
APPENDIX A - FedRAMP Tailored Security Controls Baseline


Key to LISaaS Baseline

| Tailoring Symbol | Tailoring Criteria |
|---|---|
| FED | Controls that are uniquely Federal, which are primarily the responsibility of the Federal Government |
| NSO | Controls FedRAMP determined do not impact the security of Low Impact Cloud SaaS |
| Required | Controls FedRAMP determined are required for Low Impact Cloud SaaS |
| Conditional | Controls FedRAMP determined are conditionally required for Low Impact Cloud SaaS |
| Inherited | Controls FedRAMP determined to be inherited from the underlying infrastructure provider (i.e., FedRAMP authorized IaaS/PaaS) for Low Impact Cloud SaaS |
| Attestation | Controls for which FedRAMP determined that the CSP is required to attest to being in place for Low Impact Cloud SaaS |

FedRAMP Tailored-CSP Response

Lists all controls for which the CSP must either provide detailed descriptions of their implementation or provide a self-attestation that their implementation meets the intent of the security requirements. All required and conditional controls must be tested by an approved assessor.

| No | Control ID | Control Name | Tailoring Action | Additional Control Tailoring Comments / Conditional Requirements |
|---|---|---|---|---|
| 1 | AC-1 | Access Control Policy and Procedures | Attestation | |
| 2 | AC-2 | Account Management | Required | |
| 3 | AC-3 | Access Enforcement | Required | |
| 4 | AC-7 | Unsuccessful Login Attempts | NSO, Attestation | NSO - for non-privileged users; Attestation - for privileged users related to multi-factor identification and authentication |
| 5 | AC-17 | Remote Access | Required | |
| 6 | AC-20 | Use of External Information Systems | Attestation | |
| 7 | AC-22 | Publicly Accessible Content | Required | |
| 8 | AT-1 | Security Awareness and Training Policy and Procedures | Attestation | |
| 9 | AT-2 | Security Awareness Training | Attestation | |
| 10 | AT-3 | Role-Based Security Training | Attestation | |
| 11 | AT-4 | Security Training Records | Attestation | |
| 12 | AU-1 | Audit and Accountability Policy and Procedures | Attestation | |
| 13 | AU-2 | Audit Events | Attestation | |
| 14 | AU-3 | Content of Audit Records | Required | |
| 15 | AU-5 | Response to Audit Processing Failures | Required | |
| 16 | AU-6 | Audit Review, Analysis, and Reporting | Required | |
| 17 | AU-8 | Time Stamps | Attestation | |
| 18 | AU-9 | Protection of Audit Information | Attestation | |
| 19 | AU-12 | Audit Generation | Attestation | |
| 20 | CA-1 | Security Assessment and Authorization Policies and Procedures | Attestation | |
| 21 | CA-2 | Security Assessments | Required | |
| 22 | CA-2 (1) | Security Assessments: Independent Assessors | Attestation | |
| 23 | CA-3 | System Interconnections | Attestation | |
| 24 | CA-5 | Plan of Action and Milestones | Attestation | Attestation - for compliance with FedRAMP Tailored LISaaS Continuous Monitoring Requirements |
| 25 | CA-6 | Security Authorization | Required | |
| 26 | CA-7 | Continuous Monitoring | Required | |
| 27 | CA-9 | Internal System Connections | Required (Conditional) | Required (Conditional) - Control is applicable if there are internal system connection(s). Connections (if any) shall be authorized and: 1) identify the interface/connection; 2) detail what data is involved and its sensitivity; 3) state whether the connection is one-way or bidirectional; and 4) describe how the connection is secured. |
| 28 | CM-1 | Configuration Management Policy and Procedures | Attestation | |
| 29 | CM-2 | Baseline Configuration | Attestation | |
| 30 | CM-4 | Security Impact Analysis | Required | |
| 31 | CM-6 | Configuration Settings | Required | |
| 32 | CM-7 | Least Functionality | Attestation | |
| 33 | CM-8 | Information System Component Inventory | Required | |
| 34 | CP-1 | Contingency Planning Policy and Procedures | Attestation | |
| 35 | CP-9 | Information System Backup | Required | |
| 36 | IA-1 | Identification and Authentication Policy and Procedures | Attestation | |
| 37 | IA-2 | Identification and Authentication (Organizational Users) | NSO, Attestation | NSO - for non-privileged users; Attestation - for privileged users related to multi-factor identification and authentication; specifically include a description of the management of service accounts |
| 38 | IA-2 (1) | Identification and Authentication (Organizational Users): Network Access to Privileged Accounts | Required | |
| 39 | IA-2 (12) | Identification and Authentication (Organizational Users): Acceptance of PIV Credentials | Required (Conditional) | Required (Conditional) - Required for privileged users; Conditional for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP. |
| 40 | IA-4 | Identifier Management | Attestation | |
| 41 | IA-5 | Authenticator Management | Attestation | |
| 42 | IA-5 (1) | Authenticator Management: Password-Based Authentication | Attestation | |
| 43 | IA-5 (11) | Authenticator Management: Hardware Token-Based Authentication | FED, Required (Conditional) | FED - for Federal privileged users; Required (Conditional) - Required for privileged users; Conditional for all non-privileged users |
| 44 | IA-6 | Authenticator Feedback | Required | |
| 45 | IA-7 | Cryptographic Module Authentication | Attestation | |
| 46 | IA-8 | Identification and Authentication (Non-Organizational Users) | Attestation | |
| 47 | IA-8 (1) | Identification and Authentication (Non-Organizational Users): Acceptance of PIV Credentials from Other Agencies | Required (Conditional) | Required (Conditional) - Required for privileged users; Conditional for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP. |
