{ "profile": { "uuid": "8afa367e-3cdb-4a6f-acd9-f7baa7641140", "metadata": { "title": "FedRAMP Rev 5 Low Baseline", "published": "2024-09-24T02:24:00Z", "last-modified": "2025-03-03T00:00:00Z", "version": "fedramp-3.0.0rc1-oscal-1.1.2", "oscal-version": "1.1.3", "roles": [ { "id": "prepared-by", "title": "Document creator" }, { "id": "fedramp-pmo", "title": "The FedRAMP Program Management Office (PMO)", "short-name": "PMO" } ], "parties": [ { "uuid": "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d", "type": "organization", "name": "Federal Risk and Authorization Management Program: Program Management Office", "short-name": "FedRAMP PMO", "links": [ { "href": "https://fedramp.gov", "rel": "homepage" }, { "href": "#a2381e87-3d04-4108-a30b-b4d2f36d001f", "rel": "logo" }, { "href": "#985475ee-d4d6-4581-8fdf-d84d3d8caa48", "rel": "reference" } ], "email-addresses": [ "info@fedramp.gov" ], "addresses": [ { "addr-lines": [ "1800 F St. NW" ], "postal-code": "20006", "type": "work", "state": "DC", "city": "Washington", "country": "US" } ] } ], "responsible-parties": [ { "role-id": "prepared-by", "party-uuids": [ "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" ] }, { "role-id": "fedramp-pmo", "party-uuids": [ "8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" ] } ] }, "imports": [ { "href": "#051a77c1-b61d-4995-8275-dacfe688d510", "include-controls": [ { "with-ids": [ "ac-1", "ac-2", "ac-3", "ac-7", "ac-8", "ac-14", "ac-17", "ac-18", "ac-19", "ac-20", "ac-22", "at-1", "at-2", "at-2.2", "at-3", "at-4", "au-1", "au-2", "au-3", "au-4", "au-5", "au-6", "au-8", "au-9", "au-11", "au-12", "ca-1", "ca-2", "ca-2.1", "ca-3", "ca-5", "ca-6", "ca-7", "ca-7.4", "ca-8", "ca-9", "cm-1", "cm-2", "cm-4", "cm-5", "cm-6", "cm-7", "cm-8", "cm-10", "cm-11", "cp-1", "cp-2", "cp-3", "cp-4", "cp-9", "cp-10", "ia-1", "ia-2", "ia-2.1", "ia-2.2", "ia-2.8", "ia-2.12", "ia-4", "ia-5", "ia-5.1", "ia-6", "ia-7", "ia-8", "ia-8.1", "ia-8.2", "ia-8.4", "ia-11", "ir-1", "ir-2", "ir-4", "ir-5", "ir-6", "ir-7", "ir-8", "ma-1", "ma-2", "ma-4", "ma-5", "mp-1", "mp-2", "mp-6", "mp-7", "pe-1", "pe-2", "pe-3", "pe-6", "pe-8", "pe-12", "pe-13", "pe-14", "pe-15", "pe-16", "pl-1", "pl-2", "pl-4", "pl-4.1", "pl-8", "pl-10", "pl-11", "ps-1", "ps-2", "ps-3", "ps-4", "ps-5", "ps-6", "ps-7", "ps-8", "ps-9", "ra-1", "ra-2", "ra-3", "ra-3.1", "ra-5", "ra-5.2", "ra-5.11", "ra-7", "sa-1", "sa-2", "sa-3", "sa-4", "sa-4.10", "sa-5", "sa-8", "sa-9", "sa-22", "sc-1", "sc-5", "sc-7", "sc-8", "sc-8.1", "sc-12", "sc-13", "sc-15", "sc-20", "sc-21", "sc-22", "sc-28", "sc-28.1", "sc-39", "si-1", "si-2", "si-3", "si-4", "si-5", "si-12", "sr-1", "sr-2", "sr-2.1", "sr-3", "sr-5", "sr-8", "sr-10", "sr-11", "sr-11.1", "sr-11.2", "sr-12" ] } ] } ], "merge": { "as-is": true }, "modify": { "set-parameters": [ { "param-id": "ac-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "ac-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ac-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "ac-02_odp.06", "constraints": [ { "description": "twenty-four (24) hours" } ] }, { "param-id": "ac-02_odp.07", "constraints": [ { "description": "eight (8) hours" } ] }, { "param-id": "ac-02_odp.08", "constraints": [ { "description": "eight (8) hours" } ] }, { "param-id": "ac-02_odp.10", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ac-08_odp.01", "constraints": [ { "description": "see additional Requirements and Guidance" } ] }, { "param-id": "ac-08_odp.02", "constraints": [ { "description": "see additional Requirements and Guidance" } ] }, { "param-id": "ac-22_odp", "constraints": [ { "description": "at least quarterly" } ] }, { "param-id": "at-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "at-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "at-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "at-02_odp.01", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "at-02_odp.02", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "at-02_odp.06", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "at-03_odp.03", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "at-03_odp.04", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "at-04_odp", "constraints": [ { "description": "at least one (1) year or 1 year after completion of a specific training program" } ] }, { "param-id": "au-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "au-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "au-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "au-02_odp.01", "constraints": [ { "description": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes" } ] }, { "param-id": "au-02_odp.02", "constraints": [ { "description": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event." } ] }, { "param-id": "au-02_odp.03", "constraints": [ { "description": "organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event." } ] }, { "param-id": "au-02_odp.04", "constraints": [ { "description": "annually and whenever there is a change in the threat environment" } ] }, { "param-id": "au-05_odp.03", "constraints": [ { "description": "overwrite oldest record" } ] }, { "param-id": "au-06_odp.01", "constraints": [ { "description": "at least weekly" } ] }, { "param-id": "au-08_odp", "constraints": [ { "description": "one second granularity of time measurement" } ] }, { "param-id": "au-11_odp", "constraints": [ { "description": "a time period in compliance with M-21-31" } ] }, { "param-id": "au-12_odp.01", "constraints": [ { "description": "all information system and network components where audit capability is deployed/available" } ] }, { "param-id": "ca-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "ca-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ca-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "ca-02_odp.01", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ca-02_odp.02", "constraints": [ { "description": "individuals or roles to include FedRAMP PMO" } ] }, { "param-id": "ca-03_odp.03", "constraints": [ { "description": "at least annually and on input from AO" } ] }, { "param-id": "ca-05_odp", "constraints": [ { "description": "at least monthly" } ] }, { "param-id": "ca-06_odp", "constraints": [ { "description": "in accordance with OMB A-130 requirements or when a significant change occurs" } ] }, { "param-id": "ca-07_odp.04", "constraints": [ { "description": "to include AO" } ] }, { "param-id": "ca-07_odp.06", "constraints": [ { "description": "to include AO" } ] }, { "param-id": "ca-08_odp.01", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "cm-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "cm-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "cm-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "cm-02_odp.01", "constraints": [ { "description": "at least annually and when a significant change occurs" } ] }, { "param-id": "cm-02_odp.02", "constraints": [ { "description": "to include when directed by the AO" } ] }, { "param-id": "cm-08_odp.02", "constraints": [ { "description": "at least monthly" } ] }, { "param-id": "cm-11_odp.03", "constraints": [ { "description": "Continuously (via CM-7 (5))" } ] }, { "param-id": "cp-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "cp-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "cp-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "cp-02_odp.05", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "cp-03_odp.01", "constraints": [ { "description": "\\*See Additional Requirements" } ] }, { "param-id": "cp-03_odp.02", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "cp-03_odp.03", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "cp-04_odp.01", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "cp-04_odp.02", "constraints": [ { "description": "classroom exercise/table top written tests" } ] }, { "param-id": "cp-04_odp.03", "constraints": [ { "description": "classroom exercise/table top written tests" } ] }, { "param-id": "cp-09_odp.02", "constraints": [ { "description": "daily incremental; weekly full" } ] }, { "param-id": "cp-09_odp.03", "constraints": [ { "description": "daily incremental; weekly full" } ] }, { "param-id": "cp-09_odp.04", "constraints": [ { "description": "daily incremental; weekly full" } ] }, { "param-id": "ia-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "ia-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ia-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "ia-04_odp.01", "constraints": [ { "description": "at a minimum, the ISSO (or similar role within the organization)" } ] }, { "param-id": "ia-04_odp.02", "constraints": [ { "description": "at least two (2) years" } ] }, { "param-id": "ir-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "ir-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ir-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "ir-02_odp.01", "constraints": [ { "description": "ten (10) days for privileged users, thirty (30) days for Incident Response roles" } ] }, { "param-id": "ir-02_odp.02", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ir-02_odp.03", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ir-06_odp.01", "constraints": [ { "description": "US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)" } ] }, { "param-id": "ir-08_odp.02", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ir-08_odp.04", "constraints": [ { "description": "see additional FedRAMP Requirements and Guidance" } ] }, { "param-id": "ir-08_odp.05", "constraints": [ { "description": "see additional FedRAMP Requirements and Guidance" } ] }, { "param-id": "ir-08_odp.06", "constraints": [ { "description": "see additional FedRAMP Requirements and Guidance" } ] }, { "param-id": "ir-08_odp.07", "constraints": [ { "description": "see additional FedRAMP Requirements and Guidance" } ] }, { "param-id": "ma-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "ma-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ma-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "mp-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "mp-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "mp-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "mp-06_odp.01", "constraints": [ { "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" } ] }, { "param-id": "mp-06_odp.02", "constraints": [ { "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" } ] }, { "param-id": "mp-06_odp.03", "constraints": [ { "description": "techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware" } ] }, { "param-id": "pe-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "pe-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "pe-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "pe-02_odp", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "pe-03_odp.02", "constraints": [ { "description": "CSP defined physical access control systems/devices AND guards" } ] }, { "param-id": "pe-03_odp.06", "constraints": [ { "description": "in all circumstances within restricted access area where the information system resides" } ] }, { "param-id": "pe-03_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "pe-03_odp.09", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "pe-03_odp.10", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "pe-06_odp.01", "constraints": [ { "description": "at least monthly" } ] }, { "param-id": "pe-08_odp.01", "constraints": [ { "description": "for a minimum of one (1) year" } ] }, { "param-id": "pe-08_odp.02", "constraints": [ { "description": "at least monthly" } ] }, { "param-id": "pe-14_odp.01", "constraints": [ { "description": "consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments" } ] }, { "param-id": "pe-14_odp.04", "constraints": [ { "description": "continuously" } ] }, { "param-id": "pe-16_odp.01", "constraints": [ { "description": "all information system components" } ] }, { "param-id": "pe-16_odp.02", "constraints": [ { "description": "all information system components" } ] }, { "param-id": "pl-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "pl-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "pl-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "pl-02_odp.03", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "pl-04_odp.01", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "pl-04_odp.02", "constraints": [ { "description": "at least annually and when the rules are revised or changed" } ] }, { "param-id": "pl-08_odp", "constraints": [ { "description": "at least annually and when a significant change occurs" } ] }, { "param-id": "ps-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "ps-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ps-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "ps-02_odp", "constraints": [ { "description": "at least every three years" } ] }, { "param-id": "ps-03_odp.01", "constraints": [ { "description": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.\n\nFor moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions" } ] }, { "param-id": "ps-03_odp.02", "constraints": [ { "description": "for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.