profile: uuid: 3862ba89-7b48-45e2-8daf-582d454724cb metadata: title: FedRAMP Rev 5 Tailored Low Impact Software as a Service (LI-SaaS) Baseline published: '2024-09-24T02:24:00Z' last-modified: '2025-03-19T00:00:00Z' version: fedramp-3.0.0rc1-oscal-1.1.2 oscal-version: 1.1.3 roles: - id: prepared-by title: Document creator - id: fedramp-pmo title: The FedRAMP Program Management Office (PMO) short-name: PMO parties: - uuid: 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d type: organization name: 'Federal Risk and Authorization Management Program: Program Management Office' short-name: FedRAMP PMO links: - href: https://fedramp.gov rel: homepage - href: '#a2381e87-3d04-4108-a30b-b4d2f36d001f' rel: logo - href: '#985475ee-d4d6-4581-8fdf-d84d3d8caa48' rel: reference email-addresses: - info@fedramp.gov addresses: - addr-lines: - 1800 F St. NW postal-code: '20006' type: work state: DC city: Washington country: US responsible-parties: - role-id: prepared-by party-uuids: - 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d - role-id: fedramp-pmo party-uuids: - 8cc0b8e5-9650-4d5f-9796-316f05fa9a2d imports: - href: '#051a77c1-b61d-4995-8275-dacfe688d510' include-controls: - with-ids: - ac-1 - ac-2 - ac-3 - ac-7 - ac-8 - ac-14 - ac-17 - ac-18 - ac-19 - ac-20 - ac-22 - at-1 - at-2 - at-2.2 - at-3 - at-4 - au-1 - au-2 - au-3 - au-4 - au-5 - au-6 - au-8 - au-9 - au-11 - au-12 - ca-1 - ca-2 - ca-2.1 - ca-3 - ca-5 - ca-6 - ca-7 - ca-7.4 - ca-8 - ca-9 - cm-1 - cm-2 - cm-4 - cm-5 - cm-6 - cm-7 - cm-8 - cm-10 - cm-11 - cp-1 - cp-2 - cp-3 - cp-4 - cp-9 - cp-10 - ia-1 - ia-2 - ia-2.1 - ia-2.2 - ia-2.8 - ia-2.12 - ia-4 - ia-5 - ia-5.1 - ia-6 - ia-7 - ia-8 - ia-8.1 - ia-8.2 - ia-8.4 - ia-11 - ir-1 - ir-2 - ir-4 - ir-5 - ir-6 - ir-7 - ir-8 - ma-1 - ma-2 - ma-4 - ma-5 - mp-1 - mp-2 - mp-6 - mp-7 - pe-1 - pe-2 - pe-3 - pe-6 - pe-8 - pe-12 - pe-13 - pe-14 - pe-15 - pe-16 - pl-1 - pl-2 - pl-4 - pl-4.1 - pl-8 - pl-10 - pl-11 - ps-1 - ps-2 - ps-3 - ps-4 - ps-5 - ps-6 - ps-7 - ps-8 - ps-9 - ra-1 - ra-2 - ra-3 - ra-3.1 - 
ra-5 - ra-5.2 - ra-5.11 - ra-7 - sa-1 - sa-2 - sa-3 - sa-4 - sa-4.10 - sa-5 - sa-8 - sa-9 - sa-22 - sc-1 - sc-5 - sc-7 - sc-8 - sc-8.1 - sc-12 - sc-13 - sc-15 - sc-20 - sc-21 - sc-22 - sc-28 - sc-28.1 - sc-39 - si-1 - si-2 - si-3 - si-4 - si-5 - si-12 - sr-1 - sr-2 - sr-2.1 - sr-3 - sr-5 - sr-8 - sr-10 - sr-11 - sr-11.1 - sr-11.2 - sr-12 merge: as-is: true modify: set-parameters: - param-id: ac-01_odp.05 constraints: - description: at least every 3 years - param-id: ac-01_odp.07 constraints: - description: at least annually - param-id: ac-01_odp.08 constraints: - description: significant changes - param-id: ac-02_odp.06 constraints: - description: twenty-four (24) hours - param-id: ac-02_odp.07 constraints: - description: eight (8) hours - param-id: ac-02_odp.08 constraints: - description: eight (8) hours - param-id: ac-02_odp.10 constraints: - description: at least annually - param-id: ac-08_odp.01 constraints: - description: see additional Requirements and Guidance - param-id: ac-08_odp.02 constraints: - description: see additional Requirements and Guidance - param-id: ac-22_odp constraints: - description: at least quarterly - param-id: at-01_odp.05 constraints: - description: at least every 3 years - param-id: at-01_odp.07 constraints: - description: at least annually - param-id: at-01_odp.08 constraints: - description: significant changes - param-id: at-02_odp.01 constraints: - description: at least annually - param-id: at-02_odp.02 constraints: - description: at least annually - param-id: at-02_odp.06 constraints: - description: at least annually - param-id: at-03_odp.03 constraints: - description: at least annually - param-id: at-03_odp.04 constraints: - description: at least annually - param-id: at-04_odp constraints: - description: at least one (1) year or 1 year after completion of a specific training program - param-id: au-01_odp.05 constraints: - description: at least every 3 years - param-id: au-01_odp.07 constraints: - description: at least annually - 
