
FedRAMP Rev. 4 Baseline
FedRAMP Control Quick Guide
Control requirements are identified in the FedRAMP SSP

Legend:
Impact Level: L = Low / M = Moderate
Enhancements: (#, #)
Additional FedRAMP Requirements =
FedRAMP Guidance = G
Count = # of controls (# of enhancements)
Note: Controls and Enhancements added by FedRAMP are in Bold.

Baseline summary by control family

ID  | Family                                                 | Low    | Moderate
AC  | Access Control                                         | 11     | 18 (25)
AT  | Awareness and Training                                 | 4      | 4 (1)
AU  | Audit and Accountability                               | 10     | 11 (8)
CA  | Certification, Accreditation, and Security Assessment  | 7 (1)  | 8 (7)
CM  | Configuration Management                               | 8      | 11 (15)
CP  | Contingency Planning                                   | 6      | 9 (15)
IA  | Identification and Authentication                      | 7 (8)  | 8 (19)
IR  | Incident Response                                      | 7      | 9 (9)
MA  | Maintenance                                            | 4      | 6 (5)
MP  | Media Protection                                       | 4      | 7 (3)
PE  | Physical and Environmental Protection                  | 10     | 16 (4)
PL  | Planning                                               | 3      | 4 (2)
PS  | Personnel Security                                     | 8      | 8 (1)
RA  | Risk Assessment                                        | 4      | 4 (6)
SA  | System and Services Acquisition                        | 6 (1)  | 9 (13)
SC  | System and Communications Protection                   | 10     | 20 (12)
SI  | System and Information Integrity                       | 6      | 12 (16)
Totals (Controls and Enhancements):                          | 125    | 325

Access Control (AC)

Control # | Control Name                                                   | Low | Moderate
AC-1      | Access Control Policy and Procedures                           | L   | M
AC-2      | Account Management                                             | L   | M (1,2,3,4,5,7,9,10,12)
AC-3      | Access Enforcement                                             | L   | M
AC-4      | Information Flow Enforcement                                   |     | M (21)
AC-5      | Separation of Duties                                           |     | M
AC-6      | Least Privilege                                                |     | M (1,2,5,9,10)
AC-7      | Unsuccessful Logon Attempts                                    | L   | M
AC-8      | System Use Notification                                        | L   | M
AC-10     | Concurrent Session Control                                     |     | M
AC-11     | Session Lock                                                   |     | M (1)
AC-12     | Session Termination                                            |     | M
AC-14     | Permitted Actions Without Identification or Authentication     | L   | L
AC-17     | Remote Access                                                  | L   | M (1,2,3,4,9)
AC-18     | Wireless Access                                                | L   | M (1)
AC-19     | Access Control For Mobile Devices                              | L   | M (5)
AC-20     | Use of External Information Systems                            | L   | M (1,2)
AC-21     | Information Sharing                                            |     | M
AC-22     | Publicly Accessible Content                                    | L   | M

Awareness and Training (AT)

Control # | Control Name                                                   | Low | Moderate
AT-1      | Security Awareness and Training Policy and Procedures          | L   | M
AT-2      | Security Awareness                                             | L   | M (2)
AT-3      | Security Training                                              | L   | M
AT-4      | Security Training Records                                      | L   | M

Audit and Accountability (AU)

Control # | Control Name                                                   | Low | Moderate
AU-1      | Audit and Accountability Policy and Procedures                 | L   | M
AU-2      | Audit Events                                                   | L   | M (3)
AU-3      | Content of Audit Records                                       | L   | M (1)
AU-4      | Audit Storage Capacity                                         | L   | M
AU-5      | Response to Audit Processing Failures                          | L   | M
AU-6      | Audit Review, Analysis, and Reporting                          | L   | M (1,3)
AU-7      | Audit Reduction and Report Generation                          |     | M (1)
AU-8      | Time Stamps                                                    | L   | M (1)
AU-9      | Protection of Audit Information                                | L   | M (2,4)
AU-11     | Audit Record Retention                                         | L   | M
AU-12     | Audit Generation                                               | L   | M

Certification, Accreditation, & Sec. Assessment (CA)

Control # | Control Name                                                   | Low   | Moderate
CA-1      | Security Assessment and Authorization Policies and Procedures  | L     | M
CA-2      | Security Assessments                                           | L (1) | M (1,2,3)
CA-3      | System Interconnections                                        | L     | M (3,5)
CA-5      | Plan of Action and Milestones                                  | L     | M
CA-6      | Security Authorization                                         | L     | M
CA-7      | Continuous Monitoring                                          | L     | M (1)
CA-8      | Penetration Testing                                            |       | M (1)
CA-9      | Internal System Connections                                    | L     | M

