{"profile":{"uuid":"145f590d-2443-4c34-9ce9-37ccbe88abf9","metadata":{"roles":[{"id":"prepared-by","title":"Document creator"},{"id":"fedramp-pmo","title":"The FedRAMP Program Management Office (PMO)","short-name":"CSP"},{"id":"fedramp-jab","title":"The FedRAMP Joint Authorization Board (JAB)","short-name":"CSP"}],"title":"FedRAMP Rev 4 Tailored Low Impact Software as a Service (LI-SaaS) Baseline","parties":[{"name":"Federal Risk and Authorization Management Program: Program Management Office","type":"organization","uuid":"8cc0b8e5-9650-4d5f-9796-316f05fa9a2d","links":[{"rel":"homepage","href":"https://fedramp.gov"},{"rel":"logo","href":"#a2381e87-3d04-4108-a30b-b4d2f36d001f"},{"rel":"reference","href":"#985475ee-d4d6-4581-8fdf-d84d3d8caa48"},{"rel":"reference","href":"#1a23a771-d481-4594-9a1a-71d584fa4123"}],"addresses":[{"city":"Washington","type":"work","state":"DC","country":"US","addr-lines":["1800 F St. NW"],"postal-code":"20006"}],"short-name":"FedRAMP PMO","email-addresses":["info@fedramp.gov"]},{"name":"Federal Risk and Authorization Management Program: Joint Authorization Board","type":"organization","uuid":"ca9ba80e-1342-4bfd-b32a-abac468c24b4","links":[{"rel":"logo","href":"#a2381e87-3d04-4108-a30b-b4d2f36d001f"}],"short-name":"FedRAMP 
JAB"}],"version":"fedramp1.1.0-oscal1.0.0","published":"2021-02-17T00:00:00.000-04:00","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"a3ace999-7318-46b5-aae7-f2bc16c4632d"}],"last-modified":"2021-06-09T14:28:03.343-04:00","oscal-version":"1.0.0","responsible-parties":[{"role-id":"prepared-by","party-uuids":["8cc0b8e5-9650-4d5f-9796-316f05fa9a2d"]},{"role-id":"fedramp-pmo","party-uuids":["8cc0b8e5-9650-4d5f-9796-316f05fa9a2d"]},{"role-id":"fedramp-jab","party-uuids":["ca9ba80e-1342-4bfd-b32a-abac468c24b4"]}]},"imports":[{"href":"#ad005eae-cc63-4e64-9109-3905a9a825e4","include-controls":[{"with-ids":["ac-1","ac-2","ac-3","ac-7","ac-8","ac-14","ac-17","ac-18","ac-19","ac-20","ac-22","at-1","at-2","at-3","at-4","au-1","au-2","au-3","au-4","au-5","au-6","au-8","au-9","au-11","au-12","ca-1","ca-2","ca-2.1","ca-3","ca-5","ca-6","ca-7","ca-9","cm-1","cm-2","cm-4","cm-6","cm-7","cm-8","cm-10","cm-11","cp-1","cp-2","cp-3","cp-4","cp-9","cp-10","ia-1","ia-2","ia-2.1","ia-2.12","ia-4","ia-5","ia-5.1","ia-5.11","ia-6","ia-7","ia-8","ia-8.1","ia-8.2","ia-8.3","ia-8.4","ir-1","ir-2","ir-4","ir-5","ir-6","ir-7","ir-8","ir-9","ma-1","ma-2","ma-4","ma-5","mp-1","mp-2","mp-6","mp-7","pe-1","pe-2","pe-3","pe-6","pe-8","pe-12","pe-13","pe-14","pe-15","pe-16","pl-1","pl-2","pl-4","ps-1","ps-2","ps-3","ps-4","ps-5","ps-6","ps-7","ps-8","ra-1","ra-2","ra-3","ra-5","sa-1","sa-2","sa-3","sa-4","sa-4.10","sa-5","sa-9","sc-1","sc-5","sc-7","sc-12","sc-13","sc-15","sc-20","sc-21","sc-22","sc-39","si-1","si-2","si-3","si-4","si-5","si-12"]}]}],"merge":{"as-is":true,"combine":{"method":"keep"}},"modify":{"alters":[{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ac-1"},{"adds":[{"by-id":"ac-2_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."}],"position":"starting"},{"by-id":"ac-2_smt","parts":[{"id":"ac-2_fr","name":"item","parts":[{"id":"ac-2_fr_gdn.1","name":"guidance","props":[{"name":"label","value":"Guidance:"}],"prose":"Parts (b), (c), (d), (e), (i), (j), and (k) are excluded from FedRAMP Tailored for LI-SaaS."}],"title":"AC-2 Additional FedRAMP Requirements and Guidance"}],"position":"ending"},{"parts":[{"id":"ac-2_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions."},{"id":"ac-2_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ac-2_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security 
responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ac-2_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for account management on the information system; automated mechanisms for implementing account management."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-id":"ac-2_smt.b"},{"by-id":"ac-2_smt.c"},{"by-id":"ac-2_smt.d"},{"by-id":"ac-2_smt.e"},{"by-id":"ac-2_smt.i"},{"by-id":"ac-2_smt.j"},{"by-id":"ac-2_smt.k"},{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ac-2"},{"adds":[{"by-id":"ac-3_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ac-3_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; list of approved authorizations (user privileges); information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ac-3_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with 
information security responsibilities; and system developers."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ac-3_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ac-3"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ac-7"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"FED - This is related to agency data and agency policy solution."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ac-8"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"FED - This is related to agency data and agency policy solution."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ac-14"},{"adds":[{"by-id":"ac-17_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ac-17_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization authorizes remote access to the information system prior to allowing such connections"},{"id":"ac-17_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Access control policy; procedures addressing remote access implementation and usage (including restrictions); configuration management plan; security plan; information system configuration settings and associated documentation; remote access authorizations; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ac-17_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access connections; system/network administrators; and organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ac-17_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Remote access management capability for the information system."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ac-17"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - All access to Cloud SaaS are via web services and/or API. The device accessed from or whether via wired or wireless connection is out of scope. 
Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1])."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ac-18"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - All access to Cloud SaaS are via web service and/or API. The device accessed from is out of the scope. Regardless of device accessed from, must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2 [1])."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ac-19"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ac-20"},{"adds":[{"by-id":"ac-22_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ac-22_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization designates individuals authorized to post information onto a publicly accessible information system."},{"id":"ac-22_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Access control policy; procedures addressing publicly 
accessible content; list of users authorized to post publicly accessible content on organizational information systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public websites; system audit logs; security awareness training records; other relevant documents or records Interview - Organizational personnel with responsibilities for managing remote access connections; system/network administrators; and organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ac-22_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems; and organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ac-22_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms implementing management of publicly accessible 
content."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ac-22"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"at-1"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"at-2"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"at-3"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"at-4"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"au-1"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"au-2"},{"adds":[{"by-id":"au-3_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"au-3_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system:\n\nGenerates audit records containing 
information that establishes:\n\n* What type of event occurred\n* When the event occurred\n* Where the event occurred\n* The source of the event\n* The outcome of the event\n* The identity of any individuals or subjects associated with the event\n"},{"id":"au-3_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Audit and accountability policy; procedures addressing content of audit records; information system design documentation; information system configuration settings and associated documentation; list of organization-defined auditable events; information system audit records; information system incident reports; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"au-3_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; and system/network administrators."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"au-3_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing of auditable events."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"au-3"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"au-4"},{"adds":[{"by-id":"au-5_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."}],"position":"starting"},{"parts":[{"id":"au-5_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization defines the personnel or roles to be alerted in the event of an audit processing failure."},{"id":"au-5_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Audit and accountability policy; procedures addressing response to audit processing failures; information system design documentation; security plan; information system configuration settings and associated documentation; list of personnel to be notified in case of an audit processing failure; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"au-5_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access connections; system/network administrators; and organizational personnel with information security responsibilities.\n\nOrganizational personnel with audit and accountability responsibilities; organizational personnel with information security responsibilities; and system/network administrators; system developers."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"au-5_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms implementing information system response to audit processing 
failures."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"au-5"},{"adds":[{"by-id":"au-6_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"au-6_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization:\n\n* Defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed.\n* Defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity.\n* Reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency.\n* Defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported.\n* Reports findings to organization-defined personnel or roles.\n"},{"id":"au-6_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Audit and accountability policy; procedures addressing audit review, analysis, and reporting; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"au-6_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities; and organizational personnel with information security 
responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"au-6"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"au-8"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"au-9"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"au-11"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"au-12"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ca-1"},{"adds":[{"by-id":"ca-2_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ca-2_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Develops a security 
assessment plan that describes the scope of the assessment including:\n*     * Security controls and control enhancements under assessment.   * Assessment procedures to be used to determine security control effectiveness.   * Assessment environment.   * Assessment team.   * Assessment roles and responsibilities.  \n* Defines the frequency to assess the security controls in the information system and its environment of operation.\n* Assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements.\n* Produces a security assessment report that documents the results of the assessment.\n* Defines individuals or roles to whom the results of the security control assessment are to be provided.\n* Provides the results of the security control assessment to organization-defined individuals or roles. 
\n"},{"id":"ca-2_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Security assessment and authorization policy; procedures addressing security assessment planning; procedures addressing security assessments; security assessment plan; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ca-2_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities; and organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ca-2_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms supporting security assessment, security assessment plan development, and/or security assessment reporting."}],"props":[{"name":"method","value":"TEST"}]},{"id":"ca-2_fr","name":"item","parts":[{"id":"ca-2_fr_gdn.1","name":"guidance","props":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Annual Assessment Guidance [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/) "}],"title":"CA-2 Additional FedRAMP Requirements and Guidance"}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ca-2"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ca-2.1"},{"adds":[{"by-id":"ca-3_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ca-3_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization:\n\n* Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements.\n* Documents, for each interconnection:\n*     * The interface characteristics;   * The security requirements; and   * The nature of the information communicated.  \n* Defines the frequency to review and update Interconnection Security Agreements.\n* Reviews and updates Interconnection Security Agreements with the organization-defined frequency.\n"},{"id":"ca-3_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Access control policy; procedures addressing information system connections; system and communications protection policy; security plan; information system design documentation; information system configuration settings and associated documentation; list of components or classes of components authorized as system interconnections; security assessment report; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ca-3_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or authorizing system interconnections; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 
4) Identify how the connection is secured."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ca-3"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ca-5"},{"adds":[{"by-id":"ca-6_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ca-6_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Assigns a senior-level executive or manager as the authorizing official for the information system.\n* Ensures that the authorizing official authorizes the information system for processing before commencing operations.\n* Defines the frequency to update the security authorization.\n* Updates the security authorization with the organization-defined frequency.\n"},{"id":"ca-6_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Security assessment and authorization policy; procedures addressing security authorization; security authorization package (including security plan; security assessment report; plan of action and milestones; authorization statement); and other relevant documents or 
records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ca-6_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with security authorization responsibilities; and organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ca-6_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms that facilitate security authorizations and updates."}],"props":[{"name":"method","value":"TEST"}]},{"id":"ca-6_fr","name":"item","parts":[{"id":"ca-6_fr_gdn.1","name":"guidance","props":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the Authorizing Official."}],"title":"CA-6(c) Additional FedRAMP Requirements and Guidance"}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ca-6"},{"adds":[{"by-id":"ca-7_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ca-7_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Develops a continuous monitoring strategy that defines metrics to be monitored.\n* Develops a continuous monitoring strategy that includes monitoring of organization-defined metrics.\n* Implements a continuous monitoring 