param-id: au-01_odp.08 constraints: - description: significant changes - param-id: au-02_odp.01 constraints: - description: 'successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes' - param-id: au-02_odp.02 constraints: - description: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event. - param-id: au-02_odp.03 constraints: - description: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event. - param-id: au-02_odp.04 constraints: - description: annually and whenever there is a change in the threat environment - param-id: au-05_odp.03 constraints: - description: overwrite oldest record - param-id: au-06_odp.01 constraints: - description: at least weekly - param-id: au-08_odp constraints: - description: one second granularity of time measurement - param-id: au-11_odp constraints: - description: a time period in compliance with M-21-31 - param-id: au-12_odp.01 constraints: - description: all information system and network components where audit capability is deployed/available - param-id: ca-01_odp.05 constraints: - description: at least every 3 years - param-id: ca-01_odp.07 constraints: - description: at least annually - param-id: ca-01_odp.08 constraints: - description: significant changes - param-id: ca-02_odp.01 constraints: - description: at least annually - param-id: ca-02_odp.02 constraints: - description: individuals or roles to include FedRAMP PMO - param-id: ca-03_odp.03 constraints: - description: at least annually and on input from AO - param-id: ca-05_odp constraints: - description: at least monthly - param-id: ca-06_odp constraints: - description: in 
accordance with OMB A-130 requirements or when a significant change occurs - param-id: ca-07_odp.04 constraints: - description: to include AO - param-id: ca-07_odp.06 constraints: - description: to include AO - param-id: ca-08_odp.01 constraints: - description: at least annually - param-id: cm-01_odp.05 constraints: - description: at least every 3 years - param-id: cm-01_odp.07 constraints: - description: at least annually - param-id: cm-01_odp.08 constraints: - description: significant changes - param-id: cm-02_odp.01 constraints: - description: at least annually and when a significant change occurs - param-id: cm-02_odp.02 constraints: - description: to include when directed by the AO - param-id: cm-08_odp.02 constraints: - description: at least monthly - param-id: cm-11_odp.03 constraints: - description: Continuously (via CM-7 (5)) - param-id: cp-01_odp.05 constraints: - description: at least every 3 years - param-id: cp-01_odp.07 constraints: - description: at least annually - param-id: cp-01_odp.08 constraints: - description: significant changes - param-id: cp-02_odp.05 constraints: - description: at least annually - param-id: cp-03_odp.01 constraints: - description: \*See Additional Requirements - param-id: cp-03_odp.02 constraints: - description: at least annually - param-id: cp-03_odp.03 constraints: - description: at least annually - param-id: cp-04_odp.01 constraints: - description: at least every 3 years - param-id: cp-04_odp.02 constraints: - description: classroom exercise/table top written tests - param-id: cp-04_odp.03 constraints: - description: classroom exercise/table top written tests - param-id: cp-09_odp.02 constraints: - description: daily incremental; weekly full - param-id: cp-09_odp.03 constraints: - description: daily incremental; weekly full - param-id: cp-09_odp.04 constraints: - description: daily incremental; weekly full - param-id: ia-01_odp.05 constraints: - description: at least every 3 years - param-id: ia-01_odp.07 constraints: - 
