{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "FedRAMP.schema.json", "info": { "name": "Key Security Indicators", "short_name": "KSI", "effective": { "rev5": { "is": "no" }, "20x": { "is": "required", "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", "current_status": "Phase 2 Pilot", "start_date": "2025-11-18", "end_date": "2026-03-31", "comments": [ "Phase 1 pilot authorizations have one year from authorization to fully address this policy but must demonstrate continuous quarterly progress.", "Phase 2 Pilot participants must demonstrate significant progress towards addressing this policy prior to submission for authorization review." ] } }, "releases": [ { "id": "25.11B", "published_date": "2025-11-24", "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.", "public_comment": false }, { "id": "25.11A", "published_date": "2025-11-18", "description": "Updates Key Security Indicators for the FedRAMP 20x Phase Two pilot, including underlying structural changes to machine-readable docs; Renamed KSI \"indicator\" property to \"theme\" and KSI \"requirements\" property to \"indicators\" to match current naming conventions..", "public_comment": true, "related_rfcs": [ { "start_date": "2025-09-10", "end_date": "2025-11-17", "id": "0015", "url": "https://www.fedramp.gov/rfcs/0015/", "discussion_url": "https://github.com/FedRAMP/community/discussions/84", "short_name": "rfc-0015-recommended-secure-configuration", "full_name": "FedRAMP RFC-0015: Recommended Secure Configuration Standard" } ] }, { "id": "25.10A", "published_date": "2025-10-17", "description": "Minor updates to improve clarity; switch from federal information to federal customer data; add impact level metadata; no substantive changes.", "public_comment": false }, { "id": "25.05D", "published_date": "2025-08-24", "description": "Minor non-breaking updates to align term definitions and highlighted 
terms across updated materials (no changes to KSIs, definitions are now in FRD-ALL).", "public_comment": false }, { "id": "25.05C", "published_date": "2025-06-28", "description": "Key Security Indicators in this release are unchanged from previous releases. 25.05C adds references for each KSI to underlying SP 800-53 controls.", "public_comment": false }, { "id": "25.05B", "published_date": "2025-06-18", "description": "Initial release of Key Security Indicators from 25.05; the previous 25.05A release contained errors during conversion to JSON that are fixed in this release; the KSIs should now be identical to the original 25.05 paper release of the KSIs released on 2025-05-30. FRR-KSI-AY rules were converted to FRR-KSI rules, but otherwise unchanged.", "public_comment": false }, { "id": "25.05A", "published_date": "2025-05-30", "description": "Initial release of Key Security Indicators", "public_comment": true, "related_rfcs": [ { "start_date": "2025-04-24", "end_date": "2025-05-24", "id": "0006", "url": "https://www.fedramp.gov/rfcs/0006/", "discussion_url": "https://github.com/FedRAMP/community/discussions/3", "short_name": "rfc-0006-key-security-indicators", "full_name": "FedRAMP RFC-0006: 20x Phase One Key Security Indicators" } ] } ], "front_matter": { "authority": [ { "reference": "OMB Circular A-130", "reference_url": "https://whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf", "description": "Appendix I states \"Agencies may also develop overlays for specific types of information or communities of interest (e.g., all web-based applications, all health care-related systems) as part of the security control selection process. Overlays provide a specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information as part of the tailoring process, that is intended to complement (and further refine) security control baselines. 
The overlay may be more stringent or less stringent than the original security control baseline and can be applied to multiple information systems.\"" }, { "reference": "NIST SP 800-53B", "reference_url": "https://csrc.nist.gov/pubs/sp/800/53/b/upd1/final", "description": "Section 2.5 states \"As the number of controls in [SP 800-53] grows in response to an increasingly sophisticated threat space, it is important for organizations to have the ability to describe key capabilities needed to protect organizational missions and business functions, and to subsequently select controls that—if properly designed, developed, and implemented—produce such capabilities. The use of capabilities simplifies how the protection problem is viewed conceptually. Using the construct of a capability provides a method of grouping controls that are employed for a common purpose or to achieve a common objective.\" This section later states \"Ultimately, authorization decisions (i.e., risk acceptance decisions) are made based on the degree to which the desired capabilities have been effectively achieved.\"" }, { "reference": "NIST SP 800-53A", "reference_url": "https://csrc.nist.gov/pubs/sp/800/53/a/r5/final", "description": "Section 3.5 states \"When organizations employ the concept of capabilities, automated and manual assessments account for all security and privacy controls that comprise the security and privacy capabilities. 
Assessors are aware of how the controls work together to provide such capabilities.\"" }, { "reference": "FedRAMP Authorization Act (44 USC § 3609 (a) (1))", "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap36-sec3609", "description": "requires that the Administrator of the General Services Administration shall \"in consultation with the [DHS] Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services...\" 44 USC § 3609 (c) (2) further states that \"the [GSA] Administrator shall establish a means for the automation of security assessments and reviews.\"", "delegation": "These responsibilities are delegated to the FedRAMP Director", "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" } ], "purpose": "Modern cloud services use automated or code-driven configuration management and control planes to ensure predictable, repeatable, reliable, and secure outcomes during deployment and operation. 
The majority of a service security assessment can take place continuously via automated validation for simple cloud-native services if the need for a traditional control-by-control narrative approach is removed.", "expected_outcomes": [ "Cloud service providers following commercial security best practices will be able to meet and validate FedRAMP security requirements with the application of simple changes and automated capabilities", "Third-party independent assessors will have a simpler framework to assess security and implementation decisions based on engineering decisions in context", "Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based authorization to operate decisions based on their planned use case" ] } }, "FRR": { "KSI": { "base": { "application": "These requirements apply ALWAYS to ALL FedRAMP 20x authorizations based on the Effective Date(s) and Overall Applicability.", "id": "FRR-KSI", "name": "Requirements & Recommendations", "requirements": [ { "id": "FRR-KSI-01", "statement": "Cloud service providers SHOULD apply ALL Key Security Indicators to ALL aspects of their _cloud service offering_ that are within the FedRAMP Minimum Assessment Scope.", "name": "Application of Key Security Indicators", "affects": ["Providers"], "primary_key_word": "SHOULD", "impact": { "low": true, "moderate": true } }, { "id": "FRR-KSI-02", "statement": "Providers MUST maintain simple high-level summaries of at least the following for each Key Security Indicator:", "following_information": [ "Goals for how it will be implemented and validated, including clear pass/fail criteria and traceability", "The consolidated _information resources_ that will be validated (this should include consolidated summaries such as \"all employees with privileged access that are members of the Admin group\")", "The machine-based processes for validation and the _persistent_ cycle on which they will 