| 48 | IA-8 (2) | Identification and Authentication (Non-Organizational Users): Acceptance of Third-Party Credentials | Required (Conditional) | Required (Conditional) - Required for privileged users; Conditional for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP. |
| 49 | IA-8 (3) | Identification and Authentication (Non-Organizational Users): Acceptance of FICAM-Approved Products | Attestation | |
| 50 | IA-8 (4) | Identification and Authentication (Non-Organizational Users): Use of FICAM-Issued Profiles | Attestation | |
| 51 | IR-1 | Incident Response Policy and Procedures | Attestation | |
| 52 | IR-2 | Incident Response Training | Attestation | |
| 53 | IR-4 | Incident Handling | Required | |
| 54 | IR-5 | Incident Monitoring | Attestation | |
| 55 | IR-6 | Incident Reporting | Required | |
| 56 | IR-7 | Incident Response Assistance | Attestation | |
| 57 | IR-8 | Incident Response Plan | Attestation | Attestation - specifically attest to US-CERT compliance |
| 58 | IR-9 | Information Spillage Response | Attestation | Attestation - specifically describe information spillage response processes |
| 59 | MA-1 | System Maintenance Policy and Procedures | Attestation | |
| 60 | MA-2 | Controlled Maintenance | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 61 | MA-4 | Nonlocal Maintenance | Attestation | |
| 62 | MA-5 | Maintenance Personnel | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 63 | MP-1 | Media Protection Policy and Procedures | Attestation | |
| 64 | MP-2 | Media Access | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 65 | MP-6 | Media Sanitization | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 66 | MP-7 | Media Use | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 67 | PE-1 | Physical and Environmental Protection Policy and Procedures | Attestation | |
| 68 | PE-2 | Physical Access Authorizations | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 69 | PE-3 | Physical Access Control | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 70 | PE-6 | Monitoring Physical Access | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 71 | PE-8 | Visitor Access Records | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 72 | PE-12 | Emergency Lighting | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 73 | PE-13 | Fire Protection | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 74 | PE-14 | Temperature and Humidity Controls | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 75 | PE-15 | Water Damage Protection | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 76 | PE-16 | Delivery and Removal | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 77 | PL-1 | Security Planning Policy and Procedures | Attestation | |
| 78 | PL-2 | System Security Plan | Required | |
| 79 | PL-4 | Rules of Behavior | Attestation | |
| 80 | PS-1 | Personnel Security Policy and Procedures | Attestation | |
| 81 | PS-3 | Personnel Screening | Required | |
| 82 | PS-4 | Personnel Termination | Attestation | |
| 83 | PS-5 | Personnel Transfer | Attestation | |
| 84 | PS-6 | Access Agreements | Attestation | |
| 85 | PS-7 | Third-Party Personnel Security | Attestation | Attestation - specifically stating that any third-party security personnel are treated as CSP employees |
| 86 | PS-8 | Personnel Sanctions | Attestation | |
| 87 | RA-1 | Risk Assessment Policy and Procedures | Attestation | |
| 88 | RA-2 | Security Categorization | Required | |
| 89 | RA-3 | Risk Assessment | Required | |
| 90 | RA-5 | Vulnerability Scanning | Required | |
| 91 | SA-1 | System and Services Acquisition Policy and Procedures | Attestation | |
| 92 | SA-2 | Allocation of Resources | Attestation | |
| 93 | SA-3 | System Development Life Cycle | Attestation | |
| 94 | SA-4 | Acquisition Process | Attestation | |
| 95 | SA-4 (10) | Acquisition Process: Use of Approved PIV Products | Attestation | |
| 96 | SA-5 | Information System Documentation | Attestation | |
| 97 | SA-9 | External Information System Services | Required | |
| 98 | SC-1 | System and Communications Protection Policy and Procedures | Attestation | |
| 99 | SC-5 | Denial of Service Protection | Required (Conditional) | Required (Conditional) - If availability is a requirement, define the protections in place as per the control requirement |
| 100 | SC-7 | Boundary Protection | Required | |
| 101 | SC-12 | Cryptographic Key Establishment and Management | Required | |
| 102 | SC-13 | Cryptographic Protection | Required (Conditional) | Required (Conditional) - if implemented, the CSP must detail how it meets or does not meet the control |
| 103 | SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | Attestation | |
| 104 | SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | Attestation | |
| 105 | SC-22 | Architecture and Provisioning for Name/Address Resolution Service | Attestation | |
| 106 | SC-39 | Process Isolation | Attestation | |
| 107 | SI-1 | System and Information Integrity Policy and Procedures | Attestation | |
| 108 | SI-2 | Flaw Remediation | Required | |
| 109 | SI-3 | Malicious Code Protection | Required | |
| 110 | SI-4 | Information System Monitoring | Required | |
| 111 | SI-5 | Security Alerts, Advisories, and Directives | Attestation | |
| 112 | SI-12 | Information Handling and Retention | Attestation | Attestation - specifically related to US-CERT and FedRAMP communications procedures |