program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.\n* Develops a continuous monitoring strategy that defines frequencies for monitoring and defines frequencies for assessments supporting monitoring.\n* Develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring.\n* Implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy.\n* Develops a continuous monitoring strategy that includes ongoing security control assessments.\n* Implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.\n* Develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics.\n* Implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.\n* Develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring.\n* Implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy.\n* Develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information.\n* Implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational 
continuous monitoring strategy.\n* Develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported.\n* Develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles.\n* Develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency.\n* Implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy.\n"},{"id":"ca-7_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Security assessment and authorization policy; procedures addressing continuous monitoring of information system security controls; procedures addressing configuration management; security plan; security assessment report; plan of action and milestones; information system monitoring records; configuration management records, security impact analyses; status reports; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ca-7_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security responsibilities; and system/network administrators."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ca-7_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Mechanisms implementing continuous 
monitoring."}],"props":[{"name":"method","value":"TEST"}]},{"id":"ca-7_fr","name":"item","parts":[{"id":"ca-7_fr_gdn.1","name":"guidance","props":[{"name":"label","value":"Guidance:"}],"prose":"CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates."},{"id":"ca-7_fr_gdn.2","name":"guidance","props":[{"name":"label","value":"Guidance:"}],"prose":"See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Continuous Monitoring Strategy Guide [https://www.fedramp.gov/documents/](https://www.fedramp.gov/documents/) "}],"title":"CA-7 Additional FedRAMP Requirements and Guidance"}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ca-7"},{"adds":[{"by-id":"ca-9_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ca-9_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"}],"prose":"Determine if the organization:\n\n* Defines information system components or classes of components to be authorized as internal connections to the information system.\n* Authorizes internal connections of organization-defined information system components or classes of components to the information system.\n* Documents, for each internal connection:\n    * The interface characteristics;\n    * The security requirements; and\n    * The nature of the information communicated.
\n"},{"id":"ca-9_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Access control policy; procedures addressing information system connections; system and communications protection policy; security plan; information system design documentation; information system configuration settings and associated documentation; list of components or classes of components authorized as internal system connections; security assessment report; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ca-9_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"9.a.2 only: Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 
4) Identify how the connection is secured."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ca-9"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cm-1"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cm-2"},{"adds":[{"by-id":"cm-4_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"cm-4_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"id":"cm-4_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Configuration management policy; procedures addressing security impact analysis for changes to the information system; configuration management plan; security impact analysis documentation; analysis tools and associated outputs; change control records; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"cm-4_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact analysis; organizational personnel with information security responsibilities; and system/network 
administrators."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"cm-4_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for security impact analysis."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cm-4"},{"adds":[{"by-id":"cm-6_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"cm-6_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed.\n* Ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements.\n* Establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists.\n* Implements the configuration settings established/documented in CM-6(a).\n* Defines information system components for which any deviations from established configuration settings must be:\n    * Identified;\n    * Documented; and\n    * Approved.\n* Defines operational requirements to support:\n    * The identification of any deviations from established configuration settings;\n    * The documentation of any deviations from established configuration settings; and\n    * The approval of any deviations from established configuration settings.