description: at least annually - param-id: ia-01_odp.08 constraints: - description: significant changes - param-id: ia-04_odp.01 constraints: - description: at a minimum, the ISSO (or similar role within the organization) - param-id: ia-04_odp.02 constraints: - description: at least two (2) years - param-id: ir-01_odp.05 constraints: - description: at least every 3 years - param-id: ir-01_odp.07 constraints: - description: at least annually - param-id: ir-01_odp.08 constraints: - description: significant changes - param-id: ir-02_odp.01 constraints: - description: ten (10) days for privileged users, thirty (30) days for Incident Response roles - param-id: ir-02_odp.02 constraints: - description: at least annually - param-id: ir-02_odp.03 constraints: - description: at least annually - param-id: ir-06_odp.01 constraints: - description: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended) - param-id: ir-08_odp.02 constraints: - description: at least annually - param-id: ir-08_odp.04 constraints: - description: see additional FedRAMP Requirements and Guidance - param-id: ir-08_odp.05 constraints: - description: see additional FedRAMP Requirements and Guidance - param-id: ir-08_odp.06 constraints: - description: see additional FedRAMP Requirements and Guidance - param-id: ir-08_odp.07 constraints: - description: see additional FedRAMP Requirements and Guidance - param-id: ma-01_odp.05 constraints: - description: at least every 3 years - param-id: ma-01_odp.07 constraints: - description: at least annually - param-id: ma-01_odp.08 constraints: - description: significant changes - param-id: mp-01_odp.05 constraints: - description: at least every 3 years - param-id: mp-01_odp.07 constraints: - description: at least annually - param-id: mp-01_odp.08 constraints: - description: significant changes - param-id: mp-06_odp.01 constraints: - description: 'techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of 
Storage Media and Hardware' - param-id: mp-06_odp.02 constraints: - description: 'techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware' - param-id: mp-06_odp.03 constraints: - description: 'techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware' - param-id: pe-01_odp.05 constraints: - description: at least every 3 years - param-id: pe-01_odp.07 constraints: - description: at least annually - param-id: pe-01_odp.08 constraints: - description: significant changes - param-id: pe-02_odp constraints: - description: at least annually - param-id: pe-03_odp.02 constraints: - description: CSP defined physical access control systems/devices AND guards - param-id: pe-03_odp.06 constraints: - description: in all circumstances within restricted access area where the information system resides - param-id: pe-03_odp.07 constraints: - description: at least annually - param-id: pe-03_odp.09 constraints: - description: at least annually - param-id: pe-03_odp.10 constraints: - description: at least annually - param-id: pe-06_odp.01 constraints: - description: at least monthly - param-id: pe-08_odp.01 constraints: - description: for a minimum of one (1) year - param-id: pe-08_odp.02 constraints: - description: at least monthly - param-id: pe-14_odp.01 constraints: - description: consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments - param-id: pe-14_odp.04 constraints: - description: continuously - param-id: pe-16_odp.01 constraints: - description: all information system components - param-id: pe-16_odp.02 constraints: - description: all information system components - param-id: pl-01_odp.05 constraints: - description: at least every 3 years - param-id: pl-01_odp.07 constraints: - description: at least annually - param-id: pl-01_odp.08 constraints: - description: 
significant changes - param-id: pl-02_odp.03 constraints: - description: at least annually - param-id: pl-04_odp.01 constraints: - description: at least every 3 years - param-id: pl-04_odp.02 constraints: - description: at least annually and when the rules are revised or changed - param-id: pl-08_odp constraints: - description: at least annually and when a significant change occurs - param-id: ps-01_odp.05 constraints: - description: at least every 3 years - param-id: ps-01_odp.07 constraints: - description: at least annually - param-id: ps-01_odp.08 constraints: - description: significant changes - param-id: ps-02_odp constraints: - description: at least every three years - param-id: ps-03_odp.01 constraints: - description: 'for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions' - param-id: ps-03_odp.02 constraints: - description: 'for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. 
