💼 FedRAMP Moderate Security Controls

• Contextual name: 💼 FedRAMP Moderate Security Controls
• ID: /frameworks/fedramp-moderate-security-controls

Description

Empty...

Similar

• Internal
  • ID: dec-a-955a2536

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 Access Control	18
💼 AC-1 Policy and Procedures (L)(M)(H)
💼 AC-2 Account Management (L)(M)(H)	9		3
💼 AC-2(1) Automated System Account Management (M)(H)			16
💼 AC-2(2) Automated Temporary and Emergency Account Management (M)(H)
💼 AC-2(3) Disable Accounts (M)(H)			4
💼 AC-2(4) Automated Audit Actions (M)(H)			13
💼 AC-2(5) Inactivity Logout (M)(H)
💼 AC-2(7) Privileged User Accounts (M)(H)			7
💼 AC-2(9) Restrictions on Use of Shared and Group Accounts (M)(H)			2
💼 AC-2(12) Account Monitoring for Atypical Usage (M)(H)			2
💼 AC-2(13) Disable Accounts for High-risk Individuals (M)(H)
💼 AC-3 Access Enforcement (L)(M)(H)			46
💼 AC-4 Information Flow Enforcement (M)(H)	1		27
💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			38
💼 AC-5 Separation of Duties (M)(H)			1
💼 AC-6 Least Privilege (M)(H)	6		7
💼 AC-6(1) Authorize Access to Security Functions (M)(H)			4
💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)			4
💼 AC-6(5) Privileged Accounts (M)(H)			5
💼 AC-6(7) Review of User Privileges (M)(H)			2
💼 AC-6(9) Log Use of Privileged Functions (M)(H)			23
💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)			3
💼 AC-7 Unsuccessful Logon Attempts (L)(M)(H)			1
💼 AC-8 System Use Notification (L)(M)(H)
💼 AC-10 Concurrent Session Control (H)
💼 AC-11 Device Lock (M)(H)	1
💼 AC-11(1) Pattern-hiding Displays (M)(H)
💼 AC-12 Session Termination (M)(H)
💼 AC-14 Permitted Actions Without Identification or Authentication (L)(M)(H)
💼 AC-17 Remote Access (L)(M)(H)	4
💼 AC-17(1) Monitoring and Control (M)(H)			1
💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			13
💼 AC-17(3) Managed Access Control Points (M)(H)
💼 AC-17(4) Privileged Commands and Access (M)(H)
💼 AC-18 Wireless Access (L)(M)(H)	2
💼 AC-18(1) Authentication and Encryption (M)(H)
💼 AC-18(3) Disable Wireless Networking (M)(H)
💼 AC-19 Access Control for Mobile Devices (L)(M)(H)	1
💼 AC-19(5) Full Device or Container-based Encryption (M)(H)
💼 AC-20 Use of External Systems (L)(M)(H)	2
💼 AC-20(1) Limits on Authorized Use (M)(H)
💼 AC-20(2) Portable Storage Devices — Restricted Use (M)(H)
💼 AC-21 Information Sharing (M)(H)			2
💼 AC-22 Publicly Accessible Content (L)(M)(H)
💼 Assessment, Authorization, and Monitoring	8
💼 CA-1 Policy and Procedures (L)(M)(H)
💼 CA-2 Control Assessments (L)(M)(H)	2
💼 CA-2(1) Independent Assessors (L)(M)(H)
💼 CA-2(3) Leveraging Results from External Organizations (M)(H)
💼 CA-3 Information Exchange (L)(M)(H)
💼 CA-5 Plan of Action and Milestones (L)(M)(H)
💼 CA-6 Authorization (L)(M)(H)
💼 CA-7 Continuous Monitoring (L)(M)(H)	2		8
💼 CA-7(1) Independent Assessment (M)(H)
💼 CA-7(4) Risk Monitoring (L)(M)(H)
💼 CA-8 Penetration Testing (L)(M)(H)	2
💼 CA-8(1) Independent Penetration Testing Agent or Team (M)(H)
💼 CA-8(2) Red Team Exercises (M)(H)
💼 CA-9 Internal System Connections (L)(M)(H)
💼 Audit and Accountability	11
💼 AU-1 Policy and Procedures (L)(M)(H)
💼 AU-2 Event Logging (L)(M)(H)			6
💼 AU-3 Content of Audit Records (L)(M)(H)	1		6
💼 AU-3(1) Additional Audit Information (M)(H)			14