\n\nFor moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions" } ] }, { "param-id": "ps-04_odp.01", "constraints": [ { "description": "four (4) hours" } ] }, { "param-id": "ps-05_odp.02", "constraints": [ { "description": "twenty-four (24) hours" } ] }, { "param-id": "ps-05_odp.04", "constraints": [ { "description": "twenty-four (24) hours" } ] }, { "param-id": "ps-06_odp.01", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ps-06_odp.02", "constraints": [ { "description": "at least annually and any time there is a change to the user's level of access" } ] }, { "param-id": "ps-07_odp.01", "constraints": [ { "description": "including access control personnel responsible for the system and/or facilities, as appropriate" } ] }, { "param-id": "ps-07_odp.02", "constraints": [ { "description": "within twenty-four (24) hours" } ] }, { "param-id": "ps-08_odp.01", "constraints": [ { "description": "at a minimum, the ISSO and/or similar role within the organization" } ] }, { "param-id": "ra-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "ra-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "ra-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "ra-03_odp.01", "constraints": [ { "description": "security assessment report" } ] }, { "param-id": "ra-03_odp.03", "constraints": [ { "description": "at least every three (3) years and when a significant change occurs" } ] }, { "param-id": "ra-03_odp.05", "constraints": [ { "description": "at least every three (3) years" } ] }, { "param-id": "ra-05_odp.01", "constraints": [ { "description": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases" } ] }, { "param-id": "ra-05_odp.02", "constraints": [ { "description": "monthly operating system/infrastructure; monthly web applications (including APIs) and databases" } ] }, { "param-id": "ra-05_odp.03", "constraints": [ { "description": "high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery" } ] }, { "param-id": "ra-05.02_odp.01", "constraints": [ { "description": "prior to a new scan" } ] }, { "param-id": "sa-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "sa-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "sa-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "sa-05_odp.02", "constraints": [ { "description": "at a minimum, the ISSO (or similar role within the organization)" } ] }, { "param-id": "sa-09_odp.01", "constraints": [ { "description": "Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system" } ] }, { "param-id": "sa-09_odp.02", "constraints": [ { "description": "Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored" } ] }, { "param-id": "sc-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "sc-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "sc-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "sc-05_odp.02", "constraints": [ { "description": "Protect against" } ] }, { "param-id": "sc-05_odp.01", "constraints": [ { "description": "at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack" } ] }, { "param-id": "sc-12_odp", "constraints": [ { "description": "In accordance with Federal requirements" } ] }, { "param-id": "sc-13_odp.02", "constraints": [ { "description": "FIPS-validated or NSA-approved cryptography" } ] }, { "param-id": "sc-15_odp", "constraints": [ { "description": "no exceptions for computing devices" } ] }, { "param-id": "sc-28.01_odp.02", "constraints": [ { "description": "all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels" } ] }, { "param-id": "si-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "si-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "si-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "si-02_odp", "constraints": [ { "description": "within thirty (30) days of release of updates" } ] }, { "param-id": "si-03_odp.01", "constraints": [ { "description": "signature based and non-signature based" } ] }, { "param-id": "si-03_odp.02", "constraints": [ { "description": "at least weekly" } ] }, { "param-id": "si-03_odp.03", "constraints": [ { "description": "to include endpoints and network entry and exit points" } ] }, { "param-id": "si-03_odp.04", "constraints": [ { "description": "to include blocking and quarantining malicious code" } ] }, { "param-id": "si-03_odp.06", "constraints": [ { "description": "administrator or defined security personnel near-realtime" } ] }, { "param-id": "si-05_odp.01", "constraints": [ { "description": "to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives" } ] }, { "param-id": "si-05_odp.02", "constraints": [ { "description": "to include system security personnel and administrators