There is no reinvestigation for other moderate risk positions or any low risk positions' - param-id: ps-04_odp.01 constraints: - description: four (4) hours - param-id: ps-05_odp.02 constraints: - description: twenty-four (24) hours - param-id: ps-05_odp.04 constraints: - description: twenty-four (24) hours - param-id: ps-06_odp.01 constraints: - description: at least annually - param-id: ps-06_odp.02 constraints: - description: at least annually and any time there is a change to the user's level of access - param-id: ps-07_odp.01 constraints: - description: including access control personnel responsible for the system and/or facilities, as appropriate - param-id: ps-07_odp.02 constraints: - description: within twenty-four (24) hours - param-id: ps-08_odp.01 constraints: - description: at a minimum, the ISSO and/or similar role within the organization - param-id: ra-01_odp.05 constraints: - description: at least every 3 years - param-id: ra-01_odp.07 constraints: - description: at least annually - param-id: ra-01_odp.08 constraints: - description: significant changes - param-id: ra-03_odp.01 constraints: - description: security assessment report - param-id: ra-03_odp.03 constraints: - description: at least every three (3) years and when a significant change occurs - param-id: ra-03_odp.05 constraints: - description: at least every three (3) years - param-id: ra-05_odp.01 constraints: - description: monthly operating system/infrastructure; monthly web applications (including APIs) and databases - param-id: ra-05_odp.02 constraints: - description: monthly operating system/infrastructure; monthly web applications (including APIs) and databases - param-id: ra-05_odp.03 constraints: - description: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery - 
param-id: ra-05.02_odp.01 constraints: - description: prior to a new scan - param-id: sa-01_odp.05 constraints: - description: at least every 3 years - param-id: sa-01_odp.07 constraints: - description: at least annually - param-id: sa-01_odp.08 constraints: - description: significant changes - param-id: sa-05_odp.02 constraints: - description: at a minimum, the ISSO (or similar role within the organization) - param-id: sa-09_odp.01 constraints: - description: Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system - param-id: sa-09_odp.02 constraints: - description: Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored - param-id: sc-01_odp.05 constraints: - description: at least every 3 years - param-id: sc-01_odp.07 constraints: - description: at least annually - param-id: sc-01_odp.08 constraints: - description: significant changes - param-id: sc-05_odp.02 constraints: - description: Protect against - param-id: sc-05_odp.01 constraints: - description: 'at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack' - param-id: sc-12_odp constraints: - description: In accordance with Federal requirements - param-id: sc-13_odp.02 constraints: - description: FIPS-validated or NSA-approved cryptography - param-id: sc-15_odp constraints: - description: no exceptions for computing devices - param-id: sc-28.01_odp.02 constraints: - description: all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels - param-id: si-01_odp.05 constraints: - description: at least every 3 years - param-id: si-01_odp.07 constraints: - description: at least annually - param-id: si-01_odp.08 constraints: - description: significant changes - param-id: si-02_odp constraints: - description: within thirty (30) days of release of updates - 
param-id: si-03_odp.01 constraints: - description: signature based and non-signature based - param-id: si-03_odp.02 constraints: - description: at least weekly - param-id: si-03_odp.03 constraints: - description: to include endpoints and network entry and exit points - param-id: si-03_odp.04 constraints: - description: to include blocking and quarantining malicious code - param-id: si-03_odp.06 constraints: - description: administrator or defined security personnel near-realtime - param-id: si-05_odp.01 constraints: - description: to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives - param-id: si-05_odp.02 constraints: - description: to include system security personnel and administrators with configuration/patch-management responsibilities - param-id: sr-01_odp.01 constraints: - description: to include chief privacy and ISSO and/or similar role or designees - param-id: sr-01_odp.05 constraints: - description: at least every 3 years - param-id: sr-01_odp.07 constraints: - description: at least annually - param-id: sr-01_odp.08 constraints: - description: significant changes - param-id: sr-02_odp.02 constraints: - description: at least annually - param-id: sr-08_odp.01 constraints: - description: notification of supply chain compromises and results of assessment or audits - param-id: sr-11.02_odp constraints: - description: all alters: - control-id: ac-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ac-2 adds: - position: starting by-id: ac-2_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: 
method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: ac-3 adds: - position: starting by-id: ac-3_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: ac-7 adds: - position: starting by-id: ac-7_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: NSO class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication. - control-id: ac-8 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: FED class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: FED - This is related to agency data and agency policy solution. - control-id: ac-14 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: FED class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: FED - This is related to agency data and agency policy solution. 
# Entries of the profile's `alters` list for AC-17, AC-18 and AC-19.
# In the entries shown here, a control whose `method` is ASSESS gets a
# `response-point: Required` prop added at the start of its statement part
# (`<id>_smt`), while a control whose `method` is NSO has its
# `response-point` props removed.
# NOTE(review): NSO is not expanded anywhere in this file; FedRAMP's tailoring
# legend presumably uses it for controls judged not to affect the security of
# the cloud SaaS - confirm against the current legend.
# NOTE(review): identical `by-name: response-point` removals are repeated
# within one entry; presumably one per tagged statement part in the imported
# catalog - confirm whether a single removal would resolve the same way.

# AC-17 (Remote Access): assessed. The NSO rationale on AC-18 and AC-19 below
# names AC-17 as one of the controls that must still be used, so this entry is
# what keeps remote access inside the assessed set.
- control-id: ac-17
  adds:
    - position: starting
      by-id: ac-17_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# AC-18 (Wireless Access): NSO. The guidance makes the exclusion depend on
# AC-17, SC-13, SC-12 and IA-2(1). All four ids (ia-2.1 for IA-2(1)) appear in
# this profile's include-controls list.
# NOTE(review): only AC-17's method is visible next to this entry - check how
# sc-12, sc-13 and ia-2.1 are tailored before relying on this rationale.
- control-id: ac-18
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: NSO
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2\[1\]).