FedRAMP Tailored - Details

Provides details of the FedRAMP tailoring criteria against all of the security controls in the FedRAMP Low Impact Baseline.

| No | Control ID | Control Name | Tailoring Action | Additional Tailoring Comments |
|---|---|---|---|---|
| 1 | AC-1 | Access Control Policy and Procedures | Attestation | |
| 2 | AC-2 | Account Management | Required | |
| 3 | AC-3 | Access Enforcement | Required | |
| 4 | AC-7 | Unsuccessful Login Attempts | NSO, Attestation | NSO - for non-privileged users; Attestation - for privileged users related to multi-factor identification and authentication |
| 5 | AC-8 | System Use Notification | FED | FED - This is related to agency data and the agency policy solution |
| 6 | AC-14 | Permitted Actions without Identification or Authentication | FED | FED - This is related to agency data and the agency policy solution |
| 7 | AC-17 | Remote Access | Required | |
| 8 | AC-18 | Wireless Access | NSO | NSO - All access to the Cloud SaaS is via web services and/or API. The device accessed from, and whether the connection is wired or wireless, is out of scope. Regardless of the device accessed from, access must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 (1)). |
| 9 | AC-19 | Access Control for Mobile Devices | NSO | NSO - All access to the Cloud SaaS is via web services and/or API. The device accessed from is out of scope. Regardless of the device accessed from, access must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 (1)). |
| 10 | AC-20 | Use of External Information Systems | Attestation | |
| 11 | AC-22 | Publicly Accessible Content | Required | |
| 12 | AT-1 | Security Awareness and Training Policy and Procedures | Attestation | |
| 13 | AT-2 | Security Awareness Training | Attestation | |
| 14 | AT-3 | Role-Based Security Training | Attestation | |
| 15 | AT-4 | Security Training Records | Attestation | |
| 16 | AU-1 | Audit and Accountability Policy and Procedures | Attestation | |
| 17 | AU-2 | Audit Events | Attestation | |
| 18 | AU-3 | Content of Audit Records | Required | |
| 19 | AU-4 | Audit Storage Capacity | NSO | NSO - Loss of availability of the audit data has been determined to have little or no impact on government business/mission needs |
| 20 | AU-5 | Response to Audit Processing Failures | Required | |
| 21 | AU-6 | Audit Review, Analysis, and Reporting | Required | |
| 22 | AU-8 | Time Stamps | Attestation | |
| 23 | AU-9 | Protection of Audit Information | Attestation | |
| 24 | AU-11 | Audit Record Retention | NSO | NSO - Loss of availability of the audit data has been determined to have little or no impact on government business/mission needs |
| 25 | AU-12 | Audit Generation | Attestation | |
| 26 | CA-1 | Security Assessment and Authorization Policies and Procedures | Attestation | |
| 27 | CA-2 | Security Assessments | Required | |
| 28 | CA-2 (1) | Security Assessments: Independent Assessors | Attestation | |
| 29 | CA-3 | System Interconnections | Attestation | |
| 30 | CA-5 | Plan of Action and Milestones | Attestation | Attestation - for compliance with FedRAMP Tailored LISaaS Continuous Monitoring Requirements |
| 31 | CA-6 | Security Authorization | Required | |
| 32 | CA-7 | Continuous Monitoring | Required | |
| 33 | CA-9 | Internal System Connections | Required (Conditional) | Required (Conditional) - Control is applicable if there are internal system connection(s). Connections (if any) shall be authorized and: 1) identify the interface/connection; 2) detail what data is involved and its sensitivity; 3) state whether the connection is one-way or bidirectional; and 4) describe how the connection is secured. |
| 34 | CM-1 | Configuration Management Policy and Procedures | Attestation | |
| 35 | CM-2 | Baseline Configuration | Attestation | |
| 36 | CM-4 | Security Impact Analysis | Required | |
| 37 | CM-6 | Configuration Settings | Required | Required - specifically include details of least functionality |
| 38 | CM-7 | Least Functionality | Attestation | |
| 39 | CM-8 | Information System Component Inventory | Required | |
| 40 | CM-10 | Software Usage Restrictions | NSO | NSO - Not directly related to protection of the data |