with configuration/patch-management responsibilities" } ] }, { "param-id": "sr-01_odp.01", "constraints": [ { "description": "to include chief privacy and ISSO and/or similar role or designees" } ] }, { "param-id": "sr-01_odp.05", "constraints": [ { "description": "at least every 3 years" } ] }, { "param-id": "sr-01_odp.07", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "sr-01_odp.08", "constraints": [ { "description": "significant changes" } ] }, { "param-id": "sr-02_odp.02", "constraints": [ { "description": "at least annually" } ] }, { "param-id": "sr-08_odp.01", "constraints": [ { "description": "notification of supply chain compromises and results of assessment or audits" } ] }, { "param-id": "sr-11.02_odp", "constraints": [ { "description": "all" } ] } ], "alters": [ { "control-id": "ca-8", "removes": [ { "by-id": "ca-8_fr" } ], "adds": [ { "position": "after", "by-id": "ca-8_gdn", "parts": [ { "id": "ca-8_fr", "name": "item", "ns": "http://fedramp.gov/ns/oscal", "title": "CA-8 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ca-8_fr_gdn.1", "name": "guidance", "ns": "http://fedramp.gov/ns/oscal", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Scope can be limited to public facing applications in alignment with M-22-09. Reference the FedRAMP Penetration Test Guidance." } ] } ] } ] }, { "control-id": "cm-6", "removes": [ { "by-id": "cm-6_fr" } ], "adds": [ { "position": "after", "by-id": "cm-6_gdn", "parts": [ { "id": "cm-6_fr", "name": "item", "ns": "http://fedramp.gov/ns/oscal", "title": "CM-6 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "cm-6_fr_smt.1", "name": "item", "ns": "http://fedramp.gov/ns/oscal", "props": [ { "name": "label", "value": "(a) Requirement 1:" } ], "prose": "The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings;" }, { "id": "cm-6_fr_smt.2", "name": "item", "ns": "http://fedramp.gov/ns/oscal", "props": [ { "name": "label", "value": "(a) Requirement 2:" } ], "prose": "The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available)." }, { "id": "cm-6_fr_gdn.1", "name": "guidance", "ns": "http://fedramp.gov/ns/oscal", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA\\&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.\n\nDuring monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA\\&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests." } ] } ] } ] }, { "control-id": "ia-5", "removes": [ { "by-id": "ia-5_fr" } ], "adds": [ { "position": "after", "by-id": "ia-5_gdn", "parts": [ { "id": "ia-5_fr", "name": "item", "ns": "http://fedramp.gov/ns/oscal", "title": "IA-5 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ia-5_fr_smt.1", "name": "item", "ns": "http://fedramp.gov/ns/oscal", "props": [ { "name": "label", "value": "Requirement:" } ], "prose": "Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link https://pages.nist.gov/800-63-3" }, { "id": "ia-5_fr_gdn.1", "name": "guidance", "ns": "http://fedramp.gov/ns/oscal", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE)." } ] } ] } ] }, { "control-id": "ia-11", "removes": [ { "by-id": "ia-11_fr" } ], "adds": [ { "position": "after", "by-id": "ia-11_gdn", "parts": [ { "id": "ia-11_fr", "name": "item", "ns": "http://fedramp.gov/ns/oscal", "title": "IA-11 Additional FedRAMP Requirements and Guidance", "parts": [ { "id": "ia-11_fr_gdn.1", "name": "guidance", "ns": "http://fedramp.gov/ns/oscal", "props": [ { "name": "label", "value": "Guidance:" } ], "prose": "The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:\n\n- AAL1 (low baseline)\n - 30 days of extended session\n - No limit on inactivity" } ] } ] } ] }, { "control-id": "sc-20", "removes": [ { "by-id": "sc-20_fr_smt.2" } ] } ] }, "back-matter": { "resources": [ { "uuid": "985475ee-d4d6-4581-8fdf-d84d3d8caa48", "title": "FedRAMP Applicable Laws and Regulations", "rlinks": [ { "href": "https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx" } ] }, { "uuid": "a2381e87-3d04-4108-a30b-b4d2f36d001f", "description": "FedRAMP Logo", "props": [ { "name": "type", "value": "logo" } ], "rlinks": [ { "href": "https://www.fedramp.gov/assets/img/logo-main-fedramp.png" } ] }, { "uuid": "051a77c1-b61d-4995-8275-dacfe688d510", "title": "NIST Special Publication (SP) 800-53 revision 5", "props": [ { "name": "version", "value": "5.1.1" } ], "rlinks": [ { "href": "FedRAMP_rev5_catalog_tailoring_profile.xml", "media-type": "application/oscal+xml" } ] } ] } } }