be performed (or an explanation of why this doesn't apply)", "The non-machine-based processes for validation and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)", "Current implementation status", "Any clarifications or responses to the assessment summary" ], "name": "Implementation Summaries", "affects": ["Providers"], "primary_key_word": "MUST", "impact": { "low": true, "moderate": true } } ] } } }, "KSI": { "AFR": { "id": "KSI-AFR", "name": "Authorization by FedRAMP", "theme": "A secure cloud service provider seeking FedRAMP authorization will address all FedRAMP 20x requirements and recommendations, including government-specific requirements for maintaining a secure system and reporting on activities to government customers.", "indicators": [ { "id": "KSI-AFR-01", "name": "Minimum Assessment Scope", "statement": "Apply the FedRAMP Minimum Assessment Standard (MAS) to identify and document the scope of the cloud service offering to be assessed for FedRAMP authorization and persistently address all related requirements and recommendations.", "impact": { "low": true, "moderate": true }, "reference": "Minimum Assessment Scope", "reference_url": "https://fedramp.gov/docs/minimum-assessment-scope" }, { "id": "KSI-AFR-02", "name": "Key Security Indicators", "statement": "Set security goals for the cloud service offering based on FedRAMP 20x Phase Two Key Security Indicators (KSIs - you are here), develop automated validation of status and progress to the greatest extent possible, and persistently address all related requirements and recommendations.", "impact": { "low": true, "moderate": true }, "reference": "Key Security Indicators", "reference_url": "https://fedramp.gov/docs/key-security-indicators" }, { "id": "KSI-AFR-03", "name": "Authorization Data Sharing", "statement": "Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) 
standard and persistently address all related requirements and recommendations.", "impact": { "low": true, "moderate": true }, "reference": "Authorization Data Sharing", "reference_url": "https://fedramp.gov/docs/authorization-data-sharing", "controls": [ { "control_id": "ac-3", "title": "Access Enforcement" }, { "control_id": "ac-4", "title": "Information Flow Enforcement" }, { "control_id": "au-2", "title": "Event Logging" }, { "control_id": "au-3", "title": "Content of Audit Records" }, { "control_id": "au-6", "title": "Audit Record Review, Analysis, and Reporting" }, { "control_id": "ca-2", "title": "Control Assessments" }, { "control_id": "ir-4", "title": "Incident Handling" }, { "control_id": "ra-5", "title": "Vulnerability Monitoring and Scanning" }, { "control_id": "sc-8", "title": "Transmission Confidentiality and Integrity" } ] }, { "id": "KSI-AFR-04", "name": "Vulnerability Detection and Response", "statement": "Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) standard and persistently address all related requirements and recommendations.", "impact": { "low": true, "moderate": true }, "reference": "Vulnerability Detection and Response", "reference_url": "https://fedramp.gov/docs/vulnerability-detection-and-response", "controls": [ { "control_id": "ca-2", "title": "Control Assessments" }, { "control_id": "ca-7", "title": "Continuous Monitoring" }, { "control_id": "ca-7.6", "title": "Automation Support for Monitoring" }, { "control_id": "ir-1", "title": "Policy and Procedures" }, { "control_id": "ir-4", "title": "Incident Handling" }, { "control_id": "ir-4.1", "title": "Automated Incident Handling Processes" }, { "control_id": "ir-5", "title": "Incident Monitoring" }, { "control_id": "ir-5.1", "title": "Automated Tracking, Data Collection, and Analysis" }, { "control_id": "ir-6", "title": "Incident Reporting" }, { 
"control_id": "ir-6.1", "title": "Automated Reporting" }, { "control_id": "ir-6.2", "title": "Vulnerabilities Related to Incidents" }, { "control_id": "pm-3", "title": "Information Security and Privacy Resources" }, { "control_id": "pm-5", "title": "System Inventory" }, { "control_id": "pm-31", "title": "Continuous Monitoring Strategy" }, { "control_id": "ra-2", "title": "Security Categorization" }, { "control_id": "ra-2.1", "title": "Impact-level Prioritization" }, { "control_id": "ra-3", "title": "Risk Assessment" }, { "control_id": "ra-3.3", "title": "Dynamic Threat Awareness" }, { "control_id": "ra-5", "title": "Vulnerability Monitoring and Scanning" }, { "control_id": "ra-5.2", "title": "Update Vulnerabilities to Be Scanned" }, { "control_id": "ra-5.3", "title": "Breadth and Depth of Coverage" }, { "control_id": "ra-5.4", "title": "Discoverable Information" }, { "control_id": "ra-5.5", "title": "Privileged Access" }, { "control_id": "ra-5.6", "title": "Automated Trend Analyses" }, { "control_id": "ra-5.7", "title": "Automated Detection and Notification of Unauthorized Components" }, { "control_id": "ra-5.11", "title": "Public Disclosure Program" }, { "control_id": "ra-9", "title": "Criticality Analysis" }, { "control_id": "ra-10", "title": "Threat Hunting" }, { "control_id": "si-2", "title": "Flaw Remediation" }, { "control_id": "si-2.1", "title": "Central Management" }, { "control_id": "si-2.2", "title": "Automated Flaw Remediation Status" }, { "control_id": "si-2.4", "title": "Automated Patch Management Tools" }, { "control_id": "si-2.5", "title": "Automatic Software and Firmware Updates" }, { "control_id": "si-3", "title": "Malicious Code Protection" }, { "control_id": "si-3.1", "title": "Central Management" }, { "control_id": "si-3.2", "title": "Automatic Updates" }, { "control_id": "si-4", "title": "System Monitoring" }, { "control_id": "si-4.2", "title": "Automated Tools and Mechanisms for Real-time Analysis" }, { "control_id": "si-4.3", "title": 
"Automated Tool and Mechanism Integration" }, { "control_id": "si-4.7", "title": "Automated Response to Suspicious Events" } ] }, { "id": "KSI-AFR-05", "name": "Significant Change Notifications", "statement": "Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) standard and persistently address all related requirements and recommendations.", "impact": { "low": true, "moderate": true }, "reference": "Significant Change Notifications", "reference_url": "https://fedramp.gov/docs/significant-change-notifications", "controls": [ { "control_id": "ca-7.4", "title": "Risk Monitoring" }, { "control_id": "cm-3.4", "title": "Security and Privacy Representatives" }, { "control_id": "cm-4", "title": "Impact Analyses" }, { "control_id": "cm-7.1", "title": "Periodic Review" }, { "control_id": "au-5", "title": "Response to Audit Logging Process Failures" }, { "control_id": "ca-5", "title": "Plan of Action and Milestones" }, { "control_id": "ca-7", "title": "Continuous Monitoring" }, { "control_id": "ra-5", "title": "Vulnerability Monitoring and Scanning" }, { "control_id": "ra-5.2", "title": "Update Vulnerabilities to Be Scanned" }, { "control_id": "sa-22", "title": "Unsupported System Components" }, { "control_id": "si-2", "title": "Flaw Remediation" }, { "control_id": "si-2.2", "title": "Automated Flaw Remediation Status" }, { "control_id": "si-3", "title": "Malicious Code Protection" }, { "control_id": "si-5", "title": "Security Alerts, Advisories, and Directives" }, { "control_id": "si-7.7", "title": "Integration of Detection and Response" }, { "control_id": "si-10", "title": "Information Input Validation" }, { "control_id": "si-11", "title": "Error Handling" } ] }, { "id": "KSI-AFR-06", "name": "Collaborative Continuous Monitoring", "statement": "Maintain a plan and process for providing Ongoing Authorization Reports and Quarterly Reviews for all necessary parties 
