FedRAMP Control Quick Guide V12
FedRAMP SSP

ID   Family                                                  Class       Low Count   Moderate Count
AC   Access Control                                          Technical   11          17 (24)
AT   Awareness and Training                                  Operational 4           4
AU   Audit and Accountability                                Technical   10          12 (9)
CA   Certification, Accreditation, and Security Assessment   Management  6 (1)       6 (2)
CM   Configuration Management                                Operational 6           9 (12)
CP   Contingency Planning                                    Operational 6           9 (15)
IA   Identification and Authentication                       Technical   7 (2)       8 (10)
IR   Incident Response                                       Operational 7           8 (4)
MA   Maintenance                                             Operational 4           6 (6)
MP   Media Protection                                        Operational 3           6 (5)
PE   Physical and Environmental Protection                   Operational 11          18 (5)
PL   Planning                                                Management  4           5
PS   Personnel Security                                      Operational 8           8
RA   Risk Assessment                                         Management  4           4 (5)
SA   System and Services Acquisition                         Management  8           12 (7)
SC   System and Communications Protection                    Technical   8 (1)       24 (16)
SI   System and Information Integrity                        Operational 5           12 (9)

Legend:
Count = # of controls (# of enhancements)
Note: Controls
Control requirements are identified in the Policies and Procedures

Access Control (AC)

Control #   Control Name                                                  Low   Moderate          Additional Req.
AC-1        Access Control Policy and Procedures                          L     M
AC-2        Account Management                                            L     M (1,2,3,4,7)
AC-3        Access Enforcement                                            L     M (3)
AC-4        Information Flow Enforcement                                  -     M
AC-5        Separation of Duties                                          -     M
AC-6        Least Privilege                                               -     M (1,2)           G
AC-7        Unsuccessful Login Attempts                                   L     M
AC-8        System Use Notification                                       L     M                 G
AC-10       Concurrent Session Control                                    -     M
AC-11       Session Lock                                                  -     M (1)             G
AC-14       Permitted Actions Without Identification/Authentication       L     M (1)
AC-16       Security Attributes                                           -     M
AC-17       Remote Access                                                 L     M (1,2,3,4,5,7,8) G
AC-18       Wireless Access                                               L     M (1,2)
AC-19       Access Control for Mobile Devices                             L     M (1,2,3)
AC-20       Use of External Information Systems                           L     M (1,2)
AC-22       Publicly Accessible Content                                   L     M

Awareness and Training (AT)

Control #   Control Name                                                  Low   Moderate          Additional Req.
AT-1        Security Awareness and Training Policy and Procedures         L     M
AT-2        Security Awareness                                            L     M
AT-3        Security Training                                             L     M
AT-4        Security Training Records                                     L     M

Audit and Accountability (AU)

Control #   Control Name                                                  Low   Moderate          Additional Req.
AU-1        Audit and Accountability Policy and Procedures                L     M
AU-2        Auditable Events                                              L     M (3,4)           G
AU-3        Content of Audit Records                                      L     M (1)             G
AU-4        Audit Storage Capacity                                        L     M
AU-5        Response to Audit Processing Failures                         L     M
AU-6        Audit Review, Analysis, and Reporting                         L     M (1,3)
AU-7        Audit Reduction and Report Generation                         -     M (1)
AU-8        Time Stamps                                                   L     M (1)             G
AU-9        Protection of Audit Information                               L     M (2)
AU-10       Non-Repudiation                                               -     M (5)
AU-11       Audit Record Retention                                        L     M
AU-12       Audit Generation                                              L     M

Certification, Accreditation, and Security Assessment (CA)

Control #   Control Name                                                  Low   Moderate          Additional Req.
CA-1        Security Assessment and Authorization Policies and Procedures L     M
CA-2        Security Assessments                                          L (1) M (1)
CA-3        Information System Connections                                L     M
CA-5        Plan of Action and Milestones                                 L     M
CA-6        Security Authorization                                        L     M                 G
CA-7        Continuous Monitoring                                         L     M (2)

Configuration Management (CM)

