at least annually
at least annually
significant changes
twenty-four (24) hours
eight (8) hours
eight (8) hours
monthly for privileged access, every six (6) months for non-privileged access
Selection: disables
no more than 24 hours from last use
24 hours for user accounts
thirty-five (35) days (See additional requirements and guidance.)
inactivity is anticipated to exceed fifteen (15) minutes
organization-defined need with justification statement that explains why such accounts are necessary
at a minimum, the ISSO and/or similar role within the organization
one (1) hour
intrusion detection mechanisms
all functions not publicly accessible
all functions not publicly accessible
all functions not publicly accessible
all security-relevant information not publicly available
all security functions
all privileged commands
at a minimum, annually
all users with privileges
any software except software explicitly documented
see additional Requirements and Guidance
see additional Requirements and Guidance
three (3) sessions for privileged access and two (2) sessions for non-privileged access
fifteen (15) minutes
at least quarterly
at least annually
at least annually
significant changes
at least annually
at least annually
at least annually
at least annually
at least annually
five (5) years or 5 years after completion of a specific training program
at least annually
at least annually
significant changes
successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes
organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.
organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.
annually and whenever there is a change in the threat environment
session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands
overwrite oldest record
75%, or one month before expected negative impact
real-time
service provider personnel with authority to address failed audit events
audit failure events requiring real-time alerts, as defined by organization audit policy
at least weekly
vulnerability scanning information; performance data; information system monitoring information; penetration test data;
information system process; role; user
one second granularity of time measurement
at least weekly
minimum actions including the addition, modification, deletion, approval, sending, or receiving of data
a time period in compliance with M-21-31
all information system and network components where audit capability is deployed/available
all network, data storage, and computing devices
service provider-defined individuals or roles with audit configuration responsibilities
all network, data storage, and computing devices
at least annually
at least annually
significant changes
at least annually
individuals or roles to include FedRAMP PMO
at least annually
any FedRAMP Accredited 3PAO
the conditions of the AO in the FedRAMP Repository
at least annually and on input from AO
at least monthly
in accordance with OMB A-130 requirements or when a significant change occurs
to include AO
to include AO
at least annually
at least annually
at least annually
at least annually
significant changes
at least annually and when a significant change occurs
to include when directed by the AO
organization-defined number of previous versions of baseline configurations of the previously approved baseline configuration of IS components
organization agreed upon time period
organization defined configuration management approval authorities
Configuration control board (CCB) or similar (as defined in CM-3)
All security safeguards that rely on cryptography
at least quarterly
at least quarterly
at least annually
at least quarterly or when there is a change
at least monthly
automated mechanisms with a maximum five-minute delay in detection
automated mechanisms with a maximum five-minute delay in detection
automated mechanisms with a maximum five-minute delay in detection
continuously
position and role
Continuously (via CM-7 (5))
Federal data and system data that must be protected at the High or Moderate impact levels
at least annually
at least annually
significant changes
at least annually
all
time period defined in service provider and organization SLA
essential
See Additional Requirements
at least annually
at least annually
at least annually
functional exercises
functional exercises
annually
annually
daily incremental; weekly full
daily incremental; weekly full
daily incremental; weekly full
at least monthly
at least monthly
time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA.
time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA.
