FedRAMP Rev 5 Moderate Baseline
Published: 2024-09-24T02:24:00Z
Last modified: 2025-03-03T00:00:00Z
Version: fedramp-3.0.0rc1-oscal-1.1.2
OSCAL version: 1.1.3
Role: Document creator
Party: The FedRAMP Program Management Office (PMO); PMO; Federal Risk and Authorization Management Program: Program Management Office; FedRAMP PMO; info@fedramp.gov
Address: 1800 F St. NW, Washington, DC 20006, US
UUID: 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d
ac-1 ac-2 ac-2.1 ac-2.2 ac-2.3 ac-2.4 ac-2.5 ac-2.7 ac-2.9 ac-2.12 ac-2.13 ac-3 ac-4 ac-4.21 ac-5 ac-6 ac-6.1 ac-6.2 ac-6.5 ac-6.7 ac-6.9 ac-6.10 ac-7 ac-8 ac-11 ac-11.1 ac-12 ac-14 ac-17 ac-17.1 ac-17.2 ac-17.3 ac-17.4 ac-18 ac-18.1 ac-18.3 ac-19 ac-19.5 ac-20 ac-20.1 ac-20.2 ac-21 ac-22 at-1 at-2 at-2.2 at-2.3 at-3 at-4 au-1 au-2 au-3 au-3.1 au-4 au-5 au-6 au-6.1 au-6.3 au-7 au-7.1 au-8 au-9 au-9.4 au-11 au-12 ca-1 ca-2 ca-2.1 ca-2.3 ca-3 ca-5 ca-6 ca-7 ca-7.1 ca-7.4 ca-8 ca-8.1 ca-8.2 ca-9 cm-1 cm-2 cm-2.2 cm-2.3 cm-2.7 cm-3 cm-3.2 cm-3.4 cm-4 cm-4.2 cm-5 cm-5.1 cm-5.5 cm-6 cm-6.1 cm-7 cm-7.1 cm-7.2 cm-7.5 cm-8 cm-8.1 cm-8.3 cm-9 cm-10 cm-11 cm-12 cm-12.1 cp-1 cp-2 cp-2.1 cp-2.3 cp-2.8 cp-3 cp-4 cp-4.1 cp-6 cp-6.1 cp-6.3 cp-7 cp-7.1 cp-7.2 cp-7.3 cp-8 cp-8.1 cp-8.2 cp-9 cp-9.1 cp-9.8 cp-10 cp-10.2 ia-1 ia-2 ia-2.1 ia-2.2 ia-2.5 ia-2.6 ia-2.8 ia-2.12 ia-3 ia-4 ia-4.4 ia-5 ia-5.1 ia-5.2 ia-5.6 ia-5.7 ia-6 ia-7 ia-8 ia-8.1 ia-8.2 ia-8.4 ia-11 ia-12 ia-12.2 ia-12.3 ia-12.5 ir-1 ir-2 ir-3 ir-3.2 ir-4 ir-4.1 ir-5 ir-6 ir-6.1 ir-6.3 ir-7 ir-7.1 ir-8 ir-9 ir-9.2 ir-9.3 ir-9.4 ma-1 ma-2 ma-3 ma-3.1 ma-3.2 ma-3.3 ma-4 ma-5 ma-5.1 ma-6 mp-1 mp-2 mp-3 mp-4 mp-5 mp-6 mp-7 pe-1 pe-2 pe-3 pe-4 pe-5 pe-6 pe-6.1 pe-8 pe-9 pe-10 pe-11 pe-12 pe-13 pe-13.1 pe-13.2 pe-14 pe-15 pe-16 pe-17 pl-1 pl-2 pl-4 pl-4.1 pl-8 pl-10 pl-11 ps-1 ps-2 ps-3 ps-3.3 ps-4 ps-5 ps-6 ps-7 ps-8 ps-9 ra-1 ra-2 ra-3 ra-3.1 ra-5 ra-5.2 ra-5.3 ra-5.5 ra-5.11 ra-7 ra-9 sa-1 sa-2 sa-3 sa-4 sa-4.1 sa-4.2 sa-4.9 sa-4.10 sa-5 sa-8 sa-9 sa-9.1 sa-9.2 sa-9.5 sa-10 sa-11 sa-11.1 sa-11.2 sa-15 sa-15.3 sa-22 sc-1 sc-2 sc-4 sc-5 sc-7 sc-7.3 sc-7.4 sc-7.5 sc-7.7 sc-7.8 sc-7.12 sc-7.18 sc-8 sc-8.1 sc-10 sc-12 sc-13 sc-15 sc-17 sc-18 sc-20 sc-21 sc-22 sc-23 sc-28 sc-28.1 sc-39 sc-45 sc-45.1 si-1 si-2 si-2.2 si-2.3 si-3 si-4 si-4.1 si-4.2 si-4.4 si-4.5 si-4.16 si-4.18 si-4.23 si-5 si-6 si-7 si-7.1 si-7.7 si-8 si-8.2 si-10 si-11 si-12 si-16 sr-1 sr-2 sr-2.1 sr-3 sr-5 sr-6 sr-8 sr-10 sr-11 sr-11.1 sr-11.2 sr-12 true

