FedRAMP Rev 5 Tailored Low Impact Software as a Service (LI-SaaS) Baseline
2024-09-24T02:24:00Z 2025-03-19T00:00:00Z fedramp-3.0.0rc1-oscal-1.1.2 1.1.3
Document creator: The FedRAMP Program Management Office (PMO)
PMO Federal Risk and Authorization Management Program: Program Management Office FedRAMP PMO info@fedramp.gov
1800 F St. NW Washington DC 20006 US
8cc0b8e5-9650-4d5f-9796-316f05fa9a2d 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d
ac-1 ac-2 ac-3 ac-7 ac-8 ac-14 ac-17 ac-18 ac-19 ac-20 ac-22 at-1 at-2 at-2.2 at-3 at-4 au-1 au-2 au-3 au-4 au-5 au-6 au-8 au-9 au-11 au-12 ca-1 ca-2 ca-2.1 ca-3 ca-5 ca-6 ca-7 ca-7.4 ca-8 ca-9 cm-1 cm-2 cm-4 cm-5 cm-6 cm-7 cm-8 cm-10 cm-11 cp-1 cp-2 cp-3 cp-4 cp-9 cp-10 ia-1 ia-2 ia-2.1 ia-2.2 ia-2.8 ia-2.12 ia-4 ia-5 ia-5.1 ia-6 ia-7 ia-8 ia-8.1 ia-8.2 ia-8.4 ia-11 ir-1 ir-2 ir-4 ir-5 ir-6 ir-7 ir-8 ma-1 ma-2 ma-4 ma-5 mp-1 mp-2 mp-6 mp-7 pe-1 pe-2 pe-3 pe-6 pe-8 pe-12 pe-13 pe-14 pe-15 pe-16 pl-1 pl-2 pl-4 pl-4.1 pl-8 pl-10 pl-11 ps-1 ps-2 ps-3 ps-4 ps-5 ps-6 ps-7 ps-8 ps-9 ra-1 ra-2 ra-3 ra-3.1 ra-5 ra-5.2 ra-5.11 ra-7 sa-1 sa-2 sa-3 sa-4 sa-4.10 sa-5 sa-8 sa-9 sa-22 sc-1 sc-5 sc-7 sc-8 sc-8.1 sc-12 sc-13 sc-15 sc-20 sc-21 sc-22 sc-28 sc-28.1 sc-39 si-1 si-2 si-3 si-4 si-5 si-12 sr-1 sr-2 sr-2.1 sr-3 sr-5 sr-8 sr-10 sr-11 sr-11.1 sr-11.2 sr-12 true

at least every 3 years

at least annually

significant changes

twenty-four (24) hours

eight (8) hours

eight (8) hours

at least annually

see additional Requirements and Guidance

see additional Requirements and Guidance

at least quarterly

at least every 3 years

at least annually

significant changes

at least annually

at least annually

at least annually

at least annually

at least annually

at least one (1) year or 1 year after completion of a specific training program

at least every 3 years

at least annually

significant changes

successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

annually and whenever there is a change in the threat environment

overwrite oldest record

at least weekly

one second granularity of time measurement

a time period in compliance with M-21-31

all information system and network components where audit capability is deployed/available

at least every 3 years

at least annually

significant changes

at least annually

individuals or roles to include FedRAMP PMO

at least annually and on input from AO

at least monthly

in accordance with OMB A-130 requirements or when a significant change occurs

to include AO

to include AO

at least annually

at least every 3 years

at least annually

significant changes

at least annually and when a significant change occurs

to include when directed by the AO

at least monthly

Continuously (via CM-7 (5))

at least every 3 years

at least annually

significant changes

at least annually

*See Additional Requirements

at least annually

at least annually

at least every 3 years

classroom exercise/table top written tests

classroom exercise/table top written tests

daily incremental; weekly full

daily incremental; weekly full

daily incremental; weekly full

at least every 3 years

at least annually

significant changes

at a minimum, the ISSO (or similar role within the organization)

at least two (2) years

at least every 3 years

at least annually

significant changes

ten (10) days for privileged users, thirty (30) days for Incident Response roles

at least annually

at least annually

US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

at least annually

see additional FedRAMP Requirements and Guidance

see additional FedRAMP Requirements and Guidance

see additional FedRAMP Requirements and Guidance

see additional FedRAMP Requirements and Guidance

at least every 3 years

at least annually

significant changes

at least every 3 years

at least annually

significant changes

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

at least every 3 years

at least annually

significant changes

at least annually

CSP defined physical access control systems/devices AND guards

in all circumstances within restricted access area where the information system resides