in alignment with the FedRAMP Collaborative Continuous Monitoring (CCM) standard and persistently address all related requirements and recommendations.", "impact": { "low": true, "moderate": true }, "reference": "Collaborative Continuous Monitoring", "reference_url": "https://fedramp.gov/docs/collaborative-continuous-monitoring" }, { "id": "KSI-AFR-07", "name": "Recommended Secure Configuration", "statement": "Develop secure by default configurations and provide guidance for secure configuration of the cloud service offering to customers in alignment with the FedRAMP Recommended Secure Configuration (RSC) guidance standard and persistently address all related requirements and recommendations.", "impact": { "low": true, "moderate": true }, "reference": "Recommended Secure Configuration", "reference_url": "https://fedramp.gov/docs/recommended-secure-configuration" }, { "id": "KSI-AFR-08", "name": "FedRAMP Security Inbox", "statement": "Operate a secure inbox to receive critical communication from FedRAMP and other government entities in alignment with FedRAMP Security Inbox (FSI) requirements and persistently address all related requirements and recommendations.", "impact": { "low": true, "moderate": true }, "reference": "FedRAMP Security Inbox", "reference_url": "https://fedramp.gov/docs/fedramp-security-inbox" }, { "id": "KSI-AFR-09", "name": "Persistent Validation and Assessment", "statement": "Persistently validate, assess, and report on the effectiveness and status of security decisions and policies that are implemented within the cloud service offering in alignment with the FedRAMP 20x Persistent Validation and Assessment (PVA) standard, and persistently address all related requirements and recommendations.", "impact": { "low": true, "moderate": true }, "reference": "Persistent Validation and Assessment", "reference_url": "https://fedramp.gov/docs/persistent-validation-and-assessment" }, { "id": "KSI-AFR-10", "name": "Incident Communications Procedures", 
"statement": "Integrate FedRAMP's Incident Communications Procedures (ICP) into incident response procedures and persistently address all related requirements and recommendations.", "impact": { "low": true, "moderate": true }, "reference": "Incident Communications Procedures", "reference_url": "https://fedramp.gov/docs/incident-communications-procedures" }, { "id": "KSI-AFR-11", "name": "Using Cryptographic Modules", "statement": "Ensure that cryptographic modules used to protect potentially sensitive federal customer data are selected and used in alignment with the FedRAMP 20x Using Cryptographic Modules (UCM) policy and persistently address all related requirements and recommendations.", "impact": { "low": true, "moderate": true }, "reference": "Using Cryptographic Modules", "reference_url": "https://fedramp.gov/docs/using-cryptographic-modules" } ] }, "CED": { "id": "KSI-CED", "name": "Cybersecurity Education", "theme": "A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them _regularly_ to ensure their knowledge is satisfactory.", "indicators": [ { "id": "KSI-CED-01", "name": "General Education", "statement": "Require and monitor the effectiveness of training given to all employees on policies, procedures, and security-related topics.", "controls": [ { "control_id": "at-2", "title": "Literacy Training and Awareness" }, { "control_id": "at-2.2", "title": "Insider Threat" }, { "control_id": "at-2.3", "title": "Social Engineering and Mining" }, { "control_id": "at-3.5", "title": "Processing Personally Identifiable Information" }, { "control_id": "at-4", "title": "Training Records" }, { "control_id": "ir-2.3", "title": "Breach" } ], "impact": { "low": true, "moderate": true } }, { "id": "KSI-CED-02", "name": "Role-Specific Education", "statement": "Require and monitor the effectiveness of role-specific training for high risk roles, including at least roles with privileged access.", "impact": { "low": true, 
"moderate": true }, "controls": [ { "control_id": "at-2", "title": "Literacy Training and Awareness" }, { "control_id": "at-2.3", "title": "Social Engineering and Mining" }, { "control_id": "at-3", "title": "Role-based Training" }, { "control_id": "sr-11.1", "title": "Anti-counterfeit Training" } ] }, { "id": "KSI-CED-03", "name": "Development and Engineering Education", "statement": "Require and monitor the effectiveness of role-specific training provided to development and engineering staff that covers best practices for delivering secure software.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "cp-3", "title": "Contingency Training" }, { "control_id": "ir-2", "title": "Incident Response Training" }, { "control_id": "ps-6", "title": "Access Agreements" } ] }, { "id": "KSI-CED-04", "name": "Incident Response and Disaster Recovery Education", "statement": "Require and monitor the effectiveness of role-specific training to staff involved with incident response or disaster recovery.", "impact": { "low": true, "moderate": true }, "controls": [] } ] }, "CMT": { "id": "KSI-CMT", "name": "Change Management", "theme": "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly.", "indicators": [ { "id": "KSI-CMT-01", "name": "Log and Monitor Changes", "statement": "Log and monitor modifications to the cloud service offering.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "au-2", "title": "Event Logging" }, { "control_id": "cm-3", "title": "Configuration Change Control" }, { "control_id": "cm-3.2", "title": "Testing, Validation, and Documentation of Changes" }, { "control_id": "cm-4.2", "title": "Verification of Controls" }, { "control_id": "cm-6", "title": "Configuration Settings" }, { "control_id": "cm-8.3", "title": "Automated Unauthorized Component Detection" }, { "control_id": "ma-2", "title": "Controlled Maintenance" } ] }, 
{ "id": "KSI-CMT-02", "name": "Redeployment", "statement": "Execute changes through redeployment of version-controlled immutable resources rather than direct modification wherever possible.", "controls": [ { "control_id": "cm-2", "title": "Baseline Configuration" }, { "control_id": "cm-3", "title": "Configuration Change Control" }, { "control_id": "cm-5", "title": "Access Restrictions for Change" }, { "control_id": "cm-6", "title": "Configuration Settings" }, { "control_id": "cm-7", "title": "Least Functionality" }, { "control_id": "cm-8.1", "title": "Updates During Installation and Removal" }, { "control_id": "si-3", "title": "Malicious Code Protection" } ], "impact": { "low": true, "moderate": true } }, { "id": "KSI-CMT-03", "name": "Automated Testing and Validation", "statement": "Automate persistent testing and validation of changes throughout deployment.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "cm-3", "title": "Configuration Change Control" }, { "control_id": "cm-3.2", "title": "Testing, Validation, and Documentation of Changes" }, { "control_id": "cm-4.2", "title": "Verification of Controls" }, { "control_id": "si-2", "title": "Flaw Remediation" } ] }, { "id": "KSI-CMT-04", "name": "Change Management Procedure", "statement": "Always follow a documented change management procedure.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "cm-3", "title": "Configuration Change Control" }, { "control_id": "cm-3.2", "title": "Testing, Validation, and Documentation of Changes" }, { "control_id": "cm-3.4", "title": "Security and Privacy Representatives" }, { "control_id": "cm-5", "title": "Access Restrictions for Change" }, { "control_id": "cm-7.1", "title": "Periodic Review" }, { "control_id": "cm-9", "title": "Configuration Management Plan" } ] }, { "id": "KSI-CMT-05", "statement": "", "note": "Superseded by KSI-AFR-05 (SCN)", "retired": true, "impact": { "low": false, "moderate": false } } ] }, "CNA": {