💼 AU-4 Audit Log Storage Capacity (L)(M)(H)
💼 AU-5 Response to Audit Logging Process Failures (L)(M)(H)
💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)	2		23
💼 AU-6(1) Automated Process Integration (M)(H)			1
💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			6
💼 AU-7 Audit Record Reduction and Report Generation (M)(H)	1
💼 AU-7(1) Automatic Processing (M)(H)			1
💼 AU-8 Time Stamps (L)(M)(H)
💼 AU-9 Protection of Audit Information (L)(M)(H)	1		11
💼 AU-9(4) Access by Subset of Privileged Users (M)(H)
💼 AU-11 Audit Record Retention (L)(M)(H)			19
💼 AU-12 Audit Record Generation (L)(M)(H)			47
💼 Awareness and Training	4
💼 AT-1 Policy and Procedures (L)(M)(H)
💼 AT-2 Literacy Training and Awareness (L)(M)(H)	2
💼 AT-2(2) Insider Threat (L)(M)(H)
💼 AT-2(3) Social Engineering and Mining (M)(H)
💼 AT-3 Role-based Training (L)(M)(H)
💼 AT-4 Training Records (L)(M)(H)
💼 Configuration Management	12
💼 CM-1 Policy and Procedures (L)(M)(H)
💼 CM-2 Baseline Configuration (L)(M)(H)	3		13
💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H)			13
💼 CM-2(3) Retention of Previous Configurations (M)(H)			1
💼 CM-2(7) Configure Systems and Components for High-risk Areas (M)(H)
💼 CM-3 Configuration Change Control (M)(H)	2		17
💼 CM-3(2) Testing, Validation, and Documentation of Changes (M)(H)
💼 CM-3(4) Security and Privacy Representatives (M)(H)
💼 CM-4 Impact Analyses (L)(M)(H)	1
💼 CM-4(2) Verification of Controls (M)(H)
💼 CM-5 Access Restrictions for Change (L)(M)(H)	2		8
💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H)			9
💼 CM-5(5) Privilege Limitation for Production and Operation (M)(H)			1
💼 CM-6 Configuration Settings (L)(M)(H)	1
💼 CM-6(1) Automated Management, Application, and Verification (M)(H)			1
💼 CM-7 Least Functionality (L)(M)(H)	3		17
💼 CM-7(1) Periodic Review (M)(H)			11
💼 CM-7(2) Prevent Program Execution (M)(H)
💼 CM-7(5) Authorized Software — Allow-by-exception (M)(H)
💼 CM-8 System Component Inventory (L)(M)(H)	2		1
💼 CM-8(1) Updates During Installation and Removal (M)(H)
💼 CM-8(3) Automated Unauthorized Component Detection (M)(H)
💼 CM-9 Configuration Management Plan (M)(H)
💼 CM-10 Software Usage Restrictions (L)(M)(H)
💼 CM-11 User-installed Software (L)(M)(H)			4
💼 CM-12 Information Location (M)(H)	1
💼 CM-12(1) Automated Tools to Support Information Location (M)(H)
💼 Contingency Planning	9
💼 CP-1 Policy and Procedures (L)(M)(H)
💼 CP-2 Contingency Plan (L)(M)(H)	3
💼 CP-2(1) Coordinate with Related Plans (M)(H)
💼 CP-2(3) Resume Mission and Business Functions (M)(H)
💼 CP-2(8) Identify Critical Assets (M)(H)
💼 CP-3 Contingency Training (L)(M)(H)
💼 CP-4 Contingency Plan Testing (L)(M)(H)	1
💼 CP-4(1) Coordinate with Related Plans (M)(H)
💼 CP-6 Alternate Storage Site (M)(H)	2
💼 CP-6(1) Separation from Primary Site (M)(H)
💼 CP-6(3) Accessibility (M)(H)
💼 CP-7 Alternate Processing Site (M)(H)	3
💼 CP-7(1) Separation from Primary Site (M)(H)
💼 CP-7(2) Accessibility (M)(H)
💼 CP-7(3) Priority of Service (M)(H)
💼 CP-8 Telecommunications Services (M)(H)	2
💼 CP-8(1) Priority of Service Provisions (M)(H)
💼 CP-8(2) Single Points of Failure (M)(H)
💼 CP-9 System Backup (L)(M)(H)	2		6
💼 CP-9(1) Testing for Reliability and Integrity (M)(H)
💼 CP-9(8) Cryptographic Protection (M)(H)
💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	1		2
💼 CP-10(2) Transaction Recovery (M)(H)
💼 Identification and Authentication	10
💼 IA-1 Policy and Procedures (L)(M)(H)
💼 IA-2 Identification and Authentication (Organizational Users) (L)(M)(H)	6		1
💼 IA-2(1) Multi-factor Authentication to Privileged Accounts (L)(M)(H)			2
💼 IA-2(2) Multi-factor Authentication to Non-privileged Accounts (L)(M)(H)			2
💼 IA-2(5) Individual Authentication with Group Authentication (M)(H)
💼 IA-2(6) Access to Accounts —separate Device (M)(H)			2
💼 IA-2(8) Access to Accounts — Replay Resistant (L)(M)(H)			2
💼 IA-2(12) Acceptance of PIV Credentials (L)(M)(H)
💼 IA-3 Device Identification and Authentication (M)(H)
💼 IA-4 Identifier Management (L)(M)(H)	1		1
💼 IA-4(4) Identify User Status (M)(H)
💼 IA-5 Authenticator Management (L)(M)(H)	4		17
💼 IA-5(1) Password-based Authentication (L)(M)(H)			4
💼 IA-5(2) Public Key-based Authentication (M)(H)			1
💼 IA-5(6) Protection of Authenticators (M)(H)
💼 IA-5(7) No Embedded Unencrypted Static Authenticators (M)(H)
💼 IA-6 Authentication Feedback (L)(M)(H)			1
💼 IA-7 Cryptographic Module Authentication (L)(M)(H)
💼 IA-8 Identification and Authentication (Non-organizational Users) (L)(M)(H)	3
💼 IA-8(1) Acceptance of PIV Credentials from Other Agencies (L)(M)(H)
💼 IA-8(2) Acceptance of External Authenticators (L)(M)(H)
💼 IA-8(4) Use of Defined Profiles (L)(M)(H)
💼 IA-11 Re-authentication (L)(M)(H)
💼 IA-12 Identity Proofing (M)(H)	3
💼 IA-12(2) Identity Evidence (M)(H)
💼 IA-12(3) Identity Evidence Validation and Verification (M)(H)
💼 IA-12(5) Address Confirmation (M)(H)
💼 Incident Response	9
💼 IR-1 Policy and Procedures (L)(M)(H)
💼 IR-2 Incident Response Training (L)(M)(H)
💼 IR-3 Incident Response Testing (M)(H)	1
💼 IR-3(2) Coordination with Related Plans (M)(H)
💼 IR-4 Incident Handling (L)(M)(H)	1
💼 IR-4(1) Automated Incident Handling Processes (M)(H)
💼 IR-5 Incident Monitoring (L)(M)(H)
💼 IR-6 Incident Reporting (L)(M)(H)	2
💼 IR-6(1) Automated Reporting (M)(H)			10
💼 IR-6(3) Supply Chain Coordination (M)(H)			2
💼 IR-7 Incident Response Assistance (L)(M)(H)	1
💼 IR-7(1) Automation Support for Availability of Information and Support (M)(H)
💼 IR-8 Incident Response Plan (L)(M)(H)
💼 IR-9 Information Spillage Response (M)(H)	3
💼 IR-9(2) Training (M)(H)
💼 IR-9(3) Post-spill Operations (M)(H)
💼 IR-9(4) Exposure to Unauthorized Personnel (M)(H)
💼 Maintenance	6
💼 MA-1 Policy and Procedures (L)(M)(H)
💼 MA-2 Controlled Maintenance (L)(M)(H)
💼 MA-3 Maintenance Tools (M)(H)	3
💼 MA-3(1) Inspect Tools (M)(H)
💼 MA-3(2) Inspect Media (M)(H)
💼 MA-3(3) Prevent Unauthorized Removal (M)(H)
💼 MA-4 Nonlocal Maintenance (L)(M)(H)
💼 MA-5 Maintenance Personnel (L)(M)(H)	1
💼 MA-5(1) Individuals Without Appropriate Access (M)(H)
💼 MA-6 Timely Maintenance (M)(H)
💼 Media Protection	7
💼 MP-1 Policy and Procedures (L)(M)(H)
💼 MP-2 Media Access (L)(M)(H)
💼 MP-3 Media Marking (M)(H)
💼 MP-4 Media Storage (M)(H)
💼 MP-5 Media Transport (M)(H)
💼 MP-6 Media Sanitization (L)(M)(H)
💼 MP-7 Media Use (L)(M)(H)
💼 Personnel Security	9
💼 PS-1 Policy and Procedures (L)(M)(H)
💼 PS-2 Position Risk Designation (L)(M)(H)
💼 PS-3 Personnel Screening (L)(M)(H)	1
💼 PS-3(3) Information Requiring Special Protective Measures (M)(H)