at least every 3 years

at least annually

significant changes

twenty-four (24) hours

eight (8) hours

eight (8) hours

quarterly for privileged access, annually for non-privileged access

Selection: disables

no more than 96 hours from last use

24 hours for user accounts

ninety (90) days (See additional requirements and guidance.)

for privileged users, it is the end of a user's standard work period

organization-defined need with justification statement that explains why such accounts are necessary

at a minimum, the ISSO and/or similar role within the organization

one (1) hour

all security functions

at a minimum, annually

all users with privileges

see additional Requirements and Guidance

see additional Requirements and Guidance

fifteen (15) minutes

at least quarterly

at least every 3 years

at least annually

significant changes

at least annually

at least annually

at least annually

at least annually

at least annually

at least one (1) year or 1 year after completion of a specific training program

at least every 3 years

at least annually

significant changes

successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.

annually and whenever there is a change in the threat environment

session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands

overwrite oldest record

at least weekly

one second granularity of time measurement

a time period in compliance with M-21-31

all information system and network components where audit capability is deployed/available

at least every 3 years

at least annually

significant changes

at least annually

individuals or roles to include FedRAMP PMO

any FedRAMP Accredited 3PAO

the conditions of the AO in the FedRAMP Repository

at least annually and on input from AO

at least monthly

in accordance with OMB A-130 requirements or when a significant change occurs

to include AO

to include AO

at least annually

at least annually

at least every 3 years

at least annually

significant changes

at least annually and when a significant change occurs

to include when directed by the AO

Configuration control board (CCB) or similar (as defined in CM-3)

at least quarterly

at least quarterly

at least annually

at least quarterly or when there is a change

at least monthly

automated mechanisms with a maximum five-minute delay in detection

automated mechanisms with a maximum five-minute delay in detection

automated mechanisms with a maximum five-minute delay in detection

continuously

Continuously (via CM-7 (5))

Federal data and system data that must be protected at the High or Moderate impact levels

at least every 3 years

at least annually

significant changes

at least annually

all

time period defined in service provider and organization SLA

See Additional Requirements

at least annually

at least annually

at least annually

functional exercises

functional exercises

daily incremental; weekly full

daily incremental; weekly full

daily incremental; weekly full

at least annually

at least annually

all backup files

at least every 3 years

at least annually

significant changes

local, network and remote

privileged accounts; non-privileged accounts

FIPS-validated or NSA-approved cryptography

privileged accounts; non-privileged accounts

at a minimum, the ISSO (or similar role within the organization)

at least two (2) years

contractors; foreign nationals

at least every 3 years

at least annually

significant changes

ten (10) days for privileged users, thirty (30) days for Incident Response roles

at least annually

at least annually

functional, at least annually

US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)

at least annually

see additional FedRAMP Requirements and Guidance

see additional FedRAMP Requirements and Guidance

see additional FedRAMP Requirements and Guidance

see additional FedRAMP Requirements and Guidance

at least annually

at least every 3 years

at least annually

significant changes

at least annually

the information owner

a timeframe to support advertised uptime and availability

at least every 3 years

at least annually

significant changes

all types of digital and/or non-digital media containing sensitive information

all types of digital and/or non-digital media containing sensitive information

no removable media types

organization-defined security safeguards not applicable

all types of digital and non-digital media with sensitive information

all types of digital and non-digital media with sensitive information

all types of digital and non-digital media with sensitive information

all types of digital and non-digital media with sensitive information

see additional FedRAMP requirements and guidance

see additional FedRAMP requirements and guidance

all media with sensitive information

prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container

prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware

at least every 3 years

at least annually

significant changes

at least annually

CSP defined physical access control systems/devices AND guards

in all circumstances within restricted access area where the information system resides