"id": "KSI-CNA", "name": "Cloud Native Architecture", "theme": "A secure _cloud service offering_ will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system.", "indicators": [ { "id": "KSI-CNA-01", "name": "Restrict Network Traffic", "statement": "Configure all machine-based information resources to limit inbound and outbound network traffic.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-17.3", "title": "Managed Access Control Points" }, { "control_id": "ca-9", "title": "Internal System Connections" }, { "control_id": "cm-7.1", "title": "Periodic Review" }, { "control_id": "sc-7.5", "title": "Deny by Default — Allow by Exception" }, { "control_id": "si-8", "title": "Spam Protection" } ] }, { "id": "KSI-CNA-02", "name": "Minimize the Attack Surface", "statement": "Design systems to minimize the attack surface and minimize lateral movement if compromised.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-17.3", "title": "Managed Access Control Points" }, { "control_id": "ac-18.1", "title": "Authentication and Encryption" }, { "control_id": "ac-18.3", "title": "Disable Wireless Networking" }, { "control_id": "ac-20.1", "title": "Limits on Authorized Use" }, { "control_id": "ca-9", "title": "Internal System Connections" }, { "control_id": "sc-7.3", "title": "Access Points" }, { "control_id": "sc-7.4", "title": "External Telecommunications Services" }, { "control_id": "sc-7.5", "title": "Deny by Default — Allow by Exception" }, { "control_id": "sc-7.8", "title": "Route Traffic to Authenticated Proxy Servers" }, { "control_id": "sc-8", "title": "Transmission Confidentiality and Integrity" }, { "control_id": "sc-10", "title": "Network Disconnect" }, { "control_id": "si-10", "title": "Information Input Validation" }, { "control_id": "si-11", "title": "Error Handling" }, { "control_id": "si-16", "title": "Memory Protection" } ] 
}, { "id": "KSI-CNA-03", "name": "Enforce Traffic Flow", "statement": "Use logical networking and related capabilities to enforce traffic flow controls.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-12", "title": "Session Termination" }, { "control_id": "ac-17.3", "title": "Managed Access Control Points" }, { "control_id": "ca-9", "title": "Internal System Connections" }, { "control_id": "sc-4", "title": "Information in Shared System Resources" }, { "control_id": "sc-7", "title": "Boundary Protection" }, { "control_id": "sc-7.7", "title": "Split Tunneling for Remote Devices" }, { "control_id": "sc-8", "title": "Transmission Confidentiality and Integrity" }, { "control_id": "sc-10", "title": "Network Disconnect" } ] }, { "id": "KSI-CNA-04", "name": "Immutable Infrastructure", "statement": "Use immutable infrastructure with strictly defined functionality and privileges by default.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "cm-2", "title": "Baseline Configuration" }, { "control_id": "si-3", "title": "Malicious Code Protection" } ] }, { "id": "KSI-CNA-05", "name": "Unwanted Activity", "statement": "Protect against denial of service attacks and other unwanted activity.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "sc-5", "title": "Denial-of-service Protection" }, { "control_id": "si-8", "title": "Spam Protection" }, { "control_id": "si-8.2", "title": "Automatic Updates" } ] }, { "id": "KSI-CNA-06", "name": "High Availability", "statement": "Design systems for high availability and rapid recovery.", "impact": { "low": true, "moderate": true }, "controls": [] }, { "id": "KSI-CNA-07", "name": "Best Practices", "statement": "Ensure cloud-native _information resources_ are implemented based on host provider's best practices and documented guidance.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-17.3", "title": "Managed Access Control Points" 
}, { "control_id": "cm-2", "title": "Baseline Configuration" }, { "control_id": "pl-10", "title": "Baseline Selection" } ] }, { "id": "KSI-CNA-08", "name": "Persistent Assessment and Automated Enforcement", "statement": "Use automated services to persistently assess the security posture of all machine-based information resources and automatically enforce their intended operational state.", "impact": { "low": false, "moderate": true }, "controls": [ { "control_id": "ca-2.1", "title": "Independent Assessors" }, { "control_id": "ca-7.1", "title": "Independent Assessment" } ] } ] }, "IAM": { "id": "KSI-IAM", "name": "Identity and Access Management", "theme": "A secure _cloud service offering_ will protect user data, control access, and apply zero trust principles.", "indicators": [ { "id": "KSI-IAM-01", "name": "Phishing-Resistant MFA", "statement": "Enforce multi-factor authentication (MFA) using methods that are difficult to intercept or impersonate (phishing-resistant MFA) for all user authentication.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-2", "title": "Account Management" }, { "control_id": "ia-2", "title": "Identification and Authentication (Organizational Users)" }, { "control_id": "ia-2.1", "title": "Multi-factor Authentication to Privileged Accounts" }, { "control_id": "ia-2.2", "title": "Multi-factor Authentication to Non-privileged Accounts" }, { "control_id": "ia-2.8", "title": "Access to Accounts — Replay Resistant" }, { "control_id": "ia-5", "title": "Authenticator Management" }, { "control_id": "ia-8", "title": "Identification and Authentication (Non-organizational Users)" }, { "control_id": "sc-23", "title": "Session Authenticity" } ] }, { "id": "KSI-IAM-02", "name": "Passwordless Authentication", "statement": "Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA.", "impact": { "low": true, "moderate": true }, "controls": [ { 
"control_id": "ac-2", "title": "Account Management" }, { "control_id": "ac-3", "title": "Access Enforcement" }, { "control_id": "ia-2.1", "title": "Multi-factor Authentication to Privileged Accounts" }, { "control_id": "ia-2.2", "title": "Multi-factor Authentication to Non-privileged Accounts" }, { "control_id": "ia-2.8", "title": "Access to Accounts — Replay Resistant" }, { "control_id": "ia-5.1", "title": "Password-based Authentication" }, { "control_id": "ia-5.2", "title": "Public Key-based Authentication" }, { "control_id": "ia-5.6", "title": "Protection of Authenticators" }, { "control_id": "ia-6", "title": "Authentication Feedback" } ] }, { "id": "KSI-IAM-03", "name": "Non-User Accounts", "statement": "Enforce appropriately secure authentication methods for non-user accounts and services.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-2", "title": "Account Management" }, { "control_id": "ac-2.2", "title": "Automated Temporary and Emergency Account Management" }, { "control_id": "ac-4", "title": "Information Flow Enforcement" }, { "control_id": "ac-6.5", "title": "Privileged Accounts" }, { "control_id": "ia-3", "title": "Device Identification and Authentication" }, { "control_id": "ia-5.2", "title": "Public Key-based Authentication" }, { "control_id": "ra-5.5", "title": "Privileged Access" } ] }, { "id": "KSI-IAM-04", "name": "Just-in-Time Authorization", "statement": "Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-2", "title": "Account Management" }, { "control_id": "ac-2.1", "title": "Automated System Account Management" }, { "control_id": "ac-2.2", "title": "Automated Temporary and Emergency Account Management" }, { "control_id": "ac-2.3", "title": "Disable Accounts" }, { "control_id": "ac-2.4", "title": "Automated Audit Actions" }, { "control_id": 
