Professional Documents
Culture Documents
4 Baseline
FedRAMP Control
Quick Guide
Control requirements are identified in the
FedRAMP SSP
ID
Family
Low
Moderate
AC
Access Control
11
18 (25)
AT
4 (1)
Control Name
AC-2
AC-3
AC-4
Access Enforcement
Information Flow Enforcement
AC-5
Separation of Duties
AC-6
Least Privilege
AC-1
Control Baseline
Low
Moderate
L
M
L
M(1,2,3,4,5,7,
9,10,12)
Additional
Req.
M(21)
M
M (1,2,5,9,10)
CA-2
CA-3
CA-5
CA-6
CA-7
CA-8
CA-9
11 (8)
AC-7
AC-8
8 (7)
AC-10
AC-11
Session Lock
M (1)
Control #
CM
AC-12
AC-14
M
M
CM-1
CP
Contingency Planning
9 (15)
AC-17
Session Termination
Permitted Actions Without Identifica- L
tion or Authentication
L
Remote Access
M (1,2,3,4,9)
Wireless Access
M (1)
CM-2
CM-3
M (5)
CM-4
CM-5
CM-6
CM-7
CM-8
CA
10
11 (15)
CA-1
Control Name
Security Assessment and Authorization Policies and Procedures
Security Assessments
System Interconnections
Plan of Action and Milestones
Security Authorization
Continuous Monitoring
Penetration Testing
Internal System Connections
AU
Control #
IA
7 (8)
8 (19)
AC-18
AC-19
IR
Incident Response
9 (9)
AC-20
M (1,2)
AC-21
Information Sharing
AC-22
MA
Maintenance
6 (5)
MP
Media Protection
7 (3)
PE
16 (4)
PL
Planning
4 (2)
PS
Personnel Security
8 (1)
RA
Risk Assessment
4 (6)
SA
6 (1)
9 (13)
Control #
SC
10
20 (12)
AT-1
12 (16)
125
325
AT-2
AT-3
AT-4
SI
AU-2
AU-3
AU-4
AU-5
AU-6
M (1)
M
G
G
G
Control Name
Control Baseline
Low
Moderate
L
M
L
M (1,2,3,7)
M
L
L
L
M (1,3,5)
M (1)
M (1,2,5)
M (1,3,5)
Additional
Req.
G
G
G
G
M
L
L
M (1)
M
AU-1
AU-7
Note: Controls
and
Enhancements
added by
FedRAMP are in
Bold.
M (1,2,3)
M (3,5)
M
M
M (1)
Control Name
Control Baseline
Low
Moderate
Security Awareness and Training Policy L
M
and Procedures
Security Awareness
L
M(2)
Security Training
L
M
Security Training Records
L
M
Control #
Additional
Req.
L (1)
L
L
L
L
Additional
Req.
CM-9
CM-10
CM-11
Control #
Legend:
Control Baseline
Low
Moderate
L
M
AU-8
AU-9
AU-11
AU-12
Control Name
Audit and Accountability Policy and
Procedures
Audit Events
Content of Audit Records
Audit Storage Capacity
Response to Audit Processing
Failures
Audit Review, Analysis, and Reporting
Audit Reduction and Report Generation
Time Stamps
Protection of Audit Information
Audit Record Retention
Audit Generation
Control Baseline
Low
Moderate
L
M
L
L
M (3)
M (1)
L
L
M
M
M (1,3)
M (1)
M (2,4)
M
M
CP-2
CP-3
CP-4
CP-6
CP-7
CP-8
CP-9
CP-10
CP-1
Additional
Req.
Control Baseline
Low
Moderate
L
M
L
L
L
Additional
Req.
M (1,2,3,8)
M
M (1)
M (1,3)
M (1,2,3)
M (1,2)
M (1,3)
M (2)
Control #
IA-1
IA-2
Control Name
Identification and Authentication
Policy and Procedures
Identification and Authentication
(Organizational Users)
Control Baseline
Low
Moderate
L
M
L (1,
12)
IA-4
IA-5
Authenticator Management
IA-6
Authenticator Feedback
IA-7
IA-3
M (1)
L
L
L
L
Control Name
IA-8
M (1,2,3,5,8,
11,12)
Additional
Req.