| 41 | CM-11 | User-Installed Software | NSO | NSO - The boundary is specific to the SaaS environment; all access is via web services; users' machines and internal networks are not contemplated. External services (SA-9), internal connections (CA-9), remote access (AC-17), secure access (SC-12 and SC-13), and privileged authentication (IA-2 (1)) are considerations. |
| 42 | CP-1 | Contingency Planning Policy and Procedures | Attestation | |
| 43 | CP-2 | Contingency Plan | NSO | NSO - Loss of availability of the SaaS has been determined to have little or no impact on government business/mission needs |
| 44 | CP-3 | Contingency Training | NSO | NSO - Loss of availability of the SaaS has been determined to have little or no impact on government business/mission needs |
| 45 | CP-4 | Contingency Plan Testing | NSO | NSO - Loss of availability of the SaaS has been determined to have little or no impact on government business/mission needs |
| 46 | CP-9 | Information System Backup | Required | |
| 47 | CP-10 | Information System Recovery and Reconstitution | NSO | NSO - Loss of availability of the SaaS has been determined to have little or no impact on government business/mission needs |
| 48 | IA-1 | Identification and Authentication Policy and Procedures | Attestation | |
| 49 | IA-2 | Identification and Authentication (Organizational Users) | NSO, Attestation | NSO - for non-privileged users; Attestation - for privileged users related to multi-factor identification and authentication; specifically include a description of the management of service accounts |
| 50 | IA-2 (1) | Identification and Authentication (Organizational Users): Network Access to Privileged Accounts | Required | |
| 51 | IA-2 (12) | Identification and Authentication (Organizational Users): Acceptance of PIV Credentials | Required (Conditional) | Required (Conditional) - Required for privileged users; Conditional for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP. |
| 52 | IA-4 | Identifier Management | Attestation | |
| 53 | IA-5 | Authenticator Management | Attestation | |
| 54 | IA-5 (1) | Authenticator Management: Password-Based Authentication | Attestation | |
| 55 | IA-5 (11) | Authenticator Management: Hardware Token-Based Authentication | FED, Required (Conditional) | FED - for Federal privileged users; Required (Conditional) - Required for privileged users; Conditional for all non-privileged users |
| 56 | IA-6 | Authenticator Feedback | Required | |
| 57 | IA-7 | Cryptographic Module Authentication | Attestation | |
| 58 | IA-8 | Identification and Authentication (Non-Organizational Users) | Attestation | |
| 59 | IA-8 (1) | Identification and Authentication (Non-Organizational Users): Acceptance of PIV Credentials from Other Agencies | Required (Conditional) | Required (Conditional) - Required for privileged users; Conditional for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP. |
| 60 | IA-8 (2) | Identification and Authentication (Non-Organizational Users): Acceptance of Third-Party Credentials | Required (Conditional) | Required (Conditional) - Required for privileged users; Conditional for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP. |
| 61 | IA-8 (3) | Identification and Authentication (Non-Organizational Users): Acceptance of FICAM-Approved Products | Attestation | |
| 62 | IA-8 (4) | Identification and Authentication (Non-Organizational Users): Use of FICAM-Issued Profiles | Attestation | |
| 63 | IR-1 | Incident Response Policy and Procedures | Attestation | |
| 64 | IR-2 | Incident Response Training | Attestation | |
| 65 | IR-4 | Incident Handling | Required | |
| 66 | IR-5 | Incident Monitoring | Attestation | |
| 67 | IR-6 | Incident Reporting | Required | |
| 68 | IR-7 | Incident Response Assistance | Attestation | |
| 69 | IR-8 | Incident Response Plan | Attestation | Attestation - specifically attest to US-CERT compliance |
| 70 | IR-9 | Information Spillage Response | Attestation | Attestation - specifically describe information spillage response processes |
| 71 | MA-1 | System Maintenance Policy and Procedures | Attestation | |
| 72 | MA-2 | Controlled Maintenance | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 73 | MA-4 | Nonlocal Maintenance | Attestation | |