# AC-19 (Access Control for Mobile Devices): NSO, with the same dependency on
# AC-17, SC-13, SC-12 and IA-2(1) as AC-18 above. The multi-factor requirement
# in the prose is stated for privileged access only.
- control-id: ac-19
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: NSO
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 \[1\]).
# `alters` entries for AC-20, AC-22, the AT family, and AU-1 through AU-4.
# Only AC-22 and AU-3 are assessed here (method ASSESS, with a
# `response-point: Required` prop added at `<id>_smt`). Every other entry has
# its `response-point` props removed and is marked ATTEST, or NSO for AU-4.
# NOTE(review): ATTEST is read here as attestation, going by the
# "Attestation - ..." wording of this file's ca-5 tailoring comment.
# NOTE(review): identical `by-name: response-point` removals are repeated
# within one entry; presumably one per tagged statement part in the imported
# catalog - confirm whether a single removal would resolve the same way.

# AC-20 (Use of External Systems): ATTEST.
- control-id: ac-20
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# AC-22 (Publicly Accessible Content): assessed.
- control-id: ac-22
  adds:
    - position: starting
      by-id: ac-22_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# AT-1 through AT-4 (awareness and training): all ATTEST. The training
# frequencies set under set-parameters (at-02_odp.*, at-03_odp.*) therefore
# constrain controls that carry no response point in this baseline.
- control-id: at-1
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
- control-id: at-2
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
- control-id: at-2.2
  removes:
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
- control-id: at-3
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
- control-id: at-4
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
- control-id: au-1
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# AU-2 (Event Logging): ATTEST. The event types themselves are fixed by the
# au-02_odp.01 constraint under set-parameters, but with this method the
# selection of logged events is not a response point.
# NOTE(review): detection and IR teams consuming these logs should verify the
# listed event types are actually emitted rather than infer it from the
# baseline.
- control-id: au-2
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# AU-3 (Content of Audit Records): assessed, unlike AU-2 above.
- control-id: au-3
  adds:
    - position: starting
      by-id: au-3_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# AU-4 (Audit Log Storage Capacity): NSO. The stated rationale is about
# availability of audit data only; it does not address the case where a full
# log store causes records to be lost (au-05_odp.03 is constrained to
# "overwrite oldest record").
- control-id: au-4
  removes:
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: NSO
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.
# `alters` entries for AU-5, AU-6, AU-8, AU-9 and AU-11.
# AU-5 and AU-6 are assessed (a `response-point: Required` prop is added at
# `<id>_smt`); AU-8 and AU-9 are ATTEST and AU-11 is NSO, so their
# `response-point` props are removed.
# NOTE(review): identical `by-name: response-point` removals are repeated
# within one entry; presumably one per tagged statement part in the imported
# catalog - confirm whether a single removal would resolve the same way.

# AU-5 (Response to Audit Logging Process Failures): assessed.
- control-id: au-5
  adds:
    - position: starting
      by-id: au-5_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# AU-6 (Audit Record Review, Analysis, and Reporting): assessed; the review
# frequency is constrained to "at least weekly" by au-06_odp.01.
- control-id: au-6
  adds:
    - position: starting
      by-id: au-6_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# AU-8 (Time Stamps): ATTEST. The one-second granularity constraint on
# au-08_odp is therefore covered by attestation, not by a response point.
- control-id: au-8
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# AU-9 (Protection of Audit Information): ATTEST.
# NOTE(review): protection of the audit trail against modification is the
# control forensic use of these logs depends on; here it carries no response
# point, so confirm what evidence accompanies the attestation.
- control-id: au-9
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# AU-11 (Audit Record Retention): NSO, on an availability argument only.
# NOTE(review): set-parameters still constrains au-11_odp to "a time period in
# compliance with M-21-31", yet this entry removes the control's response
# points. Anyone who needs these logs for investigations should confirm the
# actual retention period with the provider rather than assume the constraint
# is checked.
- control-id: au-11
  removes:
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: NSO
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.
# `alters` entries for AU-12, CA-1, CA-2, CA-2(1) and CA-3.
# ATTEST entries remove the control's `response-point` props; ASSESS entries
# add `response-point: Required` at the start of the statement (`<id>_smt`).
# NOTE(review): identical `by-name: response-point` removals are repeated
# within one entry; presumably one per tagged statement part in the imported
# catalog - confirm whether a single removal would resolve the same way.

# AU-12 (Audit Record Generation): ATTEST. The au-12_odp.01 constraint (all
# components where audit capability is deployed/available) is thus attested.
- control-id: au-12
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# CA-1 (Policy and Procedures): ATTEST.