"ac-2.6", "title": "Dynamic Privilege Management" }, { "control_id": "ac-3", "title": "Access Enforcement" }, { "control_id": "ac-4", "title": "Information Flow Enforcement" }, { "control_id": "ac-5", "title": "Separation of Duties" }, { "control_id": "ac-6", "title": "Least Privilege" }, { "control_id": "ac-6.1", "title": "Authorize Access to Security Functions" }, { "control_id": "ac-6.2", "title": "Non-privileged Access for Nonsecurity Functions" }, { "control_id": "ac-6.5", "title": "Privileged Accounts" }, { "control_id": "ac-6.7", "title": "Review of User Privileges" }, { "control_id": "ac-6.9", "title": "Log Use of Privileged Functions" }, { "control_id": "ac-6.10", "title": "Prohibit Non-privileged Users from Executing Privileged Functions" }, { "control_id": "ac-7", "title": "Unsuccessful Logon Attempts" }, { "control_id": "ac-20.1", "title": "Limits on Authorized Use" }, { "control_id": "ac-17", "title": "Remote Access" }, { "control_id": "au-9.4", "title": "Access by Subset of Privileged Users" }, { "control_id": "cm-5", "title": "Access Restrictions for Change" }, { "control_id": "cm-7", "title": "Least Functionality" }, { "control_id": "cm-7.2", "title": "Prevent Program Execution" }, { "control_id": "cm-7.5", "title": "Authorized Software — Allow-by-exception" }, { "control_id": "cm-9", "title": "Configuration Management Plan" }, { "control_id": "ia-4", "title": "Identifier Management" }, { "control_id": "ia-4.4", "title": "Identify User Status" }, { "control_id": "ia-7", "title": "Cryptographic Module Authentication" }, { "control_id": "ps-2", "title": "Position Risk Designation" }, { "control_id": "ps-3", "title": "Personnel Screening" }, { "control_id": "ps-4", "title": "Personnel Termination" }, { "control_id": "ps-5", "title": "Personnel Transfer" }, { "control_id": "ps-6", "title": "Access Agreements" }, { "control_id": "ps-9", "title": "Position Descriptions" }, { "control_id": "ra-5.5", "title": "Privileged Access" }, { "control_id": "sc-2", 
"title": "Separation of System and User Functionality" }, { "control_id": "sc-23", "title": "Session Authenticity" }, { "control_id": "sc-39", "title": "Process Isolation" } ] }, { "id": "KSI-IAM-05", "name": "Least Privilege", "statement": "Configure identity and access management with measures that always verify each user or device can only access the resources they need.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-2.5", "title": "Inactivity Logout" }, { "control_id": "ac-2.6", "title": "Dynamic Privilege Management" }, { "control_id": "ac-3", "title": "Access Enforcement" }, { "control_id": "ac-4", "title": "Information Flow Enforcement" }, { "control_id": "ac-6", "title": "Least Privilege" }, { "control_id": "ac-12", "title": "Session Termination" }, { "control_id": "ac-14", "title": "Permitted Actions Without Identification or Authentication" }, { "control_id": "ac-17", "title": "Remote Access" }, { "control_id": "ac-17.1", "title": "Monitoring and Control" }, { "control_id": "ac-17.2", "title": "Protection of Confidentiality and Integrity Using Encryption" }, { "control_id": "ac-17.3", "title": "Managed Access Control Points" }, { "control_id": "ac-20", "title": "Use of External Systems" }, { "control_id": "ac-20.1", "title": "Limits on Authorized Use" }, { "control_id": "cm-2.7", "title": "Configure Systems and Components for High-risk Areas" }, { "control_id": "cm-9", "title": "Configuration Management Plan" }, { "control_id": "ia-2", "title": "Identification and Authentication (Organizational Users)" }, { "control_id": "ia-3", "title": "Device Identification and Authentication" }, { "control_id": "ia-4", "title": "Identifier Management" }, { "control_id": "ia-4.4", "title": "Identify User Status" }, { "control_id": "ia-5.2", "title": "Public Key-based Authentication" }, { "control_id": "ia-5.6", "title": "Protection of Authenticators" }, { "control_id": "ia-11", "title": "Re-authentication" }, { "control_id": "ps-2", 
"title": "Position Risk Designation" }, { "control_id": "ps-3", "title": "Personnel Screening" }, { "control_id": "ps-4", "title": "Personnel Termination" }, { "control_id": "ps-5", "title": "Personnel Transfer" }, { "control_id": "ps-6", "title": "Access Agreements" }, { "control_id": "sc-4", "title": "Information in Shared System Resources" }, { "control_id": "sc-20", "title": "Secure Name/Address Resolution Service (Authoritative Source)" }, { "control_id": "sc-21", "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)" }, { "control_id": "sc-22", "title": "Architecture and Provisioning for Name/Address Resolution Service" }, { "control_id": "sc-23", "title": "Session Authenticity" }, { "control_id": "sc-39", "title": "Process Isolation" }, { "control_id": "si-3", "title": "Malicious Code Protection" } ] }, { "id": "KSI-IAM-06", "name": "Suspicious Activity", "statement": "Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity.", "controls": [ { "control_id": "ac-2", "title": "Account Management" }, { "control_id": "ac-2.1", "title": "Automated System Account Management" }, { "control_id": "ac-2.3", "title": "Disable Accounts" }, { "control_id": "ac-2.13", "title": "Disable Accounts for High-risk Individuals" }, { "control_id": "ac-7", "title": "Unsuccessful Logon Attempts" }, { "control_id": "ps-4", "title": "Personnel Termination" }, { "control_id": "ps-8", "title": "Personnel Sanctions" } ], "impact": { "low": true, "moderate": true } }, { "id": "KSI-IAM-07", "name": "Automated Account Management", "statement": "Securely manage the lifecycle and privileges of all accounts, roles, and groups, using automation.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-2.2", "title": "Automated Temporary and Emergency Account Management" }, { "control_id": "ac-2.3", "title": "Disable Accounts" }, { "control_id": "ac-2.13", "title": "Disable Accounts for 
High-risk Individuals" }, { "control_id": "ac-6.7", "title": "Review of User Privileges" }, { "control_id": "ia-4.4", "title": "Identify User Status" }, { "control_id": "ia-12", "title": "Identity Proofing" }, { "control_id": "ia-12.2", "title": "Identity Evidence" }, { "control_id": "ia-12.3", "title": "Identity Evidence Validation and Verification" }, { "control_id": "ia-12.5", "title": "Address Confirmation" } ] } ] }, "INR": { "id": "KSI-INR", "name": "Incident Response", "theme": "A secure _cloud service offering_ will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement.", "indicators": [ { "id": "KSI-INR-01", "name": "Incident Response Procedure", "statement": "Always follow a documented incident response procedure.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ir-4", "title": "Incident Handling" }, { "control_id": "ir-4.1", "title": "Automated Incident Handling Processes" }, { "control_id": "ir-6", "title": "Incident Reporting" }, { "control_id": "ir-6.1", "title": "Automated Reporting" }, { "control_id": "ir-6.3", "title": "Supply Chain Coordination" }, { "control_id": "ir-7", "title": "Incident Response Assistance" }, { "control_id": "ir-7.1", "title": "Automation Support for Availability of Information and Support" }, { "control_id": "ir-8", "title": "Incident Response Plan" }, { "control_id": "ir-8.1", "title": "Breaches" }, { "control_id": "si-4.5", "title": "System-generated Alerts" } ] }, { "id": "KSI-INR-02", "name": "Incident Logging", "statement": "Maintain a log of incidents and periodically review past incidents for patterns or vulnerabilities.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ir-3", "title": "Incident Response Testing" }, { "control_id": "ir-4", "title": "Incident Handling" }, { "control_id": "ir-4.1", "title": "Automated Incident Handling Processes" }, { "control_id": "ir-5", "title": "Incident 
