FedRAMP

Summary

FedRAMP is a U.S. Government program designed to standardize how the Federal Information Security Management Act (FISMA) applies to cloud computing services. It provides a standardized approach to the security assessment, authorization and continuous monitoring of cloud-based services. FedRAMP defines a set of security control implementations, organized into baselines by system impact level, derived from the NIST SP 800-53 control catalog.

Definitions

Definition / Requirements (each FedRAMP control definition is followed by the requirements mapped to it)

AC-2_3. Account management - Disable inactive accounts
  023. Terminate inactive user sessions
  144. Remove inactive accounts periodically

AC-2_5. Account management - Inactivity logout
  028. Allow users to log out

AC-2_7. Account management - Role-based schemes
  095. Define users with privileges
  096. Set user's required privileges

AC-2_12. Account management - Account monitoring, atypical usage
  376. Register severity level

AC-6_1. Least privilege - Authorize access to security functions
  033. Restrict administrative access
  035. Manage privilege modifications
  096. Set user's required privileges

AC-6_2. Least privilege - Non-privileged access for nonsecurity functions
  096. Set user's required privileges

AC-6_3. Least privilege - Network access to privileged commands
  033. Restrict administrative access

AC-6_8. Least privilege - Privilege levels for code execution
  352. Enable trusted execution

AC-7_2. Unsuccessful logon - Purge, wipe mobile device
  210. Delete information from mobile devices

AC-8. System use notification
  227. Display access notification

AC-10. Concurrent session control
  025. Manage concurrent sessions

AC-11. Session lock
  114. Deny access with inactive credentials

AC-22. Publicly accessible content
  045. Remove metadata when sharing files
  261. Avoid exposing sensitive information
  265. Restrict access to critical processes
  325. Protect WSDL files

AU-3_2. Centralized management of planned audit record content
  377. Store logs based on valid regulation
  378. Use of log management system

AU-8. Time stamps
  079. Record exact occurrence time of events

AU-8_1. Synchronization with authoritative time source
  363. Synchronize system clocks

AU-12_3. Audit regeneration - Changes by authorized individuals
  080. Prevent log modification
  322. Avoid excessive logging
  378. Use of log management system

CA-2_2. Security assessment - Specialized assessments
  041. Scan files for malicious code
  115. Filter malicious emails
  155. Application free of malicious code
  340. Use octet stream downloads
  376. Register severity level

CA-2_3. Security assessment - External organizations
  161. Define secure default options
  262. Verify third-party components
  314. Provide processing confirmation

CA-3. System interconnections
  181. Transmit data using secure protocols
  321. Avoid deserializing untrusted data

CA-3_3. Unclassified non-national security system connections
  153. Out of band transactions
  336. Disable insecure TLS versions

CA-6. Security authorization
  095. Define users with privileges

CA-7. Continuous monitoring
  075. Record exceptional events in logs
  078. Disable debugging events
  079. Record exact occurrence time of events
  080. Prevent log modification
  376. Register severity level
  378. Use of log management system

CM-2_1. Baseline configuration - Reviews and updates
  353. Schedule firmware updates

CM-3_6. Baseline configuration - Cryptography management
  147. Use pre-existent mechanisms
  151. Separate keys for encryption and signatures
  224. Use secure cryptographic mechanisms

CM-5_5. Access restrictions for change - Limit production, operational privileges
  035. Manage privilege modifications
  096. Set user's required privileges
  186. Use the principle of least privilege
  265. Restrict access to critical processes

CM-7. Least functionality
  154. Eliminate backdoors
  255. Allow access only to the necessary ports

CM-7_5. Least functionality - Authorized software, whitelisting
  326. Detect rooted devices
  344. Avoid dynamic code execution
  352. Enable trusted execution

IA-2_11. Identification and authentication - Remote access, separate device
  362. Assign MFA mechanisms to a single account

IA-4. Identifier management
  023. Terminate inactive user sessions
  030. Avoid object reutilization

IA-5_1. Authenticator management - Password-based authentication
  130. Limit password lifespan
  131. Deny multiple password changing attempts
  132. Passphrases with at least 4 words
  133. Passwords with at least 20 characters
  138. Define lifespan for temporary passwords
  139. Set minimum OTP length

IA-5_3. Authenticator management - In-person or trusted third-party registration
  137. Change temporary passwords of third parties

IA-5_8. Authenticator management - Multiple information system accounts
  025. Manage concurrent sessions

MP-2. Media access
  176. Restrict system objects
  205. Configure PIN
  229. Request access credentials
  264. Request authentication
  351. Assign unique keys to each device

MP-5. Media transport
  153. Out of band transactions
  181. Transmit data using secure protocols
  335. Define out of band token lifespan

MP-6. Media sanitization
  210. Delete information from mobile devices
  214. Allow data destruction

PE-3. Physical access control
  114. Deny access with inactive credentials
  231. Implement a biometric verification component
  362. Assign MFA mechanisms to a single account

PE-16. Delivery and removal
  160. Encode system outputs
  173. Discard unsafe inputs

PS-3_3. Personnel screening - Information with special protection measures
  095. Define users with privileges
  096. Set user's required privileges

PS-7. Third-party personnel security
  137. Change temporary passwords of third parties
  262. Verify third-party components
  318. Notify third parties of changes

RA-5. Vulnerability scanning
  041. Scan files for malicious code
  062. Define standard configurations
  118. Inspect attachments
  155. Application free of malicious code

RA-5_4. Privileged access
  095. Define users with privileges

SA-1. System and services acquisition policy and procedures
  331. Guarantee legal compliance

SA-9. External information system services
  262. Verify third-party components

SA-10. Developer configuration management
  062. Define standard configurations

SC-1. System and communications protection policy and procedures
  331. Guarantee legal compliance

SC-8. Transmission confidentiality and integrity
  176. Restrict system objects
  181. Transmit data using secure protocols
  321. Avoid deserializing untrusted data
  336. Disable insecure TLS versions
  338. Implement perfect forward secrecy

SC-8_1. Cryptographic or alternate physical protection
  147. Use pre-existent mechanisms
  224. Use secure cryptographic mechanisms
  250. Manage access points
  257. Access based on user credentials

SC-10. Network disconnect
  023. Terminate inactive user sessions
  335. Define out of band token lifespan

SC-12_2. Cryptographic key establishment and management - Symmetric keys
  145. Protect system cryptographic keys
  149. Set minimum size of symmetric encryption
  372. Proper Use of Initialization Vector (IV)

SC-13. Cryptographic protection
  145. Protect system cryptographic keys
  146. Remove cryptographic keys from RAM
  224. Use secure cryptographic mechanisms
  361. Replace cryptographic keys

SC-28. Protection of information at rest
  062. Define standard configurations
  176. Restrict system objects
  329. Keep client-side storage without sensitive data

SI-3. Malicious code protection
  041. Scan files for malicious code
  155. Application free of malicious code
  340. Use octet stream downloads

SI-5. Security alerts, advisories, and directives
  075. Record exceptional events in logs
  173. Discard unsafe inputs
  227. Display access notification
  301. Notify configuration changes
  318. Notify third parties of changes
  358. Notify upcoming expiration dates