- control-id: ca-1
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# CA-2 (Control Assessments): assessed.
- control-id: ca-2
  adds:
    - position: starting
      by-id: ca-2_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# CA-2(1) (Independent Assessors): ATTEST, while the base control is assessed.
- control-id: ca-2.1
  removes:
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# CA-3 (Information Exchange): carries two `method` props, ASSESS and
# CONDITIONAL. The guidance states the condition (connections to external
# systems exist) and the four facts to record for each connection.
# NOTE(review): the prose does not say what evidence supports a claim that no
# external connection exists - confirm how the "condition not met" case is
# documented.
- control-id: ca-3
  adds:
    - position: starting
      by-id: ca-3_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: CONDITIONAL
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: 'Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.'
# `alters` entries for CA-5 through CA-9 and CM-1 through CM-6.
# ATTEST entries remove the control's `response-point` props; ASSESS entries
# add `response-point: Required` at the start of the statement (`<id>_smt`).
# NOTE(review): identical `by-name: response-point` removals are repeated
# within one entry; presumably one per tagged statement part in the imported
# catalog - confirm whether a single removal would resolve the same way.

# CA-5 (Plan of Action and Milestones): ATTEST. The guidance ties the
# attestation to the FedRAMP Tailored LI-SaaS continuous monitoring
# requirements; ca-05_odp is constrained to "at least monthly".
- control-id: ca-5
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.
# CA-6 (Authorization): assessed.
- control-id: ca-6
  adds:
    - position: starting
      by-id: ca-6_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# CA-7 (Continuous Monitoring): assessed.
- control-id: ca-7
  adds:
    - position: starting
      by-id: ca-7_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# CA-7(4) (Risk Monitoring): assessed.
- control-id: ca-7.4
  adds:
    - position: starting
      by-id: ca-7.4_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# CA-8 (Penetration Testing): assessed; ca-08_odp.01 is constrained to
# "at least annually".
- control-id: ca-8
  adds:
    - position: starting
      by-id: ca-8_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# CA-9 (Internal System Connections): ASSESS plus CONDITIONAL, with the same
# guidance text as CA-3.
# NOTE(review): the condition speaks of connections to *external* systems,
# while this file's own cm-11 guidance refers to "internal connection (CA-9)".
# Confirm the condition wording is intended for this control and not carried
# over from CA-3.
- control-id: ca-9
  adds:
    - position: starting
      by-id: ca-9_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: CONDITIONAL
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: 'Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.'
# CM-1 (Policy and Procedures): ATTEST.
- control-id: cm-1
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# CM-2 (Baseline Configuration): ATTEST.
- control-id: cm-2
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# CM-4 (Impact Analyses): assessed.
- control-id: cm-4
  adds:
    - position: starting
      by-id: cm-4_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# CM-5 (Access Restrictions for Change): assessed.
- control-id: cm-5
  adds:
    - position: starting
      by-id: cm-5_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# CM-6 (Configuration Settings): assessed. The guidance asks the CM-6 response
# to cover least functionality as well; CM-7 (Least Functionality) itself is
# marked ATTEST in the next `alters` entry, so this is where that detail gets
# reviewed.
- control-id: cm-6
  adds:
    - position: starting
      by-id: cm-6_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: Required - Specifically include details of least functionality.
- control-id: cm-7 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: cm-8 adds: - position: starting by-id: cm-8_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: cm-10 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: NSO class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: NSO - Not directly related to protection of the data. - control-id: cm-11 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: NSO class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), secure access (SC-12 and SC-13), and privileged authentication (IA-2\[1\]) are considerations.
- control-id: cp-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: cp-2 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: NSO class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs. 
# Contingency-planning alterations: cp-3, cp-4, cp-9 and cp-10.
# cp-3, cp-4 and cp-10 remove the response-point props and are tagged with
# method NSO; the guidance part on each gives the stated reason (loss of
# availability of the SaaS determined as little or no impact). cp-9 is the
# one entry in this group that keeps a response point and is tagged ASSESS.
# NOTE(review): the NSO rationale is an availability argument only — a
# deployment whose availability matters to the consuming agency should
# re-check these exclusions against its own impact determination.
# NOTE(review): each removes list repeats the same by-name entry; presumably
# one per response-point occurrence in the imported control — confirm.
- control-id: cp-3
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: NSO
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.
- control-id: cp-4
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: NSO
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.
