Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedures Security Controls
1. POLICY. FedRAMP Security Assessment Plan (SAP) Template, Policy Control Overview.xlsx
FedRAMP Security Assessment Plan (SAP) Template
Policy Control Extract
Table of Contents
2 ............Access Control (AC)
3 ............Awareness and Training (AT)
4 ............Audit and Accountability (AU)
4 ............Security Assessment and Authorization (CA)
5 ............Configuration Management (CM)
5 ............Contingency Planning (CP)
6 ............Identification and Authentication (IA)
6 ............Incident Response (IR)
7 ............Maintenance (MA)
7 ............Media Protection (MP)
8 ............Physical and Environmental Protection (PE)
8 ............Planning (PL)
9 ............Personnel Security (PS)
9 ............Risk Assessment (RA)
10 ............System and Services Acquisition (SA)
10 ............System and Communications Protection (SC)
11 ............System and Information Integrity (SI)
Page 1 of 11
1. Access Control (AC)
1.1. AC-1
Examine information security program documentation for the organization access control policy and that the access
control policy is reviewed and updated at least every three years.
Examine organization access control policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the access
control policy and associated access controls, and that the procedures are reviewed and updated at least annually.
Examine organization access control policy and procedures, or other relevant documents for the organization elements
having associated access control roles and responsibilities and to which the access control policy is to be disseminated or
otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the access control
policy was disseminated to the organizational elements.
Examine information security program documentation for the organization access control procedures.
Examine organization access control procedures for evidence that the procedures facilitate implementation of the access
control policy and associated access controls.
Examine organization access control policy and procedures, or other relevant documents for the organization elements
having associated access control roles and responsibilities and to which the access control procedures are to be
disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the access control
policy is reviewed and updated at least every three years, and the procedures at least annually.
2. Awareness and Training (AT)
2.1. AT-1
Examine information security program documentation for the organization security awareness and training policy and
that the security awareness and training policy is reviewed and updated at least every three years.
Examine organization security awareness and training policy for evidence that the policy addresses purpose, scope,
roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the security
awareness and training policy and associated security awareness and training controls, and that the procedures are
reviewed and updated at least annually.
Examine organization security awareness and training policy and procedures, or other relevant documents for the
organization elements having associated security awareness and training roles and responsibilities and to which the
security awareness and training policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
awareness and training policy was disseminated to the organizational elements.
Examine information security program documentation for the organization security awareness and training procedures.
Examine organization security awareness and training procedures for evidence that the procedures facilitate
implementation of the security awareness and training policy and associated security awareness and training controls.
Examine organization security awareness and training policy and procedures, or other relevant documents for the
organization elements having associated security awareness and training roles and responsibilities and to which the
security awareness and training procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
awareness and training policy is reviewed and updated at least every three years, and the procedures at least annually.
3. Audit and Accountability (AU)
3.1. AU-1
Examine information security program documentation for the organization audit and accountability policy and that the
audit and accountability policy is reviewed and updated at least every three years.
Examine organization audit and accountability policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the audit and
accountability policy, and that the procedures are reviewed and updated at least annually.
Examine organization audit and accountability policy and procedures, or other relevant documents for the organization
elements having associated audit and accountability roles and responsibilities and to which the audit and accountability
policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the audit and
accountability policy was disseminated to the organizational elements.
Examine information security program documentation for the organization audit and accountability procedures.
Examine organization audit and accountability procedures for evidence that the procedures facilitate implementation of
the audit and accountability policy and associated audit and accountability controls.
Examine organization audit and accountability policy and procedures, or other relevant documents for the organization
elements having associated audit and accountability roles and responsibilities and to which the audit and accountability
procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the audit and
accountability policy is reviewed and updated at least every three years, and the procedures at least annually.
4. Security Assessment and Authorization (CA)
4.1. CA-1
Examine information security program documentation for the organization security assessment and authorization policy
and that the security assessment and authorization policy is reviewed and updated at least every three years.
Examine organization security assessment and authorization policy for evidence that the policy addresses purpose,
scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the security
assessment and authorization policy, and that the procedures are reviewed and updated at least annually.
Examine organization security assessment and authorization policy and procedures, or other relevant documents for the
organization elements having associated security assessment and authorization roles and responsibilities and to which
the security assessment and authorization policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
assessment and authorization policy was disseminated to the organizational elements.