| 74 | MA-5 | Maintenance Personnel | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 75 | MP-1 | Media Protection Policy and Procedures | Attestation | |
| 76 | MP-2 | Media Access | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 77 | MP-6 | Media Sanitization | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 78 | MP-7 | Media Use | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 79 | PE-1 | Physical and Environmental Protection Policy and Procedures | Attestation | |
| 80 | PE-2 | Physical Access Authorizations | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 81 | PE-3 | Physical Access Control | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 82 | PE-6 | Monitoring Physical Access | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 83 | PE-8 | Visitor Access Records | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 84 | PE-12 | Emergency Lighting | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 85 | PE-13 | Fire Protection | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 86 | PE-14 | Temperature and Humidity Controls | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 87 | PE-15 | Water Damage Protection | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 88 | PE-16 | Delivery and Removal | Inherited, Attestation | CSP includes inherited controls in self-attestation |
| 89 | PL-1 | Security Planning Policy and Procedures | Attestation | |
| 90 | PL-2 | System Security Plan | Required | |
| 91 | PL-4 | Rules of Behavior | Attestation | |
| 92 | PS-1 | Personnel Security Policy and Procedures | Attestation | |
| 93 | PS-2 | Position Risk Designation | FED | |
| 94 | PS-3 | Personnel Screening | Required | |
| 95 | PS-4 | Personnel Termination | Attestation | |
| 96 | PS-5 | Personnel Transfer | Attestation | |
| 97 | PS-6 | Access Agreements | Attestation | |
| 98 | PS-7 | Third-Party Personnel Security | Attestation | Attestation - specifically stating that any third-party security personnel are treated as CSP employees |
| 99 | PS-8 | Personnel Sanctions | Attestation | |
| 100 | RA-1 | Risk Assessment Policy and Procedures | Attestation | |
| 101 | RA-2 | Security Categorization | Required | |
| 102 | RA-3 | Risk Assessment | Required | |
| 103 | RA-5 | Vulnerability Scanning | Required | |
| 104 | SA-1 | System and Services Acquisition Policy and Procedures | Attestation | |
| 105 | SA-2 | Allocation of Resources | Attestation | |
| 106 | SA-3 | System Development Life Cycle | Attestation | |
| 107 | SA-4 | Acquisition Process | Attestation | |
| 108 | SA-4 (10) | Acquisition Process: Use of Approved PIV Products | Attestation | |
| 109 | SA-5 | Information System Documentation | Attestation | |
| 110 | SA-9 | External Information System Services | Required | |
| 111 | SC-1 | System and Communications Protection Policy and Procedures | Attestation | |
| 112 | SC-5 | Denial of Service Protection | Required (Conditional) | Required (Conditional) - If availability is a requirement, define the protections in place as per the control requirement |
| 113 | SC-7 | Boundary Protection | Required | |
| 114 | SC-12 | Cryptographic Key Establishment and Management | Required | |
| 115 | SC-13 | Cryptographic Protection | Required (Conditional) | Required (Conditional) - if implemented, the CSP must detail how it meets or does not meet the control |
| 116 | SC-15 | Collaborative Computing Devices | NSO | NSO - Not directly related to the security of the SaaS |
| 117 | SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | Attestation | |
| 118 | SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | Attestation | |
| 119 | SC-22 | Architecture and Provisioning for Name/Address Resolution Service | Attestation | |
| 120 | SC-39 | Process Isolation | Attestation | |
| 121 | SI-1 | System and Information Integrity Policy and Procedures | Attestation | |
| 122 | SI-2 | Flaw Remediation | Required | |
| 123 | SI-3 | Malicious Code Protection | Required | |
| 124 | SI-4 | Information System Monitoring | Required | |
| 125 | SI-5 | Security Alerts, Advisories, and Directives | Attestation | |
| 126 | SI-12 | Information Handling and Retention | Attestation | Attestation - specifically related to US-CERT and FedRAMP communications procedures |