💼 PS-4 Personnel Termination (L)(M)(H)
💼 PS-5 Personnel Transfer (L)(M)(H)
💼 PS-6 Access Agreements (L)(M)(H)
💼 PS-7 External Personnel Security (L)(M)(H)
💼 PS-8 Personnel Sanctions (L)(M)(H)
💼 PS-9 Position Descriptions (L)(M)(H)
💼 Physical and Environmental Protection	16
💼 PE-1 Policy and Procedures (L)(M)(H)
💼 PE-2 Physical Access Authorizations (L)(M)(H)
💼 PE-3 Physical Access Control (L)(M)(H)
💼 PE-4 Access Control for Transmission (M)(H)
💼 PE-5 Access Control for Output Devices (M)(H)
💼 PE-6 Monitoring Physical Access (L)(M)(H)	1
💼 PE-6(1) Intrusion Alarms and Surveillance Equipment (M)(H)
💼 PE-8 Visitor Access Records (L)(M)(H)
💼 PE-9 Power Equipment and Cabling (M)(H)
💼 PE-10 Emergency Shutoff (M)(H)
💼 PE-11 Emergency Power (M)(H)
💼 PE-12 Emergency Lighting (L)(M)(H)
💼 PE-13 Fire Protection (L)(M)(H)	2
💼 PE-13(1) Detection Systems — Automatic Activation and Notification (M)(H)
💼 PE-13(2) Suppression Systems — Automatic Activation and Notification (M)(H)
💼 PE-14 Environmental Controls (L)(M)(H)
💼 PE-15 Water Damage Protection (L)(M)(H)
💼 PE-16 Delivery and Removal (L)(M)(H)
💼 PE-17 Alternate Work Site (M)(H)
💼 Planning	6
💼 PL-1 Policy and Procedures (L)(M)(H)
💼 PL-2 System Security and Privacy Plans (L)(M)(H)
💼 PL-4 Rules of Behavior (L)(M)(H)	1
💼 PL-4(1) Social Media and External Site/Application Usage Restrictions (L)(M)(H)
💼 PL-8 Security and Privacy Architectures (L)(M)(H)
💼 PL-10 Baseline Selection (L)(M)(H)
💼 PL-11 Baseline Tailoring (L)(M)(H)
💼 Risk Assessment	6
💼 RA-1 Policy and Procedures (L)(M)(H)
💼 RA-2 Security Categorization (L)(M)(H)
💼 RA-3 Risk Assessment (L)(M)(H)	1		7
💼 RA-3(1) Supply Chain Risk Assessment (L)(M)(H)
💼 RA-5 Vulnerability Monitoring and Scanning (L)(M)(H)	4		7
💼 RA-5(2) Update Vulnerabilities to Be Scanned (L)(M)(H)
💼 RA-5(3) Breadth and Depth of Coverage (M)(H)
💼 RA-5(5) Privileged Access (M)(H)
💼 RA-5(11) Public Disclosure Program (L)(M)(H)
💼 RA-7 Risk Response (L)(M)(H)
💼 RA-9 Criticality Analysis (M)(H)
💼 Supply Chain Risk Management	9
💼 SR-1 Policy and Procedures (L)(M)(H)
💼 SR-2 Supply Chain Risk Management Plan (L)(M)(H)	1
💼 SR-2(1) Establish SCRM Team (L)(M)(H)
💼 SR-3 Supply Chain Controls and Processes (L)(M)(H)
💼 SR-5 Acquisition Strategies, Tools, and Methods (L)(M)(H)
💼 SR-6 Supplier Assessments and Reviews (M)(H)
💼 SR-8 Notification Agreements (L)(M)(H)
💼 SR-10 Inspection of Systems or Components (L)(M)(H)
💼 SR-11 Component Authenticity (L)(M)(H)	2
💼 SR-11(1) Anti-counterfeit Training (L)(M)(H)
💼 SR-11(2) Configuration Control for Component Service and Repair (L)(M)(H)
💼 SR-12 Component Disposal (L)(M)(H)
💼 System and Communications Protection	19
💼 SC-1 Policy and Procedures (L)(M)(H)
💼 SC-2 Separation of System and User Functionality (M)(H)
💼 SC-4 Information in Shared System Resources (M)(H)
💼 SC-5 Denial-of-service Protection (L)(M)(H)
💼 SC-7 Boundary Protection (L)(M)(H)	7		23
💼 SC-7(3) Access Points (M)(H)			2
💼 SC-7(4) External Telecommunications Services (M)(H)			17
💼 SC-7(5) Deny by Default — Allow by Exception (M)(H)			18
💼 SC-7(7) Split Tunneling for Remote Devices (M)(H)
💼 SC-7(8) Route Traffic to Authenticated Proxy Servers (M)(H)
💼 SC-7(12) Host-based Protection (M)(H)
💼 SC-7(18) Fail Secure (M)(H)
💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		8