Monitoring" }, { "control_id": "ir-8", "title": "Incident Response Plan" } ] }, { "id": "KSI-INR-03", "name": "Incident After Action Reports", "statement": "Generate after action reports and _regularly_ incorporate lessons learned into operations.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ir-3", "title": "Incident Response Testing" }, { "control_id": "ir-4", "title": "Incident Handling" }, { "control_id": "ir-4.1", "title": "Automated Incident Handling Processes" }, { "control_id": "ir-8", "title": "Incident Response Plan" } ] } ] }, "MLA": { "id": "KSI-MLA", "name": "Monitoring, Logging, and Auditing", "theme": "A secure _cloud service offering_ will monitor, log, and audit all important events, activity, and changes.", "indicators": [ { "id": "KSI-MLA-01", "name": "Security Information and Event Management (SIEM)", "statement": "Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistant logging of events, activities, and changes.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-17.1", "title": "Monitoring and Control" }, { "control_id": "ac-20.1", "title": "Limits on Authorized Use" }, { "control_id": "au-2", "title": "Event Logging" }, { "control_id": "au-3", "title": "Content of Audit Records" }, { "control_id": "au-3.1", "title": "Additional Audit Information" }, { "control_id": "au-4", "title": "Audit Log Storage Capacity" }, { "control_id": "au-5", "title": "Response to Audit Logging Process Failures" }, { "control_id": "au-6.1", "title": "Automated Process Integration" }, { "control_id": "au-6.3", "title": "Correlate Audit Record Repositories" }, { "control_id": "au-7", "title": "Audit Record Reduction and Report Generation" }, { "control_id": "au-7.1", "title": "Automatic Processing" }, { "control_id": "au-8", "title": "Time Stamps" }, { "control_id": "au-9", "title": "Protection of Audit Information" }, { "control_id": "au-11", 
"title": "Audit Record Retention" }, { "control_id": "ir-4.1", "title": "Automated Incident Handling Processes" }, { "control_id": "si-4.2", "title": "Automated Tools and Mechanisms for Real-time Analysis" }, { "control_id": "si-4.4", "title": "Inbound and Outbound Communications Traffic" }, { "control_id": "si-7.7", "title": "Integration of Detection and Response" } ] }, { "id": "KSI-MLA-02", "name": "Audit Logging", "statement": "_Regularly_ review and audit logs.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-2.4", "title": "Automated Audit Actions" }, { "control_id": "ac-6.9", "title": "Log Use of Privileged Functions" }, { "control_id": "au-2", "title": "Event Logging" }, { "control_id": "au-6", "title": "Audit Record Review, Analysis, and Reporting" }, { "control_id": "au-6.1", "title": "Automated Process Integration" }, { "control_id": "si-4", "title": "System Monitoring" }, { "control_id": "si-4.4", "title": "Inbound and Outbound Communications Traffic" } ] }, { "id": "KSI-MLA-03", "statement": "", "note": "Superseded by KSI-AFR-04 (VDR)", "retired": true, "impact": { "low": false, "moderate": false } }, { "id": "KSI-MLA-04", "statement": "", "note": "Superseded by KSI-AFR-04 (VDR)", "retired": true, "impact": { "low": false, "moderate": false } }, { "id": "KSI-MLA-05", "name": "Infrastructure as Code", "statement": "Perform Infrastructure as Code and configuration evaluation and testing.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ca-7", "title": "Continuous Monitoring" }, { "control_id": "cm-2", "title": "Baseline Configuration" }, { "control_id": "cm-6", "title": "Configuration Settings" }, { "control_id": "si-7.7", "title": "Integration of Detection and Response" } ] }, { "id": "KSI-MLA-06", "statement": "", "note": "Superseded by KSI-AFR-04 (VDR)", "retired": true, "impact": { "low": false, "moderate": false } }, { "id": "KSI-MLA-07", "name": "Event Types", "statement": "Maintain a 
list of information resources and event types that will be monitored, logged, and audited, then do so.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-2.4", "title": "Automated Audit Actions" }, { "control_id": "ac-6.9", "title": "Log Use of Privileged Functions" }, { "control_id": "ac-17.1", "title": "Monitoring and Control" }, { "control_id": "ac-20.1", "title": "Limits on Authorized Use" }, { "control_id": "au-2", "title": "Event Logging" }, { "control_id": "au-7.1", "title": "Automatic Processing" }, { "control_id": "au-12", "title": "Audit Record Generation" }, { "control_id": "si-4.4", "title": "Inbound and Outbound Communications Traffic" }, { "control_id": "si-4.5", "title": "System-generated Alerts" }, { "control_id": "si-7.7", "title": "Integration of Detection and Response" } ] }, { "id": "KSI-MLA-08", "name": "Log Data Access", "statement": "Use a least-privileged, role and attribute-based, and just-in-time access authorization model for access to log data based on organizationally defined data sensitivity.", "impact": { "low": false, "moderate": true }, "controls": [ { "control_id": "si-11", "title": "Error Handling" } ] } ] }, "PIY": { "id": "KSI-PIY", "name": "Policy and Inventory", "theme": "A secure _cloud service offering_ will have intentional, organized, universal guidance for how every _information resource_, including personnel, is secured.", "indicators": [ { "id": "KSI-PIY-01", "name": "Automated Inventory", "statement": "Use authoritative sources to automatically maintain real-time inventories of all information resources.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "cm-2.2", "title": "Automation Support for Accuracy and Currency" }, { "control_id": "cm-7.5", "title": "Authorized Software — Allow-by-exception" }, { "control_id": "cm-8", "title": "System Component Inventory" }, { "control_id": "cm-8.1", "title": "Updates During Installation and Removal" }, { "control_id": 
"cm-12", "title": "Information Location" }, { "control_id": "cm-12.1", "title": "Automated Tools to Support Information Location" }, { "control_id": "cp-2.8", "title": "Identify Critical Assets" } ] }, { "id": "KSI-PIY-02", "name": "Security Objectives and Requirements", "statement": "Document the security objectives and requirements for each information resource or set of information resources.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-1", "title": "Policy and Procedures" }, { "control_id": "ac-21", "title": "Information Sharing" }, { "control_id": "at-1", "title": "Policy and Procedures" }, { "control_id": "au-1", "title": "Policy and Procedures" }, { "control_id": "ca-1", "title": "Policy and Procedures" }, { "control_id": "cm-1", "title": "Policy and Procedures" }, { "control_id": "cp-1", "title": "Policy and Procedures" }, { "control_id": "cp-2.1", "title": "Coordinate with Related Plans" }, { "control_id": "cp-2.8", "title": "Identify Critical Assets" }, { "control_id": "cp-4.1", "title": "Coordinate with Related Plans" }, { "control_id": "ia-1", "title": "Policy and Procedures" }, { "control_id": "ir-1", "title": "Policy and Procedures" }, { "control_id": "ma-1", "title": "Policy and Procedures" }, { "control_id": "mp-1", "title": "Policy and Procedures" }, { "control_id": "pe-1", "title": "Policy and Procedures" }, { "control_id": "pl-1", "title": "Policy and Procedures" }, { "control_id": "pl-2", "title": "System Security and Privacy Plans" }, { "control_id": "pl-4", "title": "Rules of Behavior" }, { "control_id": "pl-4.1", "title": "Social Media and External Site/Application Usage Restrictions" }, { "control_id": "ps-1", "title": "Policy and Procedures" }, { "control_id": "ra-1", "title": "Policy and Procedures" }, { "control_id": "ra-9", "title": "Criticality Analysis" }, { "control_id": "sa-1", "title": "Policy and Procedures" }, { "control_id": "sc-1", "title": "Policy and Procedures" }, { "control_id": "si-1", 