\n* Identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements.\n* Approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements.\n* Monitors changes to the configuration settings in accordance with organizational policies and procedures.\n* Controls changes to the configuration settings in accordance with organizational policies and procedures.\n"},{"id":"cm-6_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Configuration management policy; procedures addressing configuration settings for the information system; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; evidence supporting approved deviations from established configuration settings; change control records; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"cm-6_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities; organizational personnel with information security responsibilities; and system/network administrators."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"cm-6_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings; automated mechanisms that implement, monitor, and/or control information system configuration settings; and automated mechanisms that identify and/or document deviations from established configuration settings."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Required - Specifically include 
details of least functionality."},{"id":"cm-6_fr","name":"item","parts":[{"id":"cm-6_fr_smt.1","name":"item","props":[{"name":"label","value":"Requirement 1:"}],"prose":"The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. "},{"id":"cm-6_fr_smt.2","name":"item","props":[{"name":"label","value":"Requirement 2:"}],"prose":"The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) ([http://scap.nist.gov/](http://scap.nist.gov/)) validated or SCAP compatible (if validated checklists are not available)."},{"id":"cm-6_fr_gdn.1","name":"guidance","props":[{"name":"label","value":"Guidance:"}],"prose":"Information on the USGCB checklists can be found at: [https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline](https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline)."}],"title":"CM-6(a) Additional FedRAMP Requirements and Guidance"}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cm-6"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cm-7"},{"adds":[{"by-id":"cm-8_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"cm-8_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the 
organization:\n\n* Develops and documents an inventory of information system components that accurately reflects the current information system.\n* Develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system.\n* Develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.\n* Defines the information deemed necessary to achieve effective information system component accountability.\n* Develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability.\n* Defines the frequency to review and update the information system component inventory.\n* Reviews and updates the information system component inventory with the organization-defined frequency.\n"},{"id":"cm-8_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Configuration management policy; procedures addressing information system component inventory; configuration management plan; security plan; information system inventory records; inventory reviews and update records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"cm-8_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system component inventory; organizational personnel with information security responsibilities; and system/network administrators."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"cm-8_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for developing and documenting an inventory of information system components; automated mechanisms supporting and/or implementing the information system component 
inventory."}],"props":[{"name":"method","value":"TEST"}]},{"id":"cm-8_fr","name":"item","parts":[{"id":"cm-8_fr_smt.1","name":"item","props":[{"name":"label","value":"Requirement:"}],"prose":"Must be provided at least monthly or when there is a change."}],"title":"CM-8 Additional FedRAMP Requirements and Guidance"}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cm-8"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO- Not directly related to protection of the data."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cm-10"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. 
External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cm-11"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cp-1"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cp-2"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cp-3"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cp-4"},{"adds":[{"by-id":"cp-9_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."}],"position":"starting"},{"parts":[{"id":"cp-9_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system.\n* Conducts backups of user-level information contained in the information system with the organization-defined frequency.\n* Defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system.\n* Conducts backups of system-level information contained in the information system with the organization-defined frequency.\n* Defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation.\n* Conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency.\n* Protects the confidentiality, integrity, and availability of backup information at storage locations.\n"},{"id":"cp-9_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Contingency planning policy; procedures addressing information system backup; contingency plan; backup storage location(s);information system backup logs or records; and other relevant documents or 
records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"cp-9_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities; and organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"cp-9_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups; automated mechanisms supporting and/or implementing information system backups."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"},{"by-id":"cp-9_smt","parts":[{"id":"cp-9_fr","name":"item","parts":[{"id":"cp-9_fr_smt.1","name":"item","props":[{"name":"label","value":"Requirement:"}],"prose":"The service provider shall determine what elements of the cloud environment require the Information System Backup control. The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check."},{"id":"cp-9_fr_smt.a","name":"item","props":[{"name":"label","value":"CP-9(a) Requirement:"}],"prose":"The service provider maintains at least three backup copies of user-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.b","name":"item","props":[{"name":"label","value":"CP-9(b) Requirement:"}],"prose":"The service provider maintains at least three backup copies of system-level information (at least one of which is available online)."},{"id":"cp-9_fr_smt.c","name":"item","props":[{"name":"label","value":"CP-9(c) Requirement:"}],"prose":"The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online)."}],"title":"CP-9 Additional FedRAMP Requirements and 
Guidance"}]}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cp-9"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"cp-10"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-1"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-2"},{"adds":[{"by-id":"ia-2.1_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ia-2.1_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization implements multifactor authentication for network access to privileged accounts."},{"id":"ia-2.1_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Identification and authentication policy; procedures addressing user identification and 
authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ia-2.1_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; and system/network administrators; system developer."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ia-2.1_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing multifactor authentication capability."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-2.1"},{"adds":[{"by-id":"ia-2.12_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ia-2.12_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system:\n\n* Accepts PIV credentials.\n* Electronically verifies PIV credentials.\n"},{"id":"ia-2.12_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and 
associated documentation; information system audit records; PIV verification records; evidence of PIV credentials; PIV credential authorizations; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ia-2.12_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; and system developers."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ia-2.12_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. 