Examine information security program documentation for the organization security assessment and authorization
procedures.
Examine organization security assessment and authorization procedures for evidence that the procedures facilitate
implementation of the security assessment and authorization policy and associated security assessment and authorization
controls.
Examine organization security assessment and authorization policy and procedures, or other relevant documents for the
organization elements having associated security assessment and authorization roles and responsibilities and to which
the security assessment and authorization procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
assessment and authorization policy is reviewed and updated at least every three years, and the procedures at least
annually.
5. Configuration Management (CM)
5.1. CM-1
Examine configuration management documentation for the organization configuration management policy and that the
configuration management policy is reviewed and updated at least every three years.
Examine organization configuration management policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the
configuration management policy and associated configuration management controls, and that the procedures are
reviewed and updated at least annually.
Examine organization configuration management policy and procedures, or other relevant documents for the
organization elements having associated configuration management roles and responsibilities and to which the
configuration management policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the configuration
management policy was disseminated to the organizational elements.
Examine configuration management documentation for the organization configuration management procedures.
Examine organization configuration management procedures for evidence that the procedures facilitate implementation
of the configuration management policy and associated configuration management controls.
Examine organization configuration management policy and procedures, or other relevant documents for the
organization elements having associated configuration management roles and responsibilities and to which the
configuration management procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the configuration
management policy is reviewed and updated at least every three years, and the procedures at least annually.
6. Contingency Planning (CP)
6.1. CP-1
Examine information security program documentation for the organization contingency planning policy and that the
contingency planning policy is reviewed and updated at least every three years.
Examine organization contingency planning policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the
contingency planning policy, and that the procedures are reviewed and updated at least annually.
Examine organization contingency planning policy and procedures, or other relevant documents for the organization
elements having associated contingency planning roles and responsibilities and to which the contingency planning policy
is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the contingency
planning policy was disseminated to the organizational elements.
Examine information security program documentation for the organization contingency planning procedures.
Examine organization contingency planning procedures for evidence that the procedures facilitate implementation of the
contingency planning policy and associated contingency planning controls.
Examine organization contingency planning policy and procedures, or other relevant documents for the organization
elements having associated contingency planning roles and responsibilities and to which the contingency planning
procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the contingency
planning policy is reviewed and updated at least every three years, and the procedures at least annually.
7. Identification and Authentication (IA)
7.1. IA-1
Examine information security program documentation for the organization identification and authentication policy and
that the identification and authentication policy is reviewed and updated at least every three years.
Examine organization identification and authentication policy for evidence that the policy addresses purpose, scope,
roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the
identification and authentication policy, and that the procedures are reviewed and updated at least annually.
Examine organization identification and authentication policy and procedures, or other relevant documents for the
organization elements having associated identification and authentication roles and responsibilities and to which the
identification and authentication policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the identification
and authentication policy was disseminated to the organizational elements.
Examine information security program documentation for the organization identification and authentication procedures.
Examine organization identification and authentication procedures for evidence that the procedures facilitate
implementation of the identification and authentication policy and associated identification and authentication controls.
Examine organization identification and authentication policy and procedures, or other relevant documents for the
organization elements having associated identification and authentication roles and responsibilities and to which the
identification and authentication procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the identification
and authentication policy is reviewed and updated at least every three years, and the procedures at least annually.
8. Incident Response (IR)
8.1. IR-1
Examine information security program documentation for the organization incident response policy and that the incident
response policy is reviewed and updated at least every three years.
Examine organization incident response policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the incident
response policy, and that the procedures are reviewed and updated at least annually.
Examine organization incident response policy and procedures, or other relevant documents for the organization
elements having associated incident response roles and responsibilities and to which the incident response policy is to be
disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the incident
response policy was disseminated to the organizational elements.
Examine information security program documentation for the organization incident response procedures.
Examine organization incident response procedures for evidence that the procedures facilitate implementation of the
incident response policy and associated incident response controls.
Examine organization incident response policy and procedures, or other relevant documents for the organization
elements having associated incident response roles and responsibilities and to which the incident response procedures
are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the incident
response policy is reviewed and updated at least every three years, and the procedures at least annually.