APPENDIX B - FedRAMP Tailored Mandatory Templates

in development

APPENDIX C - FedRAMP Tailored ATO Letter Template


Insert your information here

ATO Letter Template

Federal Agency/Office logo

Date

Cloud System Owner Name

Cloud Service Name Cloud System Owner

Address

Mr./Mrs. CSP System Owner Name:

Federal Agency/Office has completed the security review of the Cloud Service Provider (CSP) Name (CSP Acronym) System Name (System Acronym), which leverages the CSP Name (CSP Acronym) System Name (System Acronym) Select IaaS or PaaS. Based on the Federal Information Processing Standard (FIPS) security impact categorization of Low (Confidentiality = Low, Integrity = Low, Availability = Low) and specifically the FedRAMP Tailored Low Impact Software-as-a-Service (LISaaS) Security Requirements,[1] Federal Agency/Office has determined that System Acronym meets the information security requirements and is granted Federal Agency/Office FedRAMP Authorization to Operate (ATO).

The FedRAMP Tailored LISaaS Baseline established by the FedRAMP Joint Authorization Board (JAB) defines the minimum security requirements for SaaS systems and applications that meet specific criteria for use by agencies.

Insert information regarding the appropriate use, purposes and restrictions for use of this SaaS

The Federal Agency/Office has determined this CSP system Name ATO is applicable for use by Federal Agency/Office users for the following purposes, and with the following restrictions:

Based on the assessment conducted by Assessment Organization Name, and review by Federal Agency/Office's Authorization Organization, the CSP and/or CSP System Name has been implemented and is maintained at an acceptable level of risk.

Edit as appropriate, if known risks or security controls are not implemented and have been accepted by the Authorization Organization specifically for this ATO

The following is a list of known vulnerabilities and risks of the CSP Name/System Name that have been determined as acceptable for the specific use and with the specified restrictions:

The security authorization of the information system will remain in effect for a length of time in alignment with Office of Management and Budget Circular A-130 as long as:

  1. CSP Acronym satisfies the requirement of implementing continuous monitoring activities in accordance with FedRAMP Tailored LISaaS continuous monitoring requirements and/or as agreed between Federal Agency/Office and System Acronym.
  2. CSP Acronym mitigates open vulnerabilities in accordance with FedRAMP requirements and as agreed between Federal Agency/Office and System Acronym.
  3. Significant changes or critical vulnerabilities are identified and managed in accordance with applicable Federal law, guidelines, policies, and best practices.

