FedRAMP

Summary

FedRAMP is a U.S. Government program that standardizes how the Federal Information Security Management Act (FISMA) applies to cloud computing services. It provides a uniform approach to the security assessment, authorization and continuous monitoring of cloud-based services. FedRAMP defines a set of security control implementations and system security impact levels based on the NIST baseline controls (NIST SP 800-53).

Definitions

Definition / Requirements

AC-2_3. Account management - Disable inactive accounts
  023. Terminate inactive user sessions
  144. Remove inactive accounts periodically

AC-2_5. Account management - Inactivity logout
  028. Allow users to log out

AC-2_7. Account management - Role-based schemes
  095. Define users with privileges
  096. Set user's required privileges

AC-2_12. Account management - Account monitoring, atypical usage
  376. Register severity level

AC-6_1. Least privilege - Authorize access to security functions
  033. Restrict administrative access
  035. Manage privilege modifications
  096. Set user's required privileges

AC-6_2. Least privilege - Non-privileged access for nonsecurity functions
  096. Set user's required privileges

AC-6_3. Least privilege - Network access to privileged commands
  033. Restrict administrative access

AC-6_8. Least privilege - Privilege levels for code execution
  352. Enable trusted execution

AC-7_2. Unsuccessful logon - Purge, wipe mobile device
  210. Delete information from mobile devices

AC-8. System use notification
  227. Display access notification

AC-10. Concurrent session control
  025. Manage concurrent sessions

AC-11. Session lock
  114. Deny access with inactive credentials

AC-22. Publicly accessible content
  045. Remove metadata when sharing files
  261. Avoid exposing sensitive information
  265. Restrict access to critical processes
  325. Protect WSDL files

AU-3_2. Centralized management of planned audit record content
  377. Store logs based on valid regulation
  378. Use of log management system

AU-8. Time stamps
  079. Record exact occurrence time of events

AU-8_1. Synchronization with authoritative time source
  363. Synchronize system clocks

AU-12_3. Audit regeneration - Changes by authorized individuals
  080. Prevent log modification
  322. Avoid excessive logging
  378. Use of log management system

CA-2_2. Security assessment - Specialized assessments
  041. Scan files for malicious code
  115. Filter malicious emails
  155. Application free of malicious code
  340. Use octet stream downloads
  376. Register severity level

CA-2_3. Security assessment - External organizations
  161. Define secure default options
  262. Verify third-party components
  314. Provide processing confirmation

CA-3. System interconnections
  181. Transmit data using secure protocols
  321. Avoid deserializing untrusted data

CA-3_3. Unclassified non-national security system connections
  153. Out of band transactions
  336. Disable insecure TLS versions

CA-6. Security authorization
  095. Define users with privileges

CA-7. Continuous monitoring
  075. Record exceptional events in logs
  078. Disable debugging events
  079. Record exact occurrence time of events
  080. Prevent log modification
  376. Register severity level
  378. Use of log management system

CM-2_1. Baseline configuration - Reviews and updates
  353. Schedule firmware updates

CM-3_6. Baseline configuration - Cryptography management
  147. Use pre-existent mechanisms
  151. Separate keys for encryption and signatures
  224. Use secure cryptographic mechanisms

CM-5_5. Access restrictions for change - Limit production, operational privileges
  035. Manage privilege modifications
  096. Set user's required privileges
  186. Use the principle of least privilege
  265. Restrict access to critical processes

CM-7. Least functionality
  154. Eliminate backdoors
  255. Allow access only to the necessary ports

CM-7_5. Least functionality - Authorized software, whitelisting
  326. Detect rooted devices
  344. Avoid dynamic code execution
  352. Enable trusted execution

IA-2_11. Identification and authentication - Remote access, separate device
  362. Assign MFA mechanisms to a single account

IA-4. Identifier management
  023. Terminate inactive user sessions
  030. Avoid object reutilization

IA-5_1. Authenticator management - Password-based authentication
  130. Limit password lifespan
  131. Deny multiple password changing attempts
  132. Passphrases with at least 4 words
  133. Passwords with at least 20 characters
  138. Define lifespan for temporary passwords
  139. Set minimum OTP length

IA-5_3. Authenticator management - In-person or trusted third-party registration
  137. Change temporary passwords of third parties

IA-5_8. Authenticator management - Multiple information system accounts
  025. Manage concurrent sessions

MP-2. Media access
  176. Restrict system objects
  205. Configure PIN
  229. Request access credentials
  264. Request authentication
  351. Assign unique keys to each device

MP-5. Media transport
  153. Out of band transactions
  181. Transmit data using secure protocols
  335. Define out of band token lifespan

MP-6. Media sanitization
  210. Delete information from mobile devices
  214. Allow data destruction

PE-3. Physical access control
  114. Deny access with inactive credentials
  231. Implement a biometric verification component
  362. Assign MFA mechanisms to a single account

PE-16. Delivery and removal
  160. Encode system outputs
  173. Discard unsafe inputs

PS-3_3. Personnel screening - Information with special protection measures
  095. Define users with privileges
  096. Set user's required privileges

PS-7. Third-party personnel security
  137. Change temporary passwords of third parties
  262. Verify third-party components
  318. Notify third parties of changes

RA-5. Vulnerability scanning
  041. Scan files for malicious code
  062. Define standard configurations
  118. Inspect attachments
  155. Application free of malicious code

RA-5_4. Privileged access
  095. Define users with privileges

SA-1. System and services acquisition policy and procedures
  331. Guarantee legal compliance

SA-9. External information system services
  262. Verify third-party components

SA-10. Developer configuration management
  062. Define standard configurations

SC-1. System and communications protection policy and procedures
  331. Guarantee legal compliance

SC-8. Transmission confidentiality and integrity
  176. Restrict system objects
  181. Transmit data using secure protocols
  321. Avoid deserializing untrusted data
  336. Disable insecure TLS versions
  338. Implement perfect forward secrecy

SC-8_1. Cryptographic or alternate physical protection
  147. Use pre-existent mechanisms
  224. Use secure cryptographic mechanisms
  250. Manage access points
  257. Access based on user credentials

SC-10. Network disconnect
  023. Terminate inactive user sessions
  335. Define out of band token lifespan

SC-12_2. Cryptographic key establishment and management - Symmetric keys
  145. Protect system cryptographic keys
  149. Set minimum size of symmetric encryption
  372. Proper use of initialization vector (IV)

SC-13. Cryptographic protection
  145. Protect system cryptographic keys
  146. Remove cryptographic keys from RAM
  224. Use secure cryptographic mechanisms
  361. Replace cryptographic keys

SC-28. Protection of information at rest
  062. Define standard configurations
  176. Restrict system objects
  329. Keep client-side storage without sensitive data

SI-3. Malicious code protection
  041. Scan files for malicious code
  155. Application free of malicious code
  340. Use octet stream downloads

SI-5. Security alerts, advisories, and directives
  075. Record exceptional events in logs
  173. Discard unsafe inputs
  227. Display access notification
  301. Notify configuration changes
  318. Notify third parties of changes
  358. Notify upcoming expiration dates