Configuration Management (CM)

Control # | Control Name                                                   | Low | Moderate
CM-1      | Configuration Management Policy and Procedures                 | L   | M
CM-2      | Baseline Configuration                                         | L   | M (1,2,3,7)
CM-3      | Configuration Change Control                                   |     | M
CM-4      | Security Impact Analysis                                       | L   | M
CM-5      | Access Restrictions For Change                                 |     | M (1,3,5)
CM-6      | Configuration Settings                                         | L   | M (1)
CM-7      | Least Functionality                                            | L   | M (1,2,5)
CM-8      | Information System Component Inventory                         | L   | M (1,3,5)
CM-9      | Configuration Management Plan                                  |     | M
CM-10     | Software Usage Restrictions                                    | L   | M (1)
CM-11     | User-Installed Software                                        | L   | M

Contingency Planning (CP)

Control # | Control Name                                                   | Low | Moderate
CP-1      | Contingency Planning Policy and Procedures                     | L   | M
CP-2      | Contingency Plan                                               | L   | M (1,2,3,8)
CP-3      | Contingency Training                                           | L   | M
CP-4      | Contingency Plan Testing                                       | L   | M (1)
CP-6      | Alternate Storage Site                                         |     | M (1,3)
CP-7      | Alternate Processing Site                                      |     | M (1,2,3)
CP-8      | Telecommunications Services                                    |     | M (1,2)
CP-9      | Information System Backup                                      | L   | M (1,3)
CP-10     | Information System Recovery and Reconstitution                 | L   | M (2)

Identification and Authentication (IA)

Control # | Control Name                                                   | Low         | Moderate
IA-1      | Identification and Authentication Policy and Procedures        | L           | M
IA-2      | Identification and Authentication (Organizational Users)       | L (1,12)    | M (1,2,3,5,8,11,12)
IA-3      | Device Identification and Authentication                       |             | M
IA-4      | Identifier Management                                          | L           | M (4)
IA-5      | Authenticator Management                                       | L (1,11)    | M (1,2,3,4,6,7,11)
IA-6      | Authenticator Feedback                                         | L           | M
IA-7      | Cryptographic Module Authentication                            | L           | M
IA-8      | Identification and Authentication (Non-Organizational Users)   | L (1,2,3,4) | M (1,2,3,4)

Incident Response (IR)

Control # | Control Name                                                   | Low | Moderate
IR-1      | Incident Response Policy and Procedures                        | L   | M
IR-2      | Incident Response Training                                     | L   | M
IR-3      | Incident Response Testing                                      |     | M (2)
IR-4      | Incident Handling                                              | L   | M (1)
IR-5      | Incident Monitoring                                            | L   | M
IR-6      | Incident Reporting                                             | L   | M (1)
IR-7      | Incident Response Assistance                                   | L   | M (1,2)
IR-8      | Incident Response Plan                                         | L   | M
IR-9      | Information Spillage Response                                  |     | M (1,2,3,4)

Maintenance (MA)

Control # | Control Name                                                   | Low | Moderate
MA-1      | System Maintenance Policy and Procedures                       | L   | M
MA-2      | Controlled Maintenance                                         | L   | M
MA-3      | Maintenance Tools                                              |     | M (1,2,3)
MA-4      | Nonlocal Maintenance                                           | L   | M (2)
MA-5      | Maintenance Personnel                                          | L   | M (1)
MA-6      | Timely Maintenance                                             |     | M

Media Protection (MP)

Control # | Control Name                                                   | Low | Moderate
MP-1      | Media Protection Policy and Procedures                         | L   | M
MP-2      | Media Access                                                   | L   | M
MP-3      | Media Marking                                                  |     | M
MP-4      | Media Storage                                                  |     | M
MP-5      | Media Transport                                                |     | M (4)
MP-6      | Media Sanitization                                             | L   | M (2)
MP-7      | Media Use                                                      | L   | M (1)

Physical and Environmental Protection (PE)

Control # | Control Name                                                   | Low | Moderate
PE-1      | Physical and Environmental Protection Policy and Procedures    | L   | M
PE-2      | Physical Access Authorizations                                 | L   | M
PE-3      | Physical Access Control                                        | L   | M
PE-4      | Access Control For Transmission Medium                         |     | M
PE-5      | Access Control For Output Devices                              |     | M
PE-6      | Monitoring Physical Access                                     | L   | M (1)
PE-8      | Visitor Access Records                                         | L   | M
PE-9      | Power Equipment and Cabling                                    |     | M
PE-10     | Emergency Shutoff                                              |     | M
PE-11     | Emergency Power                                                |     | M
PE-12     | Emergency Lighting                                             | L   | M
PE-13     | Fire Protection                                                | L   | M (2,3)
PE-14     | Temperature and Humidity Controls                              | L   | M (2)
PE-15     | Water Damage Protection                                        | L   | M
PE-16     | Delivery and Removal                                           | L   | M
PE-17     | Alternate Work Site                                            |     | M