System Acronym is delivered as a SaaS offering using a multi-tenant Deployment Model cloud computing environment. It is available to Insert scope of customers exactly as stated in the documentation (for example, Public, Federal Only, Hybrid community).

Brief system description provided by CSP

Federal Agencies are encouraged to leverage this Agency FedRAMP ATO as a key element of their own ATO as applicable. The package associated with the IaaS and/or PaaS System Acronym ATO must be considered together with this System Acronym ATO. Federal Agency/Office believes the System Acronym and System Acronym FedRAMP Security Authorization Packages accurately document and clearly define the aggregate outstanding risk considerations when viewed in concert. Agency customers must consider the aggregate risk for the LISaaS and the underlying systems when granting an ATO.

Copies of authorization packages are available for agency review in the FedRAMP Secure Repository. If you have any questions or comments regarding this ATO, please contact Agency ATO contact information.

APPROVED: _______________X

Agency AO Name

Agency AO Title

Agency Name

APPENDIX D - FedRAMP Tailored Continuous Monitoring Requirements

in development

APPENDIX E - FedRAMP Tailored Self-Attestation Requirements


FedRAMP Tailored Self-Attestation Requirements

Cloud Service Providers (CSPs) must attest to meeting the intent of the implementations of the security controls below. CSPs are not required to implement the security controls exactly as stated in the security control statements; however, vendors must attest to meeting the intent of the controls.

For example, for AT-2, a CSP would attest to the fact that CSP staff are appropriately trained on security awareness issues. The details of the training and an assessment of the training are not required as part of the assessment and authorization under FedRAMP Tailored.

If a vendor does not meet the intent of any of the security controls below, the vendor must identify that security control in its attestation, stating that it does not implement that control, so that agency Authorizing Officials are aware of it when making a risk-based determination to authorize that system for use.

CSP ATTESTATION

CSP attests to meeting the intent of all of the security controls in Table E-1 below. Any details about the security controls that agency Authorizing Officials should be aware of are noted in the last column of Table E-1.