9. Maintenance (MA)
9.1. MA-1
Examine information security program documentation for the organization system maintenance policy and that the
system maintenance policy is reviewed and updated at least every three years.
Examine organization system maintenance policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the system
maintenance policy, and that the procedures are reviewed and updated at least annually.
Examine organization system maintenance policy and procedures, or other relevant documents for the organization
elements having associated system maintenance roles and responsibilities and to which the system maintenance policy is
to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system
maintenance policy was disseminated to the organizational elements.
Examine information security program documentation for the organization system maintenance procedures.
Examine organization system maintenance procedures for evidence that the procedures facilitate implementation of the
system maintenance policy and associated system maintenance controls.
Examine organization system maintenance policy and procedures, or other relevant documents for the organization
elements having associated system maintenance roles and responsibilities and to which the system maintenance
procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system
maintenance policy is reviewed and updated at least every three years, and the procedures at least annually.
10. Media Protection (MP)
10.1. MP-1
Examine information security program documentation for the organization media protection policy and that the media
protection policy is reviewed and updated at least every three years.
Examine organization media protection policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the media
protection policy, and that the procedures are reviewed and updated at least annually.
Examine organization media protection policy and procedures, or other relevant documents for the organization
elements having associated media protection roles and responsibilities and to which the media protection policy is to be
disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the media
protection policy was disseminated to the organizational elements.
Examine information security program documentation for the organization media protection procedures.
Examine organization media protection procedures for evidence that the procedures facilitate implementation of the
media protection policy and associated media protection controls.
Examine organization media protection policy and procedures, or other relevant documents for the organization
elements having associated media protection roles and responsibilities and to which the media protection procedures are
to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the media
protection policy is reviewed and updated at least every three years, and the procedures at least annually.
11. Physical and Environmental Protection (PE)
11.1. PE-1
Examine information security program documentation for the organization physical and environmental protection policy
and that the physical and environmental protection policy is reviewed and updated at least every three years.
Examine organization physical and environmental protection policy for evidence that the policy addresses purpose,
scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the physical
and environmental protection policy, and that the procedures are reviewed and updated at least annually.
Examine organization physical and environmental protection policy and procedures, or other relevant documents for the
organization elements having associated physical and environmental protection roles and responsibilities and to which
the physical and environmental protection policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the physical and
environmental protection policy was disseminated to the organizational elements.
Examine information security program documentation for the organization physical and environmental protection
procedures.
Examine organization physical and environmental protection procedures for evidence that the procedures facilitate
implementation of the physical and environmental protection policy and associated physical and environmental
protection controls.
Examine organization physical and environmental protection policy and procedures, or other relevant documents for the
organization elements having associated physical and environmental protection roles and responsibilities and to which
the physical and environmental protection procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the physical and
environmental protection policy is reviewed and updated at least every three years, and the procedures at least annually.
12. Planning (PL)
12.1. PL-1
Examine information security program documentation for the organization security planning policy and that the security
planning policy is reviewed and updated at least every three years.
Examine organization security planning policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the security
planning policy, and that the procedures are reviewed and updated at least annually.
Examine organization security planning policy and procedures, or other relevant documents for the organization
elements having associated security planning roles and responsibilities and to which the security planning policy is to be
disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
planning policy was disseminated to the organizational elements.
Examine information security program documentation for the organization security planning procedures.
Examine organization security planning procedures for evidence that the procedures facilitate implementation of the
security planning policy and associated security planning controls.
Examine organization security planning policy and procedures, or other relevant documents for the organization
elements having associated security planning roles and responsibilities and to which the security planning procedures are
to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security
planning policy is reviewed and updated at least every three years, and the procedures at least annually.
13. Personnel Security (PS)
13.1. PS-1
Examine information security program documentation for the organization personnel security policy and that the
personnel security policy is reviewed and updated at least every three years.
Examine organization personnel security policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for evidence that procedures facilitate the implementation of the
personnel security policy, and that the procedures are reviewed and updated at least annually.
Examine organization personnel security policy and procedures, or other relevant documents for the organization
elements having associated personnel security roles and responsibilities and to which the personnel security policy is to
be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the personnel
security policy was disseminated to the organizational elements.
Examine information security program documentation for the organization personnel security procedures.