at least annually

at least annually or earlier as required by a security relevant event

at least annually or earlier as required by a security relevant event

at least monthly

for a minimum of one (1) year

at least monthly

near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off

service provider building maintenance/physical security personnel

service provider emergency responders with incident response responsibilities

consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments

continuously

all information system components

all information system components

at least every 3 years

at least annually

significant changes

to include chief privacy and ISSO and/or similar role or designees

to include chief privacy and ISSO and/or similar role

at least annually

at least every 3 years

at least annually and when the rules are revised or changed

at least annually and when a significant change occurs

at least every 3 years

at least annually

significant changes

at least every three years

for national security clearances, a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and the fifteenth (15th) year for confidential security clearance.

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

for national security clearances, a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and the fifteenth (15th) year for confidential security clearance.

For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions

personnel screening criteria - as required by specific information

four (4) hours

twenty-four (24) hours

including access control personnel responsible for the system

twenty-four (24) hours

at least annually

at least annually and any time there is a change to the user's level of access

including access control personnel responsible for the system and/or facilities, as appropriate

within twenty-four (24) hours

to include the ISSO and/or similar role within the organization

24 hours

at least every 3 years

at least annually

significant changes

security assessment report

at least every three (3) years and when a significant change occurs

at least every three (3) years

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

monthly operating system/infrastructure; monthly web applications (including APIs) and databases

high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery

within 24 hours prior to running scans

all components that support authentication

all scans

at least every 3 years

at least annually

significant changes

at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram

at a minimum, the ISSO (or similar role within the organization)

Appropriate FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system

Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored

all external systems where Federal information is processed or stored

information processing, information or data, AND system services

development, implementation, AND operation

frequency at least annually

FedRAMP Security Authorization requirements

at least every 3 years

at least annually

significant changes

Protect against

at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack

at least every 180 days or whenever there is a change in the threat environment that warrants a review of the exceptions

any systems

any network outside of organizational control and any network outside the authorization boundary

Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall

confidentiality AND integrity

prevent unauthorized disclosure of information AND detect changes to information

no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions

In accordance with Federal requirements

FIPS-validated or NSA-approved cryptography

no exceptions for computing devices

confidentiality AND integrity

all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels

At least hourly

http://tf.nist.gov/tf-cgi/servers.cgi

any difference

at least every 3 years

at least annually

significant changes

within thirty (30) days of release of updates

at least monthly

signature based and non-signature based

at least weekly

to include endpoints and network entry and exit points

to include blocking and quarantining malicious code

administrator or defined security personnel, in near real-time

continuously

continuously

to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives

to include system security personnel and administrators with configuration/patch-management responsibilities

to include upon system startup and/or restart

at least monthly

to include system administrators and security personnel

selection to include security relevant event

selection to include security relevant event

selection to include security relevant event

at least monthly

at least monthly

at least monthly

to include the ISSO and/or similar role within the organization

to include chief privacy and ISSO and/or similar role or designees

to include chief privacy and ISSO and/or similar role or designees

at least every 3 years

at least annually

significant changes

at least annually

at least annually

notification of supply chain compromises and results of assessment or audits

all

IA-5 Additional FedRAMP Requirements and Guidance

Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link https://pages.nist.gov/800-63-3

SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

IA-11 Additional FedRAMP Requirements and Guidance

The fixed time period cannot exceed the limits set in SP 800-63. At this writing they are:

  • AAL2 (moderate baseline)
    • 12 hours or
    • 30 minutes of inactivity

MA-5 (1) Additional FedRAMP Requirements and Guidance

Only MA-5 (1) (a) (1) is required by FedRAMP Moderate Baseline

FedRAMP Applicable Laws and Regulations

NIST Special Publication (SP) 800-53 revision 5