Planning (PL)

Control # | Control Name                                                   | Low | Moderate
PL-1      | Security Planning Policy and Procedures                        | L   | M
PL-2      | System Security Plan                                           | L   | M (3)
PL-4      | Rules of Behavior                                              | L   | M (1)
PL-8      | Information Security Architecture                              |     | M

Personnel Security (PS)

Control # | Control Name                                                   | Low | Moderate
PS-1      | Personnel Security Policy and Procedures                       | L   | M
PS-2      | Position Risk Designation                                      | L   | M
PS-3      | Personnel Screening                                            | L   | M (3)
PS-4      | Personnel Termination                                          | L   | M
PS-5      | Personnel Transfer                                             | L   | M
PS-6      | Access Agreements                                              | L   | M
PS-7      | Third-Party Personnel Security                                 | L   | M
PS-8      | Personnel Sanctions                                            | L   | M

Risk Assessment (RA)

Control # | Control Name                                                   | Low | Moderate
RA-1      | Risk Assessment Policy and Procedures                          | L   | M
RA-2      | Security Categorization                                        | L   | M
RA-3      | Risk Assessment                                                | L   | M
RA-5      | Vulnerability Scanning                                         | L   | M (1,2,3,5,6,8)

System and Services Acquisition (SA)

Control # | Control Name                                                   | Low    | Moderate
SA-1      | System and Services Acquisition Policy and Procedures          | L      | M
SA-2      | Allocation of Resources                                        | L      | M
SA-3      | System Development Life Cycle                                  | L      | M
SA-4      | Acquisition Process                                            | L (10) | M (1,2,8,9,10)
SA-5      | Information System Documentation                               | L      | M
SA-8      | Security Engineering Principles                                |        | M
SA-9      | External Information System Services                           | L      | M (1,2,4,5)
SA-10     | Developer Configuration Management                             |        | M (1)
SA-11     | Developer Security Testing and Evaluation                      |        | M (1,2,8)

System and Communication Protection (SC)

Control # | Control Name                                                          | Low | Moderate
SC-1      | System and Communications Protection Policy and Procedures            | L   | M
SC-2      | Application Partitioning                                              |     | M
SC-4      | Information In Shared Resources                                       |     | M
SC-5      | Denial of Service Protection                                          | L   | M
SC-6      | Resource Availability                                                 |     | M
SC-7      | Boundary Protection                                                   | L   | M (3,4,5,7,8,12,13,18)
SC-8      | Transmission Confidentiality and Integrity                            |     | M (1)
SC-10     | Network Disconnect                                                    |     | M
SC-12     | Cryptographic Key Establishment and Management                        | L   | M (2,3)
SC-13     | Cryptographic Protection                                              | L   | M
SC-15     | Collaborative Computing Devices                                       | L   | M
SC-17     | Public Key Infrastructure Certificates                                |     | M
SC-18     | Mobile Code                                                           |     | M
SC-19     | Voice Over Internet Protocol                                          |     | M
SC-20     | Secure Name / Address Resolution Service (Authoritative Source)       | L   | M
SC-21     | Secure Name / Address Resolution Service (Recursive or Caching Resolver) | L   | M
SC-22     | Architecture and Provisioning for Name / Address Resolution Service   | L   | M
SC-23     | Session Authenticity                                                  |     | M
SC-28     | Protection of Information At Rest                                     |     | M (1)
SC-39     | Process Isolation                                                     | L   | M

System and Information Integrity (SI)

Control # | Control Name                                                   | Low | Moderate
SI-1      | System and Information Integrity Policy and Procedures         | L   | M
SI-2      | Flaw Remediation                                               | L   | M (2,3)
SI-3      | Malicious Code Protection                                      | L   | M (1,2,7)
SI-4      | Information System Monitoring                                  | L   | M (1,2,4,5,14,16,23)
SI-5      | Security Alerts, Advisories, and Directives                    | L   | M
SI-6      | Security Function Verification                                 |     | M
SI-7      | Software, Firmware, and Information Integrity                  |     | M (1,7)
SI-8      | Spam Protection                                                |     | M (1,2)
SI-10     | Information Input Validation                                   |     | M
SI-11     | Error Handling                                                 |     | M
SI-12     | Information Handling and Retention                             | L   | M
SI-16     | Memory Protection                                              |     | M