Control #   Control Name                                                  Low   Moderate          Additional Req.
CM-1        Configuration Management Policy and Procedures                L     M
CM-2        Baseline Configuration                                        L     M (1,3,5)         G
CM-3        Configuration Change Control                                  -     M (2)
CM-4        Security Impact Analysis                                      L     M
CM-5        Access Restrictions for Change                                -     M (1,5)
CM-6        Configuration Settings                                        L     M (1,3)           G
CM-7        Least Functionality                                           L     M (1)             G
CM-8        Information System Component Inventory                        L     M (1,3,5)         G
CM-9        Configuration Management Plan                                 -     M

Contingency Planning (CP)

Control #   Control Name                                                  Low   Moderate          Additional Req.
CP-1        Contingency Planning Policy and Procedures                    L     M
CP-2        Contingency Plan                                              L     M (1,2)
CP-3        Contingency Training                                          L     M
CP-4        Contingency Plan Testing and Exercises                        L     M (1)
CP-6        Alternate Storage Site                                        -     M (1,3)
CP-7        Alternate Processing Site                                     -     M (1,2,3,5)
CP-8        Telecommunications Services                                   -     M (1,2)
CP-9        Information System Backup                                     L     M (1,3)
CP-10       Information System Recovery and Reconstitution                L     M (2,3)

Identification and Authentication (IA)

Control #   Control Name                                                  Low   Moderate          Additional Req.
IA-1        Identification and Authentication Policy and Procedures       L     M
IA-2        Identification and Authentication (Organizational Users)      L (1) M (1,2,3,8)
IA-3        Device Identification and Authentication                      -     M

Physical and Environmental Protection (PE)

Control #   Control Name                                                  Low   Moderate          Additional Req.
PE-1        Physical and Environmental Protection Policy and Procedures   L     M
PE-2        Physical Access Authorizations                                L     M
PE-3        Physical Access Control                                       L     M
PE-4        Access Control for Transmission Medium                        -     M
PE-5        Access Control for Output Devices                             -     M
PE-6        Monitoring Physical Access                                    L     M (1)
PE-7        Visitor Control                                               L     M (1)
PE-8        Access Records                                                L     M
PE-9        Power Equipment and Power Cabling                             -     M
PE-10       Emergency Shutoff                                             -     M
PE-11       Emergency Power                                               -     M
PE-12       Emergency Lighting                                            L     M
PE-13       Fire Protection                                               L     M (1,2,3)
PE-14       Temperature and Humidity Controls                             L     M
PE-15       Water Damage Protection                                       L     M
PE-16       Delivery and Removal                                          L     M
PE-17       Alternate Work Site                                           -     M
PE-18       Location of Information System Components                     -     M

System and Services Acquisition (SA)

Control #   Control Name                                                  Low   Moderate          Additional Req.
SA-1        System and Services Acquisition Policy and Procedures         L     M
SA-2        Allocation of Resources                                       L     M
SA-3        Life Cycle Support                                            L     M
SA-4        Acquisitions                                                  L     M (1,4,7)         G
SA-5        Information System Documentation                              L     M (1,3)
SA-6        Software Usage Restrictions                                   L     M
SA-7        User-Installed Software                                       L     M
SA-8        Security Engineering Principles                               -     M
SA-9        External Information System Services                          L     M (1)
SA-10       Developer Configuration Management                            -     M
SA-11       Developer Security Testing                                    -     M (1)
SA-12       Supply Chain Protection                                       -     M

System and Information Integrity (SI)

Control #   Control Name                                                  Low   Moderate          Additional Req.
SI-1        System and Information Integrity Policy and Procedures        L     M
SI-2        Flaw Remediation                                              L     M (2)
SI-3        Malicious Code Protection                                     L     M (1,2,3)
SI-4        Information System Monitoring                                 -     M (2,4,5,6)       G
SI-5        Security Alerts, Advisories, and Directives                   L     M
SI-6        Security Functionality Verification                           -     M
SI-7        Software and Information Integrity                            -     M (1)
SI-8        Spam Protection                                               -     M
SI-9        Information Input Restrictions                                -     M
SI-10       Information Input Validation                                  -     M
SI-11       Error Handling                                                -     M
SI-12       Information Output Handling and Retention                     L     M