CSP System Owner Signature Date

TABLE E-1

| No | Control ID | Control Name | Additional Control Information and Comments | CSP Implementation Notes |
|---|---|---|---|---|
| 1 | AC-1 | Access Control Policy and Procedures | | |
| 2 | AC-7 | Unsuccessful Login Attempts | NSO - for non-privileged users; Attestation - for privileged users related to multi-factor identification and authentication | |
| 3 | AC-20 | Use of External Information Systems | | |
| 4 | AT-1 | Security Awareness and Training Policy and Procedures | | |
| 5 | AT-2 | Security Awareness Training | | |
| 6 | AT-3 | Role-Based Security Training | | |
| 7 | AT-4 | Security Training Records | | |
| 8 | AU-1 | Audit and Accountability Policy and Procedures | | |
| 9 | AU-2 | Audit Events | | |
| 10 | AU-8 | Time Stamps | | |
| 11 | AU-9 | Protection of Audit Information | | |
| 12 | AU-12 | Audit Generation | | |
| 13 | CA-1 | Security Assessment and Authorization Policies and Procedures | | |
| 14 | CA-2 (1) | Security Assessments: Independent Assessors | | |
| 15 | CA-3 | System Interconnections | | |
| 16 | CA-5 | Plan of Action and Milestones | Attestation - for compliance with FedRAMP Tailored LISaaS Continuous Monitoring Requirements | |
| 17 | CM-1 | Configuration Management Policy and Procedures | | |
| 18 | CM-2 | Baseline Configuration | | |
| 19 | CM-7 | Least Functionality | | |
| 20 | CP-1 | Contingency Planning Policy and Procedures | | |
| 21 | IA-1 | Identification and Authentication Policy and Procedures | | |
| 22 | IA-2 | Identification and Authentication (Organizational Users) | NSO - for non-privileged users; Attestation - for privileged users related to multi-factor identification and authentication; specifically include a description of the management of service accounts | |
| 23 | IA-4 | Identifier Management | | |
| 24 | IA-5 | Authenticator Management | | |
| 25 | IA-5 (1) | Authenticator Management: Password-Based Authentication | | |
| 26 | IA-7 | Cryptographic Module Authentication | | |
| 27 | IA-8 | Identification and Authentication (Non-Organizational Users) | | |
| 28 | IA-8 (3) | Identification and Authentication (Non-Organizational Users): Acceptance of FICAM-Approved Products | | |
| 29 | IA-8 (4) | Identification and Authentication (Non-Organizational Users): Use of FICAM-Issued Profiles | | |
| 30 | IR-1 | Incident Response Policy and Procedures | | |
| 31 | IR-2 | Incident Response Training | | |
| 32 | IR-5 | Incident Monitoring | | |
| 33 | IR-7 | Incident Response Assistance | | |
| 34 | IR-8 | Incident Response Plan | Attestation - specifically attest to US-CERT compliance | |
| 35 | IR-9 | Information Spillage Response | Attestation - specifically describe information spillage response processes | |
| 36 | MA-1 | System Maintenance Policy and Procedures | | |
| 37 | MA-2 | Controlled Maintenance | CSP includes inherited controls in self-attestation | |
| 38 | MA-4 | Nonlocal Maintenance | | |
| 39 | MA-5 | Maintenance Personnel | CSP includes inherited controls in self-attestation | |
| 40 | MP-1 | Media Protection Policy and Procedures | | |
| 41 | MP-2 | Media Access | CSP includes inherited controls in self-attestation | |
| 42 | MP-6 | Media Sanitization | CSP includes inherited controls in self-attestation | |
| 43 | MP-7 | Media Use | CSP includes inherited controls in self-attestation | |
| 44 | PE-1 | Physical and Environmental Protection Policy and Procedures | | |
| 45 | PE-2 | Physical Access Authorizations | CSP includes inherited controls in self-attestation | |
| 46 | PE-3 | Physical Access Control | CSP includes inherited controls in self-attestation | |
| 47 | PE-6 | Monitoring Physical Access | CSP includes inherited controls in self-attestation | |
| 48 | PE-8 | Visitor Access Records | CSP includes inherited controls in self-attestation | |
| 49 | PE-12 | Emergency Lighting | CSP includes inherited controls in self-attestation | |
| 50 | PE-13 | Fire Protection | CSP includes inherited controls in self-attestation | |
| 51 | PE-14 | Temperature and Humidity Controls | CSP includes inherited controls in self-attestation | |
| 52 | PE-15 | Water Damage Protection | CSP includes inherited controls in self-attestation | |
| 53 | PE-16 | Delivery and Removal | CSP includes inherited controls in self-attestation | |
| 54 | PL-1 | Security Planning Policy and Procedures | | |
| 55 | PL-4 | Rules of Behavior | | |
| 56 | PS-1 | Personnel Security Policy and Procedures | | |
| 57 | PS-4 | Personnel Termination | | |
| 58 | PS-5 | Personnel Transfer | | |
| 59 | PS-6 | Access Agreements | | |
| 60 | PS-7 | Third-Party Personnel Security | Attestation - specifically stating that any third-party security personnel are treated as CSP employees | |
| 61 | PS-8 | Personnel Sanctions | | |
| 62 | RA-1 | Risk Assessment Policy and Procedures | | |
| 63 | SA-1 | System and Services Acquisition Policy and Procedures | | |
| 64 | SA-2 | Allocation of Resources | | |
| 65 | SA-3 | System Development Life Cycle | | |
| 66 | SA-4 | Acquisition Process | | |
| 67 | SA-4 (10) | Acquisition Process: Use of Approved PIV Products | | |
| 68 | SA-5 | Information System Documentation | | |
| 69 | SC-1 | System and Communications Protection Policy and Procedures | | |
| 70 | SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | | |
| 71 | SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | | |
| 72 | SC-22 | Architecture and Provisioning for Name/Address Resolution Service | | |
| 73 | SC-39 | Process Isolation | | |
| 74 | SI-1 | System and Information Integrity Policy and Procedures | | |
| 75 | SI-5 | Security Alerts, Advisories, and Directives | | |
| 76 | SI-12 | Information Handling and Retention | Attestation - specifically related to US-CERT and FedRAMP communications procedures | |

  1. [FedRAMP Tailored Low Impact Software-as-a-Service (LISaaS) Requirements and FedRAMP Tailored Low Impact Software-as-a-Service Template] will be available at www.fedramp.gov.