at least annually

at least annually

at least annually

at least monthly

for a minimum of one (1) year

at least monthly

consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

continuously

all information system components

all information system components

at least every 3 years

at least annually

significant changes

at least annually

at least every 3 years

at least annually and when the rules are revised or changed

at least annually and when a significant change occurs

at least every 3 years

at least annually

significant changes

at least every three years

for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and the fifteenth (15th) year for confidential security clearance.

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and the fifteenth (15th) year for confidential security clearance.

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

four (4) hours

twenty-four (24) hours

twenty-four (24) hours

at least annually

at least annually and any time there is a change to the user's level of access

including access control personnel responsible for the system and/or facilities, as appropriate

within twenty-four (24) hours

at a minimum, the ISSO and/or similar role within the organization

at least every 3 years

at least annually

significant changes

security assessment report

at least every three (3) years and when a significant change occurs

at least every three (3) years

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

prior to a new scan

at least every 3 years

at least annually

significant changes

at a minimum, the ISSO (or similar role within the organization)

Appropriate FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system

Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

at least every 3 years

at least annually

significant changes

Protect against

at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

In accordance with Federal requirements

FIPS-validated or NSA-approved cryptography

no exceptions for computing devices

all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

at least every 3 years

at least annually

significant changes

within thirty (30) days of release of updates

signature based and non-signature based

at least weekly

to include endpoints and network entry and exit points

to include blocking and quarantining malicious code

administrator or defined security personnel in near real-time

to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

to include system security personnel and administrators with configuration/patch-management responsibilities

to include chief privacy and ISSO and/or similar role or designees

at least every 3 years

at least annually

significant changes

at least annually

notification of supply chain compromises and results of assessment or audits

all

Additional Tailoring Comments

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.

Additional Tailoring Comments

FED - This is related to agency data and agency policy solution.

Additional Tailoring Comments

FED - This is related to agency data and agency policy solution.

Additional Tailoring Comments

NSO - All access to Cloud SaaS is via web services and/or API. The device accessed from, and whether access is via a wired or wireless connection, is out of scope. Regardless of the device accessed from, access must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).

Additional Tailoring Comments

NSO - All access to Cloud SaaS is via web services and/or API. The device accessed from is out of scope. Regardless of the device accessed from, access must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).

Additional Tailoring Comments

NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.

Additional Tailoring Comments

NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.

Additional Tailoring Comments

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

Additional Tailoring Comments

Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.

Additional Tailoring Comments

Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.

Additional Tailoring Comments

Required - Specifically include details of least functionality.

Additional Tailoring Comments

NSO - Not directly related to protection of the data.

Additional Tailoring Comments

NSO - Boundary is specific to the SaaS environment; all access is via web services; users' machines and internal networks are not contemplated. External services (SA-9), internal connections (CA-9), remote access (AC-17), secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.

Additional Tailoring Comments

NSO - Loss of availability of the SaaS has been determined to have little or no impact to government business/mission needs.

Additional Tailoring Comments

NSO - Loss of availability of the SaaS has been determined to have little or no impact to government business/mission needs.

Additional Tailoring Comments

NSO - Loss of availability of the SaaS has been determined to have little or no impact to government business/mission needs.

Additional Tailoring Comments

NSO - Loss of availability of the SaaS has been determined to have little or no impact to government business/mission needs.

Additional Tailoring Comments

NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.

Additional Tailoring Comments

FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

Additional Tailoring Comments

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

Additional Tailoring Comments

Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.

Additional Tailoring Comments

Attestation - Specifically attest to US-CERT compliance.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.

Additional Tailoring Comments

Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.

Additional Tailoring Comments

Condition: If availability is a requirement, define protections in place as per control requirement.

Additional Tailoring Comments

Condition: If implementing, detail how the control is met or not met.

Additional Tailoring Comments

NSO - Not directly related to the security of the SaaS.

Additional Tailoring Comments

Attestation - Specifically related to US-CERT and FedRAMP communications procedures.

FedRAMP Applicable Laws and Regulations

FedRAMP Logo

NIST Special Publication (SP) 800-53 revision 5