"title": "Policy and Procedures" }, { "control_id": "sr-1", "title": "Policy and Procedures" }, { "control_id": "sr-2", "title": "Supply Chain Risk Management Plan" }, { "control_id": "sr-3", "title": "Supply Chain Controls and Processes" }, { "control_id": "sr-11", "title": "Component Authenticity" } ] }, { "id": "KSI-PIY-03", "name": "Vulnerability Disclosure Program", "statement": "Maintain a vulnerability disclosure program.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ra-5.11", "title": "Public Disclosure Program" } ] }, { "id": "KSI-PIY-04", "name": "CISA Secure By Design", "statement": "Monitor the effectiveness of building security and privacy considerations into the Software Development Lifecycle and aligning with CISA Secure By Design principles.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-5", "title": "Separation of Duties" }, { "control_id": "au-3.3", "title": "Limit Personally Identifiable Information Elements" }, { "control_id": "cm-3.4", "title": "Security and Privacy Representatives" }, { "control_id": "pl-8", "title": "Security and Privacy Architectures" }, { "control_id": "pm-7", "title": "Enterprise Architecture" }, { "control_id": "sa-3", "title": "System Development Life Cycle" }, { "control_id": "sa-8", "title": "Security and Privacy Engineering Principles" }, { "control_id": "sc-4", "title": "Information in Shared System Resources" }, { "control_id": "sc-18", "title": "Mobile Code" }, { "control_id": "si-10", "title": "Information Input Validation" }, { "control_id": "si-11", "title": "Error Handling" }, { "control_id": "si-16", "title": "Memory Protection" } ] }, { "id": "KSI-PIY-05", "name": "Evaluate Implementations", "statement": "Document methods used to evaluate _information resource_ implementations.", "impact": { "low": true, "moderate": true }, "controls": [] }, { "id": "KSI-PIY-06", "name": "Security Investment Effectiveness", "statement": "Monitor the 
effectiveness of the organization's investments in achieving security objectives.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-5", "title": "Separation of Duties" }, { "control_id": "ca-2", "title": "Control Assessments" }, { "control_id": "cp-2.1", "title": "Coordinate with Related Plans" }, { "control_id": "cp-4.1", "title": "Coordinate with Related Plans" }, { "control_id": "ir-3.2", "title": "Coordination with Related Plans" }, { "control_id": "pm-3", "title": "Information Security and Privacy Resources" }, { "control_id": "sa-2", "title": "Allocation of Resources" }, { "control_id": "sa-3", "title": "System Development Life Cycle" }, { "control_id": "sr-2.1", "title": "Establish SCRM Team" } ] }, { "id": "KSI-PIY-07", "name": "Supply Chain Risk Management", "statement": "Document risk management decisions for software supply chain security.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ca-7.4", "title": "Risk Monitoring" }, { "control_id": "sc-18", "title": "Mobile Code" } ] }, { "id": "KSI-PIY-08", "name": "Executive Support", "statement": "Regularly measure executive support for achieving the organization’s security objectives.", "impact": { "low": true, "moderate": true }, "controls": [] } ] }, "RPL": { "id": "KSI-RPL", "name": "Recovery Planning", "theme": "A secure _cloud service offering_ will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss during incidents and contingencies.", "indicators": [ { "id": "KSI-RPL-01", "name": "Recovery Objectives", "statement": "Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "cp-2.3", "title": "Resume Mission and Business Functions" }, { "control_id": "cp-10", "title": "System Recovery and Reconstitution" } ] }, { "id": "KSI-RPL-02", "name": "Recovery Plan", "statement": 
"Develop and maintain a recovery plan that aligns with the defined recovery objectives.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "cp-2", "title": "Contingency Plan" }, { "control_id": "cp-2.1", "title": "Coordinate with Related Plans" }, { "control_id": "cp-2.3", "title": "Resume Mission and Business Functions" }, { "control_id": "cp-4.1", "title": "Coordinate with Related Plans" }, { "control_id": "cp-6", "title": "Alternate Storage Site" }, { "control_id": "cp-6.1", "title": "Separation from Primary Site" }, { "control_id": "cp-6.3", "title": "Accessibility" }, { "control_id": "cp-7", "title": "Alternate Processing Site" }, { "control_id": "cp-7.1", "title": "Separation from Primary Site" }, { "control_id": "cp-7.2", "title": "Accessibility" }, { "control_id": "cp-7.3", "title": "Priority of Service" }, { "control_id": "cp-8", "title": "Telecommunications Services" }, { "control_id": "cp-8.1", "title": "Priority of Service Provisions" }, { "control_id": "cp-8.2", "title": "Single Points of Failure" }, { "control_id": "cp-10", "title": "System Recovery and Reconstitution" }, { "control_id": "cp-10.2", "title": "Transaction Recovery" } ] }, { "id": "KSI-RPL-03", "name": "System Backups", "statement": "Perform system backups aligned with recovery objectives.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "cm-2.3", "title": "Retention of Previous Configurations" }, { "control_id": "cp-6", "title": "Alternate Storage Site" }, { "control_id": "cp-9", "title": "System Backup" }, { "control_id": "cp-10", "title": "System Recovery and Reconstitution" }, { "control_id": "cp-10.2", "title": "Transaction Recovery" }, { "control_id": "si-12", "title": "Information Management and Retention" } ] }, { "id": "KSI-RPL-04", "name": "Recovery Testing", "statement": "_Regularly_ test the capability to recover from incidents and contingencies.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": 
"cp-2.1", "title": "Coordinate with Related Plans" }, { "control_id": "cp-2.3", "title": "Resume Mission and Business Functions" }, { "control_id": "cp-4", "title": "Contingency Plan Testing" }, { "control_id": "cp-4.1", "title": "Coordinate with Related Plans" }, { "control_id": "cp-6", "title": "Alternate Storage Site" }, { "control_id": "cp-6.1", "title": "Separation from Primary Site" }, { "control_id": "cp-9.1", "title": "Testing for Reliability and Integrity" }, { "control_id": "cp-10", "title": "System Recovery and Reconstitution" }, { "control_id": "ir-3", "title": "Incident Response Testing" }, { "control_id": "ir-3.2", "title": "Coordination with Related Plans" } ] } ] }, "SVC": { "id": "KSI-SVC", "name": "Service Configuration", "theme": "A secure _cloud service offering_ will follow FedRAMP encryption policies, continuously verify _information resource_ integrity, and restrict access to _third-party information resources_.", "indicators": [ { "id": "KSI-SVC-01", "name": "Continuous Improvement", "statement": "Implement improvements based on persistent evaluation of information resources for opportunities to improve security.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "cm-7.1", "title": "Periodic Review" }, { "control_id": "cm-12.1", "title": "Automated Tools to Support Information Location" }, { "control_id": "ma-2", "title": "Controlled Maintenance" }, { "control_id": "pl-8", "title": "Security and Privacy Architectures" }, { "control_id": "sc-7", "title": "Boundary Protection" }, { "control_id": "sc-39", "title": "Process Isolation" }, { "control_id": "si-2.2", "title": "Automated Flaw Remediation Status" }, { "control_id": "si-4", "title": "System Monitoring" }, { "control_id": "sr-10", "title": "Inspection of Systems or Components" } ] }, { "id": "KSI-SVC-02", "name": "Network Encryption", "statement": "Encrypt or otherwise secure network traffic.", "impact": { "low": true, "moderate": true }, "controls": [ { 