all backup files
time period consistent with the restoration time-periods defined in the service provider and organization SLA
at least annually
at least annually
significant changes
local, network and remote
privileged accounts; non-privileged accounts
FIPS-validated or NSA-approved cryptography
privileged accounts; non-privileged accounts
at a minimum, the ISSO (or similar role within the organization)
at least two (2) years
contractors; foreign nationals
different authenticators in different user authentication domains
at least annually
at least annually
significant changes
ten (10) days for privileged users, thirty (30) days for Incident Response roles
at least annually
at least annually
at least every six (6) months, including functional at least annually
all network, data storage, and computing devices
US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)
at least annually
see additional FedRAMP Requirements and Guidance
see additional FedRAMP Requirements and Guidance
see additional FedRAMP Requirements and Guidance
see additional FedRAMP Requirements and Guidance
at least annually
at least annually
at least annually
significant changes
at least annually
the information owner
a timeframe to support advertised uptime and availability
at least annually
at least annually
significant changes
all types of digital and/or non-digital media containing sensitive information
all types of digital and/or non-digital media containing sensitive information
no removable media types
organization-defined security safeguards not applicable
all types of digital and non-digital media with sensitive information
all types of digital and non-digital media with sensitive information
all types of digital and non-digital media with sensitive information
all types of digital and non-digital media with sensitive information
see additional FedRAMP requirements and guidance
see additional FedRAMP requirements and guidance
all media with sensitive information
prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container
prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container
techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware
techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware
techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware
at least every six (6) months
at least every six (6) months
at least annually
at least annually
significant changes
at least every ninety (90) days
CSP defined physical access control systems/devices AND guards
in all circumstances within restricted access area where the information system resides
at least annually
at least annually or earlier as required by a security-relevant event
at least annually or earlier as required by a security-relevant event
at least monthly
for a minimum of one (1) year
at least monthly
near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off
automatically
service provider building maintenance/physical security personnel
service provider emergency responders with incident response responsibilities
consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments
continuously
service provider building maintenance/physical security personnel
all information system components
all information system components
physical and environmental hazards identified during threat assessment
at least annually
at least annually
significant changes
to include chief privacy and ISSO and/or similar role or designees
to include chief privacy and ISSO and/or similar role
at least annually
at least annually
at least annually and when the rules are revised or changed
at least annually and when a significant change occurs
at least annually
at least annually
significant changes
at least annually
for national security clearances: a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and the fifteenth (15th) year for confidential security clearance.
For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions.
for national security clearances: a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and the fifteenth (15th) year for confidential security clearance.
For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions.
personnel screening criteria - as required by specific information
one (1) hour
access control personnel responsible for disabling access to the system
twenty-four (24) hours
including access control personnel responsible for the system
twenty-four (24) hours
at least annually
at least annually and any time there is a change to the user's level of access
including access control personnel responsible for the system and/or facilities, as appropriate
terminations: immediately; transfers: within twenty-four (24) hours
to include the ISSO and/or similar role within the organization
24 hours
at least annually
at least annually
significant changes
security assessment report
at least annually and whenever a significant change occurs
annually
monthly operating system/infrastructure; monthly web applications (including APIs) and databases
monthly operating system/infrastructure; monthly web applications (including APIs) and databases
high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery
within 24 hours prior to running scans
notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions
all components that support authentication
all scans
at least annually
at least annually
significant changes
at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram;
organization-defined design/implementation information
The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.
at a minimum, the ISSO (or similar role within the organization)
Appropriate FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system
Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored
all external systems where Federal information is processed or stored
information processing, information or data, AND system services
U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction
all High impact data, systems, or services
development, implementation, AND operation
frequency as before first use and annually thereafter
FedRAMP Security Authorization requirements
at least annually
at least annually
significant changes
Protect against
at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack
at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions
any systems
any network outside of organizational control and any network outside the authorization boundary
Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall
confidentiality AND integrity
prevent unauthorized disclosure of information AND detect changes to information
no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions
In accordance with Federal requirements
FIPS-validated or NSA-approved cryptography
no exceptions for computing devices
confidentiality AND integrity
all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels
at least hourly
http://tf.nist.gov/tf-cgi/servers.cgi
any difference
at least annually
at least annually
significant changes
within thirty (30) days of release of updates
at least monthly
signature based and non-signature based
at least weekly
to include endpoints and network entry and exit points
to include blocking and quarantining malicious code
administrator or defined security personnel, near real-time
continuously
continuously
to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives
to include system security personnel and administrators with configuration/patch-management responsibilities
to include upon system startup and/or restart
at least monthly
to include system administrators and security personnel
selection to include security relevant event
selection to include security relevant event
selection to include security relevant event
at least monthly
at least monthly
at least monthly
to include the ISSO and/or similar role within the organization
to include all software and firmware inside the boundary
to include the ISSO and/or similar role within the organization
to include chief privacy and ISSO and/or similar role or designees
to include chief privacy and ISSO and/or similar role or designees
at least annually
at least annually
significant changes
at least annually
at least annually
notification of supply chain compromises and results of assessment or audits
all