# cp-9: nothing is removed; a response-point prop with value Required is
# added at the start of the element with id cp-9_smt, and the control is
# tagged with method ASSESS.
- control-id: cp-9
  adds:
    - position: starting
      by-id: cp-9_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
- control-id: cp-10
  removes:
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: NSO
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.
# Identification-and-authentication alterations: ia-1, ia-2 and ia-2.1.
# ia-1: removes the response-point props and tags the control with method
# ATTEST.
- control-id: ia-1
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# ia-2: carries two method props, NSO and ATTEST. The guidance prose is what
# scopes them: NSO for non-privileged users, attestation for privileged users'
# multi-factor identification and authentication, including a description of
# how service accounts are managed.
# NOTE(review): the split between the two methods lives only in the prose;
# a consumer that reads just the method props sees both values with no
# machine-readable indication of which user population each applies to.
- control-id: ia-2
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: NSO
          class: FedRAMP-Tailored-LI-SaaS
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.
# ia-2.1: adds a response-point prop with value Required at the start of the
# element with id ia-2.1_smt and tags the control with method ASSESS. The
# guidance sets multi-factor authentication as the minimum for all Federal
# privileged users when PIV credentials are not accepted, and requires the
# CSP to define implementation status and details.
- control-id: ia-2.1
  adds:
    - position: starting
      by-id: ia-2.1_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.
# Identification-and-authentication alterations: ia-2.2 through ia-8.1.
# Two shapes recur below:
#   - "adds" only: a response-point prop (value Required) is added at the
#     start of the control's _smt element, plus a method prop.
#   - "removes" + "adds": the response-point props are removed and a method
#     prop (ATTEST here) is added.
- control-id: ia-2.2
  adds:
    - position: starting
      by-id: ia-2.2_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
- control-id: ia-2.8
  adds:
    - position: starting
      by-id: ia-2.8_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
# NOTE(review): ia-2.12 adds response-point Required but, unlike ia-2.2,
# ia-2.8, ia-6 and ia-7 around it, no method prop. Tooling that selects
# controls by method would not pick this entry up — confirm whether a
# method (the neighbours use ASSESS) was intended here.
- control-id: ia-2.12
  adds:
    - position: starting
      by-id: ia-2.12_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
- control-id: ia-4
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
- control-id: ia-5
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
- control-id: ia-5.1
  removes:
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
- control-id: ia-6
  adds:
    - position: starting
      by-id: ia-6_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
- control-id: ia-7
  adds:
    - position: starting
      by-id: ia-7_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
- control-id: ia-8
  removes:
    - by-name: response-point
    - by-name: response-point
  adds:
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ATTEST
          class: FedRAMP-Tailored-LI-SaaS
# ia-8.1: tagged with both ASSESS and CONDITIONAL. The condition is stated
# only in the guidance prose: document and assess for privileged users,
# attestation allowed for non-privileged users, with multi-factor
# authentication as the minimum for Federal privileged users when PIV
# credentials are not accepted.
- control-id: ia-8.1
  adds:
    - position: starting
      by-id: ia-8.1_smt
      props:
        - name: response-point
          ns: http://fedramp.gov/ns/oscal
          value: Required
    - props:
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: ASSESS
          class: FedRAMP-Tailored-LI-SaaS
        - name: method
          ns: http://fedramp.gov/ns/oscal
          value: CONDITIONAL
          class: FedRAMP-Tailored-LI-SaaS
      parts:
        - name: guidance
          ns: http://fedramp.gov/ns/oscal
          class: FedRAMP-Tailored-LI-SaaS
          title: Additional Tailoring Comments
          prose: 'Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.'
- control-id: ia-8.2 adds: - position: starting by-id: ia-8.2_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.' - control-id: ia-8.4 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ia-11 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ir-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ir-2 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: 
ir-4 adds: - position: starting by-id: ir-4_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: ir-5 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ir-6 adds: - position: starting by-id: ir-6_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: ir-7 removes: - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ir-8 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: Attestation - Specifically attest to US-CERT compliance. 
- control-id: ma-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ma-2 adds: - position: starting by-id: ma-2_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' - control-id: ma-4 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ma-5 adds: - position: starting by-id: ma-5_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' 
- control-id: mp-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: mp-2 adds: - position: starting by-id: mp-2_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' - control-id: mp-6 adds: - position: starting by-id: mp-6_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' 
- control-id: mp-7 adds: - position: starting by-id: mp-7_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' - control-id: pe-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: pe-2 adds: - position: starting by-id: pe-2_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' 
- control-id: pe-3 adds: - position: starting by-id: pe-3_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' - control-id: pe-6 adds: - position: starting by-id: pe-6_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' - control-id: pe-8 adds: - position: starting by-id: pe-8_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' 
- control-id: pe-12 adds: - position: starting by-id: pe-12_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' - control-id: pe-13 adds: - position: starting by-id: pe-13_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' - control-id: pe-14 adds: - position: starting by-id: pe-14_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' 
- control-id: pe-15 adds: - position: starting by-id: pe-15_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' - control-id: pe-16 adds: - position: starting by-id: pe-16_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.' 