"control_id": "ac-1", "title": "Policy and Procedures" }, { "control_id": "ac-17.2", "title": "Protection of Confidentiality and Integrity Using Encryption" }, { "control_id": "cp-9.8", "title": "Cryptographic Protection" }, { "control_id": "sc-8", "title": "Transmission Confidentiality and Integrity" }, { "control_id": "sc-8.1", "title": "Cryptographic Protection" }, { "control_id": "sc-13", "title": "Cryptographic Protection" }, { "control_id": "sc-20", "title": "Secure Name/Address Resolution Service (Authoritative Source)" }, { "control_id": "sc-21", "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)" }, { "control_id": "sc-22", "title": "Architecture and Provisioning for Name/Address Resolution Service" }, { "control_id": "sc-23", "title": "Session Authenticity" } ] }, { "id": "KSI-SVC-03", "retired": true, "statement": "", "note": "Superseded by KSI-AFR-11 (UCM)", "impact": { "low": false, "moderate": false } }, { "id": "KSI-SVC-04", "name": "Configuration Automation", "statement": "Manage configuration of machine-based information resources using automation.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-2.4", "title": "Automated Audit Actions" }, { "control_id": "cm-2", "title": "Baseline Configuration" }, { "control_id": "cm-2.2", "title": "Automation Support for Accuracy and Currency" }, { "control_id": "cm-2.3", "title": "Retention of Previous Configurations" }, { "control_id": "cm-6", "title": "Configuration Settings" }, { "control_id": "cm-7.1", "title": "Periodic Review" }, { "control_id": "pl-9", "title": "Central Management" }, { "control_id": "pl-10", "title": "Baseline Selection" }, { "control_id": "sa-5", "title": "System Documentation" }, { "control_id": "si-5", "title": "Security Alerts, Advisories, and Directives" }, { "control_id": "sr-10", "title": "Inspection of Systems or Components" } ] }, { "id": "KSI-SVC-05", "name": "Resource Integrity", "statement": "Use cryptographic 
methods to validate the integrity of machine-based information resources.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "cm-2.2", "title": "Automation Support for Accuracy and Currency" }, { "control_id": "cm-8.3", "title": "Automated Unauthorized Component Detection" }, { "control_id": "sc-13", "title": "Cryptographic Protection" }, { "control_id": "sc-23", "title": "Session Authenticity" }, { "control_id": "si-7", "title": "Software, Firmware, and Information Integrity" }, { "control_id": "si-7.1", "title": "Integrity Checks" }, { "control_id": "sr-10", "title": "Inspection of Systems or Components" } ] }, { "id": "KSI-SVC-06", "name": "Secret Management", "statement": "Automate management, protection, and regular rotation of digital keys, certificates, and other secrets.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-17.2", "title": "Protection of Confidentiality and Integrity Using Encryption" }, { "control_id": "ia-5.2", "title": "Public Key-based Authentication" }, { "control_id": "ia-5.6", "title": "Protection of Authenticators" }, { "control_id": "sc-12", "title": "Cryptographic Key Establishment and Management" }, { "control_id": "sc-17", "title": "Public Key Infrastructure Certificates" } ] }, { "id": "KSI-SVC-07", "name": "Patching", "statement": "Use a consistent, risk-informed approach for applying security patches.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ca-7.4", "title": "Risk Monitoring" }, { "control_id": "ra-5", "title": "Vulnerability Monitoring and Scanning" }, { "control_id": "ra-7", "title": "Risk Response" } ] }, { "id": "KSI-SVC-08", "name": "Shared Resources", "statement": "Do not introduce or leave behind residual elements that could negatively affect confidentiality, integrity, or availability of _federal customer data_ during operations.", "impact": { "low": false, "moderate": true }, "controls": [ { "control_id": "sc-4", "title": 
"Information in Shared System Resources" } ] }, { "id": "KSI-SVC-09", "name": "Communication Integrity", "statement": "Persistently validate the authenticity and integrity of communications between _machine-based_ _information resources_ using automation.", "impact": { "low": false, "moderate": true }, "controls": [ { "control_id": "sc-23", "title": "Session Authenticity" }, { "control_id": "si-7.1", "title": "Integrity Checks" } ] }, { "id": "KSI-SVC-10", "name": "Data Destruction", "statement": "Remove unwanted federal customer data promptly when requested by an agency in alignment with customer agreements, including from backups if appropriate; this typically applies when a customer spills information or when a customer seeks to remove information from a service due to a change in usage.", "impact": { "low": false, "moderate": true }, "controls": [ { "control_id": "si-12.3", "title": "Information Disposal" }, { "control_id": "si-18.4", "title": "Individual Requests" } ] } ] }, "TPR": { "id": "KSI-TPR", "name": "Third-Party Information Resources", "theme": "A secure _cloud service offering_ will understand, monitor, and manage supply chain risks from _third-party information resources_.", "indicators": [ { "id": "KSI-TPR-01", "retired": true, "statement": "", "note": "Superseded by KSI-AFR-01 (MAS)", "impact": { "low": false, "moderate": false } }, { "id": "KSI-TPR-02", "retired": true, "statement": "", "note": "Superseded by KSI-AFR-01 (MAS)", "impact": { "low": false, "moderate": false } }, { "id": "KSI-TPR-03", "name": "Supply Chain Risk Management", "statement": "Identify and prioritize mitigation of potential supply chain risks.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-20", "title": "Use of External Systems" }, { "control_id": "ra-3.1", "title": "Supply Chain Risk Assessment" }, { "control_id": "sa-9", "title": "External System Services" }, { "control_id": "sa-10", "title": "Developer Configuration Management" }, { 
"control_id": "sa-11", "title": "Developer Testing and Evaluation" }, { "control_id": "sa-15.3", "title": "Criticality Analysis" }, { "control_id": "sa-22", "title": "Unsupported System Components" }, { "control_id": "si-7.1", "title": "Integrity Checks" }, { "control_id": "sr-5", "title": "Acquisition Strategies, Tools, and Methods" }, { "control_id": "sr-6", "title": "Supplier Assessments and Reviews" } ] }, { "id": "KSI-TPR-04", "name": "Supply Chain Risk Monitoring", "statement": "Automatically monitor third-party software _information resources_ for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services.", "impact": { "low": true, "moderate": true }, "controls": [ { "control_id": "ac-20", "title": "Use of External Systems" }, { "control_id": "ca-3", "title": "Information Exchange" }, { "control_id": "ir-6.3", "title": "Supply Chain Coordination" }, { "control_id": "ps-7", "title": "External Personnel Security" }, { "control_id": "ra-5", "title": "Vulnerability Monitoring and Scanning" }, { "control_id": "sa-9", "title": "External System Services" }, { "control_id": "si-5", "title": "Security Alerts, Advisories, and Directives" }, { "control_id": "sr-5", "title": "Acquisition Strategies, Tools, and Methods" }, { "control_id": "sr-6", "title": "Supplier Assessments and Reviews" }, { "control_id": "sr-8", "title": "Notification Agreements" } ] } ] } } }