M
M (4)
L (1,
11)
L
M
(1,2,3,4,6,7,11)
M
L(1,2,
3,4)
M (1,2,3,4)
Planning (PL)
Control Name
IR-2
Control Baseline
Low
Moderate
Incident Response Policy and Proce- L
M
dures
L
M
Incident Response Training
IR-3
IR-4
IR-5
IR-6
IR-7
IR-8
IR-9
IR-1
L
L
L
L
L
Additional
Req.
Control #
PL-1
PL-2
PL-4
PL-8
Control Name
Control Baseline
Low
Moderate
Security Planning Policy and Proce- L
M
dures
L
M (3)
System Security Plan
L
M (1)
Rules of Behavior
M
Information Security Architecture
Additional
Req.
M (1)
M (1,2)
M
SC-8
M (1,2,3,4)
Control #
Maintenance (MA)
MA-1
MA-2
MA-3
MA-4
MA-5
MA-6
Control Name
System Maintenance Policy and
Procedures
Controlled Maintenance
Maintenance Tools
Nonlocal Maintenance
Maintenance Personnel
Timely Maintenance
Control Baseline
Low
Moderate
L
M
L
L
L
Additional
Req.
PS-1
Control Name
Control Baseline
Low
Moderate
Personnel Security Policy and Proce- L
M
dures
PS-2
PS-3
L
L
PS-4
Personnel Termination
M (3)
M
M (1,2,3)
M (2)
PS-5
PS-6
PS-7
PS-8
Personnel Transfer
Access Agreements
Third-Party Personnel Security
Personnel Sanctions
L
L
L
L
M
M
M
M
M (1)
M
Additional
Req.
Control #
Control Name
MP-2
MP-3
MP-4
MP-5
MP-6
MP-7
Media Storage
Media Transport
Media Sanitization
Media Use
Control Baseline
Low
Moderate
L
M
L
M
M
Additional
Req.
L
L
M (2)
M (1)
RA-1
RA-2
RA-3
RA-5
Control Name
Control Baseline
Low
Moderate
L
M
PE-2
PE-3
PE-4
PE-5
PE-6
M (1)
PE-8
PE-9
PE-10
Emergency Shutoff
PE-11
Emergency Power
PE-12
Emergency Lighting
PE-13
Fire Protection
M (2,3)
PE-14
PE-15
L
L
M (2)
M
PE-16
PE-17
PE-1
M
M
M
SC-13
SC-15
SC-17
SC-18
SC-19
SC-20
SC-21
SC-22
SC-23
SC-28
Session Authenticity
Protection of Information At Rest
SC-39
Process Isolation
Control Name
Risk Assessment Policy and Procedures
Security Categorization
Risk Assessment
Vulnerability Scanning
Control Baseline
Low
Moderate
L
M
Additional
Req.
M
M
M
M
M (3,4,5,7, 8,
12,13,18)
M (1)
M
L
M (2,3)
L
L
M
M
G
G
M
M
L
M
M
M
M
M(1)
L
L
L
M
M
M (1,2,3,5,6,8)
Additional
Req.
G
G
Control Baseline
Low
Moderate
L
M
M
M (4)
Control Name
System and Communications Protection Policy and Procedures
Application Partitioning
Information In Shared Resources
Denial of Service Protection
Resource Availability
Boundary Protection
Transmission Confidentiality and
Integrity
Network Disconnect
Cryptographic Key Establishment
and Management
Cryptographic Protection
Collaborative Computing Devices
SC-10
SC-12
SC-1
SC-2
SC-4
SC-5
SC-6
SC-7
M (2)
M (1)
M
Control #
Control #
Control #
Control Name
SA-2
SA-3
SA-4
SA-5
SA-8
SA-9
SA-1
SA-10
SA-11
Control Baseline
Low
Moderate
L
M
L
L
L (10)
M
M
M (1,2,8,9,10)
Additional
Req.
Control #
SI-1
SI-2
SI-3
SI-4
M
L
M (1,2,4,5)
SI-5
M (1)
SI-6
M (1,2,8)
SI-7
SI-8
SI-10
SI-11
SI-12
SI-16
Control Name
System and Information Integrity
Policy and Procedures
Flaw Remediation
Malicious Code Protection
Information System Monitoring
Control Baseline
Low
Moderate
L
M
L
L
L
M (2,3)
M (1,2,7)
M
(1,2,4,5,14,16,
23)
M
M
M (1,7)
M (1,2)
M
M
M
M
Additional
Req.