The implementation status and details of how this control is implemented must be clearly defined by the CSP."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"},{"by-id":"ia-2.12_smt","parts":[{"id":"ia-2.12_fr","name":"item","parts":[{"id":"ia-2.12_fr_gdn.1","name":"guidance","props":[{"name":"label","value":"Guidance:"}],"prose":"Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12."}],"title":"IA-2 (12) Additional FedRAMP Requirements and Guidance"}]}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-2.12"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-4"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-5"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-5.1"},{"adds":[{"by-id":"ia-5.11_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ia-5.11_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if, for hardware token-based authentication, the organization:\n\n* Defines token quality requirements to be satisfied.\n* Employs mechanisms that satisfy organization-defined token quality 
requirements.\n"},{"id":"ia-5.11_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Identification and authentication policy; procedures addressing authenticator management; security plan; information system design documentation; automated mechanisms employing hardware token-based authentication for the information system; list of token quality requirements; information system configuration settings and associated documentation; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ia-5.11_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators; and system developers."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ia-5.11_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"FED - for Federal privileged users. Condition - Must document and assess for privileged users. 
May attest to this control for non-privileged users."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"},{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-5.11"},{"adds":[{"by-id":"ia-6_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ia-6_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals."},{"id":"ia-6_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Identification and authentication policy; procedures addressing authenticator feedback; information system design documentation; information system configuration settings and associated documentation; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ia-6_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities; system/network administrators; and system developers."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ia-6_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing the obscuring of feedback of authentication information during 
authentication."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-6"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-7"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-8"},{"adds":[{"by-id":"ia-8.1_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ia-8.1_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system:\n\n* Accepts PIV credentials from other agencies.\n* Electronically verifies PIV credentials from other agencies.\n"},{"id":"ia-8.1_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; PIV verification records; evidence of PIV credentials; PIV credential authorizations; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ia-8.1_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities; organizational personnel with 
information security responsibilities; system/network administrators; system developers; and organizational personnel with account management responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ia-8.1_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and authentication capability; automated mechanisms that accept and verify PIV credentials."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-8.1"},{"adds":[{"by-id":"ia-8.2_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ia-8.2_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the information system accepts only FICAM-approved third-party credentials."},{"id":"ia-8.2_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated 
documentation; information system audit records; list of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization; third-party credential verification records; evidence of FICAM-approved third-party credentials; third-party credential authorizations; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ia-8.2_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; and organizational personnel with account management responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ia-8.2_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing identification and authentication capability; automated mechanisms that accept FICAM-approved credentials."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. 
The implementation status and details of how this control is implemented must be clearly defined by the CSP."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-8.2"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-8.3"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ia-8.4"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ir-1"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ir-2"},{"adds":[{"by-id":"ir-4_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ir-4_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Implements an incident handling capability for security incidents that includes:\n*     * Preparation;   * Detection and analysis;   * Containment;   * Eradication; and   * Recovery.  