💼 SC-8(1) Cryptographic Protection (L)(M)(H)			10
💼 SC-10 Network Disconnect (M)(H)
💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H)			11
💼 SC-13 Cryptographic Protection (L)(M)(H)			16
💼 SC-15 Collaborative Computing Devices and Applications (L)(M)(H)
💼 SC-17 Public Key Infrastructure Certificates (M)(H)			1
💼 SC-18 Mobile Code (M)(H)
💼 SC-20 Secure Name/Address Resolution Service (Authoritative Source) (L)(M)(H)
💼 SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) (L)(M)(H)
💼 SC-22 Architecture and Provisioning for Name/Address Resolution Service (L)(M)(H)
💼 SC-23 Session Authenticity (M)(H)			7
💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		15
💼 SC-28(1) Cryptographic Protection (L)(M)(H)			12
💼 SC-39 Process Isolation (L)(M)(H)
💼 SC-45 System Time Synchronization (M)(H)	1
💼 SC-45(1) Synchronization with Authoritative Time Source (M)(H)
💼 System and Information Integrity	12
💼 SI-1 Policy and Procedures (L)(M)(H)
💼 SI-2 Flaw Remediation (L)(M)(H)	2		9
💼 SI-2(2) Automated Flaw Remediation Status (M)(H)			1
💼 SI-2(3) Time to Remediate Flaws and Benchmarks for Corrective Actions (M)(H)
💼 SI-3 Malicious Code Protection (L)(M)(H)			7
💼 SI-4 System Monitoring (L)(M)(H)	7		7
💼 SI-4(1) System-wide Intrusion Detection System (M)(H)			1
💼 SI-4(2) Automated Tools and Mechanisms for Real-time Analysis (M)(H)
💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H)			8
💼 SI-4(5) System-generated Alerts (M)(H)
💼 SI-4(16) Correlate Monitoring Information (M)(H)
💼 SI-4(18) Analyze Traffic and Covert Exfiltration (M)(H)
💼 SI-4(23) Host-based Devices (M)(H)
💼 SI-5 Security Alerts, Advisories, and Directives (L)(M)(H)
💼 SI-6 Security and Privacy Function Verification (M)(H)
💼 SI-7 Software, Firmware, and Information Integrity (M)(H)	2
💼 SI-7(1) Integrity Checks (M)(H)			1
💼 SI-7(7) Integration of Detection and Response (M)(H)			1
💼 SI-8 Spam Protection (M)(H)	1
💼 SI-8(2) Automatic Updates (M)(H)
💼 SI-10 Information Input Validation (M)(H)
💼 SI-11 Error Handling (M)(H)
💼 SI-12 Information Management and Retention (L)(M)(H)
💼 SI-16 Memory Protection (M)(H)
💼 System and Services Acquisition	11
💼 SA-1 Policy and Procedures (L)(M)(H)
💼 SA-2 Allocation of Resources (L)(M)(H)
💼 SA-3 System Development Life Cycle (L)(M)(H)
💼 SA-4 Acquisition Process (L)(M)(H)	4
💼 SA-4(1) Functional Properties of Controls (M)(H)
💼 SA-4(2) Design and Implementation Information for Controls (M)(H)
💼 SA-4(9) Functions, Ports, Protocols, and Services in Use (M)(H)
💼 SA-4(10) Use of Approved PIV Products (L)(M)(H)
💼 SA-5 System Documentation (L)(M)(H)
💼 SA-8 Security and Privacy Engineering Principles (L)(M)(H)
💼 SA-9 External System Services (L)(M)(H)	3
💼 SA-9(1) Risk Assessments and Organizational Approvals (M)(H)
💼 SA-9(2) Identification of Functions, Ports, Protocols, and Services (M)(H)
💼 SA-9(5) Processing, Storage, and Service Location (M)(H)			1
💼 SA-10 Developer Configuration Management (M)(H)
💼 SA-11 Developer Testing and Evaluation (M)(H)	2
💼 SA-11(1) Static Code Analysis (M)(H)
💼 SA-11(2) Threat Modeling and Vulnerability Analyses (M)(H)
💼 SA-15 Development Process, Standards, and Tools (M)(H)	1
💼 SA-15(3) Criticality Analysis (M)(H)
💼 SA-22 Unsupported System Components (L)(M)(H)