Examine organization personnel security procedures for evidence that the procedures facilitate implementation of the
personnel security policy and associated personnel security controls.
Examine organization personnel security policy and procedures, or other relevant documents for the organization
elements having associated personnel security roles and responsibilities and to which the personnel security procedures
are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the personnel
security policy is reviewed and updated at least every three years, and the procedures at least annually.
14. Risk Assessment (RA)
14.1. RA-1
Examine information security program documentation for the organization risk assessment policy and that the risk
assessment policy is reviewed and updated at least every three years.
Examine organization risk assessment policy for evidence that the policy addresses purpose, scope, roles and
responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the risk
assessment policy, and that the procedures are reviewed and updated at least annually.
Examine organization risk assessment policy and procedures, or other relevant documents for the organization elements
having associated risk assessment roles and responsibilities and to which the risk assessment policy is to be disseminated
or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the risk
assessment policy was disseminated to the organizational elements.
Examine information security program documentation for the organization risk assessment procedures.
Examine organization risk assessment procedures for evidence that the procedures facilitate implementation of the risk
assessment policy and associated risk assessment controls.
Examine organization risk assessment policy and procedures, or other relevant documents for the organization elements
having associated risk assessment roles and responsibilities and to which the risk assessment procedures are to be
disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the risk
assessment policy is reviewed and updated at least every three years, and the procedures at least annually.
15. System and Services Acquisition (SA)
15.1. SA-1
Examine information security program documentation for the organization system and services acquisition policy and
that the system and services acquisition policy is reviewed and updated at least every three years.
Examine organization system and services acquisition policy for evidence that the policy addresses purpose, scope,
roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the system and
services acquisition policy, and that the procedures are reviewed and updated at least annually.
Examine organization system and services acquisition policy and procedures, or other relevant documents for the
organization elements having associated system and services acquisition roles and responsibilities and to which the
system and services acquisition policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and
services acquisition policy was disseminated to the organizational elements.
Examine information security program documentation for the organization system and services acquisition procedures.
Examine organization system and services acquisition procedures for evidence that the procedures facilitate
implementation of the system and services acquisition policy and associated system and services acquisition controls.
Examine organization system and services acquisition policy and procedures, or other relevant documents for the
organization elements having associated system and services acquisition roles and responsibilities and to which the
system and services acquisition procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and
services acquisition policy is reviewed and updated at least every three years, and the procedures at least annually.
16. System and Communications Protection (SC)
16.1. SC-1
Examine information security program documentation for the organization system and communication protection policy
and that the system and communication protection policy is reviewed and updated at least every three years.
Examine organization system and communication protection policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the system and communication protection policy, and that the procedures are reviewed and updated at least annually.
Examine organization system and communication protection policy and procedures, or other relevant documents for the
organization elements having associated system and communication protection roles and responsibilities and to which
the system and communication protection policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and
communication protection policy was disseminated to the organizational elements.
Examine organization system and communication protection procedures for evidence that the procedures facilitate
implementation of the system and communication protection policy and associated system and communication
protection controls.
Examine organization system and communication protection policy and procedures, or other relevant documents for the
organization elements having associated system and communication protection roles and responsibilities and to which
the system and communication protection procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and
communication protection policy is reviewed and updated at least every three years, and the procedures at least
annually.
17. System and Information Integrity (SI)
17.1. SI-1
Examine information security program documentation for the organization system and information integrity policy and
that the system and information integrity policy is reviewed and updated at least every three years.
Examine organization system and information integrity policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the system and information integrity policy, and that the procedures are reviewed and updated at least annually.
Examine organization system and information integrity policy and procedures, or other relevant documents for the
organization elements having associated system and information integrity roles and responsibilities and to which the
system and information integrity policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and
information integrity policy was disseminated to the organizational elements.
Examine information security program documentation for the organization system and information integrity procedures.
Examine organization system and information integrity procedures for evidence that the procedures facilitate
implementation of the system and information integrity policy and associated system and information integrity controls.
Examine organization system and information integrity policy and procedures, or other relevant documents for the
organization elements having associated system and information integrity roles and responsibilities and to which the
system and information integrity procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the system and
information integrity policy is reviewed and updated at least every three years, and the procedures at least annually.