Print report contains conditional formatting and printer settings to enhance comprehension for Cloud Service Providers (CSPs) as well as Federal and Departmental Agencies.
Warsaw = Tilden
they = the
read = electoral
all = votes
unchanged = were
last = commission
are = members
idiots = republicans
can't = didn't
situation = steal
Plaintext: Tilden the electoral votes were commission members republicans didn't steal
Read word for word in this order, the decoded message says the Republican commission members "didn't steal" the electoral votes; the reading offered here, that Tilden actually won the electoral votes but the Republican commission members stole the election anyway, depends on how the transposition reorders the words, which the decoded words alone do not settle. On that reading the message lends some credibility to Tilden's accusations of bribery regarding the disputed states. Of course, without more context it is impossible to say for certain whether the message is authentic. But it demonstrates how codebooks and transpositions could have been used to discuss the election secretly.
This document provides troubleshooting information for xCP issues. It outlines several steps users should take before logging a support request, including checking documentation, gathering log and trace files from the various xCP components, and reproducing the issue. Common xCP issues addressed include applications that fail to redeploy or cannot be accessed after redeployment, and preview mode not working after redeployment. The document also describes restrictions on installing the xMS agent on the same application server that hosts xCP applications.
A server is a network computer that shares resources with and responds to requests from other computers on the network. Servers provide centralized access and storage of resources like applications, files, printers, and other hardware. When installing Windows Server 2012, there are three installation options: Server Core, Server with a GUI, and Minimal Server Interface. Server Core requires less disk space and has a smaller attack surface while Server with a GUI includes more graphical tools for management. The installation process involves inserting the installation media, selecting an installation option, and completing the setup process which reboots the server.
Object-oriented analysis and design (OOAD) uses visual modeling techniques like the Unified Modeling Language (UML) to analyze and design systems based on interacting objects. UML captures system elements and facilitates specification and visualization. It includes static diagrams for non-changing characteristics and dynamic diagrams for changing behaviors. The goal of OOAD and UML is to integrate analysis and development teams through defined processes and modeling.
Class Diagram for Online Examination System, by HASIM ALI
Subject- Object Oriented Software Engineering.
Topic- Designing a class diagram for "Online Examination System"
+ Basic Concept of Class diagram
+ Creating class Diagram
+ Relationship between classes
+ Access specifier
This document provides an introduction to the course "Interaction Design Methods". It defines interaction design as the process of creating, shaping, and deciding on the structural, functional, ethical, and aesthetic qualities of a digital artifact within resource constraints. It presents several models of the interaction design process, including identifying needs, establishing requirements, (re)designing, building an interactive version, and evaluating. The course will involve contextual inquiry, creating personas and scenarios, design sessions, concept mapping, developing user stories, testing paper and interface prototypes, and giving a final presentation.
There are five Flexible Single Master Operations (FSMO) roles, divided into two forest-wide roles and three per-domain roles. The forest roles are the Schema Master, which controls changes to the Active Directory schema, and the Domain Naming Master, which controls the addition and removal of domains in the forest. The domain roles are the Infrastructure Master, RID Master, and PDC Emulator. The Infrastructure Master keeps references to objects in other domains up to date, the RID Master hands out pools of relative identifiers (RIDs) from which each domain controller builds the SIDs of new security principals, and the PDC Emulator is the domain's authoritative time source and receives urgent password-change and lockout replication. These roles can be transferred and, when the holder is permanently gone, seized using the NTDSUtil tool at the command line.
EMC Documentum - xCP 2.x Installation and Deployment, by Haytham Ghandour
This document provides guidance on installing and deploying the EMC xCP application. It outlines the key components that must be installed, such as the JDK, Content Server, xPlore, and xMS agent. It also describes how to configure the application server and set up the xMS environment, including importing templates, creating hosts and services, and synchronizing the environment. Finally, it discusses some common deployment issues like incompatible versions of xPlore, Tomcat role configuration errors, and repository name issues. Logs and performance tuning tips are also presented to help troubleshoot failures.
Unit 4: Managing local users and groups in Windows, by carmenrico14
This document covers the administration of local users and groups in Windows. It explains how local user accounts and groups are configured and managed, including the built-in defaults and security best practices. It also covers configuring the users' personal environment, desktop virtualization, permission management, and local group policies.
Component-based software development aims to reduce costs of developing large distributed systems through programming by assembly rather than development. It focuses expertise on domain problems and improves quality. The document discusses component-based development tools and processes including component libraries, visual design tools, deployment tools and validation tools. It also covers component execution models using CORBA and containers, which provide separation of concerns between business and technical code.
A detailed review of configuration and change management. This lecture explains how to manage different versions of the same software product for different customers and clients, each with a different set of functionalities.
The document describes the traditional structured approach to systems design. This includes using data flow diagrams with system boundaries to partition processes. Designers then describe the processes using structured models like system flowcharts, structure charts, and pseudocode. Structure charts can be developed through transaction and transform analysis and may follow a three-layer architecture. The structured design approach aims to produce modular and cohesive system designs.
The document summarizes the Capability Maturity Model (CMM), which was developed by the Software Engineering Institute to help organizations improve their software development processes. The CMM describes five levels of process maturity, from initial/ad hoc processes to optimized processes. It identifies key process areas that organizations should address to improve, such as requirements management, software quality assurance, and configuration management. The CMM provides a framework to help organizations progressively define, measure, and improve their processes. Studies show organizations that implement the CMM principles can achieve reductions in project overruns, better cost prediction, and improved quality. However, the CMM also faces some criticisms such as not directly addressing design or people aspects.
Anas Tarsha presented on using Ansible for network automation. Ansible is an open source automation tool that is agentless and uses simple YAML files called playbooks to execute tasks sequentially. It can be used to generate device configurations, push configurations, collect running configs, upgrade devices, and more. Unlike the modules used for servers, the network modules run their Python code on the Ansible control node and talk to the devices over SSH or a vendor API, since most network operating systems cannot execute Python themselves. The demo showed using Ansible modules like ping, ios_command, and junos_command to execute show commands and change the hostname on both IOS and Junos devices. Additional resources were provided to learn more about using Ansible for network automation.
Introduction To Software Configuration Management, by Rajesh Kumar
Configuration management (CM) is a field of management that focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life.[1] For information assurance, CM can be defined as the management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.
There are five FSMO roles, each serving a specific purpose in Active Directory: the Schema Master updates the directory schema; the Domain Naming Master manages the addition and removal of domains; the RID Master allocates the RID pools from which domain controllers build the SIDs of new objects; the PDC Emulator is the authoritative time source and processes password changes; and the Infrastructure Master updates object references across domains. If the current holder becomes permanently unavailable, another domain controller can seize the role with the Ntdsutil tool. Seizure is a last resort: prefer a graceful transfer while the holder is still online, and never reconnect a former holder to the forest after its roles have been seized, because two domain controllers claiming the same role cause replication conflicts and, for the RID Master, duplicate SIDs.
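The FSMO summaries above describe which roles exist and that they can be seized; the following added example (not code from either summarized document) shows the audit-then-act sequence a practitioner actually runs: list every role holder with a reachability check, transfer gracefully when the holder still answers, and seize with -Force only when it does not. The names DC02 and the forest are hypothetical placeholders; it assumes the RSAT ActiveDirectory module and a session holding Enterprise Admins rights for the forest roles and Domain Admins rights for the domain roles.

```powershell
# Added example, not from the original documents. Hypothetical names throughout.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # Forest-wide roles live on the forest object, per-domain roles on the domain object.
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $roles  = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
    foreach ($name in $roles.Keys) {
        $holder = $roles[$name]
        [pscustomobject]@{
            Role      = $name
            Holder    = $holder
            # A ping is only a liveness hint; confirm with repadmin /showrepl before seizing.
            Reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
        }
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)][string[]]$Roles
    )
    $current = Get-FsmoRoleHolders
    foreach ($role in $Roles) {
        $holder = ($current | Where-Object Role -eq $role).Holder
        if (Test-Connection -ComputerName $holder -Count 2 -Quiet) {
            # Holder is online: transfer (no -Force), which keeps both sides consistent.
            Write-Host "Transferring $role from $holder to $TargetDC"
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $role -Confirm:$false
        } else {
            # Holder is gone: seize. -Force writes the new owner without contacting the old one.
            # The old holder must never be reconnected; clean it up with
            #   ntdsutil "metadata cleanup" ...
            # so it cannot come back claiming the same role.
            Write-Warning "Seizing $role from unreachable $holder onto $TargetDC"
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $role -Force -Confirm:$false
        }
    }
    Get-FsmoRoleHolders
}

# Usage:
#   Get-FsmoRoleHolders | Format-Table -AutoSize
#   Move-FsmoRole -TargetDC 'DC02' -Roles PDCEmulator, RIDMaster, InfrastructureMaster
```

The same seizure can be done interactively with the tool the summaries name, for example `ntdsutil roles connections "connect to server DC02" quit "seize pdc" quit quit`; the PowerShell cmdlet simply wraps that operation, and both leave the old holder's metadata in place until you remove it.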
The document discusses two types of restoration for Active Directory: non-authoritative and authoritative. A non-authoritative restoration restores an entire domain controller from a Windows Server Backup system state backup; once the server is back online, normal replication overwrites the restored data with whatever is newer on the other domain controllers. An authoritative restoration restores individual Active Directory objects (or a subtree) and marks them authoritative by raising their version numbers, so that the other domain controllers treat the restored copies as the most recent updates and replicate them back out instead of deleting them again. The document provides details on performing both types of restoration.
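To make the distinction concrete, here is an added example (not from the summarized document) of the commands for an authoritative restore of one deleted OU: a non-authoritative system state restore with wbadmin first, then ntdsutil to mark only the lost subtree authoritative. The backup target E:, the backup version timestamp, and the OU distinguished name are hypothetical placeholders; steps 1 and 4 each require a reboot, so the script is run in stages from an elevated session on the domain controller being restored.

```powershell
# Added example, not from the original document. Placeholders: E:, the version
# timestamp (taken from 'wbadmin get versions') and the OU distinguished name.
$backupTarget = 'E:'
$version      = '01/15/2014-02:00'
$subtreeDN    = 'OU=Finance,DC=corp,DC=example,DC=com'

# Step 1: boot into Directory Services Restore Mode (DSRM). Run these two lines,
# then log on with the DSRM administrator account before continuing.
#   bcdedit /set safeboot dsrepair
#   Restart-Computer

# Step 2: non-authoritative system state restore from Windows Server Backup.
# On its own this DC would be overwritten by newer replicas after the reboot.
wbadmin get versions -backupTarget:$backupTarget
wbadmin start systemstaterecovery -version:$version -backupTarget:$backupTarget -quiet

# Step 3: mark only the lost subtree authoritative. ntdsutil raises the version
# numbers of those objects so every other DC accepts them as the newest copy.
# "restore database" would instead roll back the whole domain, so scope this to
# the smallest container that holds the lost objects.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $subtreeDN" quit quit

# Step 4: leave DSRM; normal replication then pushes the restored objects out.
bcdedit /deletevalue safeboot
Restart-Computer
```

After the final reboot, verify with `repadmin /showrepl` that the partners pulled the restored subtree rather than tombstoning it again; a subtree DN containing spaces must be wrapped in its own quotes inside the ntdsutil argument.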
The document discusses various object-oriented methodologies including Rumbaugh, Booch, and Jacobson methodologies. It provides details on Rumbaugh's Object Modeling Technique (OMT) which separates modeling into object, dynamic, and functional models. It describes Booch's methodology which uses class, object, state transition, and other diagrams. It also discusses Jacobson's methodologies including Object-Oriented Software Engineering (OOSE) which is use case driven, and Object-Oriented Business Engineering (OOBE) which uses use cases. The document then covers topics on software quality assurance including types of errors, testing strategies like black box and white box testing, and testing approaches like top-down
This document contains 91 multiple choice questions about Pega concepts and features. The questions cover topics like rules, classes, flows, assignments, data modeling, and more. Users are asked to select the best answer from the given options to statements or scenarios related to building applications in Pega.
This document provides an overview of the Windows Phone 7 (WP7) architecture and platform. It discusses the goals of putting the end user first and building richer, deeper apps. It outlines the platform components, including the client runtime, frameworks, and cloud services. It describes the application model and how apps are developed, tested, packaged, certified and deployed to the Windows Phone Marketplace. It also covers the user interface model and how pages, sessions and navigation work. Key services like push notifications, location and Xbox Live integration are summarized.
This document provides a summary of common Linux commands organized by category including file permissions, networking, compression/archives, package installation, searching, login, file transfer, disk usage, directory traversal, system information, hardware information, users, file commands, and process related commands. It also includes brief descriptions and examples of commands like chmod, chown, ip, tar, rpm, grep, ssh, df, du, and kill. More detailed information on Linux commands can be found at the provided URL.
This document provides an overview of the FedRAMP process for obtaining security authorization for cloud systems. It describes the objectives of FedRAMP, including establishing a standardized approach to assessing and authorizing cloud systems. The document then outlines the key stages of the FedRAMP process from the perspective of a cloud service provider, including initiation, security assessment, and continuous monitoring. It provides examples of documents involved in each stage, such as the system security plan, security assessment plan, and continuous monitoring materials. The overall goal of FedRAMP is to increase security and oversight of cloud systems supporting government agencies.
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size), by James W. De Rienzo
This document provides a mapping of program management and privacy control policies and procedures to various NIST cybersecurity documents. It shows that 17 control families have policies and procedures that map to between 1-7 total NIST documents each, with Identification and Authentication mapping to the most at 7 documents. The total number of mappings in the document is 48.
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014..., by James W. De Rienzo
This document maps the Council on CyberSecurity's Critical Security Controls (CSC) version 5.0 to the controls in National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4. It provides a table of 203 rows, each listing a mapped control with its family, identifier, title, priority level, and whether it is included in the low, moderate, or high security baseline, alongside the corresponding NIST controls and enhancements. The table thus relates each CSC control to the NIST controls that implement or support it.
The document discusses developing a System Security Plan (SSP) for the Federal Risk and Authorization Management Program (FedRAMP). The SSP is a detailed document that describes how security controls have been implemented based on NIST SP 800-53. It provides an overview of the system, identifies responsible personnel, and delineates control responsibilities. Developing a thorough SSP can streamline the FedRAMP assessment process. The SSP template is lengthy at 352 pages to fully document the system and control implementation.
This template provides a sample format for preparing the Control Implementation Summary (CIS) Report for the CSP information system. The CSP may modify the format as necessary to comply with its internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements.
This document provides a performance summary for Hafizul Alam covering his work from August 2000 to March 2001 on the Wave 1 SAP implementation project at the BBC. During this time, he served as a SAP trainer and helped customize training courses. He is now transitioning to a role as the SAP Transition Manager for Marketing and Communications in Wave 2. The summary highlights his achievements, including creating and delivering specialized training with little notice. It also outlines the training and development he received, such as attending pilot courses to provide feedback from his experience in management accounting. His manager, Andrew Ratcliffe, comments positively on his flexibility, resilience, and skills in training and developing others.
Focus on Federal Risk and Authorization Management Program (FedRAMP) - Panel, by Akamai Technologies
This interactive session is designed to deliver deeper insights into the Federal Risk and Authorization Management Program (FedRAMP), a U.S. Federal Government-wide initiative intended to provide “a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services” to be used in support of Federal agency operations. The speakers will update attendees on current FedRAMP progress and ongoing initiatives, and give a detailed review of the provisional authority to operate (P-ATO) recently granted to Akamai Technologies. The Akamai approach is distinct among the others approved to date by FedRAMP, as it authorizes core cloud services to operate using Akamai’s highly distributed commercial network. While others are focused on government-only cloud environments, Akamai can offer government-wide accreditation and assurance to the defense and civilian agencies it serves. Plan to attend this session to build on your understanding of FedRAMP and the expanding cloud computing options available to agency professionals, regardless of mission or location. See the full Edge Presentation: http://www.akamai.com/html/custconf/edgetv-forum.html#session-fedramp
Panelists Include: Matthew Goodrich, Matt Mitchell, Christine Schweickert
The Akamai Edge Conference is a gathering of the industry revolutionaries who are committed to creating leading edge experiences, realizing the full potential of what is possible in a Faster Forward World. From customer innovation stories, industry panels, technical labs, partner and government forums to Web security and developers' tracks, there’s something for everyone at Edge 2013.
Learn more at http://www.akamai.com/edge
The document provides an overview of the FedRAMP program, which aims to standardize how federal agencies assess and authorize the use of cloud services. It establishes a "do once, use many times" framework to reduce duplication of security assessments. Key elements include the Joint Authorization Board which reviews CSP security packages and can grant provisional authorization, and third-party assessment organizations which validate CSP compliance. The document outlines the roles and processes involved in FedRAMP assessments and authorization for cloud service providers and federal agencies.
Azure Government will receive FedRAMP High authorization and two new physically isolated regions will be launched for the Department of Defense and DISA Impact Level 5. New Azure services like App Service, Key Vault, D-Series machines, Site Recovery, and Backup will be available in Azure Government. Azure Government will also support the Azure Resource Manager template deployment model.
This document provides guidance to Cloud Service Providers (CSPs) on FedRAMP's continuous monitoring strategy and requirements for maintaining provisional authorization. It describes roles and responsibilities, expectations for operational visibility, change control processes, required control assessment frequencies, annual self-attestation requirements, and assistance with incident response. CSPs must continuously monitor their systems, report any changes to security controls, and provide annual updates to maintain their FedRAMP authorization.
Federal Agencies & Cloud Service Providers meeting FISMA requirements via FedRAMP
This presentation covers the Federal Risk and Authorization Management Program (FedRAMP) together with FISMA, SCAP, and the Federal Data Center Consolidation Initiative, to clarify how US government agencies that purchase cloud services meet Federal Information Security Management Act (FISMA) requirements.
January 2013 - The FedRAMP Joint Authorization Board has granted its first provisional authorization to Autonomic Resources, who used Veris Group as their FedRAMP accredited 3PAO.
This document summarizes access control enhancements from NIST SP 800-53 Revision 1. It lists over 100 access control enhancements across multiple control families including AC-1 Access Control Policy and Procedures, AC-2 Account Management, AC-3 Access Enforcement, AC-4 Information Flow Enforcement, and AC-6 Least Privilege. For each enhancement, it provides a brief description and indicates whether the enhancement is selected. The document appears to be assessing security controls for an information system and determining whether selected enhancements are implemented correctly.
This document outlines the process for obtaining a barangay clearance, which requires an individual to ask the barangay administrator for the clearance, pay the applicable fee after submitting the required documents, and then receive the issued barangay clearance upon meeting all the requirements.
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...James W. De Rienzo
The document outlines templates and procedures for assessing an organization's compliance with FedRAMP security policies across various control areas. It provides assessment templates for 17 control areas including access control, awareness and training, audit and accountability, and others. Each template includes steps to examine relevant documentation, policies, procedures, and interviews to validate that policies are reviewed regularly and procedures facilitate policy implementation.
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...James W. De Rienzo
This document maps the controls from the Council on CyberSecurity's Critical Security Controls version 5.0 to controls in the US National Institute of Standards and Technology Special Publication 800-53 Revision 4. It contains 203 entries that map a CSC control to the corresponding NIST SP 800-53 control. The purpose is to help organizations understand how the CSC framework maps to the NIST cybersecurity framework.
"How to document your decisions", Dmytro Ovcharenko Fwdays
We will perform architecture kata around a proposed business case. We will review ADD in detail. How usually architecture vision document looks like. How to match your architecture drivers and proposed architecture decisions in architecture views. We will review what is ATAM and how to perform analysis of your decisions in the right way. And finally, we will create an architecture vision document from scratch.
Platform Observability and Infrastructure Closed LoopsLiz Warner
The document provides a legal disclaimer for Sunku Ranganath's LinkedIn profile. It states that no intellectual property rights are granted and disclaims all warranties. It also notes that the information provided is subject to change and that customers should contact their Intel representative for the latest specifications. The document lists Intel as a trademark and acknowledges several individuals.
Running or planning on deploying a large ClearPass cluster? See what others are doing in larger environments to improve their deployments This session is designed to help customers that run the largest and most demanding networks learn how to deal with multiple locations, 100k+ endpoints, and strict SLA’s. Come to this session to discuss architecture for distributed deployments and how to better design your install for high performance, high availability needs. This is the one session where we’ll include the most experienced ClearPass team members for what will be a highly interactive session.
Werardt offers various systems like, ERP, Plant Maintenance, Sales & Distribution, etc. to the Industry apart from specialized systems for the past 15 years.
I C M - The Instrument Calibration Management System is a comprehensive, easy-to-use SOFTWARE solution with the ability to maintain long term, organized, and readily accessible calibration records of all types of Instruments.
Many comprehensive reports are generated including Master Calibration Planner.
Please contact Werardt Systemss Pvt Ltd., Pune, India. Phone : 91-20-25285256, 25285257. email: business@werardt.com
Oracle Ebiz R12.2 Features -- Ravi Sagaramravisagaram
The deck provides the new features with Oracle Ebiz R12.2 released in Sept 2013. It compares the new features in R12.2 with prior release R12.1.3 and provides setups. The deck was presented at NCOAUG in March 2014.
After your successful ClearPass deployment, how will you know if it's still performing properly? In this session, you'll leran how to use our built-in dashboard, logging and trending tools to identify problem areas, and reasonable threshold levels related to authentications, as well as overall appliance performance numbers. See how to turn on and use proactive notifications before problems occur that can keep users from connecting. Hear about best-practices for operationalizing ClearPass as the growth of devices, authentications, and collected data increases.
In This Presentation, Following Optional Configuration for PGW/GGSN is clarified and presented.
PISC/SACC Over View
Traffic
Inspection, Analysis
Authorization and QoS
Configuration
Rating Group, Service Set
Header Rule Set , Header Rule
HTTP/WSP Rule
Rating Group Mapping
Fannie mae bmc remedy its mv7 production infrastructure_v8_021009Accenture
This document contains a diagram and descriptions of an IT infrastructure supporting a BMC Remedy IT service management (ITSM) system. It includes:
- A load balanced web tier with application servers running Weblogic and Remedy middleware.
- Oracle database servers for the primary and reporting databases, with data replication between sites for disaster recovery.
- Application servers separated for online transaction processing and reporting.
- Infrastructure across two primary and secondary data centers for high availability, with failover connections enabled during outages.
Today, most mobile connectivity issues are quickly attributed to “bad Wi-Fi”. Very often it may not be a wireless or RF related issue at all. With Aruba Clarity, IT organisations now have visibility into non-RF metrics not only giving them end-to-end visibility into a wireless user experience, but also the ability to foresee connectivity issues before users are even impacted. Check out the webinar recording where this presentation was used. https://attendee.gotowebinar.com/register/224478872155652612
Register for the upcoming webinars: https://community.arubanetworks.com/t5/Training-Certification-Career/EMEA-Airheads-Webinars-Jul-Dec-2017/td-p/271908
This document provides an overview of the PlantPAx automation system capabilities. PlantPAx is a distributed control system that integrates process and machine control, safety, and information across an entire plant. It uses a modular, scalable architecture and supports all major process control disciplines including continuous, batch, and discrete control. The document outlines PlantPAx capabilities in areas like control system features, configuration and programming, visualization, communications, and advanced process control. It also describes the system's process safety, asset management, batch management, and process optimization functions.
Reliability Centered Maintenance for minimizing integrity failure by Bhavesh Shukla at APAC 2015 Process Safety Management Conference 9th March 2015 Singapore.
This document discusses minimizing integrity failures of aging plants and equipment through reliability centered maintenance. It defines different types of maintenance such as repair, preventive maintenance, and predictive maintenance. The document outlines the process of reliability centered maintenance, including identifying failure modes, prioritizing risks, and selecting maintenance tasks. It provides an example of applying this process to develop a maintenance strategy for different systems based on their risk ranking.
The document discusses several use cases for automating business processes using the Automic Automation Platform. It describes automating social media for event marketing, commercial finance processes, customer onboarding for mobile operators, outage response and customer communication, employee access control, disaster recovery testing, and supply chain replenishment. Central benefits highlighted include reduced costs, improved customer experience, increased visibility and control.
The document discusses PlantPAx, a process automation system that provides integrated control, safety, and information capabilities across discrete, process, batch, and other applications. It has extensive functionality including plant-wide control, I/O support, safety systems, batch management, data collection, advanced control strategies, and asset management tools. PlantPAx is characterized as a flexible, scalable distributed control system that supports all major process networks and fieldbuses.
Service Assurance Constructs for Achieving Network Transformation - Sunku Ran...Liz Warner
Transformation of network softwarization towards 5G inherently requires satisfying the requirements across a broad scope of verticals while maintaining Quality of Service (QoS) and Quality of Experience (QoE) criteria required to satisfy various network slice constraints. This session with hands-on lab introduces 3 key elements of service assurance – Monitoring, Presentation & provisioning layers and introduction to various cloud-native open source frameworks like Collectd, Influxdb, Grafana, Prometheus, Kafka and Platform for Network Data Analytics (PNDA).
Service Assurance Constructs for Achieving Network Transformation by Sunku Ra...Liz Warner
The document discusses integrating platform telemetry into various monitoring and automation systems. It describes using Collectd to collect metrics from the platform and exposing them through plugins to systems like Prometheus, Kafka, OpenStack Telemetry (Ceilometer), ONAP and PNDA. Integrating the platform telemetry enables closed-loop automation and predictive analytics on the platform resources and services.
The document discusses the implementation of a SCADA-DMS-OMS system for Puri Electrical Division in Odisha, India comprising RTUs, FRTUs, and other devices to monitor and control the electrical distribution network. Key features of the DMS software are described including dynamic visualization of the network, real-time control capabilities, simulation for analysis and planning, and access to databases and reports. An overview of the communication infrastructure, servers, and other hardware deployed is also provided.
The document discusses the implementation of a real-time condition monitoring process at Anglo American Copper's Collahuasi Mine. It defines the key elements of technology, people, and processes that must be considered. For technology, it discusses the data network, data collectors, and monitoring systems compatible with the mine's equipment. For people, it defines roles like the system administrator and predictive technicians. For processes, it discusses determining what equipment will be monitored and how maintenance areas will interact with the monitoring information. The benefits of implementation are expected to include increased safety, reduced costs, improved reliability and availability.
This document outlines a risk assessment project for RLK Enterprises, a medical records storage company. It establishes a risk management policy and framework to identify and address risks concerning business processes and legal/statutory requirements. It also describes adopting the NIST Risk Assessment Framework to conduct an assessment, including identifying information asset types and values, control baselines, and mitigation procedures. The goal is to embed practical risk management into key approval and review processes to safeguard assets and information while balancing costs and benefits.
Similar to FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fedramp Baseline Controls (20)
This document provides summaries of several NIST publications related to computer security:
1) SP 500-299 describes a NIST Cloud Computing Security Reference Architecture framework that identifies security components for securing cloud environments and operations.
2) SP 500-304 defines a conformance testing methodology for ANSI/NIST-ITL 1-2011, a standard for biometric data interchange.
3) SP 800-1 is a bibliography of selected computer security publications from 1980 to 1989 covering access controls, auditing, cryptography, and other topics.
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwdJames W. De Rienzo
This document provides a summary of key areas and objectives for cyber security frameworks. It discusses concepts for detecting anomalies and events, maintaining detection processes, performing security continuous monitoring, identifying assets and the business environment, assessing risks, establishing a risk management strategy, controlling access to assets, providing security awareness training, protecting data and information, maintaining security policies and procedures, and performing maintenance. The document lists specific objectives and related standards for each concept area.
NIST NVD REV 4 Security Controls Online Database AnalysisJames W. De Rienzo
This document provides an analysis of NIST NVD 800 Rev4 data across 256 security controls. It shows the distribution of controls by priority level, with over 47% rated P1. It also includes counts of controls, enhancements, and control families. For each control, it lists the identifier, priority, baseline requirements, and enhanced requirements with associated enhancement identifiers.
This document contains a list of 46 podcasts from the CERT organization covering various topics in cybersecurity. The podcasts are grouped into 10 categories: Forensics, Governing for Enterprise Security, Measuring Security, Privacy, Risk Management and Resilience, Security Education and Training, Software Security, Threat, Tips from the Trenches: Areas of Practice, and Trends and Lessons Learned. Each entry includes the podcast title, category, and brief description of topics covered in the podcast. The podcasts address a wide range of issues organizations may face such as malware analysis, security metrics, software development practices, and more.
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804James W. De Rienzo
The document provides a summary of access control family requirements from NIST Special Publication 800-53. It lists each access control requirement (e.g. AC-01, AC-02, etc.) along with the requirement's priority level and impact level. For each requirement, it then lists sub-requirements and provides a short description of each sub-requirement. The document contains over 20 access control requirements with multiple sub-requirements for each.
(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804James W. De Rienzo
This document maps security controls from the Center for Internet Security's Critical Security Controls (CSC) version 5.0 to controls and enhancements in National Institute of Standards and Technology Special Publication 800-53 Revision 4. It provides a table that lists each CSC control, the corresponding NIST SP 800-53 control, and any associated enhancements. The table includes over 100 rows mapping CSC controls to NIST SP 800-53 access controls and audit controls.
This document discusses information assurance training and security fundamentals. It defines 8 security attributes: confidentiality, integrity, availability, accountability, auditability, authenticity/trustworthiness, non-repudiation, and privacy. It explains that information assurance professionals recommend security controls to protect information system components from harm based on assessing the sensitivity level of information and determining a minimum baseline of security controls. Sensitivity level is assigned based on the potential impact of changes to the confidentiality, integrity, and availability of information types stored in a system.
Information Assurance, A DISA CCRI Conceptual FrameworkJames W. De Rienzo
The document provides an overview of the Defense Information Systems Agency's (DISA) Command Cyber Readiness Inspection (CCRI) process. It discusses:
1) The background and phases of the CCRI program, which evaluates sites' security posture and compliance.
2) How CCRIs determine compliance with DISA security requirements and involve aspects beyond just technical compliance.
3) A proposed conceptual framework for the CCRI process, consisting of four phases: defining inspection scope, inspecting assets, documenting observations, and reporting findings.
This document outlines the 9 steps involved in a risk assessment process. It includes system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendations, and results documentation. The process involves characterizing the system, identifying potential threats and vulnerabilities, analyzing current and planned controls, determining the likelihood and potential impacts of risks, and documenting the results in a risk assessment report.
This document outlines the Risk Management Framework which includes 3 phases for managing risk to systems and information. Phase 1 is certification where the system is categorized, controls are selected and implemented, and controls are assessed. Phase 2 is accreditation where the authorizing official accepts any residual risk of the system. Phase 3 is continuous monitoring where controls are monitored on an ongoing basis and the security plan and any issues are updated. It provides steps for each phase including tasks like categorizing the system, developing security plans, assessing controls, issuing accreditation documents, and ongoing monitoring activities.
This document provides an overview of application and desktop delivery technologies, including secure access, web application acceleration, connection brokers, application streaming/virtualization, OS provisioning, virtual desktop infrastructure (VDI), remote desktop services, client-side virtualization, client management services, and application virtualization. It discusses providers for each technology, benefits of application virtualization from Citrix and Microsoft, and compares Microsoft and VMware solutions.
How To Cultivate Community Affinity Throughout The Generosity JourneyAggregage
This session will dive into how to create rich generosity experiences that foster long-lasting relationships. You’ll walk away with actionable insights to redefine how you engage with your supporters — emphasizing trust, engagement, and community!
Presentation by Julie Topoleski, CBO’s Director of Labor, Income Security, and Long-Term Analysis, at the 16th Annual Meeting of the OECD Working Party of Parliamentary Budget Officials and Independent Fiscal Institutions.
Bharat Mata - History of Indian culture.pdfBharat Mata
Bharat Mata Channel is an initiative towards keeping the culture of this country alive. Our effort is to spread the knowledge of Indian history, culture, religion and Vedas to the masses.
Jennifer Schaus and Associates hosts a complimentary webinar series on The FAR in 2024. Join the webinars on Wednesdays and Fridays at noon, eastern.
Recordings are on YouTube and the company website.
https://www.youtube.com/@jenniferschaus/videos
karnataka housing board schemes . all schemesnarinav14
The Karnataka government, along with the central government’s Pradhan Mantri Awas Yojana (PMAY), offers various housing schemes to cater to the diverse needs of citizens across the state. This article provides a comprehensive overview of the major housing schemes available in the Karnataka housing board for both urban and rural areas in 2024.
Presentation by Rebecca Sachs and Joshua Varcie, analysts in CBO’s Health Analysis Division, at the 13th Annual Conference of the American Society of Health Economists.
FedRAMP Control Implementation Summary Template v4.1 Cross Matrixed to FedRAMP Baseline Controls Rev. 4 (Page 1 of 66)

Template columns: Control ID; Control Title; Base (Low, Mod); Parameters (FedRAMP Defined Assignment/Selection Parameters; Additional FedRAMP Requirements and Guidance); Implementation Status (In Place, Partially Implemented, Planned, Alternative Implementation, N/A); Control Origination (Service Provider - Corporate; Service Provider - System Specific; Service Provider Hybrid (Service Provider - Corporate and Service Provider - System Specific); Configured by Customer (Customer - System Specific); Provided by Customer (Customer - System Specific); Shared (Service Provider and Customer Responsibility); Inherited from Pre-Existing Provisional Authorization). In the print layout each group of rows spans two pages, columns A-K and then columns A-D with L-R. The Implementation Status and Control Origination columns are blank in the template.

Rows 2-16 (pages 1-2 of 66):

| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| AC-1 | Access Control Policy and Procedures | X | X | AC-1.b.1 [at least every 3 years]; AC-1.b.2 [at least annually] | |
| AC-2 | Account Management | X | X | AC-2j [at least annually] | |
| AC-2 (1) | Account Management \| Automated System Account Management | | X | | |
| AC-2 (2) | Account Management \| Removal of Temporary / Emergency Accounts | | X | [No more than 30 days for temporary and emergency account types] | |
| AC-2 (3) | Account Management \| Disable Inactive Accounts | | X | [90 days for user accounts] | Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the Authorizing Official. |
| AC-2 (4) | Account Management \| Automated Audit Actions | | X | | |
| AC-2 (5) | Account Management \| Inactivity Logout | | X | | |
| AC-2 (7) | Account Management \| Role-Based Schemes | | X | | |
| AC-2 (9) | Account Management \| Restrictions on Use of Shared Groups / Accounts | | X | | Required if shared/group accounts are deployed |
| AC-2 (10) | Account Management \| Shared / Group Account Credential Termination | | X | | Required if shared/group accounts are deployed |
| AC-2 (12) | Account Management \| Account Monitoring / Atypical Usage | | X | | AC-2 (12)(a) and AC-2 (12)(b) Additional FedRAMP Requirements and Guidance: Required for privileged accounts. |
| AC-3 | Access Enforcement | X | X | | |
| AC-4 | Information Flow Enforcement | | X | | |
Rows 17-25 (pages 3-4 of 66); Implementation Status and Control Origination columns are blank in the template:

| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| AC-4 (21) | Information Flow Enforcement \| Physical / Logical Separation of Information Flows | | X | | |
| AC-5 | Separation of Duties | | X | | |
| AC-6 | Least Privilege | | X | | |
| AC-6 (1) | Least Privilege \| Authorize Access to Security Functions | | X | | |
| AC-6 (2) | Least Privilege \| Non-Privileged Access for Non-Security Functions | | X | [all security functions] | AC-6 (2). Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions. |
| AC-6 (5) | Least Privilege \| Privileged Accounts | | X | | |
| AC-6 (9) | Least Privilege \| Auditing Use of Privileged Functions | | X | | |
| AC-6 (10) | Least Privilege \| Prohibit Non-privileged Users from Executing Privileged Functions | | X | | |
| AC-7 | Unsuccessful Logon Attempts | X | X | AC-7a [not more than three] [fifteen minutes]; AC-7b [locks the account/node for thirty minutes] | |
Rows 26-31 (pages 5-6 of 66); Implementation Status and Control Origination columns are blank in the template:

| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| AC-8 | System Use Notification | X | X | Parameter: See Additional Requirements and Guidance. | Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the Authorizing Official (AO). Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the AO. Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results is approved and accepted by the AO. |
| AC-10 | Concurrent Session Control | | X | [three (3) sessions for privileged access and two (2) sessions for non-privileged access] | |
| AC-11 | Session Lock | | X | AC-11a. [fifteen minutes] | |
| AC-11 (1) | Session Lock \| Pattern-Hiding Displays | | X | | |
| AC-12 | Session Termination | | X | | |
| AC-14 | Permitted Actions Without Identification or Authentication | X | X | | |
Rows 32-47 (pages 7-8 of 66); Implementation Status and Control Origination columns are blank in the template:

| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| AC-17 | Remote Access | X | X | | |
| AC-17 (1) | Remote Access \| Automated Monitoring / Control | | X | | |
| AC-17 (2) | Remote Access \| Protection of Confidentiality / Integrity Using Encryption | | X | | |
| AC-17 (3) | Remote Access \| Managed Access Control Points | | X | | |
| AC-17 (4) | Remote Access \| Privileged Commands / Access | | X | | |
| AC-17 (9) | Remote Access \| Disconnect / Disable Access | | X | [no greater than 15 minutes] | |
| AC-18 | Wireless Access | X | X | | |
| AC-18 (1) | Wireless Access \| Authentication and Encryption | | X | | |
| AC-19 | Access Control For Mobile Devices | X | X | | |
| AC-19 (5) | Access Control For Mobile Devices \| Full Device / Container-Based Encryption | | X | | |
| AC-20 | Use of External Information Systems | X | X | | |
| AC-20 (1) | Use of External Information Systems \| Limits on Authorized Use | | X | | |
| AC-20 (2) | Use of External Information Systems \| Portable Storage Devices | | X | | |
| AC-21 | Information Sharing | | X | | |
| AC-22 | Publicly Accessible Content | X | X | AC-22d. [at least quarterly] | |
| AT-1 | Security Awareness and Training Policy and Procedures | X | X | AT-1.b.1 [at least every 3 years]; AT-1.b.2 [at least annually] | |
9. FedRAMP Control Implementation Summary Template v4.1 Cross Matrixed to FedRAMP Baseline Controls Rev. 4 Page 9 of 66
Columns A-K of the template are Base (Control ID, Control Title, Low, Mod), Parameters (FedRAMP Defined Assignment/Selection Parameters; Additional FedRAMP Requirements and Guidance) and Implementation Status (In Place, Partially Implemented, Planned, Alternative Implementation, N/A). Each entry below lists the FedRAMP baselines (Low, Mod) in which the control appears, followed by its parameters and any additional requirements and guidance.

AT-2 Security Awareness Training
  Baselines: Low, Mod
  Parameters: AT-2. [Assignment: organization-defined frequency] Parameter: [at least annually]

AT-2 (2) Security Awareness | Insider Threat
  Baselines: Mod

AT-3 Role-Based Security Training
  Baselines: Low, Mod
  Parameters: AT-3c. [Assignment: organization-defined frequency] Parameter: [at least annually]

AT-4 Security Training Records
  Baselines: Low, Mod
  Parameters: AT-4b. [Assignment: organization-defined frequency] Parameter: [at least one year]

AU-1 Audit and Accountability Policy and Procedures
  Baselines: Low, Mod
  Parameters:
    AU-1.b.1 [at least every 3 years]
    AU-1.b.2 [at least annually]

AU-2 Audit Events
  Baselines: Low, Mod
  Parameters:
    AU-2a. [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes];
    AU-2d. [organization-defined subset of the auditable events defined in AU-2 a. to be audited continually for each identified event].

AU-2 (3) Audit Events | Reviews and Updates
  Baselines: Mod
  Parameters: AU-2 (3). [Assignment: organization-defined frequency] Parameter: [annually or whenever there is a change in the threat environment]
  Requirements and Guidance: Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the Authorizing Official.

AU-3 Content of Audit Records
  Baselines: Low, Mod
AU-3 (1) Content of Audit Records | Additional Audit Information
  Baselines: Mod
  Parameters: AU-3 (1). [Assignment: organization-defined additional, more detailed information] Parameter: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon]
  Requirements and Guidance:
    AU-3 (1). Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the Authorizing Official.
    Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.

AU-4 Audit Storage Capacity
  Baselines: Low, Mod

AU-5 Response to Audit Processing Failures
  Baselines: Low, Mod
  Parameters: AU-5b. [Assignment: Organization-defined actions to be taken] Parameter: [low-impact: overwrite oldest audit records; moderate-impact: shut down]

AU-6 Audit Review, Analysis, and Reporting
  Baselines: Low, Mod
  Parameters: AU-6a. [Assignment: organization-defined frequency] Parameter: [at least weekly]

AU-6 (1) Audit Review, Analysis, and Reporting | Process Integration
  Baselines: Mod

AU-6 (3) Audit Review, Analysis, and Reporting | Correlate Audit Repositories
  Baselines: Mod

AU-7 Audit Reduction and Report Generation
  Baselines: Mod

AU-7 (1) Audit Reduction and Report Generation | Automatic Processing
  Baselines: Mod

AU-8 Time Stamps
  Baselines: Low, Mod
AU-8 (1) Time Stamps | Synchronization With Authoritative Time Source
  Baselines: Mod
  Parameters: AU-8 (1). [http://tf.nist.gov/tf-cgi/servers.cgi] <At least hourly>
  Requirements and Guidance:
    AU-8 (1). Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.
    Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.
    Guidance: Synchronization of system clocks improves the accuracy of log analysis.

AU-9 Protection of Audit Information
  Baselines: Low, Mod

AU-9 (2) Protection of Audit Information | Audit Backup on Separate Physical Systems / Components
  Baselines: Mod
  Parameters: AU-9 (2). [at least weekly]

AU-9 (4) Protection of Audit Information | Access by Subset of Privileged Users
  Baselines: Mod

AU-11 Audit Record Retention
  Baselines: Low, Mod
  Parameters: AU-11. [at least ninety days]
  Requirements and Guidance: AU-11. Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.

AU-12 Audit Generation
  Baselines: Low, Mod
  Parameters: AU-12a. [all information system and network components where audit capability is deployed/available]

CA-1 Security Assessment and Authorization Policies and Procedures
  Baselines: Low, Mod
  Parameters:
    CA-1.b.1 [at least every 3 years]
    CA-1.b.2 [at least annually]
CA-2 Security Assessments
  Baselines: Low, Mod
  Parameters:
    CA-2b. [at least annually]
    CA-2d. [individuals or roles to include FedRAMP PMO]

CA-2 (1) Security Assessments | Independent Assessors
  Baselines: Low, Mod
  Requirements and Guidance: Added to NIST Baseline for "Low" FedRAMP baseline. For JAB Authorization, must be an accredited 3PAO.

CA-2 (2) Security Assessments | Specialized Assessments
  Baselines: Mod
  Parameters: [at least annually]
  Requirements and Guidance: Requirement: To include 'announced', 'vulnerability scanning'

CA-2 (3) Security Assessments | External Organizations
  Baselines: Mod
  Parameters: [Any FedRAMP Accredited 3PAO] [the conditions of a P-ATO in the FedRAMP Repository]

CA-3 System Interconnections
  Baselines: Low, Mod
  Parameters: CA-3c. 3 Years / Annually and on input from FedRAMP

CA-3 (3) System Interconnections | Unclassified Non-National Security System Connections
  Baselines: Mod
  Parameters: Boundary Protections which meet the Trusted Internet Connection (TIC) requirements
  Requirements and Guidance: CA-3(3) Guidance: Refer to Appendix H – Cloud Considerations of the TIC 2.0 Reference Architecture document.

CA-3 (5) System Interconnections | Restrictions on External Network Connections
  Baselines: Mod
  Requirements and Guidance: For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing.

CA-5 Plan of Action and Milestones
  Baselines: Low, Mod
  Parameters: CA-5b. [at least monthly]
  Requirements and Guidance: CA-5 Guidance: Requirement: POA&Ms must be provided at least monthly.

CA-6 Security Authorization
  Baselines: Low, Mod
  Parameters: CA-6c. [at least every three years or when a significant change occurs]
  Requirements and Guidance: CA-6c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the Authorizing Official.
CA-7 Continuous Monitoring
  Baselines: Low, Mod
  Parameters:
    CA-7d. [To meet Federal and FedRAMP requirements]
    Operating System Scans: at least monthly
    Database and Web Application Scans: at least monthly
    All scans performed by Independent Assessor: at least annually
  Requirements and Guidance: CA-7 Guidance: CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

CA-7 (1) Continuous Monitoring | Independent Assessment
  Baselines: Mod

CA-8 Penetration Testing
  Baselines: Mod
  Parameters: [at least annually]

CA-8 (1) Penetration Testing | Independent Penetration Agent or Team
  Baselines: Mod

CA-9 Internal System Connections
  Baselines: Low, Mod

CM-1 Configuration Management Policy and Procedures
  Baselines: Low, Mod
  Parameters:
    CM-1.b.1 [at least every 3 years]
    CM-1.b.2 [at least annually]

CM-2 Baseline Configuration
  Baselines: Low, Mod

CM-2 (1) Baseline Configuration | Reviews and Updates
  Baselines: Mod
  Parameters:
    CM-2 (1) (a). [at least annually]
    CM-2 (1) (b). [to include when directed by Authorizing Official]

CM-2 (2) Baseline Configuration | Automation Support For Accuracy / Currency
  Baselines: Mod

CM-2 (3) Baseline Configuration | Retention of Previous Configurations
  Baselines: Mod

CM-2 (7) Baseline Configuration | Configure Systems, Components, or Devices for High-Risk Areas
  Baselines: Mod
CM-3 Configuration Change Control
  Baselines: Mod
  Requirements and Guidance:
    Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the Authorizing Official.
    CM-3e Guidance: In accordance with record retention policies and procedures.

CM-4 Security Impact Analysis
  Baselines: Low, Mod

CM-5 Access Restrictions For Change
  Baselines: Mod

CM-5 (1) Access Restrictions For Change | Automated Access Enforcement / Auditing
  Baselines: Mod

CM-5 (3) Access Restrictions For Change | Signed Components
  Baselines: Mod
  Requirements and Guidance: Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

CM-5 (5) Access Restrictions For Change | Limit Production / Operational Privileges
  Baselines: Mod
  Parameters: CM-5 (5) (b). [at least quarterly]
CM-6 Configuration Settings
  Baselines: Low, Mod
  Parameters: CM-6a. [See CM-6(a) Additional FedRAMP Requirements and Guidance]
  Requirements and Guidance:
    CM-6a. Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.
    CM-6a. Requirement: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
    CM-6a. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc

CM-6 (1) Configuration Settings | Automated Central Management / Application / Verification
  Baselines: Mod

CM-7 Least Functionality
  Baselines: Low, Mod
  Parameters: CM-7. [United States Government Configuration Baseline (USGCB)]
  Requirements and Guidance:
    Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
    CM-7. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc
    (Partially derived from AC-17(8).)

CM-7 (1) Least Functionality | Periodic Review
  Baselines: Mod
  Parameters: CM-7(1) [At least Monthly]
CM-7 (2) Least Functionality | Prevent Program Execution
  Baselines: Mod
  Requirements and Guidance: CM-7(2) Guidance: This control shall be implemented in a technical manner on the information system to only allow programs to run that adhere to the policy (i.e. white listing). This control is not to be based off of strictly written policy on what is allowed or not allowed to run.

CM-7 (5) Least Functionality | Authorized Software / Whitelisting
  Baselines: Mod
  Parameters: CM-7(5) [at least Annually or when there is a change.]

CM-8 Information System Component Inventory
  Baselines: Low, Mod
  Parameters: CM-8b. [at least monthly]
  Requirements and Guidance: CM-8 Requirement: must be provided at least monthly or when there is a change.

CM-8 (1) Information System Component Inventory | Updates During Installations / Removals
  Baselines: Mod

CM-8 (2) #N/A
  Baselines: #N/A
  Parameters: #N/A
  Requirements and Guidance: This is a FedRAMP High Control. Does not belong here.

CM-8 (3) Information System Component Inventory | Automated Unauthorized Component Detection
  Baselines: Mod
  Parameters: CM-8 (3) (a). [Continuously, using automated mechanisms with a maximum five-minute delay in detection.]

CM-8 (5) Information System Component Inventory | No Duplicate Accounting of Components
  Baselines: Mod

CM-9 Configuration Management Plan
  Baselines: Mod

CM-10 Software Usage Restrictions
  Baselines: Low, Mod

CM-10 (1) Software Usage Restrictions | Open Source Software
  Baselines: Mod

CM-11 User-Installed Software
  Baselines: Low, Mod
  Parameters: CM-11.c. [Continuously (via CM-7 (5))]

CP-1 Contingency Planning Policy and Procedures
  Baselines: Low, Mod
  Parameters:
    CP-1.b.1 [at least every 3 years]
    CP-1.b.2 [at least annually]
CP-2 Contingency Plan
  Baselines: Low, Mod
  Parameters: CP-2d. [at least annually]
  Requirements and Guidance: Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.

CP-2 (1) Contingency Plan | Coordinate With Related Plans
  Baselines: Mod

CP-2 (2) Contingency Plan | Capacity Planning
  Baselines: Mod

CP-2 (3) Contingency Plan | Resume Essential Missions / Business Functions
  Baselines: Mod

CP-2 (8) Contingency Plan | Identify Critical Assets
  Baselines: Mod

CP-3 Contingency Training
  Baselines: Low, Mod
  Parameters:
    CP-3.a. [10 days]
    CP-3.c. [at least annually]

CP-4 Contingency Plan Testing
  Baselines: Low, Mod
  Parameters: CP-4a. [at least annually for moderate impact systems; at least every three years for low impact systems] [functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems]
  Requirements and Guidance: CP-4a. Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended); plans are approved by the Authorizing Official prior to initiating testing.

CP-4 (1) Contingency Plan Testing | Coordinate With Related Plans
  Baselines: Mod

CP-6 Alternate Storage Site
  Baselines: Mod

CP-6 (1) Alternate Storage Site | Separation From Primary Site
  Baselines: Mod

CP-6 (3) Alternate Storage Site | Accessibility
  Baselines: Mod

CP-7 Alternate Processing Site
  Baselines: Mod
  Requirements and Guidance: CP-7a. Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis.
CP-7 (1) Alternate Processing Site | Separation From Primary Site
  Baselines: Mod
  Requirements and Guidance: CP-7(1) Guidance: The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

CP-7 (2) Alternate Processing Site | Accessibility
  Baselines: Mod

CP-7 (3) Alternate Processing Site | Priority of Service
  Baselines: Mod

CP-8 Telecommunications Services
  Baselines: Mod
  Requirements and Guidance: CP-8. Requirement: The service provider defines a time period consistent with the business impact analysis.

CP-8 (1) Telecommunications Services | Priority of Service Provisions
  Baselines: Mod
CP-9 Information System Backup
  Baselines: Low, Mod
  Parameters:
    CP-9a. [daily incremental; weekly full]
    CP-9b. [daily incremental; weekly full]
    CP-9c. [daily incremental; weekly full]
  Requirements and Guidance:
    CP-9. Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control.
    Requirement: The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check.
    CP-9a. Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative.
    CP-9b. Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative.
    CP-9c. Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative.

CP-9 (1) Information System Backup | Testing For Reliability / Integrity
  Baselines: Mod
  Parameters: CP-9 (1). [at least annually]

CP-9 (3) Information System Backup | Separate Storage for Critical Information
  Baselines: Mod

CP-10 Information System Recovery and Reconstitution
  Baselines: Low, Mod
CP-10 (2) Information System Recovery and Reconstitution | Transaction Recovery
  Baselines: Mod

IA-1 Identification and Authentication Policy and Procedures
  Baselines: Low, Mod
  Parameters:
    IA-1.b.1 [at least every 3 years]
    IA-1.b.2 [at least annually]

IA-2 Identification and Authentication (Organizational Users)
  Baselines: Low, Mod

IA-2 (1) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts
  Baselines: Low, Mod

IA-2 (2) Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts
  Baselines: Mod

IA-2 (3) Identification and Authentication (Organizational Users) | Local Access to Privileged Accounts
  Baselines: Mod

IA-2 (5) Identification and Authentication (Organizational Users) | Group Authentication
  Baselines: Mod

IA-2 (8) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts - Replay Resistant
  Baselines: Mod
IA-2 (11) Identification and Authentication (Organizational Users) | Remote Access - Separate Device
  Baselines: Mod
  Parameters: The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

IA-2 (12) Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials
  Baselines: Low, Mod
  Requirements and Guidance: Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.

IA-3 Device Identification and Authentication
  Baselines: Mod

IA-4 Identifier Management
  Baselines: Low, Mod
  Parameters:
    IA-4d. [at least two years]
    IA-4e. [ninety days for user identifiers] (See additional requirements and guidance.)
  Requirements and Guidance: IA-4e. Requirement: The service provider defines time period of inactivity for device identifiers.

IA-4 (4) Identifier Management | Identify User Status
  Baselines: Mod
  Parameters: IA-4 (4). [contractors; foreign nationals]

IA-5 Authenticator Management
  Baselines: Low, Mod
  Parameters: IA-5g. [to include sixty days for passwords]

IA-5 (1) Authenticator Management | Password-Based Authentication
  Baselines: Low, Mod
  Parameters:
    IA-5 (1) (a). [case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters]
    IA-5 (1) (b). [at least one]
    IA-5 (1) (d). [one day minimum, sixty day maximum]
    IA-5 (1) (e). [twenty four]

IA-5 (2) Authenticator Management | PKI-Based Authentication
  Baselines: Mod

IA-5 (3) Authenticator Management | In-Person or Trusted Third-Party Registration
  Baselines: Mod
  Parameters: IA-5 (3). [All hardware/biometric (multifactor authenticators] [in person]
| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| IA-5 (4) | Authenticator Management \| Automated Support for Password Strength Determination | | X | | IA-4e Additional FedRAMP Requirements and Guidance: Guidance: If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators. |
| IA-5 (6) | Authenticator Management \| Protection of Authenticators | | X | | |
| IA-5 (7) | Authenticator Management \| No Embedded Unencrypted Static Authenticators | | X | | |
| IA-5 (11) | Authenticator Management \| Hardware Token-Based Authentication | X | X | | |
| IA-6 | Authenticator Feedback | X | X | | |
| IA-7 | Cryptographic Module Authentication | X | X | | |
| IA-8 | Identification and Authentication (Non-Organizational Users) | X | X | | |
| IA-8 (1) | Identification and Authentication (Non-Organizational Users) \| Acceptance of PIV Credentials from Other Agencies | X | X | | |
| IA-8 (2) | Identification and Authentication (Non-Organizational Users) \| Acceptance of Third-Party Credentials | X | X | | |
| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| IA-8 (3) | Identification and Authentication (Non-Organizational Users) \| Use of FICAM-Approved Products | X | X | | |
| IA-8 (4) | Identification and Authentication (Non-Organizational Users) \| Use of FICAM-Issued Profiles | X | X | | |
| IR-1 | Incident Response Policy and Procedures | X | X | IR-1.b.1 [at least every 3 years] IR-1.b.2 [at least annually] | |
| IR-2 | Incident Response Training | X | X | IR-2b. [at least annually] | |
| IR-3 | Incident Response Testing | | X | IR-3. [at least annually] | IR-3. Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Requirement: For JAB Authorization, the service provider provides test plans to the Authorizing Official (AO) annually. Requirement: Test plans are approved and accepted by the Authorizing Official prior to test commencing. |
| IR-3 (2) | Incident Response Testing \| Coordination With Related Plans | | X | | |
| IR-4 | Incident Handling | X | X | | IR-4/A13. Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system. |
| IR-4 (1) | Incident Handling \| Automated Incident Handling Processes | | X | | |
| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| IR-5 | Incident Monitoring | X | X | | |
| IR-6 | Incident Reporting | X | X | IR-6a. [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)] | Requirement: Reports security incident information according to FedRAMP Incident Communications Procedure. |
| IR-6 (1) | Incident Reporting \| Automated Reporting | | X | | |
| IR-7 | Incident Response Assistance | X | X | | |
| IR-7 (1) | Incident Response Assistance \| Automation Support For Availability of Information / Support | | X | | |
| IR-7 (2) | Incident Response Assistance \| Coordination With External Providers | | X | | |
| IR-8 | Incident Response Plan | X | X | IR-8c. [at least annually] | IR-8(b) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. IR-8(e) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. |
| IR-9 | Information Spillage Response | | X | | |
| IR-9 (1) | Information Spillage Response \| Responsible Personnel | | X | | |
| IR-9 (2) | Information Spillage Response \| Training | | X | | |
| IR-9 (3) | Information Spillage Response \| Post-Spill Operations | | X | | |
| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| IR-9 (4) | Information Spillage Response \| Exposure to Unauthorized Personnel | | X | | |
| MA-1 | System Maintenance Policy and Procedures | X | X | MA-1.b.1 [at least every 3 years] MA-1.b.2 [at least annually] | |
| MA-2 | Controlled Maintenance | X | X | | |
| MA-3 | Maintenance Tools | | X | | |
| MA-3 (1) | Maintenance Tools \| Inspect Tools | | X | | |
| MA-3 (2) | Maintenance Tools \| Inspect Media | | X | | |
| MA-3 (3) | Maintenance Tools \| Prevent Unauthorized Removal | | X | MA-3 (3) (d). [the information owner explicitly authorizing removal of the equipment from the facility] | |
| MA-4 | Nonlocal Maintenance | X | X | | |
| MA-4 (2) | Nonlocal Maintenance \| Document Nonlocal Maintenance | | X | | |
| MA-5 | Maintenance Personnel | X | X | | |
| MA-5 (1) | Maintenance Personnel \| Individuals Without Appropriate Access | | X | | Requirement: Only MA-5 (1)(a)(1) is required by FedRAMP Moderate Baseline. |
| MA-6 | Timely Maintenance | | X | | |
| MP-1 | Media Protection Policy and Procedures | X | X | MP-1.b.1 [at least every 3 years] MP-1.b.2 [at least annually] | |
| MP-2 | Media Access | X | X | | |
| MP-3 | Media Marking | | X | MP-3b. [no removable media types] | MP-3b. Guidance: Second parameter not applicable. |
| MP-4 | Media Storage | | X | MP-4a. [all types of digital and non-digital media with sensitive information] within [FedRAMP Assignment: see additional FedRAMP requirements and guidance]; | MP-4a Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines controlled areas within facilities where the information and information system reside. |
| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| MP-5 | Media Transport | | X | MP-5a. [all media with sensitive information] [prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container] | |
| MP-5 (4) | Media Transport \| Cryptographic Protection | | X | | |
| MP-6 | Media Sanitization | X | X | The organization: a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. | |
| MP-6 (2) | Media Sanitization \| Equipment Testing | | X | [At least annually] | Guidance: Equipment and procedures may be tested or validated for effectiveness. |
| MP-7 | Media Use | X | X | | |
| MP-7 (1) | Media Use \| Prohibit Use without Owner | | X | | |
| PE-1 | Physical and Environmental Protection Policy and Procedures | X | X | PE-1.b.1 [at least every 3 years] PE-1.b.2 [at least annually] | |
| PE-2 | Physical Access Authorizations | X | X | PE-2c. [at least annually] | |
| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| PE-3 | Physical Access Control | X | X | PE-3a.2 [CSP defined physical access control systems/devices AND guards] PE-3d. [in all circumstances within restricted access area where the information system resides] PE-3f. [at least annually] PE-3g. [at least annually] | |
| PE-4 | Access Control For Transmission Medium | | X | | |
| PE-5 | Access Control For Output Devices | | X | | |
| PE-6 | Monitoring Physical Access | X | X | PE-6b. [at least monthly] | |
| PE-6 (1) | Monitoring Physical Access \| Intrusion Alarms / Surveillance Equipment | | X | | |
| PE-8 | Visitor Access Records | X | X | PE-8a. [for a minimum of one year] PE-8b. [at least monthly] | |
| PE-9 | Power Equipment and Cabling | | X | | |
| PE-10 | Emergency Shutoff | | X | | |
| PE-11 | Emergency Power | | X | | |
| PE-12 | Emergency Lighting | X | X | | |
| PE-13 | Fire Protection | X | X | | |
| PE-13 (2) | Fire Protection \| Suppression Devices / Systems | | X | | |
| PE-13 (3) | Fire Protection \| Automatic Fire Suppression | | X | | |
| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| PE-14 | Temperature and Humidity Controls | X | X | PE-14a. [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments] PE-14b. [continuously] | PE-14a. Requirements: The service provider measures temperature at server inlets and humidity levels by dew point. |
| PE-14 (2) | Temperature and Humidity Controls \| Monitoring With Alarms / Notifications | | X | | |
| PE-15 | Water Damage Protection | X | X | | |
| PE-16 | Delivery and Removal | X | X | PE-16. [all information system components] | |
| PE-17 | Alternate Work Site | | X | | |
| PL-1 | Security Planning Policy and Procedures | X | X | PL-1.b.1 [at least every 3 years] PL-1.b.2 [at least annually] | |
| PL-2 | System Security Plan | X | X | PL-2c. [at least annually] | |
| PL-2 (3) | System Security Plan \| Plan / Coordinate With Other Organizational Entities | | X | | |
| PL-4 | Rules of Behavior | X | X | PL-4c. [At least every 3 years] | |
| PL-4 (1) | Rules of Behavior \| Social Media and Networking Restrictions | | X | | |
| PL-8 | Information Security Architecture | | X | PL-8b. [At least annually] | |
| PS-1 | Personnel Security Policy and Procedures | X | X | PS-1.b.1 [at least every 3 years] PS-1.b.2 [at least annually] | |
| PS-2 | Position Risk Designation | X | X | PS-2c. [at least every three years] | |
| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| PS-3 | Personnel Screening | X | X | PS-3b. [for national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions] | |
| PS-3 (3) | Personnel Screening \| Information With Special Protection Measures | | X | PS-3 (3)(b). [personnel screening criteria – as required by specific information] | |
| PS-4 | Personnel Termination | X | X | PS-4.a. [same day] | |
| PS-5 | Personnel Transfer | X | X | PS-5. [within five days of the formal transfer action (DoD 24 hours)] | |
| PS-6 | Access Agreements | X | X | PS-6b. [at least annually] PS-6c.2. [at least annually] | |
| PS-7 | Third-Party Personnel Security | X | X | PS-7d. organization-defined time period – same day | |
| PS-8 | Personnel Sanctions | X | X | | |
| RA-1 | Risk Assessment Policy and Procedures | X | X | RA-1.b.1 [at least every 3 years] RA-1.b.2 [at least annually] | |
| RA-2 | Security Categorization | X | X | | |
| RA-3 | Risk Assessment | X | X | RA-3b. [security assessment report] RA-3c. [at least every three years or when a significant change occurs] RA-3e. [at least every three years or when a significant change occurs] | Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. RA-3d. Requirement: to include the Authorizing Official; for JAB authorizations to include FedRAMP. |
| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| RA-5 | Vulnerability Scanning | X | X | RA-5a. [monthly operating system/infrastructure; monthly web applications and databases] RA-5d. [high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery] | RA-5a. Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually. RA-5e. Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP. |
| RA-5 (1) | Vulnerability Scanning \| Update Tool Capability | | X | | |
| RA-5 (2) | Vulnerability Scanning \| Update by Frequency / Prior to New Scan / When Identified | | X | RA-5 (2). [prior to a new scan] | |
| RA-5 (3) | Vulnerability Scanning \| Breadth / Depth of Coverage | | X | | |
| RA-5 (5) | Vulnerability Scanning \| Privileged Access | | X | RA-5 (5). [operating systems / web applications / databases] [all scans] | |
| RA-5 (6) | Vulnerability Scanning \| Automated Trend Analyses | | X | | RA-5(6) Guidance: include in Continuous Monitoring ISSO digest/report to Authorizing Official. |
| RA-5 (8) | Vulnerability Scanning \| Review Historic Audit Logs | | X | | RA-5 (8). Requirements: This enhancement is required for all high vulnerability scan findings. Guidance: While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability. |
| SA-1 | System and Services Acquisition Policy and Procedures | X | X | SA-1.b.1 [at least every 3 years] SA-1.b.2 [at least annually] | |
| SA-2 | Allocation of Resources | X | X | | |
| SA-3 | System Development Life Cycle | X | X | | |
| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| SA-4 | Acquisition Process | X | X | | SA-4. Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html. |
| SA-4 (1) | Acquisition Process \| Functional Properties of Security Controls | | X | | |
| SA-4 (2) | Acquisition Process \| Design / Implementation Information for Security Controls | | X | [to include security-relevant external system interfaces and high-level design] | |
| SA-4 (8) | Acquisition Process \| Continuous Monitoring Plan | | X | SA-4 (8). [at least the minimum requirement as defined in control CA-7] | SA-4 (8) Guidance: CSP must use the same security standards regardless of where the system component or information system service is acquired. |
| SA-4 (9) | Acquisition Process \| Functions / Ports / Protocols / Services in Use | | X | | |
| SA-4 (10) | Acquisition Process \| Use of Approved PIV Products | X | X | | |
| SA-5 | Information System Documentation | X | X | | |
| SA-8 | Security Engineering Principles | | X | | |
| SA-9 | External Information System Services | X | X | SA-9a. [FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] SA-9c. [Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored] | |
| Control ID | Control Title | Low | Mod | FedRAMP Defined Assignment/Selection Parameters | Additional FedRAMP Requirements and Guidance |
|---|---|---|---|---|---|
| SA-9 (1) | External Information Systems \| Risk Assessments / Organizational Approvals | | X | SA-9 (1) see Additional Requirement and Guidance | SA-9 (1). Requirement: The service provider documents all existing outsourced security services and conducts a risk assessment of future outsourced security services. For JAB authorizations, future planned outsourced services are approved and accepted by the JAB. |
| SA-9 (2) | External Information Systems \| Identification of Functions / Ports / Protocols / Services | | X | SA-9 (2). [All external systems where Federal information is processed, transmitted or stored] | |
| SA-9 (4) | External Information Systems \| Consistent Interests of Consumers and Providers | | X | SA-9 (4). [All external systems where Federal information is processed, transmitted or stored] | |
| SA-9 (5) | External Information Systems \| Processing, Storage, and Service Location | | X | SA-9 (5). [information processing, transmission, information data, AND information services] | |
| SA-10 | Developer Configuration Management | | X | SA-10a. [development, implementation, AND operation] | SA-10e. Requirement: for JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP. |
| SA-10 (1) | Developer Configuration Management \| Software / Firmware Integrity Verification | | X | | |
| SA-11 | Developer Security Testing and Evaluation | | X | | |
| SA-11 (1) | Developer Security Testing and Evaluation \| Static Code Analysis | | X | | Requirement: SA-11 (1) or SA-11 (8) or both. Requirement: The service provider documents in the Continuous Monitoring Plan how newly developed code for the information system is reviewed. |
| SA-11 (2) | Developer Security Testing and Evaluation \| Threat and Vulnerability Analyses | | X | | |
56. FedRAMP Control Implementation Summary Template v4.1 Cross Matrixed to FedRAMP Baseline Controls Rev. 4 Page 56 of 66
2
3
A B C D
Base
Control
ID
Control Title Low Mod
259
260
261
262
263
264
265
266
267
SA-9 (1) External Information Systems |
Risk Assessments /
Organizational Approvals
X
SA-9 (2) External Information Systems |
Identification of Functions /
Ports / Protocols / Services
X
SA-9 (4) External Information Systems |
Consistent Interests of
Consumers and Providers
X
SA-9 (5) External Information Systems |
Processing, Storage, and
Service Location
X
SA-10 Developer Configuration
Management
X
SA-10 (1) Developer Configuration
Management | Software /
Firmware Integrity Verification
X
SA-11 Developer Security Testing and
Evaluation
X
SA-11 (1) Developer Security Testing and
Evaluation | Static Code
Analysis
X
SA-11 (2) Developer Security Testing and
Evaluation | Threat and
Vulnerability Analyses
X
L M N O P Q R
Control Origination
Service Provider-
Corporate
Service Provider-
System Specific
Service Provider Hybrid:
(Service Provider - Corporate
and Service Provider - System
Specific)
Configured by
Customer
(Customer -
System Specific)
Provided by
Customer
(Customer- System
Specific)
Shared
(Service Provider
and Customer
Responsibility)
Inherited from Pre-
Existing
Provisional
Authorization
57. FedRAMP Control Implementation Summary Template v4.1 Cross Matrixed to FedRAMP Baseline Controls Rev. 4 Page 57 of 66
SA-11 (8)  Developer Security Testing and Evaluation | Dynamic Code Analysis  (Baselines: Mod)
    Additional requirements and guidance: Requirement: SA-11 (1) or SA-11 (8) or both. Requirement: The service provider documents in the Continuous Monitoring Plan how newly developed code for the information system is reviewed.
SC-1  System and Communications Protection Policy and Procedures  (Baselines: Low, Mod)
    Parameters: SC-1.b.1 [at least every 3 years]; SC-1.b.2 [at least annually]
SC-2  Application Partitioning  (Baselines: Mod)
SC-4  Information In Shared Resources  (Baselines: Mod)
SC-5  Denial of Service Protection  (Baselines: Low, Mod)
SC-6  Resource Availability  (Baselines: Mod)
SC-7  Boundary Protection  (Baselines: Low, Mod)
SC-7 (3)  Boundary Protection | Access Points  (Baselines: Mod)
SC-7 (4)  Boundary Protection | External Telecommunications Services  (Baselines: Mod)
    Parameters: SC-7 (4). [at least annually]
SC-7 (5)  Boundary Protection | Deny by Default / Allow by Exception  (Baselines: Mod)
SC-7 (7)  Boundary Protection | Prevent Split Tunneling for Remote Devices  (Baselines: Mod)
SC-7 (8)  Boundary Protection | Route Traffic to Authenticated Proxy Servers  (Baselines: Mod)
SC-7 (12)  Boundary Protection | Host-Based Protection  (Baselines: Mod)
SC-7 (13)  Boundary Protection | Isolation of Security Tools / Mechanisms / Support Components  (Baselines: Mod)
    Additional requirements and guidance: SC-7 (13). Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.
SC-7 (18)  Boundary Protection | Fail Secure  (Baselines: Mod)
SC-8  Transmission Confidentiality and Integrity  (Baselines: Mod)
    Parameters: SC-8. [confidentiality AND integrity]
SC-8 (1)  Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection  (Baselines: Mod)
    Parameters: SC-8 (1). [prevent unauthorized disclosure of information AND detect changes to information] [a hardened or alarmed carrier Protective Distribution System (PDS)]
SC-10  Network Disconnect  (Baselines: Mod)
    Parameters: SC-10. [no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions]
SC-12  Cryptographic Key Establishment and Management  (Baselines: Low, Mod)
    Additional requirements and guidance: SC-12 Guidance: Federally approved cryptography
SC-12 (2)  Cryptographic Key Establishment and Management | Symmetric Keys  (Baselines: Mod)
    Parameters: SC-12 (2). [NIST FIPS-compliant]
SC-12 (3)  Cryptographic Key Establishment and Management | Asymmetric Keys  (Baselines: Mod)
SC-13  Cryptographic Protection  (Baselines: Low, Mod)
    Parameters: [FIPS-validated or NSA-approved cryptography]
SC-15  Collaborative Computing Devices  (Baselines: Low, Mod)
    Parameters: SC-15a. [no exceptions]
SC-17  Public Key Infrastructure Certificates  (Baselines: Mod)
SC-18  Mobile Code  (Baselines: Mod)
SC-19  Voice Over Internet Protocol  (Baselines: Mod)
SC-20  Secure Name / Address Resolution Service (Authoritative Source)  (Baselines: Low, Mod)
SC-21  Secure Name / Address Resolution Service (Recursive or Caching Resolver)  (Baselines: Low, Mod)
SC-22  Architecture and Provisioning for Name / Address Resolution Service  (Baselines: Low, Mod)
SC-23  Session Authenticity  (Baselines: Mod)
SC-28  Protection of Information At Rest  (Baselines: Mod)
    Parameters: SC-28. [confidentiality AND integrity]
    Additional requirements and guidance: SC-28. Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.
SC-28 (1)  Protection Of Information At Rest | Cryptographic Protection  (Baselines: Mod)
SC-39  Process Isolation  (Baselines: Low, Mod)
SI-1  System and Information Integrity Policy and Procedures  (Baselines: Low, Mod)
    Parameters: SI-1.b.1 [at least every 3 years]; SI-1.b.2 [at least annually]
SI-2  Flaw Remediation  (Baselines: Low, Mod)
    Parameters: SI-2c. [Within 30 days of release of updates]
SI-2 (2)  Flaw Remediation | Automated Flaw Remediation Status  (Baselines: Mod)
    Parameters: SI-2 (2). [at least monthly]
SI-2 (3)  Flaw Remediation | Time to Remediate Flaws / Benchmarks for Corrective Actions  (Baselines: Mod)
SI-3  Malicious Code Protection  (Baselines: Low, Mod)
    Parameters: SI-3.c.1 [at least weekly] [to include endpoints]; SI-3.c.2 [to include alerting administrator or defined security personnel]
SI-3 (1)  Malicious Code Protection | Central Management  (Baselines: Mod)
SI-3 (2)  Malicious Code Protection | Automatic Updates  (Baselines: Mod)
SI-3 (7)  Malicious Code Protection | Nonsignature-Based Detection  (Baselines: Mod)
SI-4  Information System Monitoring  (Baselines: Low, Mod)
SI-4 (1)  Information System Monitoring | System-Wide Intrusion Detection System  (Baselines: Mod)
SI-4 (2)  Information System Monitoring | Automated Tools For Real-Time Analysis  (Baselines: Mod)
SI-4 (4)  Information System Monitoring | Inbound and Outbound Communications Traffic  (Baselines: Mod)
    Parameters: SI-4 (4). [continually]
SI-4 (5)  Information System Monitoring | System-Generated Alerts  (Baselines: Mod)
    Additional requirements and guidance: SI-4 (5) Guidance: In accordance with the incident response plan.
SI-4 (14)  Information System Monitoring | Wireless Intrusion Detection  (Baselines: Mod)
SI-4 (16)  Information System Monitoring | Correlate Monitoring Information  (Baselines: Mod)
SI-4 (23)  Information System Monitoring | Host-Based Devices  (Baselines: Mod)
SI-5  Security Alerts, Advisories, and Directives  (Baselines: Low, Mod)
    Parameters: SI-5a. [to include US-CERT]; SI-5c. [to include system security personnel and administrators with configuration/patch-management responsibilities]
SI-6  Security Function Verification  (Baselines: Mod)
    Parameters: SI-6b [to include upon system startup and/or restart at least monthly]; SI-6c [to include system administrators and security personnel]; SI-6d [to include notification of system administrators and security personnel]
SI-7  Software, Firmware, and Information Integrity  (Baselines: Mod)
SI-7 (1)  Software, Firmware, and Information Integrity | Integrity Checks  (Baselines: Mod)
    Parameters: SI-7 (1). [Selection to include security relevant events and at least monthly]
SI-7 (7)  Software, Firmware, and Information Integrity | Integration of Detection and Response  (Baselines: Mod)
SI-8  Spam Protection  (Baselines: Mod)
SI-8 (1)  Spam Protection | Central Management  (Baselines: Mod)
SI-8 (2)  Spam Protection | Automatic Updates  (Baselines: Mod)
SI-10  Information Input Validation  (Baselines: Mod)
SI-11  Error Handling  (Baselines: Mod)
SI-12  Information Handling and Retention  (Baselines: Low, Mod)
SI-16  Memory Protection  (Baselines: Mod)