additional FedRAMP Requirements and Guidance:
Requirement: For JAB Authorization, must use an accredited Third Party Assessment Organization (3PAO).

CA-2 (1) Control Summary Information
Responsible Role:
Parameter CA-2(1):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

CA-2 (1) What is the solution and how is it implemented?

CA-2 (2) Control Enhancement (M) (H)
The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].

CA-2 (2) Additional FedRAMP Requirements and Guidance:
Requirement: To include "announced" and "vulnerability scanning", to occur at least annually.

CA-2 (2) Control Summary Information
Responsible Role:
Parameter CA-2(2)-1:
Parameter CA-2(2)-2:
Parameter CA-2(2)-3:
Parameter CA-2(2)-4:
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

CA-2 (2) What is the solution and how is it implemented?

CA-2 (3) Control Enhancement (M) (H)
The organization accepts the results of an assessment of [FedRAMP Assignment: organization-defined information system] performed by [FedRAMP Assignment: any FedRAMP Accredited 3PAO] when the assessment meets [FedRAMP Assignment: the conditions of the JAB/AO in the FedRAMP Repository].

CA-2 (3) Control Summary Information
Responsible Role:
Parameter CA-2(3)-1:
Parameter CA-2(3)-2:
Parameter CA-2(3)-3:
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

CA-2 (3) What is the solution and how is it implemented?

CA-3 System Interconnections (L) (M) (H)
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [FedRAMP Assignment: at least annually and on input from FedRAMP].

Table 13-3. CA-3 Authorized Connections

| Authorized Connections Information System Name | Name of Organization CSP Name System Connects To | Role and Name of Person Who Signed Connection Agreement | Name and Date of Interconnection Agreement |
|---|---|---|---|
| <Authorized Connections System Name> | <Name Org CSP System Connects To> | <Role and Name Signed Connection Agreement> | <Name and Date of Interconnection Agreement> |
| <Authorized Connections System Name> | <Name Org CSP System Connects To> | <Role and Name Signed Connection Agreement> | <Name and Date of Interconnection Agreement> |
| <Authorized Connections System Name> | <Name Org CSP System Connects To> | <Role and Name Signed Connection Agreement> | <Name and Date of Interconnection Agreement> |
| <Authorized Connections System Name> | <Name Org CSP System Connects To> | <Role and Name Signed Connection Agreement> | <Name and Date of Interconnection Agreement> |
| <Authorized Connections System Name> | <Name Org CSP System Connects To> | <Role and Name Signed Connection Agreement> | <Name and Date of Interconnection Agreement> |
| <Authorized Connections System Name> | <Name Org CSP System Connects To> | <Role and Name Signed Connection Agreement> | <Name and Date of Interconnection Agreement> |

CA-3 Control Summary Information
Responsible Role:
Parameter CA-3(c):
Implementation Status (check all that apply):
[ ] Implemented  [ ] Partially implemented  [ ] Planned  [ ] Alternative implementation  [ ] Not applicable
Control Origination (check all that apply):
[ ] Service Provider Corporate
[ ] Service Provider System Specific
[ ] Service Provider Hybrid (Corporate and System Specific)
[ ] Configured by Customer (Customer System Specific)
[ ] Provided by Customer (Customer System Specific)
[ ] Shared (Service Provider and Customer Responsibility)
[ ] Inherited from pre-existing FedRAMP Authorization for <Click here to enter text.>, Date of Authorization

CA-3 What is the solution and how is it implemented?
Part a
See § 11 for information about implementation.
Part bSee REF _Ref443637111 \h \* MERGEFORMAT Table 132 Control Origination and Definitions and REF _Ref437345183 \h \* MERGEFORMAT Table 111 System Interconnections for information about implementation. Part cCA-3 (3) Control Enhancement (M) (H)The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [FedRAMP Assignment: boundary protections which meet Trusted Internet Connection (TIC) requirements].CA-3 (3) Additional FedRAMP Requirements and Guidance: Guidance: Refer to Appendix H – Cloud Considerations of the TIC Reference Architecture document. Link: https://www.dhs.gov/publication/tic-reference-architecture-22CA-3 (3)Control Summary InformationResponsible Role: Parameter CA-3(3)-1: Parameter CA-3(3)-2: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization

CA-3 (3) What is the solution and how is it implemented?

CA-3 (5) Control Enhancement (M)
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
CA-3 (5) Additional FedRAMP Requirements and Guidance:
Guidance: For JAB Authorization, CSPs shall include details of this control in their architecture briefing.

CA-3 (5) Control Summary Information
Responsible Role:
Parameter CA-3(5)-1:
Parameter CA-3(5)-2:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CA-3 (5) What is the solution and how is it implemented?

CA-5 Plan of Action and Milestones (L) (M) (H)
The organization:
(a) Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
(b) Updates existing plan of action and milestones [FedRAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CA-5 Additional FedRAMP Requirements and Guidance:
Requirement: Plan of Action & Milestones (POA&M) must be provided at least monthly.
Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Plan of Action and Milestones (POA&M) Template Completion Guide: https://www.FedRAMP.gov/documents/

CA-5 Control Summary Information
Responsible Role:
Parameter CA-5(b):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CA-5 What is the solution and how is it implemented?
Part a
Part b

CA-6 Security Authorization (L) (M) (H)
The organization:
(a) Assigns a senior-level executive or manager as the authorizing official for the information system;
(b) Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
(c) Updates the security authorization [FedRAMP Assignment: in accordance with OMB A-130 requirements or when a significant change occurs].
CA-6 (c) Additional FedRAMP Requirements and Guidance:
Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F (SP 800-37). The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the JAB/AO.

CA-6 Control Summary Information
Responsible Role:
Parameter CA-6(c):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CA-6 What is the solution and how is it implemented?
Part a
Part b
Part c

CA-7 Continuous Monitoring (L) (M) (H)
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
(a) Establishment of [Assignment: organization-defined metrics] to be monitored;
(b) Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
(c) Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
(d) Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
(e) Correlation and analysis of security-related information generated by assessments and monitoring;
(f) Response actions to address results of the analysis of security-related information; and
(g) Reporting the security status of the organization and the information system to [FedRAMP Assignment: to meet Federal and FedRAMP requirements] [Assignment: organization-defined frequency].
CA-7 Additional FedRAMP Requirements and Guidance:
Requirement: Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
Guidance: CSPs must provide evidence of closure and remediation of a high vulnerability within the timeframe for standard POA&M updates.
Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Continuous Monitoring Strategy Guide: https://www.fedramp.gov/documents/

CA-7 Control Summary Information
Responsible Role:
Parameter CA-7(a):
Parameter CA-7(b)-1:
Parameter CA-7(b)-2:
Parameter CA-7(g)-1:
Parameter CA-7(g)-2:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CA-7 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e
Part f
Part g

CA-7 Additional FedRAMP Requirements and Guidance:
Requirement 1: Operating System Scans: at least monthly
Requirement 2: Database and Web Application Scans: at least monthly
Requirement 3: All scans performed by Independent Assessor: at least annually

CA-7 Req. Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CA-7 What is the solution and how is it implemented?
Req. 1
Req. 2
Req. 3

CA-7 (1) Control Enhancement (M) (H)
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.

CA-7 (1) Control Summary Information
Responsible Role:
Parameter CA-7(1):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CA-7 (1) What is the solution and how is it implemented?

CA-8 Penetration Testing (M) (H)
The organization conducts penetration testing [FedRAMP Assignment: at least annually] on [Assignment: organization-defined information systems or system components].
CA-8 Additional FedRAMP Requirements and Guidance:
Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Penetration Test Guidance: https://www.fedramp.gov/documents/

CA-8 Control Summary Information
Responsible Role:
Parameter CA-8-1:
Parameter CA-8-2:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
, Date of Authorization

CA-8 What is the solution and how is it implemented?

CA-8 (1) Control Enhancement (M) (H)
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

CA-8 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CA-8 (1) What is the solution and how is it implemented?

CA-9 Internal System Connections (L) (M) (H)
The organization:
(a) Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
(b) Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

CA-9 Control Summary Information
Responsible Role:
Parameter CA-9(a):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CA-9 What is the solution and how is it implemented?
Part a
Part b

Configuration Management (CM)

CM-1 Configuration Management Policies and Procedures (L) (M)
The organization:
(a) Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    (1) A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    (2) Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
(b) Reviews and updates the current:
    (1) Configuration management policy [FedRAMP Assignment: at least every three (3) years]; and
    (2) Configuration management procedures [FedRAMP Assignment: at least annually].

CM-1 Control Summary Information
Responsible Role:
Parameter CM-1(a):
Parameter CM-1(b)(1):
Parameter CM-1(b)(2):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)

CM-1 What is the solution and how is it implemented?
Part a
Part b

CM-2 Baseline Configuration (L) (M) (H)
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

CM-2 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-2 What is the solution and how is it implemented?

CM-2 (1) Control Enhancement (M)
The organization reviews and updates the baseline configuration of the information system:
(a) [FedRAMP Assignment: at least annually];
(b) When required due to [FedRAMP Assignment: to include when directed by the JAB]; and
(c) As an integral part of information system component installations and upgrades.

CM-2 (1) Control Summary Information
Responsible Role:
Parameter CM-2(1)(a):
Parameter CM-2(1)(b):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-2 (1) What is the solution and how is it implemented?
Part a
Part b
Part c

CM-2 (2) Control Enhancement (M) (H)
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

CM-2 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-2 (2) What is the solution and how is it implemented?

CM-2 (3) Control Enhancement (M)
The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.

CM-2 (3) Control Summary Information
Responsible Role:
Parameter CM-2(3):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-2 (3) What is the solution and how is it implemented?

CM-2 (7) Control Enhancement (M) (H)
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.

CM-2 (7) Control Summary Information
Responsible Role:
Parameter CM-2(7)(a)-1:
Parameter CM-2(7)(a)-2:
Parameter CM-2(7)(b):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-2 (7) What is the solution and how is it implemented?
Part a
Part b

CM-3 Configuration Change Control (M) (H)
The organization:
(a) Determines the types of changes to the information system that are configuration-controlled;
(b) Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
(c) Documents configuration change decisions associated with the information system;
(d) Implements approved configuration-controlled changes to the information system;
(e) Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
CM-3 (e) Additional FedRAMP Requirements and Guidance:
Guidance: In accordance with record retention policies and procedures.
(f) Audits and reviews activities associated with configuration-controlled changes to the information system; and
(g) Coordinates and provides oversight for configuration change control activities through [FedRAMP Assignment: see additional FedRAMP requirements and guidance] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CM-3 Additional FedRAMP Requirements and Guidance:
Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

CM-3 Control Summary Information
Responsible Role:
Parameter CM-3(e):
Parameter CM-3(g)-1:
Parameter CM-3(g)-2:
Parameter CM-3(g)-3:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-3 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e
Part f
Part g

CM-4 Security Impact Analysis (L) (M) (H)
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

CM-4 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-4 What is the solution and how is it implemented?

CM-5 Access Restrictions for Change (M) (H)
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

CM-5 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-5 What is the solution and how is it implemented?

CM-5 (1) Control Enhancement (M) (H)
The information system enforces access restrictions and supports auditing of the enforcement actions.

CM-5 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-5 (1) What is the solution and how is it implemented?

CM-5 (3) Control Enhancement (M) (H)
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
CM-5 (3) Additional FedRAMP Requirements and Guidance:
Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be used.

CM-5 (3) Control Summary Information
Responsible Role:
Parameter CM-5(3):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-5 (3) What is the solution and how is it implemented?

CM-5 (5) Control Enhancement (M) (H)
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [FedRAMP Assignment: at least quarterly].

CM-5 (5) Control Summary Information
Responsible Role:
Parameter CM-5(5)(b):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-5 (5) What is the solution and how is it implemented?
Part a
Part b

CM-6 Configuration Settings (L) (M) (H)
The organization:
(a) Establishes and documents configuration settings for information technology products employed within the information system using [FedRAMP Assignment: see CM-6(a) Additional FedRAMP Requirements and Guidance] that reflect the most restrictive mode consistent with operational requirements;
CM-6 (a) Additional FedRAMP Requirements and Guidance:
Requirement 1: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings, or establish its own configuration settings if USGCB is not available.
If no recognized USGCB is available for the technology in use, the CSP should create its own baseline and include a justification statement as to how it arrived at the baseline configuration settings.
Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).
Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.
(b) Implements the configuration settings;
(c) Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
(d) Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

CM-6 Control Summary Information
Responsible Role:
Parameter CM-6(a)-1:
Parameter CM-6(a)-2:
Parameter CM-6(c)-1:
Parameter CM-6(c)-2:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-6 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

CM-6 (1) Control Enhancement (M) (H)
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].

CM-6 (1) Control Summary Information
Responsible Role:
Parameter CM-6(1):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-6 (1) What is the solution and how is it implemented?

CM-7 Least Functionality (L) (M) (H)
The organization:
(a) Configures the information system to provide only essential capabilities; and
(b) Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [FedRAMP Assignment: United States Government Configuration Baseline (USGCB)].
CM-7 Additional FedRAMP Requirements and Guidance:
Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish the list of prohibited or restricted functions, ports, protocols, and/or services, or establish its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
If no recognized USGCB is available for the technology in use, the CSP should create their own baseline and include a justification statement as to how they came up with the baseline configuration settings.

Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline. Partially derived from AC-17 (8).

CM-7 Control Summary Information
Responsible Role:
Parameter CM-7(b):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-7 What is the solution and how is it implemented?
Part a
Part b

CM-7 (1) Control Enhancement (M) (H)
The organization:
a. Reviews the information system [FedRAMP Assignment: at least monthly] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
b. Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].

CM-7 (1) Control Summary Information
Responsible Role:
Parameter CM-7(1)(a):
Parameter CM-7(1)(b):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-7 (1) What is the solution and how is it implemented?
Part a
Part b

CM-7 (2) Control Enhancement (M) (H)
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].

CM-7 (2) Additional FedRAMP Requirements and Guidance:
Guidance: This control shall be implemented in a technical manner on the information system so that only programs that adhere to the policy are allowed to run (i.e., whitelisting). This control is not to be based strictly on a written policy stating what is allowed or not allowed to run.

CM-7 (2) Control Summary Information
Responsible Role:
Parameter CM-7(2):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-7 (2) What is the solution and how is it implemented?

CM-7 (5) Control Enhancement (M)
The organization:
a. Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
b. Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
c. Reviews and updates the list of authorized software programs [FedRAMP Assignment: at least annually or when there is a change].
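The deny-all, permit-by-exception policy that CM-7 (5) (and the technical whitelisting CM-7 (2) guidance asks for) describes, as an added example that is not part of the FedRAMP template or of any CSP's implementation. The authorized list is keyed by the SHA-256 digest of the executable rather than by its name, so a renamed or tampered binary does not inherit an authorization, everything absent from the list is denied by default, and the annual-or-on-change review in part (c) is checked alongside. The program names, bytes and review dates are constructed sample data; `AUTHORIZED_PROGRAMS`, `execution_decision` and the other names are this example's own.

```python
"""Deny-all, permit-by-exception execution allowlist in the spirit of CM-7 (5).

Added example, not part of the FedRAMP SSP template: the authorized-software
list is keyed by the SHA-256 digest of the executable, so a renamed or tampered
binary does not inherit an authorization. Everything absent from the list is
denied by default. All program names, bytes and dates are constructed sample data.
"""
import hashlib
from datetime import date, timedelta

# Constructed authorized-software list (CM-7 (5)(a)). In practice this comes
# from the CSP's maintained software inventory, not from source code.
AUTHORIZED_PROGRAMS = {
    hashlib.sha256(b"constructed bytes of app-a 1.2").hexdigest(): "app-a 1.2",
    hashlib.sha256(b"constructed bytes of app-b 3.0").hexdigest(): "app-b 3.0",
}

REVIEW_INTERVAL = timedelta(days=365)  # CM-7 (5)(c): at least annually


def execution_decision(program_bytes, allowlist=AUTHORIZED_PROGRAMS):
    """Return (allowed, reason). Deny is the default; only an exact digest
    match on the allowlist permits execution (CM-7 (5)(b))."""
    digest = hashlib.sha256(program_bytes).hexdigest()
    if digest in allowlist:
        return True, "permit-by-exception: " + allowlist[digest]
    return False, "deny-all: sha256 " + digest[:16] + " is not on the authorized list"


def evaluate_requests(requests, allowlist=AUTHORIZED_PROGRAMS):
    """Apply the allowlist to a batch of (name, executable_bytes) requests and
    return [(name, allowed, reason), ...]. The name is informational only and
    never influences the decision."""
    return [(name, *execution_decision(data, allowlist)) for name, data in requests]


def allowlist_review_overdue(last_reviewed, today, changed_since_review=False):
    """CM-7 (5)(c): the list must be reviewed at least annually or when there is
    a change; either condition makes a review due. Dates are ISO strings."""
    last, now = date.fromisoformat(last_reviewed), date.fromisoformat(today)
    return changed_since_review or (now - last) > REVIEW_INTERVAL


# Constructed execution requests: an authorized binary, a tampered copy that
# keeps the same name, and a program that was never authorized.
SAMPLE_REQUESTS = [
    ("app-a", b"constructed bytes of app-a 1.2"),
    ("app-a", b"constructed bytes of app-a 1.2 with injected code"),
    ("unknown-tool", b"constructed bytes of some unlisted program"),
]

if __name__ == "__main__":
    for name, allowed, reason in evaluate_requests(SAMPLE_REQUESTS):
        print(f"{name:12} {'ALLOW' if allowed else 'DENY ':5} {reason}")
    print("review overdue:", allowlist_review_overdue("2023-01-01", "2024-03-01"))
```

Only the second request in the sample is the interesting one: it carries the authorized program's name but a different digest, and the deny-all default rejects it without any rule having to name it.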
CM-7 (5) Control Summary Information
Responsible Role:
Parameter CM-7(5)(a):
Parameter CM-7(5)(c):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-7 (5) What is the solution and how is it implemented?
Part a
Part b
Part c

CM-8 Information System Component Inventory (L) (M) (H)
The organization:
a. Develops and documents an inventory of information system components that:
   1. Accurately reflects the current information system;
   2. Includes all components within the authorization boundary of the information system;
   3. Is at the level of granularity deemed necessary for tracking and reporting; and
   4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [FedRAMP Assignment: at least monthly].

CM-8 Additional FedRAMP Requirements and Guidance:
Requirement: Must be provided at least monthly or when there is a change.

CM-8 Control Summary Information
Responsible Role:
Parameter CM-8(a)(4):
Parameter CM-8(b):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-8 What is the solution and how is it implemented?
Part a
Part b

CM-8 (1) Control Enhancement (M) (H)
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

Instruction: A description of the inventory information is documented in Section 10. It is not necessary to re-document it here.
Delete this and all other instructions from your final version of this document.

CM-8 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-8 (1) What is the solution and how is it implemented?

CM-8 (3) Control Enhancement (M) (H)
The organization:
a. Employs automated mechanisms [FedRAMP Assignment: Continuously, using automated mechanisms with a maximum five-minute delay in detection] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
b. Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].

CM-8 (3) Control Summary Information
Responsible Role:
Parameter CM-8(3)(a):
Parameter CM-8(3)(b):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-8 (3) What is the solution and how is it implemented?
Part a
Part b

CM-8 (5) Control Enhancement (M) (H)
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories.

CM-8 (5) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
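The CM-8 (3) mechanism described above, reconciling what a discovery scan observed against the authorized component inventory, as an added example that is not part of the FedRAMP template or of any CSP's tooling. Each hardware, software or firmware component missing from the authorized inventory becomes a finding, the response actions are drawn from a constructed policy that maps onto the control's selectable actions (disable network access, isolate, notify), and the gap between a component's first appearance and its detection is checked against the FedRAMP maximum of five minutes. Inventory entries, hosts, identifiers, timestamps and the `ISSO` notification role are constructed sample data; `Component`, `Observation`, `reconcile` and the other names are this example's own.

```python
"""Unauthorized-component detection against the authorized inventory (CM-8 (3)).

Added example, not part of the FedRAMP SSP template. A discovery scan is
reconciled against the authorized component inventory; every component absent
from it is reported with the response actions to take and whether the detection
delay met the five-minute maximum. All inventory entries, hosts, identifiers
and timestamps are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_DETECTION_DELAY = timedelta(minutes=5)  # FedRAMP assignment for CM-8 (3)(a)


@dataclass(frozen=True)
class Component:
    kind: str        # "hardware", "software" or "firmware"
    identifier: str  # asset tag, package@version, or firmware image digest
    host: str        # where the component was observed


@dataclass(frozen=True)
class Observation:
    component: Component
    first_seen: datetime   # when the component first appeared on the system
    detected_at: datetime  # when the automated mechanism reported it


# Constructed authorized inventory; a real one is the CM-8 inventory workbook.
AUTHORIZED = {
    Component("hardware", "asset-0001", "web-01"),
    Component("software", "nginx@1.24.0", "web-01"),
    Component("firmware", "bios@sha256:constructed-digest", "web-01"),
}

# Constructed policy for CM-8 (3)(b): which of the selectable actions apply
# to each component kind. "{role}" is filled with the notified role.
RESPONSE_POLICY = {
    "hardware": ["disable network access", "notify {role}"],
    "software": ["isolate host", "notify {role}"],
    "firmware": ["isolate host", "notify {role}"],
}


def find_unauthorized(observations, authorized=AUTHORIZED):
    """Return the observations whose component is not in the authorized inventory."""
    return [obs for obs in observations if obs.component not in authorized]


def response_actions(component, notify_role="ISSO"):
    """Pick the CM-8 (3)(b) actions for a component kind from the policy table."""
    return [action.format(role=notify_role) for action in RESPONSE_POLICY[component.kind]]


def reconcile(observations, authorized=AUTHORIZED, notify_role="ISSO"):
    """One finding per unauthorized component: the actions to take and whether
    the detection delay met the five-minute requirement."""
    findings = []
    for obs in find_unauthorized(observations, authorized):
        delay = obs.detected_at - obs.first_seen
        findings.append({
            "component": obs.component,
            "actions": response_actions(obs.component, notify_role),
            "delay_seconds": int(delay.total_seconds()),
            "within_sla": delay <= MAX_DETECTION_DELAY,
        })
    return findings


# Constructed scan results: one authorized component, one unauthorized package
# caught in three minutes, and one unknown NIC that took seven minutes to detect.
T0 = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_SCAN = [
    Observation(Component("software", "nginx@1.24.0", "web-01"), T0, T0 + timedelta(minutes=1)),
    Observation(Component("software", "netcat@1.10", "web-01"), T0, T0 + timedelta(minutes=3)),
    Observation(Component("hardware", "usb-nic-unknown", "web-01"), T0, T0 + timedelta(minutes=7)),
]

if __name__ == "__main__":
    for finding in reconcile(SAMPLE_SCAN):
        c = finding["component"]
        status = "OK" if finding["within_sla"] else "LATE"
        print(f"{c.kind:8} {c.identifier:16} on {c.host}: {finding['delay_seconds']}s "
              f"[{status}] -> {', '.join(finding['actions'])}")
```

The `within_sla` flag is the evidence an assessor would ask for under the FedRAMP assignment: a component that is eventually detected but only after seven minutes still counts against the five-minute maximum, so the scan cadence, not just the comparison, is what has to be shown.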
Date of Authorization

CM-8 (5) What is the solution and how is it implemented?

CM-9 Configuration Management Plan (M) (H)
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.

CM-9 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-9 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

CM-10 Software Usage Restrictions (L) (M) (H)
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

CM-10 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-10 What is the solution and how is it implemented?
Part a
Part b
Part c

CM-10 (1) Control Enhancement (M) (H)
The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].

CM-10 (1) Control Summary Information
Responsible Role:
Parameter CM-10(1):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-10 (1) What is the solution and how is it implemented?

CM-11 User-Installed Software (M) (H)
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance [FedRAMP Assignment: Continuously (via CM-7 (5))].

CM-11 Control Summary Information
Responsible Role:
Parameter CM-11(a):
Parameter CM-11(b):
Parameter CM-11(c):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CM-11 What is the solution and how is it implemented?
Part a
Part b
Part c

Contingency Planning (CP)

CP-1 Contingency Planning Policy and Procedures (L) (M)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
   1. Contingency planning policy [FedRAMP Assignment: at least every three (3) years]; and
   2. Contingency planning procedures [FedRAMP Assignment: at least annually].

CP-1 Control Summary Information
Responsible Role:
Parameter CP-1(a):
Parameter CP-1(b)(1):
Parameter CP-1(b)(2):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)

CP-1 What is the solution and how is it implemented?
Part a
Part b

CP-2 Contingency Plan (L) (M) (H)
The organization:
a. Develops a contingency plan for the information system that:
   1. Identifies essential missions and business functions and associated contingency requirements;
   2. Provides recovery objectives, restoration priorities, and metrics;
   3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
   4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
   5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
   6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [FedRAMP Assignment: at least annually];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.

CP-2 Additional FedRAMP Requirements and Guidance:
Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.

CP-2 Control Summary Information
Responsible Role:
Parameter CP-2(a)(6):
Parameter CP-2(b):
Parameter CP-2(d):
Parameter CP-2(f):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-2 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e
Part f
Part g

CP-2 (1) Control Enhancement (M) (H)
The organization coordinates contingency plan development with organizational elements responsible for related plans.

CP-2 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-2 (1) What is the solution and how is it implemented?

CP-2 (2) Control Enhancement (M) (H)
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

CP-2 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-2 (2) What is the solution and how is it implemented?

CP-2 (3) Control Enhancement (M) (H)
The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

CP-2 (3) Control Summary Information
Responsible Role:
Parameter CP-2(3):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-2 (3) What is the solution and how is it implemented?

CP-2 (8) Control Enhancement (M) (H)
The organization identifies critical information system assets supporting essential missions and business functions.

CP-2 (8) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
Date of Authorization

CP-2 (8) What is the solution and how is it implemented?

CP-3 Contingency Training (L) (M) (H)
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [FedRAMP Assignment: ten (10) days] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [FedRAMP Assignment: at least annually] thereafter.

CP-3 Control Summary Information
Responsible Role:
Parameter CP-3(a):
Parameter CP-3(c):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-3 What is the solution and how is it implemented?

CP-4 Contingency Plan Testing (M)
The organization:
a. Tests the contingency plan for the information system [FedRAMP Assignment: at least annually] using [FedRAMP Assignment: functional exercises] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
   CP-4(a) Additional FedRAMP Requirements and Guidance:
   Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended) and provides plans to FedRAMP prior to initiating testing. Test plans are approved and accepted by the JAB/AO prior to initiating testing.
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.

CP-4 Control Summary Information
Responsible Role:
Parameter CP-4(a)-1:
Parameter CP-4(a)-2:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-4 What is the solution and how is it implemented?
Part a
Part b
Part c

CP-4 (1) Control Enhancement (M) (H)
The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.

CP-4 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-4 (1) What is the solution and how is it implemented?

CP-6 Alternate Storage Site (M) (H)
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

CP-6 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-6 What is the solution and how is it implemented?
Part a
Part b

CP-6 (1) Control Enhancement (M) (H)
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.

CP-6 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-6 (1) What is the solution and how is it implemented?

CP-6 (3) Control Enhancement (M) (H)
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-6 (3) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-6 (3) What is the solution and how is it implemented?

CP-7 Alternate Processing Site (M) (H)
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [FedRAMP Assignment: see additional FedRAMP requirements and guidance] when the primary processing capabilities are unavailable;
   CP-7a Additional FedRAMP Requirements and Guidance:
   Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.

CP-7 Control Summary Information
Responsible Role:
Parameter CP-7(a)-1:
Parameter CP-7(a)-2:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-7 What is the solution and how is it implemented?
Part a
Part b
Part c

CP-7 (1) Control Enhancement (M) (H)
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.

CP-7 (1) Additional FedRAMP Requirements and Guidance:
Guidance: The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber-attack), the degree of separation between sites will be less relevant.

CP-7 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-7 (1) What is the solution and how is it implemented?

CP-7 (2) Control Enhancement (M) (H)
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-7 (2) What is the solution and how is it implemented?

CP-7 (3) Control Enhancement (M) (H)
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

CP-7 (3) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

CP-7 (3) What is the solution and how is it implemented?

CP-8 Telecommunications Services (M) (H)
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [FedRAMP Assignment: See CP-8 additional FedRAMP requirements and guidance] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

CP-8 Additional FedRAMP Requirements and Guidance:
Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.

CP-8 Control Summary Information
Responsible Role:
Parameter CP-8-1:
Parameter CP-8-2:
Implementation Status (check all that apply):
☐ Implemented
Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization CP-8 What is the solution and how is it implemented?CP-8 (1) Control Enhancement (M) (H)The organization:Develops primary and alternate telecommunications service agreements that contain priority- of-service provisions in accordance with organizational availability requirements (including recovery time objectives); andRequests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.CP-8 (1)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization CP-8 (1) What is the solution and how is it implemented?Part aPart bCP-8 (2) Control Enhancement (M) (H)The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.CP-8 (2)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization CP-8 (2) What is the solution and how is it implemented?CP-9 Information System Backup (L) (M) (H)The organization: CP-9 Additional FedRAMP Requirements and Guidance: Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. 
The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.Conducts backups of user-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]CP-9 (a) Additional FedRAMP Requirements and Guidance: Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online).Conducts backups of system-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; CP-9 (b) Additional FedRAMP Requirements and Guidance: Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online).Conducts backups of information system documentation including security-related documentation [FedRAMP Assignment: daily incremental; weekly full ]; and CP-9 (c) Additional FedRAMP Requirements and Guidance: Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online).Protects the confidentiality, integrity, and availability of backup information at storage locations. CP-9Control Summary InformationResponsible Role: Parameter CP-9(a): Parameter CP-9(b): Parameter CP-9(c): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization CP-9 What is the solution and how is it implemented?Part aPart bPart cPart dCP-9 (1) Control Enhancement (M)The organization tests backup information [FedRAMP Assignment: at least annually] to verify media reliability and information integrity.CP-9 (1)Control Summary InformationResponsible Role: Parameter CP-9 (1): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization CP-9 (1) What is the solution and how is it implemented?CP-9 (3) Control Enhancement (M) (H)The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.CP-9 (3)Control Summary InformationResponsible Role: Parameter CP-9(3): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization CP-9 (3) What is the solution and how is it implemented?CP-10 Information System Recovery and Reconstitution (L) (M) (H)The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.CP-10Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization CP-10 What is the solution and how is it implemented?CP-10 (2) Control Enhancement (M) (H)The information system implements transaction recovery for systems that are transaction-based.CP-10 (2)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization

CP-10 (2) What is the solution and how is it implemented?

Identification and Authentication (IA)

IA-1 Identification and Authentication Policy and Procedures (L) (M)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
   1. Identification and authentication policy [FedRAMP Assignment: at least every three (3) years]; and
   2. Identification and authentication procedures [FedRAMP Assignment: at least annually].

IA-1 Control Summary Information
Responsible Role:
Parameter IA-1(a):
Parameter IA-1(b)(1):
Parameter IA-1(b)(2):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific)

IA-1 What is the solution and how is it implemented?
Part a
Part b

IA-2 User Identification and Authentication (L) (M) (H)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

IA-2 Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-2 What is the solution and how is it implemented?

IA-2 (1) Control Enhancement (L) (M) (H)
The information system implements multifactor authentication for network access to privileged accounts.

IA-2 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-2 (1) What is the solution and how is it implemented?

IA-2 (2) Control Enhancement (M) (H)
The information system implements multifactor authentication for network access to non-privileged accounts.

IA-2 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-2 (2) What is the solution and how is it implemented?

IA-2 (3) Control Enhancement (M) (H)
The information system implements multifactor authentication for local access to privileged accounts.

IA-2 (3) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-2 (3) What is the solution and how is it implemented?

IA-2 (5) Control Enhancement (M) (H)
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.

IA-2 (5) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-2 (5) What is the solution and how is it implemented?

IA-2 (8) Control Enhancement (M) (H)
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

IA-2 (8) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-2 (8) What is the solution and how is it implemented?

IA-2 (11) Control Enhancement (M) (H)
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [FedRAMP Assignment: FIPS 140-2, NIAP* Certification, or NSA approval].
*National Information Assurance Partnership (NIAP)

IA-2 (11) Additional FedRAMP Requirements and Guidance
Guidance: PIV = separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials. FIPS 140-2 means validated by the Cryptographic Module Validation Program (CMVP).

IA-2 (11) Control Summary Information
Responsible Role:
Parameter IA-2(11):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-2 (11) What is the solution and how is it implemented?

IA-2 (12) Control Enhancement (L) (M) (H)
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.

IA-2 (12) Additional FedRAMP Requirements and Guidance
Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

IA-2 (12) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-2 (12) What is the solution and how is it implemented?

IA-3 Device Identification and Authentication (M) (H)
The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

IA-3 Control Summary Information
Responsible Role:
Parameter IA-3-1:
Parameter IA-3-2:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
, Date of Authorization

IA-3 What is the solution and how is it implemented?

IA-4 Identifier Management (L) (M)
The organization manages information system identifiers for users and devices by:
a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [FedRAMP Assignment: at least two (2) years]; and
e. Disabling the identifier after [FedRAMP Assignment: ninety days for user identifiers (see additional requirements and guidance)].

IA-4 (e) Additional FedRAMP Requirements and Guidance
Requirement: The service provider defines the time period of inactivity for device identifiers.
Guidance: For DoD clouds, see the DoD cloud website for specific DoD requirements that go above and beyond FedRAMP: http://iase.disa.mil/cloud_security/Pages/index.aspx.

IA-4 Control Summary Information
Responsible Role:
Parameter IA-4(a):
Parameter IA-4(d):
Parameter IA-4(e):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-4 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e

IA-4 (4) Control Enhancement (M) (H)
The organization manages individual identifiers by uniquely identifying each individual as [FedRAMP Assignment: contractors; foreign nationals].

IA-4 (4) Control Summary Information
Responsible Role:
Parameter IA-4 (4):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-4 (4) What is the solution and how is it implemented?

IA-5 Authenticator Management (L) (M)
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.

IA-5 Additional FedRAMP Requirements and Guidance
Requirement: Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link: https://pages.nist.gov/800-63-3.

IA-5 Control Summary Information
Responsible Role:
Parameter IA-5(g):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-5 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e
Part f
Part g
Part h
Part i
Part j

IA-5 (1) Control Enhancement (L) (M)
The information system, for password-based authentication:
a. Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
b. Enforces at least the following number of changed characters when new passwords are created: [FedRAMP Assignment: at least one (1)];
c. Stores and transmits only cryptographically-protected passwords;
d. Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
e. Prohibits password reuse for [FedRAMP Assignment: twenty-four (24)] generations; and
f. Allows the use of a temporary password for system logons with an immediate change to a permanent password.

IA-5 (1) a and d
Additional FedRAMP Requirements and Guidance
Guidance: If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant.

IA-5 (1) Control Summary Information
Responsible Role:
Parameter IA-5(1)(a):
Parameter IA-5(1)(b):
Parameter IA-5(1)(d):
Parameter IA-5(1)(e):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-5 (1) What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e
Part f

IA-5 (2) Control Enhancement (M) (H)
The information system, for PKI-based authentication:
a. Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
b. Enforces authorized access to the corresponding private key;
c. Maps the authenticated identity to the account of the individual or group; and
d. Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

IA-5 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-5 (2) What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

IA-5 (3) Control Enhancement (M) (H)
The organization requires that the registration process to receive [FedRAMP Assignment: All hardware/biometric (multifactor) authenticators] be conducted [FedRAMP Selection: in person] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].

IA-5 (3) Control Summary Information
Responsible Role:
Parameter IA-5(3)-1:
Parameter IA-5(3)-2:
Parameter IA-5(3)-3:
Parameter IA-5(3)-4:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-5 (3) What is the solution and how is it implemented?

IA-5 (4) Control Enhancement (M)
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].

IA-5 (4) Additional FedRAMP Requirements and Guidance
Guidance: If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit the strength of created password authenticators.

IA-5 (4) Control Summary Information
Responsible Role:
Parameter IA-5(4):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-5 (4) What is the solution and how is it implemented?

IA-5 (6) Control Enhancement (M) (H)
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.

IA-5 (6) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-5 (6) What is the solution and how is it implemented?

IA-5 (7) Control Enhancement (M) (H)
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

IA-5 (7) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-5 (7) What is the solution and how is it implemented?

IA-5 (11) Control Enhancement (L) (M) (H)
The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].

IA-5 (11) Control Summary Information
Responsible Role:
Parameter IA-5(11):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-5 (11) What is the solution and how is it implemented?

IA-6 Authenticator Feedback (L) (M) (H)
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-6 Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-6 What is the solution and how is it implemented?

IA-7 Cryptographic Module Authentication (L) (M) (H)
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

IA-7 Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-7 What is the solution and how is it implemented?

IA-8 Identification and Authentication (Non-Organizational Users) (L) (M) (H)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

IA-8 Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-8 What is the solution and how is it implemented?

IA-8 (1) Control Enhancement (L) (M) (H)
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

IA-8 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-8 (1) What is the solution and how is it implemented?

IA-8 (2) Control Enhancement (L) (M) (H)
The information system accepts only FICAM-approved third-party credentials.

IA-8 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-8 (2) What is the solution and how is it implemented?

IA-8 (3) Control Enhancement (L) (M) (H)
The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.

IA-8 (3) Control Summary Information
Responsible Role:
Parameter IA-8(3):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-8 (3) What is the solution and how is it implemented?

IA-8 (4) Control Enhancement (L) (M) (H)
The information system conforms to FICAM-issued profiles.

IA-8 (4) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

IA-8 (4) What is the solution and how is it implemented?

Incident Response (IR)

IR-1 Incident Response Policy and Procedures (L) (M)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
   1. Incident response policy [FedRAMP Assignment: at least every three (3) years]; and
   2. Incident response procedures [FedRAMP Assignment: at least annually].

IR-1 Control Summary Information
Responsible Role:
Parameter IR-1(a):
Parameter IR-1(b)(1):
Parameter IR-1(b)(2):
Implementation Status (check all that apply): ☐ Implemented
Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)IR-1 What is the solution and how is it implemented?Part aPart bIR-2 Incident Response Training (L) (M)The organization provides incident response training to information system users consistent with assigned roles and responsibilities in accordance with NIST SP 800-53 Rev 4: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; When required by information system changes; and [FedRAMP Assignment: at least annually] thereafter.IR-2Control Summary InformationResponsible Role: Parameter IR-2(a): Parameter IR-2(c): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-2 What is the solution and how is it implemented?Part aPart bPart cIR-3 Incident Response Testing (M)The organization tests the incident response capability for the information system [FedRAMP Assignment: at least annually] using [FedRAMP Assignment: see additional FedRAMP Requirements and Guidance] to determine the incident response effectiveness and documents the results.IR-3 Additional FedRAMP Requirements and Guidance: Requirements: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). 
For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to the test commencing.IR-3Control Summary InformationResponsible Role: Parameter IR-3-1: Parameter IR-3-2: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-3 What is the solution and how is it implemented?IR-3 (2) Control Enhancement (M) (H)The organization coordinates incident response testing with organizational elements responsible for related plans.IR-3 (2)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization IR-3 (2) What is the solution and how is it implemented?IR-4 Incident Handling (L) (M) (H)The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; Coordinates incident handling activities with contingency planning activities; andIncorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.IR-4 Additional FedRAMP Requirements and Guidance: Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.IR-4Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-4 What is the solution and how is it implemented?Part aPart bPart cIR-4 (1) Control Enhancement (M) (H)The organization employs automated mechanisms to support the incident handling process. IR-4 (1)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? 
Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-4 (1) What is the solution and how is it implemented?IR-5 Incident Monitoring (L) (M) (H)The organization tracks and documents information system security incidents.IR-5Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-5 What is the solution and how is it implemented?IR-6 Incident Reporting (L) (M) (H)The organization:Requires personnel to report suspected security incidents to the organizational incident response capability within [FedRAMP Assignment: US-CERT incident reporting timelines as specified in NIST SP800-61 (as amended)]; andReports security incident information to [Assignment: organization-defined authorities].IR-6 Additional FedRAMP Requirements and Guidance Requirement: Report security incident information according to FedRAMP Incident Communications Procedure. IR-6Control Summary InformationResponsible Role: Parameter IR-6(a): Parameter IR-6(b): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? 
Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-6 What is the solution and how is it implemented?Part aPart bIR-6 (1) Control Enhancement (M) (H)The organization employs automated mechanisms to assist in the reporting of security incidents.IR-6 (1)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-6 (1) What is the solution and how is it implemented?IR-7 Incident Response Assistance (L) (M) (H)The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.IR-7Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? 
Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-7 What is the solution and how is it implemented?IR-7 (1) Control Enhancement (M) (H)The organization employs automated mechanisms to increase the availability of incident response related information and support.IR-7 (1)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-7 (1) What is the solution and how is it implemented?IR-7 (2) Control Enhancement (M) (H)The organization:Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; andIdentifies organizational incident response team members to the external providers.IR-7 (2)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization IR-7 (2) What is the solution and how is it implemented?Part aPart bIR-8 Incident Response Plan (L) (M) (H)The organization:Develops an incident response plan that:Provides the organization with a roadmap for implementing its incident response capability;Describes the structure and organization of the incident response capability;Provides a high-level approach for how the incident response capability fits into the overall organization;Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;Defines reportable incidents;Provides metrics for measuring the incident response capability within the organization;Defines the resources and management support needed to effectively maintain and mature an incident response capability; andIs reviewed and approved by [Assignment: organization-defined personnel or roles];Distributes copies of the incident response plan to [FedRAMP Assignment: see additional FedRAMP Requirements and Guidance].IR-8(b) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.Reviews the incident response plan [FedRAMP Assignment: at least annually];Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;Communicates incident response plan changes to [FedRAMP Assignment: see additional FedRAMP Requirements and Guidance]; andIR-8(e) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. 
The incident response list includes designated FedRAMP personnel.Protects the incident response plan from unauthorized disclosure and modification.IR-8Control Summary InformationResponsible Role: Parameter IR-8(a)(8):Parameter IR-8(b): Parameter IR-8(c): Parameter IR-8(e): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-8 What is the solution and how is it implemented?Part aPart bPart cPart dPart ePart fIR-9 Information Spillage Response (M) (H)The organization responds to information spills by: Identifying the specific information involved in the information system contamination; Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; Isolating the contaminated information system or system component; Eradicating the information from the contaminated information system or component; Identifying other information systems or system components that may have been subsequently contaminated; and Performing other [Assignment: organization-defined actions]. IR-9Control Summary InformationResponsible Role: Parameter IR-9(b): Parameter IR-9(f): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? 
Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-9 What is the solution and how is it implemented?Part aPart bPart cPart dPart ePart fIR-9 (1) Control Enhancement (M) (H)The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills.IR-9 (1)Control Summary InformationResponsible Role: Parameter IR-9(1): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-9 (1) What is the solution and how is it implemented?IR-9 (2) Control Enhancement (M)The organization provides information spillage response training [Assignment: organization- defined frequency].IR-9 (2)Control Summary InformationResponsible Role: Parameter IR-9(2):Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization IR-9 (2) What is the solution and how is it implemented?IR-9 (3) Control Enhancement (M) (H) The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.IR-9 (3)Control Summary InformationResponsible Role: Parameter IR-9(3): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization IR-9 (3) What is the solution and how is it implemented?IR-9 (4) Control Enhancement (M) (H)The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations.IR-9 (4)Control Summary InformationResponsible Role: Parameter IR-9(4): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization IR-9 (4) What is the solution and how is it implemented?Maintenance (MA)MA-1 System Maintenance Policy and Procedures (L) (M)The organization:Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; andProcedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; andReviews and updates the current:System maintenance policy [FedRAMP Assignment: at least every three (3) years]; andSystem maintenance procedures [FedRAMP Assignment: at least annually].MA-1Control Summary InformationResponsible Role: Parameter MA-1(a): Parameter MA-1(b)(1): Parameter MA-1(b)(2): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? 
Service Provider Hybrid (Corporate and System Specific) MA-1 What is the solution and how is it implemented?Part aPart bMA-2 Controlled Maintenance (L) (M) (H)The organization:Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; andIncludes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.MA-2Control Summary InformationResponsible Role: Parameter MA-2(c): Parameter MA-2(f): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization MA-2 What is the solution and how is it implemented?Part aPart bPart cPart dPart ePart fMA-3 Maintenance Tools (M) (H)The organization approves, controls, and monitors information system maintenance tools.MA-3Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization MA-3 What is the solution and how is it implemented?MA-3 (1) Control Enhancement (M) (H)The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.MA-3 (1)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization MA-3 (1) What is the solution and how is it implemented?MA-3 (2) Control Enhancement (M) (H)The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.MA-3 (2)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization MA-3 (2) What is the solution and how is it implemented?MA-3 (3) Control Enhancement (M) (H)The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:Verifying that there is no organizational information contained on the equipment;Sanitizing or destroying the equipment;Retaining the equipment within the facility; orObtaining an exemption from [FedRAMP Assignment: the information owner explicitly authorizes removal of the equipment from the facility].MA-3 (3)Control Summary InformationResponsible Role: Parameter MA-3(3)(d): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
Date of Authorization

MA-3 (3) What is the solution and how is it implemented?
Part a:
Part b:
Part c:
Part d:

MA-4 Remote Maintenance (L) (M) (H)
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed.

MA-4 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MA-4 What is the solution and how is it implemented?
Part a:
Part b:
Part c:
Part d:
Part e:

MA-4 (2) Control Enhancement (M) (H)
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

MA-4 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MA-4 (2) What is the solution and how is it implemented?

MA-5 Maintenance Personnel (L) (M) (H)
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

MA-5 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MA-5 What is the solution and how is it implemented?
Part a:
Part b:
Part c:

MA-5 (1) Control Enhancement (L) (M)
The organization:
a. Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
   (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
   (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
b. Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
MA-5 (1) Additional FedRAMP Requirements and Guidance:
Requirement: Only MA-5 (1) (a) (1) is required by FedRAMP.

MA-5 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MA-5 (1) What is the solution and how is it implemented?
Part a:
Part b:

MA-6 Timely Maintenance (M) (H)
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.

MA-6 Control Summary Information
Responsible Role:
Parameter MA-6(1):
Parameter MA-6(2):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MA-6 What is the solution and how is it implemented?

Media Protection (MP)

MP-1 Media Protection Policy and Procedures (L) (M)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   (1) A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   (2) Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
   (1) Media protection policy [FedRAMP Assignment: at least every three (3) years]; and
   (2) Media protection procedures [FedRAMP Assignment: at least annually].

MP-1 Control Summary Information
Responsible Role:
Parameter MP-1(a):
Parameter MP-1(b)(1):
Parameter MP-1(b)(2):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)

MP-1 What is the solution and how is it implemented?
Part a:
Part b:

MP-2 Media Access (L) (M)
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].

MP-2 Control Summary Information
Responsible Role:
Parameter MP-2-1:
Parameter MP-2-2:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MP-2 What is the solution and how is it implemented?

MP-3 Media Labeling (M) (H)
The organization:
a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [FedRAMP Assignment: no removable media types] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
MP-3(b) Additional FedRAMP Requirements and Guidance:
Guidance: Second parameter in MP-3(b)-2 is not applicable.

MP-3 Control Summary Information
Responsible Role:
Parameter MP-3(b)-1:
Parameter MP-3(b)-2: Not applicable
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MP-3 What is the solution and how is it implemented?
Part a:
Part b:

MP-4 Media Storage (M) (H)
The organization:
a. Physically controls and securely stores [FedRAMP Assignment: all types of digital and non-digital media with sensitive information] within [FedRAMP Assignment: see additional FedRAMP requirements and guidance]; and
   MP-4a Additional FedRAMP Requirements and Guidance:
   Requirement: The service provider defines controlled areas within facilities where the information and information system reside.
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

MP-4 Control Summary Information
Responsible Role:
Parameter MP-4(a)-1:
Parameter MP-4(a)-2:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MP-4 What is the solution and how is it implemented?
Part a:
Part b:

MP-5 Media Transport (M) (H)
The organization:
a. Protects and controls [FedRAMP Assignment: all media with sensitive information] during transport outside of controlled areas using [FedRAMP Assignment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container];
   MP-5a Additional FedRAMP Requirements and Guidance:
   Requirement: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with transport of information system media to authorized personnel.

MP-5 Control Summary Information
Responsible Role:
Parameter MP-5(a)-1:
Parameter MP-5(a)-2:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MP-5 What is the solution and how is it implemented?
Part a:
Part b:
Part c:
Part d:

MP-5 (4) Control Enhancement (M) (H)
The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

MP-5 (4) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MP-5 (4) What is the solution and how is it implemented?

MP-6 Media Sanitization and Disposal (L) (M)
The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

MP-6 Control Summary Information
Responsible Role:
Parameter MP-6(a)-1:
Parameter MP-6(a)-2:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MP-6 What is the solution and how is it implemented?
Part a:
Part b:

MP-6 (2) Control Enhancement (M)
The organization tests sanitization equipment and procedures [FedRAMP Assignment: at least annually] to verify that the intended sanitization is being achieved.
MP-6 (2) Additional FedRAMP Requirements and Guidance:
Guidance: Equipment and procedures may be tested or evaluated for effectiveness.

MP-6 (2) Control Summary Information
Responsible Role:
Parameter MP-6(2):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MP-6 (2) What is the solution and how is it implemented?

MP-7 Media Use (L) (M) (H)
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].

MP-7 Control Summary Information
Responsible Role:
Parameter MP-7-1:
Parameter MP-7-2:
Parameter MP-7-3:
Parameter MP-7-4:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MP-7 What is the solution and how is it implemented?

MP-7 (1) Control Enhancement (M) (H)
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

MP-7 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

MP-7 (1) What is the solution and how is it implemented?

Physical and Environmental Protection (PE)

PE-1 Physical and Environmental Protection Policy and Procedures (L) (M)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   (1) A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   (2) Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
   (1) Physical and environmental protection policy [FedRAMP Assignment: at least every three (3) years]; and
   (2) Physical and environmental protection procedures [FedRAMP Assignment: at least annually].

PE-1 Control Summary Information
Responsible Role:
Parameter PE-1(a):
Parameter PE-1(b)(1):
Parameter PE-1(b)(2):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)

PE-1 What is the solution and how is it implemented?
Part a:
Part b:

PE-2 Physical Access Authorizations (L) (M)
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [FedRAMP Assignment: at least annually]; and
d. Removes individuals from the facility access list when access is no longer required.

PE-2 Control Summary Information
Responsible Role:
Parameter PE-2(c):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-2 What is the solution and how is it implemented?
Part a:
Part b:
Part c:
Part d:

PE-3 Physical Access Control (L) (M) (H)
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
   (1) Verifying individual access authorizations before granting access to the facility; and
   (2) Controlling ingress/egress to the facility using [FedRAMP Assignment: CSP defined physical access control systems/devices AND guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [FedRAMP Assignment: in all circumstances within restricted access area where the information system resides];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [FedRAMP Assignment: at least annually]; and
g. Changes combinations and keys [FedRAMP Assignment: at least annually] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

PE-3 Control Summary Information
Responsible Role:
Parameter PE-3(a):
Parameter PE-3(a)(2):
Parameter PE-3(b):
Parameter PE-3(c):
Parameter PE-3(d):
Parameter PE-3(f)-1:
Parameter PE-3(f)-2:
Parameter PE-3(g):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-3 What is the solution and how is it implemented?
Part a:
Part b:
Part c:
Part d:
Part e:
Part f:
Part g:

PE-4 Access Control for Transmission Medium (M) (H)
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].

PE-4 Control Summary Information
Responsible Role:
Parameter PE-4-1:
Parameter PE-4-2:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-4 What is the solution and how is it implemented?

PE-5 Access Control for Output Devices (M) (H)
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

PE-5 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-5 What is the solution and how is it implemented?

PE-6 Monitoring Physical Access (L) (M) (H)
The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [FedRAMP Assignment: at least monthly] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organization's incident response capability.

PE-6 Control Summary Information
Responsible Role:
Parameter PE-6(b)-1:
Parameter PE-6(b)-2:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-6 What is the solution and how is it implemented?
Part a:
Part b:
Part c:

PE-6 (1) Control Enhancement (M) (H)
The organization monitors physical intrusion alarms and surveillance equipment.

PE-6 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-6 (1) What is the solution and how is it implemented?

PE-8 Visitor Access Records (L) (M) (H)
The organization:
a. Maintains visitor access records to the facility where the information system resides for [FedRAMP Assignment: for a minimum of one (1) year]; and
b. Reviews visitor access records [FedRAMP Assignment: at least monthly].

PE-8 Control Summary Information
Responsible Role:
Parameter PE-8(a):
Parameter PE-8(b):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-8 What is the solution and how is it implemented?
Part a:
Part b:

PE-9 Power Equipment and Cabling (M) (H)
The organization protects power equipment and power cabling for the information system from damage and destruction.

PE-9 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-9 What is the solution and how is it implemented?

PE-10 Emergency Shutoff (M) (H)
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.

PE-10 Control Summary Information
Responsible Role:
Parameter PE-10(b):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-10 What is the solution and how is it implemented?
Part a:
Part b:
Part c:

PE-11 Emergency Power (M) (H)
The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.

PE-11 Control Summary Information
Responsible Role:
Parameter PE-11:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-11 What is the solution and how is it implemented?

PE-12 Emergency Lighting (L) (M) (H)
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

PE-12 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-12 What is the solution and how is it implemented?

PE-13 Fire Protection (L) (M) (H)
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

PE-13 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-13 What is the solution and how is it implemented?

PE-13 (2) Control Enhancement (M) (H)
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].

PE-13 (2) Control Summary Information
Responsible Role:
Parameter PE-13(2)-1:
Parameter PE-13(2)-2:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-13 (2) What is the solution and how is it implemented?

PE-13 (3) Control Enhancement (M) (H)
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

PE-13 (3) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-13 (3) What is the solution and how is it implemented?

PE-14 Temperature and Humidity Controls (L) (M) (H)
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [FedRAMP Assignment: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled "Thermal Guidelines for Data Processing Environments"]; and
   PE-14 (a) Additional FedRAMP Requirements and Guidance:
   Requirement: The service provider measures temperature at server inlets and humidity levels by dew point.
b. Monitors temperature and humidity levels [FedRAMP Assignment: continuously].

PE-14 Control Summary Information
Responsible Role:
Parameter PE-14(a):
Parameter PE-14(b):
Parameter PE-14(b) Additional:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-14 What is the solution and how is it implemented?
Part a:
Part b:

PE-14 (2) Control Enhancement (M) (H)
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.

PE-14 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-14 (2) What is the solution and how is it implemented?

PE-15 Water Damage Protection (L) (M) (H)
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

PE-15 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-15 What is the solution and how is it implemented?

PE-16 Delivery and Removal (L) (M) (H)
The organization authorizes, monitors, and controls [FedRAMP Assignment: all information system components] entering and exiting the facility and maintains records of those items.

PE-16 Control Summary Information
Responsible Role:
Parameter PE-16:
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
   Date of Authorization

PE-16 What is the solution and how is it implemented?

PE-17 Alternate Work Site (M) (H)
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.

PE-17 Control Summary Information
Responsible Role:
Parameter PE-17(a):
Implementation Status (check all that apply):
☐ Implemented  ☐ Partially implemented  ☐ Planned  ☐ Alternative implementation  ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate  ☐ Service Provider System Specific  ☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)  ☐ Provided by Customer (Customer System Specific)  ☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
, Date of Authorization PE-17 What is the solution and how is it implemented?Part aPart bPart cPlanning (PL)PL-1 Security Planning Policy and Procedures (L) (M)The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and Reviews and updates the current: Security planning policy [FedRAMP Assignment: at least every three (3) years]; and Security planning procedures [FedRAMP Assignment: at least annually].PL-1Control Summary InformationResponsible Role: Parameter PL-1(a): Parameter PL-1(b)(1): Parameter PL-1(b)(2): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? 
☐ Service Provider Hybrid (Corporate and System Specific)

PL-1 What is the solution and how is it implemented?
Part a
Part b

PL-2 System Security Plan (L) (M) (H)
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [FedRAMP Assignment: at least annually];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.

PL-2 Control Summary Information
Responsible Role:
Parameter PL-2(b):
Parameter PL-2(c):
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PL-2 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e

PL-2 (3) Control Enhancement (M) (H)
The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.

PL-2 (3) Control Summary Information
Responsible Role:
Parameter PL-2(3):
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PL-2 (3) What is the solution and how is it implemented?

PL-4 Rules of Behavior (L) (M)
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [FedRAMP Assignment: at least every three (3) years]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

PL-4 Control Summary Information
Responsible Role:
Parameter PL-4(c):
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PL-4 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

PL-4 (1) Control Enhancement (M) (H)
The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

PL-4 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PL-4 (1) What is the solution and how is it implemented?

PL-8 Information Security Architecture (M) (H)
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [FedRAMP Assignment: at least annually or when a significant change occurs] to reflect updates in the enterprise architecture; and
PL-8 (b) Additional FedRAMP Requirements and Guidance:
Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, on Page F-8.
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

PL-8 Control Summary Information
Responsible Role:
Parameter PL-8(b):
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PL-8 What is the solution and how is it implemented?
Part a
Part b
Part c

Personnel Security (PS)

PS-1 Personnel Security Policy and Procedures (L) (M)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [FedRAMP Assignment: at least every three (3) years]; and
2. Personnel security procedures [FedRAMP Assignment: at least annually].

PS-1 Control Summary Information
Responsible Role:
Parameter PS-1(a):
Parameter PS-1(b)(1):
Parameter PS-1(b)(2):
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)

PS-1 What is the solution and how is it implemented?
Part a
Part b

PS-2 Position Categorization (L) (M)
The organization:
a. Assigns a risk designation to all positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and revises position risk designations [FedRAMP Assignment: at least every three (3) years].

PS-2 Control Summary Information
Responsible Role:
Parameter PS-2(c):
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PS-2 What is the solution and how is it implemented?
Part a
Part b
Part c

PS-3 Personnel Screening (L) (M) (H)
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [FedRAMP Assignment: For national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions].

PS-3 Control Summary Information
Responsible Role:
Parameter PS-3(b):
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PS-3 What is the solution and how is it implemented?
Part a
Part b

PS-3 (3) Control Enhancement (M) (H)
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
a. Have valid access authorizations that are demonstrated by assigned official government duties; and
b. Satisfy [FedRAMP Assignment: personnel screening criteria – as required by specific information].

PS-3 (3) Control Summary Information
Responsible Role:
Parameter PS-3 (3)(b):
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PS-3 (3) What is the solution and how is it implemented?
Part a
Part b

PS-4 Personnel Termination (L) (M)
The organization, upon termination of individual employment:
a. Disables information system access within [FedRAMP Assignment: same day];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

PS-4 Control Summary Information
Responsible Role:
Parameter PS-4(a):
Parameter PS-4(c):
Parameter PS-4(f)-1:
Parameter PS-4(f)-2:
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PS-4 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e
Part f

PS-5 Personnel Transfer (L) (M)
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [FedRAMP Assignment: within five days of the formal transfer action (DoD 24 hours)].

PS-5 Control Summary Information
Responsible Role:
Parameter PS-5(b)-1:
Parameter PS-5(b)-2:
Parameter PS-5(d)-1:
Parameter PS-5(d)-2:
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PS-5 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

PS-6 Access Agreements (L) (M)
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [FedRAMP Assignment: at least annually]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [FedRAMP Assignment: at least annually].

PS-6 Control Summary Information
Responsible Role:
Parameter PS-6(b):
Parameter PS-6(c)(2):
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PS-6 What is the solution and how is it implemented?
Part a
Part b
Part c

PS-7 Third-Party Personnel Security (L) (M)
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [FedRAMP Assignment: same day]; and
e. Monitors provider compliance.

PS-7 Control Summary Information
Responsible Role:
Parameter PS-7(d)-1:
Parameter PS-7(d)-2:
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PS-7 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e

PS-8 Personnel Sanctions (L) (M)
The organization:
a. Employs a formal sanctions process for personnel failing to comply with established information security policies and procedures; and
b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

PS-8 Control Summary Information
Responsible Role:
Parameter PS-8(b)-1:
Parameter PS-8(b)-2:
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

PS-8 What is the solution and how is it implemented?
Part a
Part b

Risk Assessment (RA)

RA-1 Risk Assessment Policy and Procedures (L) (M)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [FedRAMP Assignment: at least every three (3) years]; and
2. Risk assessment procedures [FedRAMP Assignment: at least annually].

RA-1 Control Summary Information
Responsible Role:
Parameter RA-1(a):
Parameter RA-1(b)(1):
Parameter RA-1(b)(2):
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)

RA-1 What is the solution and how is it implemented?
Part a
Part b

RA-2 Security Categorization (L) (M) (H)
The organization:
a. Categorizes information and the information system in accordance with applicable Federal Laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures the security categorization decision is reviewed and approved by the AO or authorizing official designated representative.

RA-2 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization RA-2 What is the solution and how is it implemented?Part aPart bPart cRA-3 Risk Assessment (L) (M) The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;Documents risk assessment results in [Selection: security plan; risk assessment report; [FedRAMP Assignment: security assessment report]];Reviews risk assessment results [FedRAMP Assignment: in accordance with OMB A-130 requirements or when a significant change occurs];Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; andUpdates the risk assessment [FedRAMP Assignment: in accordance with OMB A-130 requirements or when a significant change occurs] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.RA-3 Additional FedRAMP Requirements and Guidance: Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix FRA-3 (d) Requirement: Include all Authorizing Officials; for JAB authorizations to include FedRAMP.RA-3Control Summary InformationResponsible Role: Parameter RA-3(b): Parameter RA-3(c): Parameter RA-3(d): Parameter RA-3(e): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? 
Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization RA-3 What is the solution and how is it implemented?Part aPart bPart cPart dPart eRA-5 Vulnerability Scanning (L) (M) (H)The organization:Scans for vulnerabilities in the information system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications and databases] and when new vulnerabilities potentially affecting the system/applications are identified and reported;RA-5 (a) Additional FedRAMP Requirements and Guidance: Requirement: An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:Enumerating platforms, software flaws, and improper configurations;Formatting and making transparent, checklists and test procedures; andMeasuring vulnerability impact;Analyzes vulnerability scan reports and results from security control assessmentsRemediates legitimate vulnerabilities; [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery], in accordance with an organizational assessment of risk; andShares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other 
information systems (i.e., systemic weaknesses or deficiencies).RA-5 (e) Additional FedRAMP Requirements and Guidance: Requirement: To include all Authorizing Officials; for JAB authorizations to include FedRAMP.RA-5 Additional FedRAMP Requirements and Guidance Guidance: See the FedRAMP Documents page under Key Cloud ServiceProvider (CSP) Documents> Vulnerability Scanning Requirements https://www.FedRAMP.gov/documents/RA-5Control Summary InformationResponsible Role: Parameter RA-5(a): Parameter RA-5(d): Parameter RA-5(e): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization RA-5 What is the solution and how is it implemented?Part aPart bPart cPart dPart eRA-5 (1) Control Enhancement (M) (H)The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities to be scanned.RA-5 (1)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
Date of Authorization

RA-5 (1) What is the solution and how is it implemented?

RA-5 (2) Control Enhancement (M) (H)

The organization updates the information system vulnerabilities scanned [Selection (one or more): [FedRAMP Assignment: prior to a new scan]].

RA-5 (2) Control Summary Information
Responsible Role:
Parameter RA-5(2):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

RA-5 (2) What is the solution and how is it implemented?

RA-5 (3) Control Enhancement (M) (H)

The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

RA-5 (3) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

RA-5 (3) What is the solution and how is it implemented?

RA-5 (5) Control Enhancement (M) (H)

The organization includes privileged access authorization to [FedRAMP Assignment: operating systems, databases, web applications] for selected [FedRAMP Assignment: all scans].

RA-5 (5) Control Summary Information
Responsible Role:
Parameter RA-5(5)-1:
Parameter RA-5(5)-2:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

RA-5 (5) What is the solution and how is it implemented?

RA-5 (6) Control Enhancement (M) (H)

The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.

RA-5 (6) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

RA-5 (6) What is the solution and how is it implemented?

RA-5 (8) Control Enhancement (L) (M) (H)

The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.

RA-5 (8) Additional FedRAMP Requirements and Guidance:
Requirement: This enhancement is required for all high vulnerability scan findings.
Guidance: While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability.

RA-5 (8) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
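RA-5 (3) asks the provider to demonstrate scan breadth and depth, and RA-5 (6) asks for automated comparison of scan results over time. The following added example (not part of the FedRAMP template and not any scanner's own code) shows both computations over a constructed CSV export format and a constructed inventory; the hosts, plugin IDs and finding titles are made up, and real scanner exports differ in layout but carry the same fields.

```python
"""Scan coverage (RA-5 (3)) and scan-over-scan trend (RA-5 (6)) evidence.

Added example, not part of the FedRAMP SSP template. The CSV export
format, hosts, plugin IDs and finding titles below are constructed for
illustration; real scanner exports differ but carry the same fields.
"""
import csv
from collections import Counter
from dataclasses import dataclass
from io import StringIO

# Constructed exports: one finding per row, from two consecutive scan cycles.
SCAN_PREVIOUS = """\
host,plugin_id,severity,title
10.0.1.10,11111,high,Outdated OpenSSL
10.0.1.10,22222,medium,TLS 1.0 enabled
10.0.1.11,11111,high,Outdated OpenSSL
10.0.1.12,33333,low,ICMP timestamp disclosure
"""

SCAN_CURRENT = """\
host,plugin_id,severity,title
10.0.1.10,22222,medium,TLS 1.0 enabled
10.0.1.11,11111,high,Outdated OpenSSL
10.0.1.11,44444,critical,Unsupported web framework version
10.0.1.12,33333,low,ICMP timestamp disclosure
10.0.1.13,22222,medium,TLS 1.0 enabled
"""

# Constructed authorization-boundary inventory (the template keeps the real
# one in Attachment 13, the FedRAMP Inventory Workbook).
INVENTORY = ["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13", "10.0.1.14"]

HIGH_OR_ABOVE = {"high", "critical"}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    severity: str
    title: str

    @property
    def key(self):
        """Identity of a finding across scans: the same check on the same host."""
        return (self.host, self.plugin_id)


def parse_scan(text):
    """Parse the constructed CSV export into Finding objects."""
    rows = csv.DictReader(StringIO(text))
    return [Finding(r["host"], r["plugin_id"], r["severity"].lower(), r["title"])
            for r in rows]


def coverage(inventory, findings):
    """RA-5 (3) breadth: inventory hosts the scan touched, hosts it missed,
    and hosts seen in the scan but absent from the inventory (boundary drift).

    Caveat: a findings-only export cannot distinguish a clean host from an
    unscanned one, so "missed" is a list to reconcile against the scanner's
    own target list, not a final answer."""
    seen = {f.host for f in findings}
    wanted = set(inventory)
    return {
        "scanned": sorted(seen & wanted),
        "missed": sorted(wanted - seen),
        "unknown": sorted(seen - wanted),
    }


def severity_counts(findings):
    """Depth/trend input: number of findings per severity for one scan."""
    return dict(Counter(f.severity for f in findings))


def compare_scans(previous, current):
    """RA-5 (6) trend: findings new since the previous scan, resolved since
    it, and persisting across both. Persisting high/critical findings are
    called out separately because the FedRAMP requirement on RA-5 (8) applies
    to every high finding, and an aging one is the first candidate for the
    historic audit log review."""
    prev = {f.key: f for f in previous}
    curr = {f.key: f for f in current}
    persisting = sorted(prev.keys() & curr.keys())
    return {
        "new": sorted(curr.keys() - prev.keys()),
        "resolved": sorted(prev.keys() - curr.keys()),
        "persisting": persisting,
        "persisting_high": [k for k in persisting
                            if curr[k].severity in HIGH_OR_ABOVE],
    }


if __name__ == "__main__":
    prev, curr = parse_scan(SCAN_PREVIOUS), parse_scan(SCAN_CURRENT)
    print("coverage:", coverage(INVENTORY, curr))
    print("severity:", severity_counts(prev), "->", severity_counts(curr))
    print("trend:", compare_scans(prev, curr))
```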
Date of Authorization

RA-5 (8) What is the solution and how is it implemented?

System and Services Acquisition (SA)

SA-1 System and Services Acquisition Policy and Procedures (L) (M)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
   1. System and services acquisition policy [FedRAMP Assignment: at least every three (3) years]; and
   2. System and services acquisition procedures [FedRAMP Assignment: at least annually].

SA-1 Control Summary Information
Responsible Role:
Parameter SA-1(a):
Parameter SA-1(b)(1):
Parameter SA-1(b)(2):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)

SA-1 What is the solution and how is it implemented?
Part a
Part b

SA-2 Allocation of Resources (L) (M) (H)

The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.

SA-2 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-2 What is the solution and how is it implemented?
Part a
Part b
Part c

SA-3 System Development Life Cycle (L) (M) (H)

The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities.

SA-3 Control Summary Information
Responsible Role:
Parameter SA-3(a):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
Date of Authorization

SA-3 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

SA-4 Acquisitions Process (L) (M) (H)

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.

SA-4 Additional FedRAMP Requirements and Guidance:
Requirement: The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).
Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See https://www.niap-ccevs.org/Product/

SA-4 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-4 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e
Part f
Part g

SA-4 (1) Control Enhancement (M) (H)

The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

SA-4 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-4 (1) What is the solution and how is it implemented?

SA-4 (2) Control Enhancement (L) (M)

The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [FedRAMP Selection (one or more): to include security-relevant external system interfaces, and high-level design]; [Assignment: organization-defined design/implementation information] at [Assignment: organization-defined level of detail].

SA-4 (2) Control Summary Information
Responsible Role:
Parameter SA-4-1:
Parameter SA-4-2:
Parameter SA-4-3:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-4 (2) What is the solution and how is it implemented?

SA-4 (8) Control Enhancement (M) (H)

The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [FedRAMP Assignment: at least the minimum requirement as defined in control CA-7].

SA-4 (8) Additional FedRAMP Requirements and Guidance:
Guidance: CSP must use the same security standards regardless of where the system component or information system service is acquired.

SA-4 (8) Control Summary Information
Responsible Role:
Parameter SA-4(8):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-4 (8) What is the solution and how is it implemented?

SA-4 (9) Control Enhancement (M) (H)

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

SA-4 (9) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-4 (9) What is the solution and how is it implemented?

SA-4 (10) Control Enhancement (M) (H)

The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

SA-4 (10) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
Date of Authorization

SA-4 (10) What is the solution and how is it implemented?

SA-5 Information System Documentation (L) (M)

The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
   1. Secure configuration, installation, and operation of the system, component, or service;
   2. Effective use and maintenance of security functions/mechanisms; and
   3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
   1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
   2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
   3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles].

SA-5 Control Summary Information
Responsible Role:
Parameter SA-5(c):
Parameter SA-5(e):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-5 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e

SA-8 Security Engineering Principles (M) (H)

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

SA-8 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-8 What is the solution and how is it implemented?

SA-9 External Information System Services (L) (M) (H)

The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [FedRAMP Assignment: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [FedRAMP Assignment: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored] to monitor security control compliance by external service providers on an ongoing basis.

SA-9 Additional FedRAMP Requirements and Guidance:
Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Continuous Monitoring Strategy Guide, https://www.FedRAMP.gov/documents
Guidance: Independent Assessors should assess the risk associated with the use of external services. See the FedRAMP page under Key Cloud Service Provider (CSP) Documents > FedRAMP Authorization Boundary Guidance.

SA-9 Control Summary Information
Responsible Role:
Parameter SA-9(a):
Parameter SA-9(c):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-9 What is the solution and how is it implemented?
Part a
Part b
Part c

SA-9 (1) Control Enhancement (M) (H)

The organization:
a. Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
b. Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].

SA-9 (1) Control Summary Information
Responsible Role:
Parameter SA-9(1)(b):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
Date of Authorization

SA-9 (1) What is the solution and how is it implemented?
Part a
Part b

SA-9 (2) Control Enhancement (M) (H)

The organization requires providers of [FedRAMP Assignment: All external systems where Federal information is processed or stored] to identify the functions, ports, protocols, and other services required for the use of such services.

SA-9 (2) Control Summary Information
Responsible Role:
Parameter SA-9(2):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-9 (2) What is the solution and how is it implemented?

SA-9 (4) Control Enhancement (M) (H)

The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [FedRAMP Assignment: All external systems where Federal information is processed or stored] are consistent with and reflect organizational interests.

SA-9 (4) Control Summary Information
Responsible Role:
Parameter SA-9(4)-1:
Parameter SA-9(4)-2:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-9 (4) What is the solution and how is it implemented?

SA-9 (5) Control Enhancement (M) (H)

The organization restricts the location of [FedRAMP Selection: information processing, information data, AND information services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].

SA-9 (5) Additional FedRAMP Requirements and Guidance:
Guidance: System services refer to FTP, Telnet, and TFTP, etc.

SA-9 (5) Control Summary Information
Responsible Role:
Parameter SA-9(5)-1:
Parameter SA-9(5)-2:
Parameter SA-9(5)-3:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-9 (5) What is the solution and how is it implemented?

SA-10 Developer Configuration Management (M) (H)

The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [FedRAMP Selection: development, implementation, AND operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].

SA-10 (e) Additional FedRAMP Requirements and Guidance:
Requirement: For JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

SA-10 Control Summary Information
Responsible Role:
Parameter SA-10(a):
Parameter SA-10(b):
Parameter SA-10(e):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
Date of Authorization

SA-10 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e

SA-10 (1) Control Enhancement (M) (H)

The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.

SA-10 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-10 (1) What is the solution and how is it implemented?

SA-11 Developer Security Testing and Evaluation (M) (H)

The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation.

SA-11 Control Summary Information
Responsible Role:
Parameter SA-11(b)-1:
Parameter SA-11(b)-2:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-11 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e

SA-11 (1) Control Enhancement (M) (H)

The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

SA-11 (1) Additional FedRAMP Requirements and Guidance:
Requirement: The service provider documents in the Continuous Monitoring Plan how newly developed code for the information system is reviewed.

SA-11 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-11 (1) What is the solution and how is it implemented?

SA-11 (2) Control Enhancement (M) (H)

The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.

SA-11 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SA-11 (2) What is the solution and how is it implemented?

SA-11 (8) Control Enhancement (M) (H)

The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

SA-11 (8) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.
Date of Authorization

SA-11 (8) What is the solution and how is it implemented?

System and Communications Protection (SC)

SC-1 System and Communications Protection Policy and Procedures (L) (M)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
   1. System and communications protection policy [FedRAMP Assignment: at least every three (3) years]; and
   2. System and communications protection procedures [FedRAMP Assignment: at least annually].

SC-1 Control Summary Information
Responsible Role:
Parameter SC-1(a):
Parameter SC-1(b)(1):
Parameter SC-1(b)(2):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)

SC-1 What is the solution and how is it implemented?
Part a
Part b

SC-2 Application Partitioning (M) (H)

The information system separates user functionality (including user interface services) from information system management functionality.

SC-2 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SC-2 What is the solution and how is it implemented?

SC-4 Information in Shared Resources (M) (H)

The information system prevents unauthorized and unintended information transfer via shared system resources.

SC-4 Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SC-4 What is the solution and how is it implemented?

SC-5 Denial of Service Protection (L) (M) (H)

The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].

SC-5 Control Summary Information
Responsible Role:
Parameter SC-5-1:
Parameter SC-5-2:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SC-5 What is the solution and how is it implemented?

SC-6 Resource Availability (M) (H)

The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined security safeguards]].

SC-6 Control Summary Information
Responsible Role:
Parameter SC-6-1:
Parameter SC-6-2:
Parameter SC-6-3:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SC-6 What is the solution and how is it implemented?

SC-7 Boundary Protection (L) (M) (H)

The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.

SC-7 Control Summary Information
Responsible Role:
Parameter SC-7(b):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SC-7 What is the solution and how is it implemented?
Part a
Part b
Part c

SC-7 (3) Control Enhancement (M) (H)

The organization limits the number of external network connections to the information system.

SC-7 (3) Control Summary Information
Responsible Role:
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SC-7 (3) What is the solution and how is it implemented?

SC-7 (4) Control Enhancement (M)

The organization:
a. Implements a managed interface for each external telecommunication service;
b. Establishes a traffic flow policy for each managed interface;
c. Protects the confidentiality and integrity of the information being transmitted across each interface;
d. Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
e. Reviews exceptions to the traffic flow policy [FedRAMP Assignment: at least annually] and removes exceptions that are no longer supported by an explicit mission/business need.

SC-7 (4) Control Summary Information
Responsible Role:
Parameter SC-7(4)(e):
Implementation Status (check all that apply):
☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐
Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-7 (4) What is the solution and how is it implemented?Part aPart bPart cPart dPart eSC-7 (5) Control Enhancement (M) (H)The information system at managed interfaces denies network traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).SC-7 (5)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-7 (5) What is the solution and how is it implemented?SC-7 (7) Control Enhancement (M) (H)The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. SC-7 (7)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? 
Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-7 (7) What is the solution and how is it implemented?SC-7 (8) Control Enhancement (M) (H)The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.SC-7 (8)Control Summary InformationResponsible Role: Parameter SC-7(8)-1: Parameter SC-7(8)-2: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-7 (8) What is the solution and how is it implemented?SC-7 (12) Control Enhancement (M) The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. SC-7 (12)Control Summary InformationResponsible Role: Parameter SC-7(12)-1: Parameter SC-7(12)-2: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? 
Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-7 (12) What is the solution and how is it implemented?SC-7 (13) Control Enhancement (M) The organization isolates [FedRAMP Assignment: See SC-7 (13) additional FedRAMP Requirements and Guidance] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.SC-7 (13) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets. SC-7 (13)Control Summary InformationResponsible Role: Parameter SC-7(13): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-7 (13) What is the solution and how is it implemented?SC-7 (18) Control Enhancement (M) (H)The information system fails securely in the event of an operational failure of a boundary protection device.SC-7 (18)Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? 
Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-7 (18) What is the solution and how is it implemented?SC-8 Transmission confidentiality and Integrity (M) (H)The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.SC-8Control Summary InformationResponsible Role: Parameter SC-8: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-8 What is the solution and how is it implemented?SC-8 (1) Control Enhancement (M) (H)The information system implements cryptographic mechanisms to [FedRAMP Assignment: prevent unauthorized disclosure of information AND detect changes to information] during transmission unless otherwise protected by [FedRAMP Assignment: a hardened or alarmed carrier Protective Distribution System (PDS)]. SC-8 (1)Control Summary InformationResponsible Role: Parameter SC-8 (1)-1: Parameter SC-8 (1)-2: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? 
Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-8 (1) What is the solution and how is it implemented?SC-10 Network Disconnect (M)The information system terminates the network connection associated with a communications session at the end of the session or after [FedRAMP Assignment: no longer than thirty (30) minutes for RAS-based sessions and no longer than sixty (60) minutes for non-interactive user sessions] of inactivity.SC-10Control Summary InformationResponsible Role: Parameter SC-10: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-10 What is the solution and how is it implemented?SC-12 Cryptographic Key Establishment & Management (L) (M) (H)The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].SC-12 Additional FedRAMP Requirements and Guidance: Guidance: Federally approved and validated cryptography.SC-12Control Summary InformationResponsible Role: Parameter SC-12: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? 
Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-12 What is the solution and how is it implemented?SC-12 (2) Control Enhancement (M) (H)The organization produces, controls, and distributes symmetric cryptographic keys using [FedRAMP Selection: NIST FIPS-compliant] key management technology and processes. SC-12 (2)Control Summary InformationResponsible Role: Parameter SC-12 (2): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-12 (2) What is the solution and how is it implemented?SC-12 (3) Control Enhancement (M) (H)The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key]. SC-12 (3)Control Summary InformationResponsible Role: Parameter SC-12 (3): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? 
Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-12 (3) What is the solution and how is it implemented?SC-13 Use of Cryptography (L) (M) (H)The information system implements [FedRAMP Assignment: FIPS-validated or NSA-approved cryptography] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.SC-13Control Summary InformationResponsible Role: Parameter SC-13: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-13 What is the solution and how is it implemented?SC-15 Collaborative Computing Devices (M) (H)The information system:Prohibits remote activation of collaborative computing devices with the following exceptions:[FedRAMP Assignment: no exceptions]; andProvides an explicit indication of use to users physically present at the devices.SC-15 Additional FedRAMP Requirements and Guidance: Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.SC-15Control Summary InformationResponsible Role: Parameter SC-15(a): Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? 
Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-15 What is the solution and how is it implemented?Part aPart bSC-15 Additional FedRAMP Requirements and Guidance: Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.SC-15 Req.Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-15 What is the solution and how is it implemented?Req. 1SC-17 Public Key Infrastructure Certificates (M) (H)The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.SC-17Control Summary InformationResponsible Role: Parameter SC-17: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? 
Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-17 What is the solution and how is it implemented?SC-18 Mobile Code (M) (H)The organization:Defines acceptable and unacceptable mobile code and mobile code technologies;Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; andAuthorizes, monitors, and controls the use of mobile code within the information system.SC-18Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-18 What is the solution and how is it implemented?Part aPart bPart cSC-19 Voice Over Internet Protocol (M) (H)The organization:Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; andAuthorizes, monitors, and controls the use of VoIP within the information system.SC-19Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? 
Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-19 What is the solution and how is it implemented?Part aPart bSC-20 Secure Name / Address Resolution Service (Authoritative Source) (L) (M) (H)The information system: Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. SC-20Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization SC-20 What is the solution and how is it implemented?Part aPart bSC-21 Secure Name / Address Resolution Service (Recursive or Caching Resolver) (L) (M) (H)The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.SC-21Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-21 What is the solution and how is it implemented?SC-22 Architecture and Provisioning for Name / Address Resolution Service (L) (M) (H)The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.SC-22Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization SC-22 What is the solution and how is it implemented?SC-23 Session Authenticity (M) (H)The information system protects the authenticity of communications sessions.SC-23Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-23 What is the solution and how is it implemented?SC-28 Protection of Information at Rest (M) (H)The information system protects the [FedRAMP Selection: confidentiality AND integrity]] of [Assignment: organization-defined information at rest]. SC-28 Additional FedRAMP Requirements and Guidance: Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest. SC-28Control Summary InformationResponsible Role: Parameter SC-28-1: Parameter SC-28-2: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization SC-28 What is the solution and how is it implemented?SC-28 (1) Control Enhancement (M)The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]SC-28 (1)Control Summary InformationResponsible Role: Parameter SC-28(1)-1: Parameter SC-28(1)-2: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization SC-28 (1) What is the solution and how is it implemented?SC-39 Process Isolation (L) (M) (H)The information system maintains a separate execution domain for each executing process.SC-39Control Summary InformationResponsible Role: Implementation Status (check all that apply):? Implemented? Partially implemented? Planned? Alternative implementation? Not applicableControl Origination (check all that apply):? Service Provider Corporate? Service Provider System Specific? Service Provider Hybrid (Corporate and System Specific)? Configured by Customer (Customer System Specific) ? Provided by Customer (Customer System Specific) ? Shared (Service Provider and Customer Responsibility)? Inherited from pre-existing FedRAMP Authorization for Click here to enter text. 
, Date of Authorization

SC-39 What is the solution and how is it implemented?

System and Information Integrity (SI)

SI-1 System and Information Integrity Policy and Procedures (L) (M)
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
   1. System and information integrity policy [FedRAMP Assignment: at least every three (3) years]; and
   2. System and information integrity procedures [FedRAMP Assignment: at least annually].

SI-1 Control Summary Information
Responsible Role:
Parameter SI-1(a):
Parameter SI-1(b)(1):
Parameter SI-1(b)(2):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific)

SI-1 What is the solution and how is it implemented?
Part a
Part b

SI-2 Flaw Remediation (L) (M) (H)
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [FedRAMP Assignment: thirty (30) days of release of updates] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process.

SI-2 Control Summary Information
Responsible Role:
Parameter SI-2(c):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-2 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

SI-2 (2) Control Enhancement (M) (H)
The organization employs automated mechanisms [FedRAMP Assignment: at least monthly] to determine the state of information system components with regard to flaw remediation.

SI-2 (2) Control Summary Information
Responsible Role:
Parameter SI-2 (2):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-2 (2) What is the solution and how is it implemented?

SI-2 (3) Control Enhancement (M) (H)
The organization:
a. Measures the time between flaw identification and flaw remediation; and
b. Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.

SI-2 (3) Control Summary Information
Responsible Role:
Parameter SI-2(3)(b):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-2 (3) What is the solution and how is it implemented?
Part a
Part b

SI-3 Malicious Code Protection (L) (M)
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
   1. Perform periodic scans of the information system [FedRAMP Assignment: at least weekly] and real-time scans of files from external sources at [FedRAMP Assignment: to include endpoints] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
   2. [FedRAMP Assignment: to include alerting administrator or defined security personnel] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

SI-3 Control Summary Information
Responsible Role:
Parameter SI-3(c)(1)-1:
Parameter SI-3(c)(1)-2:
Parameter SI-3(c)(2):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-3 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

SI-3 (1) Control Enhancement (M) (H)
The organization centrally manages malicious code protection mechanisms.

SI-3 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-3 (1) What is the solution and how is it implemented?

SI-3 (2) Control Enhancement (M) (H)
The information system automatically updates malicious code protection mechanisms.

SI-3 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-3 (2) What is the solution and how is it implemented?

SI-3 (7) Control Enhancement (M) (H)
The information system implements nonsignature-based malicious code detection mechanisms.

SI-3 (7) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-3 (7) What is the solution and how is it implemented?

SI-4 Information System Monitoring (L) (M) (H)
The organization:
a. Monitors the information system to detect:
   1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
   2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

SI-4 Additional FedRAMP Requirements and Guidance:
Guidance: See US-CERT Incident Response Reporting Guidelines.

SI-4 Control Summary Information
Responsible Role:
Parameter SI-4(a)(1):
Parameter SI-4(b):
Parameter SI-4(g)-1:
Parameter SI-4(g)-2:
Parameter SI-4(g)-3:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-4 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d
Part e
Part f
Part g

SI-4 (1) Control Enhancement (M) (H)
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

SI-4 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-4 (1) What is the solution and how is it implemented?

SI-4 (2) Control Enhancement (M) (H)
The organization employs automated tools to support near real-time analysis of events.

SI-4 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-4 (2) What is the solution and how is it implemented?

SI-4 (4) Control Enhancement (M) (H)
The information system monitors inbound and outbound communications traffic [FedRAMP Assignment: continuously] for unusual or unauthorized activities or conditions.

SI-4 (4) Control Summary Information
Responsible Role:
Parameter SI-4(4):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-4 (4) What is the solution and how is it implemented?

SI-4 (5) Control Enhancement (M) (H)
The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

SI-4 (5) Additional FedRAMP Requirements and Guidance:
Guidance: In accordance with the incident response plan.

SI-4 (5) Control Summary Information
Responsible Role:
Parameter SI-4(5)-1:
Parameter SI-4(5)-2:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-4 (5) What is the solution and how is it implemented?

SI-4 (14) Control Enhancement (M) (H)
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

SI-4 (14) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-4 (14) What is the solution and how is it implemented?

SI-4 (16) Control Enhancement (M) (H)
The organization correlates information from monitoring tools employed throughout the information system.

SI-4 (16) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-4 (16) What is the solution and how is it implemented?

SI-4 (23) Control Enhancement (M) (H)
The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components].

SI-4 (23) Control Summary Information
Responsible Role:
Parameter SI-4(23)-1:
Parameter SI-4(23)-2:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-4 (23) What is the solution and how is it implemented?

SI-5 Security Alerts & Advisories (L) (M) (H)
The organization:
a. Receives information system security alerts, advisories, and directives from [FedRAMP Assignment: to include US-CERT] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to [FedRAMP Assignment: to include system security personnel and administrators with configuration/patch-management responsibilities]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

SI-5 Control Summary Information
Responsible Role:
Parameter SI-5(a):
Parameter SI-5(c):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-5 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

SI-6 Security Functionality Verification (M) (H)
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [FedRAMP Assignment: to include upon system startup and/or restart at least monthly];
c. Notifies [FedRAMP Assignment: to include system administrators and security personnel] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [FedRAMP Assignment: to include notification of system administrators and security personnel]] when anomalies are discovered.

SI-6 Control Summary Information
Responsible Role:
Parameter SI-6(a):
Parameter SI-6(b):
Parameter SI-6(c):
Parameter SI-6(d)-1:
Parameter SI-6(d)-2:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-6 What is the solution and how is it implemented?
Part a
Part b
Part c
Part d

SI-7 Software & Information Integrity (M) (H)
The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

SI-7 Control Summary Information
Responsible Role:
Parameter SI-7:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-7 What is the solution and how is it implemented?

SI-7 (1) Control Enhancement (M) (H)
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [FedRAMP Selection (one or more): at startup; at [FedRAMP Assignment: to include security-relevant events]; [FedRAMP Assignment: at least monthly]].

SI-7 (1) Control Summary Information
Responsible Role:
Parameter SI-7(1)-1:
Parameter SI-7(1)-2:
Parameter SI-7(1)-3:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-7 (1) What is the solution and how is it implemented?

SI-7 (7) Control Enhancement (M) (H)
The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.

SI-7 (7) Control Summary Information
Responsible Role:
Parameter SI-7 (7):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-7 (7) What is the solution and how is it implemented?

SI-8 Spam Protection (M) (H)
The organization:
a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policies and procedures.

SI-8 Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-8 What is the solution and how is it implemented?
Part a
Part b

SI-8 (1) Control Enhancement (M) (H)
The organization centrally manages spam protection mechanisms.

SI-8 (1) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-8 (1) What is the solution and how is it implemented?

SI-8 (2) Control Enhancement (M) (H)
The organization automatically updates spam protection mechanisms.

SI-8 (2) Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-8 (2) What is the solution and how is it implemented?

SI-10 Information Input Validation (M) (H)
The information system checks the validity of [Assignment: organization-defined information inputs].

SI-10 Control Summary Information
Responsible Role:
Parameter SI-10:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-10 What is the solution and how is it implemented?

SI-11 Error Handling (M) (H)
The information system:
a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
b. Reveals error messages only to [Assignment: organization-defined personnel or roles].

SI-11 Control Summary Information
Responsible Role:
Parameter SI-11(b):
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-11 What is the solution and how is it implemented?
Part a
Part b

SI-12 Information Output Handling and Retention (L) (M) (H)
The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

SI-12 Control Summary Information
Responsible Role:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-12 What is the solution and how is it implemented?

SI-16 Memory Protection (M) (H)
The information system implements [Assignment: organization-defined fail-safe procedures] to protect its memory from unauthorized code execution.

SI-16 Control Summary Information
Responsible Role:
Parameter SI-16-1:
Implementation Status (check all that apply): ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization

SI-16 What is the solution and how is it implemented?

Acronyms
The master list of FedRAMP acronym and glossary definitions for all FedRAMP templates is available on the FedRAMP website Documents page. Please send suggestions about corrections, additions, or deletions to info@fedramp.gov.

SYSTEMS SECURITY PLAN ATTACHMENTS
Instruction: Attach any documents that are referred to in the Information System Name (Enter Information System Abbreviation) System Security Plan. For each document and attachment, provide the title, version and exact file name, including the file extension. All attachments and associated documents must be delivered separately. No embedded documents will be accepted.
Delete this and all other instructions from your final version of this document.

Attachments
A recommended attachment file naming convention is <information system abbreviation> <attachment number> <document abbreviation> <version number> (for example, "Information System Abbreviation A8 IRP v1.0"). Use this convention to generate names for the attachments.
Enter the appropriate file names and file extensions in Table 15-1 to describe the attachments provided. Make only the following additions/changes to Table 15-1:
- The first item, Information Security Policies and Procedures (ISPP), may be fulfilled by multiple documents. If that is the case, add lines to Table 15-1 Attachment File Naming Convention to differentiate between them using the "xx" portion of the File Name. Example: Enter Information System Abbreviation A1 ISPP xx v1.0. Delete the "xx" if there is only one document.
- Enter the file extension for each attachment.
- Do not change the Version Number in the File Name in Table 15-1 Attachment File Naming Convention. (Information System Abbreviation, attachment number, document abbreviation, version number)

Table 15-1. Names of Provided Attachments
Attachment | File Name | File Extension
Information Security Policies and Procedures | Enter Information System Abbreviation A1 ISPP xx v1.0. | enter extension
User Guide | Enter Information System Abbreviation A2 UG v1.0. | enter extension
Digital Identity Worksheet | Included in Section 15 |
PTA | Included in Section 15 |
PIA (if needed) | Enter Information System Abbreviation A4 PIA v1.0. | enter extension
Rules of Behavior | Enter Information System Abbreviation A5 ROB v1.0. | enter extension
Information System Contingency Plan | Enter Information System Abbreviation A6 ISCP v1.0. | enter extension
Configuration Management Plan | Enter Information System Abbreviation A7 CMP v1.0. | enter extension
Incident Response Plan | Enter Information System Abbreviation A8 IRP v1.0. | enter extension
CIS Workbook | Enter Information System Abbreviation A9 CIS Workbook v1.0. | enter extension
FIPS 199 | Included in Section 15 |
Inventory | Enter Information System Abbreviation A13 INV v1.0. | enter extension

Information Security Policies and Procedures
All Authorization Packages must include an Information Security Policies and Procedures attachment, which will be reviewed for quality.

User Guide
All Authorization Packages must include a User Guide attachment, which will be reviewed for quality.

Digital Identity Worksheet
This Attachment Section has been revised to include the Digital Identity template. Therefore, a separate attachment is not needed. Delete this note and all other instructions from your final version of this document.

The Digital Identity section explains the objective for selecting the appropriate Digital Identity levels for the candidate system. Guidance on selecting the system authentication technology solution is available in NIST SP 800-63, Revision 3, Digital Identity Guidelines.

Introduction and Purpose
This document provides guidance on digital identity services (Digital Identity, which is the process of establishing confidence in user identities electronically presented to an information system). Authentication focuses on the identity proofing process (IAL), the authentication process (AAL), and the assertion protocol used in a federated environment to communicate authentication and attribute information (if applicable) (FAL). NIST SP 800-63-3, Digital Identity Guidelines, does not recognize the four Levels of Assurance model previously used by federal agencies and described in OMB M-04-04, instead requiring agencies to individually select levels corresponding to each function being performed.

NIST SP 800-63-3 can be found at the following URL: NIST SP 800-63-3

Information System Name/Title
This Digital Identity Plan provides an overview of the security requirements for the (Enter Information System Abbreviation) in accordance with NIST SP 800-63-3.

Table 15-2. Information System Name and Title
Unique Identifier | Information System Name | Information System Abbreviation
Enter FedRAMP Application Number. | Information System Name | Enter Information System Abbreviation

Digital Identity Level Definitions
NIST SP 800-63-3 defines three levels in each of the components of identity assurance to categorize a federal information system's Digital Identity posture. NIST SP 800-63-3 defines the Digital Identity levels as:
- IAL – refers to the identity proofing process.
- AAL – refers to the authentication process.
- FAL – refers to the strength of an assertion in a federated environment, used to communicate authentication and attribute information (if applicable) to a relying party (RP).

FedRAMP maps its system categorization levels to NIST 800-63-3's levels as shown in Table 15-3:

Table 15-3. Mapping FedRAMP Levels to NIST SP 800-63-3 Levels
FedRAMP System Categorization | Identity Assurance Level (IAL) | Authenticator Assurance Level (AAL) | Federation Assurance Level (FAL)
High | IAL3: In-person, or supervised remote identity proofing | AAL3: Multi-factor required based on hardware-based cryptographic authenticator and approved cryptographic techniques | FAL3: The subscriber (user) must provide proof of possession of a cryptographic key, which is referenced by the assertion. The assertion is signed and encrypted by the identity provider, such that only the relying party can decrypt it
Moderate | IAL2: In-person or remote, potentially involving a "trusted referee" | AAL2: Multi-factor required, using approved cryptographic techniques | FAL2: Assertion is signed and encrypted by the identity provider, such that only the relying party can decrypt it
Low | IAL1: Self-asserted | AAL1: Single-factor or multi-factor | FAL1: Assertion is digitally signed by the identity provider
FedRAMP Tailored LI-SaaS | IAL1: Self-asserted | AAL1: Single-factor or multi-factor | FAL1: Assertion is digitally signed by the identity provider

Selecting the appropriate Digital Identity level for a system enables the system owner to determine the right system authentication technology solution for the selected Digital Identity levels.
Guidance on selecting the system authentication technology solution is available in NIST SP 800-63-3.

Review Maximum Potential Impact Levels
CSP Name has assessed the potential risk from Digital Identity errors, or Digital Identity misuse, related to a user's asserted identity. CSP Name has taken into consideration the potential for harm (impact) and the likelihood of the occurrence of the harm and has identified an impact profile as found in Table 15-4 Potential Impacts for Assurance Levels.

Assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.

Table 15-4. Potential Impacts for Assurance Levels
Potential Impact Categories | Assurance Level Impact Profile 1 | Assurance Level Impact Profile 2 | Assurance Level Impact Profile 3
Inconvenience, distress or damage to standing or reputation | Low | Mod | High
Financial loss or agency liability | Low | Mod | High
Harm to agency programs or public interests | N/A | Low/Mod | High
Unauthorized release of sensitive information | N/A | Low/Mod | High
Personal Safety | N/A | Low | Mod/High
Civil or criminal violations | N/A | Low/Mod | High

Digital Identity Level Selection
Instruction: Select the lowest level that will cover all potential impact identified from Table 15-4 Potential Impacts for Assurance Levels.
Delete this instruction from your final version of this document.

The CSP Name has identified that they support the Digital Identity Level that has been selected for the <Information System Name> as noted in Table 15-5 Digital Identity Level. The selected Digital Identity Level indicated is supported for federal agency consumers of the cloud service offering.
Implementation details of the Digital Identity mechanisms are provided in the System Security Plan under control IA-2.

Table 15-5. Digital Identity Level

Digital Identity Level | Maximum Impact Profile | Selection
Level 1: AAL1, IAL1, FAL1 | Low | [ ]
Level 2: AAL2, IAL2, FAL2 | Moderate | [ ]
Level 3: AAL3, IAL3, FAL3 | High | [ ]

PTA / PIA

This Attachment Section has been revised to include the PTA Template. Therefore, a separate PTA attachment is not needed. If any of the answers to Questions 1-4 are “Yes” then complete a Privacy Impact Assessment Template and include it as an Attachment. Delete this note and all other instructions from your final version of this document.

All Authorization Packages must include a Privacy Threshold Analysis (PTA) and, if necessary, the Privacy Impact Assessment (PIA) attachment, which will be reviewed for quality. The PTA is included in this section, and the PIA Template can be found on the following FedRAMP website page: Templates.

The PTA and PIA Templates include a summary of laws, regulations and guidance related to privacy issues in ATTACHMENT 12 – FedRAMP Laws and Regulations.

Privacy Overview and Point of Contact (POC)

The individual listed in Table 15-6 Information System Name Privacy POC is identified as the Information System Name Privacy Officer and POC for privacy at CSP Name.

Table 15-6. Information System Name Privacy POC

Name | Click here to enter text.
Title | Click here to enter text.
CSP / Organization | Click here to enter text.
Address | Click here to enter text.
Phone Number | Click here to enter text.
Email Address | Click here to enter text.

Applicable Laws and Regulations

The FedRAMP Laws and Regulations may be found on: Templates. A summary of FedRAMP Laws and Regulations is included in the System Security Plan (SSP) ATTACHMENT 12 – FedRAMP Laws and Regulations.
Table 15-7 <Information System Name> Laws and Regulations includes additional laws and regulations that are specific to <Information System Name>. These will include laws and regulations from the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB) circulars, Public Law (PL), United States Code (USC), and Homeland Security Presidential Directives (HSPD).

Table 15-7. <Information System Name> Laws and Regulations

Identification Number | Title | Date | Link
Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text.
Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text.

Applicable Standards and Guidance

The FedRAMP Standards and Guidance may be found on: Templates. The FedRAMP Standards and Guidance are included in the System Security Plan (SSP) ATTACHMENT 12 – FedRAMP Laws and Regulations. For more information, see the FedRAMP website. Table 15-8 <Information System Name> Standards and Guidance includes any additional standards and guidance that are specific to <Information System Name>. These will include standards and guidance from Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) Special Publications (SP).

Table 15-8. <Information System Name> Standards and Guidance

Identification Number | Title | Date | Link
Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text.
Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text.

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) as defined in OMB Memorandum M-07-16 refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Information that could be tied to more than one person (date of birth) is not considered PII unless it is made available with other types of information that together could render both values as PII (for example, date of birth and street address). A non-exhaustive list of examples of types of PII includes:

Social Security numbers
Passport numbers
Driver’s license numbers
Biometric information
DNA information
Bank account numbers

PII does not refer to business information or government information that cannot be traced back to an individual person.

Privacy Threshold Analysis

CSP Name performs a Privacy Threshold Analysis annually to determine if PII is collected by any of the <Information System Name> (Enter Information System Abbreviation) components. If PII is discovered, a Privacy Impact Assessment is performed. The Privacy Impact Assessment template used by CSP Name can be found in Section 3. This section constitutes the Privacy Threshold Analysis and findings.

Qualifying Questions

Select One | 1. Does the ISA collect, maintain, or share PII in any identifiable form?
Select One | 2. Does the ISA collect, maintain, or share PII information from or about the public?
Select One | 3. Has a Privacy Impact Assessment ever been performed for the ISA?
Select One | 4. Is there a Privacy Act System of Records Notice (SORN) for this ISA system?
If yes, the SORN identifier and name is: Enter SORN ID/Name.

If the answers to Questions 1-4 are all “No”, then a Privacy Impact Assessment may be omitted. If any of the answers to Questions 1-4 are “Yes”, then complete a Privacy Impact Assessment.

Designation

Check one.
[ ] A Privacy Sensitive System
[ ] Not a Privacy Sensitive System (in its current version)

The Privacy Impact Assessment Template can be found on the following FedRAMP website page: Templates.

Rules of Behavior

All Authorization Packages must include a Rules of Behavior (RoB) attachment, which will be reviewed for quality. The RoB describes controls associated with user responsibilities and certain expectations of behavior for following security policies, standards and procedures. Security control PL-4 requires a CSP to implement rules of behavior. The Rules of Behavior Template can be found on the following FedRAMP website page: Templates.

The Template provides two example sets of rules of behavior: one for Internal Users and one for External Users. The CSP should modify each of these two sets to define the rules of behavior necessary to secure their system.

Information System Contingency Plan

All Authorization Packages must include an Information System Contingency Plan attachment, which will be reviewed for quality. The Information System Contingency Plan Template can be found on the following FedRAMP website page: Templates.

The Information System Contingency Plan Template is provided for CSPs, 3PAOs, government contractors working on FedRAMP projects, government employees working on FedRAMP projects and any outside organizations that want to make use of the FedRAMP Contingency Planning process.

Configuration Management Plan

All Authorization Packages must include a Configuration Management Plan attachment, which will be reviewed for quality.

Incident Response Plan

All Authorization Packages must include an Incident Response Plan attachment, which will be reviewed for quality.
CIS Workbook

All Authorization Packages must include a Control Implementation Summary (CIS) Workbook attachment, which will be reviewed for quality. The Template can be found on the following FedRAMP website page: Templates.

FIPS 199

This Attachment Section has been revised to include the FIPS 199 Template. Therefore, a separate FIPS 199 attachment is not needed. Delete this note and all other instructions from your final version of this document.

All Authorization Packages must include a Federal Information Processing Standard (FIPS) 199 Section, which will be reviewed for quality. The FIPS 199 Categorization report includes the determination of the security impact level for the cloud environment that may host any or all of the service models: IaaS, PaaS and SaaS. The ultimate goal of the security categorization is for the CSP to be able to select and implement the FedRAMP security controls applicable to its environment.

Introduction and Purpose

This section is intended to be used by service providers who are applying for an Authorization through the U.S. federal government FedRAMP program.

The Federal Information Processing Standard 199 (FIPS 199) Categorization (Security Categorization) report is a key document in the security authorization package developed for submission to the Federal Risk and Authorization Management Program (FedRAMP) authorizing officials. The FIPS 199 Categorization report includes the determination of the security impact level for the cloud environment that may host any or all of the service models (Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)).
The ultimate goal of the security categorization is for the cloud service provider (CSP) to be able to select and implement the FedRAMP security controls applicable to its environment.

The purpose of the FIPS 199 Categorization report is for the CSP to assess and complete the categorization of their cloud environment, to provide the categorization to the System Owner/Certifier and the FedRAMP Joint Authorization Board (JAB), and to help them make a determination of the CSP’s ability to host systems at that level. The completed security categorization report will aid the CSP in selection and implementation of FedRAMP security controls at the determined categorization level.

Scope

The scope of the FIPS 199 Categorization report includes the assessment of the information type categories as defined in the NIST Special Publication 800-60 Volume II Revision 1, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories.

System Description

The <Information System Name> system has been determined to have a security categorization of Choose level.

Instruction: Insert a brief high-level description of the system, the system environment and the purpose of the system. The description should be consistent with the description found in the System Security Plan (SSP). Delete this instruction from your final version of this document.

Methodology

Instruction: The CSP should review the NIST Special Publication 800-60 Volume 2 Revision 1 Appendix C, Management and Support Information and Information System Impact Levels, and Appendix D, Impact Determination for Mission-Based Information and Information Systems, to assess the recommended impact level for each of the information types. For more information, the CSP should also consult Appendix D.2.
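As an added worked example (not part of the FedRAMP template, and not using real NIST SP 800-60 values), the following carries out the categorization steps this methodology describes for Table 15-9: each applicable information type carries a NIST-recommended and a CSP-selected impact level for confidentiality, integrity and availability; the system's category for each objective is the high watermark of the selected levels across all information types; the overall FIPS 199 level is the highest of the three; and any row whose CSP-selected levels depart from the NIST recommendation without a statement in the justification column is reported. The information type names and their levels are constructed placeholders; the SC = {(objective, impact), ...} rendering is FIPS 199's own notation for a security category.

```python
"""FIPS 199 categorization as a high watermark over information types.

Added example, not part of the FedRAMP SSP template. The information types
and impact levels below are constructed placeholders, not NIST SP 800-60
values; a CSP fills Table 15-9 from NIST SP 800-60 V2 R1 Appendices C and D.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")            # FIPS 199 impact levels, ascending
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationType:
    """One row of Table 15-9: recommended and selected levels per objective."""
    name: str
    nist_recommended: dict    # objective -> level taken from NIST SP 800-60 V2 R1
    csp_selected: dict        # objective -> level determined by the CSP
    justification: str = ""   # required whenever csp_selected differs from nist_recommended


def _check_levels(levels: dict, where: str) -> None:
    """Reject rows that omit an objective or use a level outside FIPS 199."""
    missing = set(OBJECTIVES) - set(levels)
    if missing:
        raise ValueError(f"{where}: missing objective(s) {sorted(missing)}")
    unknown = [v for v in levels.values() if v not in RANK]
    if unknown:
        raise ValueError(f"{where}: unknown impact level(s) {unknown}")


def categorize(info_types: list) -> dict:
    """Return the per-objective high watermark, the overall level, and the
    names of rows whose impact adjustment lacks the required justification."""
    if not info_types:
        raise ValueError("at least one applicable information type is required")
    watermark = {obj: "Low" for obj in OBJECTIVES}   # FIPS 199 floor is Low
    unjustified = []
    for it in info_types:
        _check_levels(it.nist_recommended, f"{it.name} (NIST recommended)")
        _check_levels(it.csp_selected, f"{it.name} (CSP selected)")
        for obj in OBJECTIVES:
            if RANK[it.csp_selected[obj]] > RANK[watermark[obj]]:
                watermark[obj] = it.csp_selected[obj]
        # Table 15-9 instruction: a level that differs from NIST needs an explanation.
        if it.csp_selected != it.nist_recommended and not it.justification.strip():
            unjustified.append(it.name)
    overall = max(watermark.values(), key=RANK.__getitem__)
    return {
        "security_category": watermark,
        "overall": overall,
        "unjustified_adjustments": unjustified,
    }


def format_security_category(result: dict) -> str:
    """Render the result in FIPS 199's SC = {(objective, impact), ...} notation."""
    parts = ", ".join(f"({obj}, {result['security_category'][obj]})" for obj in OBJECTIVES)
    return f"SC = {{{parts}}}"


# Constructed sample rows (placeholder names and levels, not NIST SP 800-60 data).
SAMPLE_TYPES = [
    InformationType(
        name="Customer account records (constructed)",
        nist_recommended={"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"},
        csp_selected={"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"},
    ),
    InformationType(
        name="System audit logs (constructed)",
        nist_recommended={"confidentiality": "Low", "integrity": "Moderate", "availability": "Low"},
        csp_selected={"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"},
        justification="Logs carry session identifiers linkable to named users.",
    ),
    InformationType(
        name="Public status page content (constructed)",
        nist_recommended={"confidentiality": "Low", "integrity": "Low", "availability": "Low"},
        csp_selected={"confidentiality": "Low", "integrity": "Low", "availability": "Moderate"},
        # no justification given: categorize() reports this row
    ),
]

if __name__ == "__main__":
    result = categorize(SAMPLE_TYPES)
    print(format_security_category(result), "->", result["overall"])
    for name in result["unjustified_adjustments"]:
        print("justification required:", name)
```

The watermark is taken over the CSP-selected columns because those are the levels the report asserts; the NIST-recommended columns serve only to detect adjustments that must be explained. Raising availability on one low-value information type is enough to lift the whole system's availability category, which is exactly why the template asks for a written justification on every adjusted row.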
After reviewing the NIST guidance on Information Types, the CSP should fill out Table 15-9 CSP Applicable Information Types with Security Impact Levels Using NIST SP 800-60 V2 R1. Delete this instruction from your final version of this document.

Impact levels are determined for each information type based on the security objectives (confidentiality, integrity, availability). The confidentiality, integrity, and availability impact levels define the security sensitivity category of each information type. The FIPS PUB 199 categorization is the high watermark of the impact levels of all the applicable information types.

The FIPS PUB 199 analysis represents the information types and sensitivity levels of the CSP’s cloud service offering (and is not intended to include sensitivity levels of agency data). Customer agencies will be expected to perform a separate FIPS 199 Categorization report analysis for their own data hosted on the CSP’s cloud environment. The analysis must be added as an appendix to the SSP and drive the results for the Categorization section.

Instruction: In the first three columns, put the NIST SP 800-60 V2 R1 recommended impact level. In the next three columns, put in the CSP determined recommended impact level. If the CSP determined recommended impact level does not match the level recommended by NIST, put in an explanation in the last column as to why this decision was made. Delete this instruction from your final version of this document.

Table 15-9 CSP Applicable Information Types with Security Impact Levels Using NIST SP 800-60 V2 R1 below uses the NIST SP 800-60 V2 R1 Volume II Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories to identify information types with their security impacts.

Table 15-9. CSP Applicable Information Types with Security Impact Levels Using NIST SP 800-60 V2 R1

Information Type | NIST SP 800-60 V2 R1 Recommended Confidentiality Impact Level | NIST SP 800-60 V2 R1 Recommended Integrity Impact Level | NIST SP 800-60 V2 R1 Recommended Availability Impact Level | CSP Selected Confidentiality Impact Level | CSP Selected Integrity Impact Level | CSP Selected Availability Impact Level | Statement for Impact Adjustment Justification
Enter text. | Enter text. | Enter text. | Enter text. | Enter text. | Enter text. | Enter text. | Enter text.
Enter text. | Enter text. | Enter text. | Enter text. | Enter text. | Enter text. | Enter text. | Enter text.
Enter text. | Enter text. | Enter text. | Enter text. | Enter text. | Enter text. | Enter text. | Enter text.

Separation of Duties Matrix

All Authorization Packages have the option to provide a Separation of Duties Matrix attachment, which will be reviewed for quality. ATTACHMENT 11 - Separation of Duties Matrix is referenced in the following controls:
AC-5 Separation of Duties (M) (H), Additional FedRAMP Requirements and Guidance

FedRAMP Laws and Regulations

Table 15-10 FedRAMP Templates that Reference FedRAMP Laws and Regulations Standards and Guidance lists all of the FedRAMP templates in which FedRAMP laws, regulations, standards and guidance are referenced.

Table 15-10. FedRAMP Templates that Reference FedRAMP Laws and Regulations Standards and Guidance

Phase | Document | Title
Document Phase | SSP | System Security Plan
SSP Attachment 4 | PTA/PIA | Privacy Threshold Analysis and Privacy Impact Assessment
SSP Attachment 6 | ISCP | Information System Contingency Plan
SSP Attachment 10 | FIPS 199 | FIPS 199 Categorization
Assess Phase | SAP | Security Assessment Plan
Authorize Phase | SAR | Security Assessment Report

The FedRAMP Laws and Regulations can be submitted as an appendix or an attachment. The attachment can be found on this page: Templates.

Note: All NIST Computer Security Publications can be found at the following URL: http://csrc.nist.gov/publications/PubsSPs.html

FedRAMP Inventory Workbook

All Authorization Packages must include the Inventory attachment, which will be reviewed for quality.

When completed, FedRAMP will accept this inventory workbook as the inventory information required by the following:

System Security Plan
Security Assessment Plan
Security Assessment Report
Information System Contingency Plan
Initial POAM
Monthly Continuous Monitoring (POAM or as a separate document)

The FedRAMP Inventory Workbook can be found on the following FedRAMP website page: Templates.

Note: A complete and detailed list of the system hardware and software inventory is required per NIST SP 800-53, Rev 4 CM-8.