- control-id: pl-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: pl-2 adds: - position: starting by-id: pl-2_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: pl-4 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: pl-4.1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: pl-8 adds: - position: starting by-id: pl-8_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: pl-10 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: pl-11 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ps-1 removes: - by-name: 
response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ps-2 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: FED class: FedRAMP-Tailored-LI-SaaS - control-id: ps-3 adds: - position: starting by-id: ps-3_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: ps-4 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ps-5 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ps-6 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - 
control-id: ps-7 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: Attestation - Specifically stating that any third-party security personnel are treated as CSP employees. - control-id: ps-8 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ps-9 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ra-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ra-2 adds: - position: starting by-id: ra-2_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: ra-3 adds: - position: starting by-id: ra-3_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - 
control-id: ra-3.1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: ra-5 adds: - position: starting by-id: ra-5_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: ra-5.2 adds: - position: starting by-id: ra-5.2_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: ra-5.11 adds: - position: starting by-id: ra-5.11_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: ra-7 adds: - position: starting by-id: ra-7_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: sa-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sa-2 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: 
ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sa-3 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sa-4 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sa-4.10 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sa-5 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sa-8 removes: - by-name: response-point - 
by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sa-9 adds: - position: starting by-id: sa-9_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: sa-22 adds: - position: starting by-id: sa-22_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: sc-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sc-5 adds: - position: starting by-id: sc-5_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: If availability is a requirement, define protections in place as per control requirement.' 
- control-id: sc-7 adds: - position: starting by-id: sc-7_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: sc-8 adds: - position: starting by-id: sc-8_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: sc-8.1 adds: - position: starting by-id: sc-8.1_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: sc-12 adds: - position: starting by-id: sc-12_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: sc-13 adds: - position: starting by-id: sc-13_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - name: method ns: http://fedramp.gov/ns/oscal value: CONDITIONAL class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: 'Condition: If implementing, detail how the control is met or not met.' - control-id: sc-15 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: NSO class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: NSO - Not directly related to the security of the SaaS. 
- control-id: sc-20 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sc-21 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sc-22 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sc-28 adds: - position: starting by-id: sc-28_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: sc-28.1 adds: - position: starting by-id: sc-28.1_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: sc-39 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: si-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: si-2 adds: - position: starting by-id: si-2_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: 
FedRAMP-Tailored-LI-SaaS - control-id: si-3 adds: - position: starting by-id: si-3_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: si-4 adds: - position: starting by-id: si-4_smt props: - name: response-point ns: http://fedramp.gov/ns/oscal value: Required - props: - name: method ns: http://fedramp.gov/ns/oscal value: ASSESS class: FedRAMP-Tailored-LI-SaaS - control-id: si-5 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: si-12 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS parts: - name: guidance ns: http://fedramp.gov/ns/oscal class: FedRAMP-Tailored-LI-SaaS title: Additional Tailoring Comments prose: Attestation - Specifically related to US-CERT and FedRAMP communications procedures. 
- control-id: sr-1 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sr-2 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sr-2.1 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sr-3 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sr-5 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sr-8 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sr-10 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: 
FedRAMP-Tailored-LI-SaaS - control-id: sr-11 removes: - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sr-11.1 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sr-11.2 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS - control-id: sr-12 removes: - by-name: response-point - by-name: response-point adds: - props: - name: method ns: http://fedramp.gov/ns/oscal value: ATTEST class: FedRAMP-Tailored-LI-SaaS back-matter: resources: - uuid: 985475ee-d4d6-4581-8fdf-d84d3d8caa48 title: FedRAMP Applicable Laws and Regulations rlinks: - href: https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx - uuid: a2381e87-3d04-4108-a30b-b4d2f36d001f description: FedRAMP Logo props: - name: type value: logo rlinks: - href: https://www.fedramp.gov/assets/img/logo-main-fedramp.png - uuid: 051a77c1-b61d-4995-8275-dacfe688d510 title: NIST Special Publication (SP) 800-53 revision 5 props: - name: version value: 5.1.1 rlinks: - href: FedRAMP_rev5_LOW-baseline_profile.xml media-type: application/oscal+xml