\n* Coordinates incident handling activities with contingency planning activities.\n* Incorporates lessons learned from ongoing incident handling activities into:\n*     * Incident response procedures;   * Training; and   * Testing/exercises.  \n* Implements the resulting changes accordingly to:\n*     * Incident response procedures;   * Training; and   * Testing/exercises.  \n"},{"id":"ir-4_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Incident response policy; contingency planning policy; procedures addressing incident handling; incident response plan; contingency plan; security plan; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ir-4_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities; organizational personnel with contingency planning responsibilities; and organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ir-4_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Incident handling capability for the organization"}],"props":[{"name":"method","value":"TEST"}]},{"id":"ir-4_fr","name":"item","parts":[{"id":"ir-4_fr_smt.1","name":"item","props":[{"name":"label","value":"Requirement:"}],"prose":"The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system."}],"title":"IR-4 Additional FedRAMP Requirements and 
Guidance"}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ir-4"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ir-5"},{"adds":[{"by-id":"ir-6_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ir-6_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Defines the time period within which personnel report suspected security incidents to the organizational incident response capability.\n* Requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period.\n* Defines authorities to whom security incident information is to be reported.\n* Reports security incident information to organization-defined authorities.\n"},{"id":"ir-6_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Incident response policy; procedures addressing incident reporting; incident reporting records and documentation; incident response plan; security plan; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ir-6_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities; organizational personnel with information security responsibilities; personnel who have/should have reported incidents; and personnel (authorities) 
to whom incident information is to be reported."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ir-6_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for incident reporting; automated mechanisms supporting and/or implementing incident reporting."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"},{"by-id":"ir-6_smt","parts":[{"id":"ir-6_fr","name":"item","parts":[{"id":"ir-6_fr_smt.1","name":"item","props":[{"name":"label","value":"Requirement:"}],"prose":"Report security incident information according to FedRAMP Incident Communications Procedure."}],"title":"IR-6 Additional FedRAMP Requirements and Guidance"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ir-6"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ir-7"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically attest to US-CERT compliance."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ir-8"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically describe information spillage response 
processes."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ir-9"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ma-1"},{"adds":[{"by-id":"ma-2_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ma-2_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* schedules maintenance and repairs on information system components in accordance with manufacturer or vendor specifications; and/or organizational requirements;\n* performs maintenance and repairs on information system components in accordance with manufacturer or vendor specifications; and/or organizational requirements;\n* documents maintenance and repairs on information system components in accordance with manufacturer or vendor specifications; and/or organizational requirements;\n* reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications; and/or organizational requirements;\n* approves all maintenance activities, whether performed on-site or remotely and whether the equipment is serviced on-site or removed to another location;\n* monitors all maintenance activities, whether performed on-site or remotely and whether the equipment is serviced on-site or removed to another location;\n* defines personnel or roles required to explicitly approve the removal of the 
information system or system components from organizational facilities for off-site maintenance or repairs;\n* requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;\n* sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;\n* checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;\n* defines maintenance-related information to be included in organizational maintenance records; and\n* includes organization-defined maintenance-related information in organizational maintenance records.\n"},{"id":"ma-2_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Information system maintenance policy; procedures addressing controlled information system maintenance; maintenance records; manufacturer/vendor maintenance specifications; equipment sanitization records; media sanitization records; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ma-2_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization; system/network administrators."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ma-2_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system; organizational processes for sanitizing information system components; automated mechanisms supporting and/or implementing controlled maintenance; automated mechanisms 
implementing sanitization of information system components."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ma-2"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ma-4"},{"adds":[{"by-id":"ma-5_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ma-5_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* establishes a process for maintenance personnel authorization;\n* maintains a list of authorized maintenance organizations or personnel;\n* ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and\n* designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.\n"},{"id":"ma-5_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Information system maintenance policy; procedures addressing maintenance personnel; service provider contracts; service-level agreements; list of authorized personnel; maintenance records; access control records; other relevant documents or 
records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ma-5_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ma-5_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for authorizing and managing maintenance personnel; automated mechanisms supporting and/or implementing authorization of maintenance personnel."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ma-5"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"mp-1"},{"adds":[{"by-id":"mp-2_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"mp-2_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* defines types of digital and/or non-digital media requiring restricted access;\n* defines personnel or roles authorized to access organization-defined types of digital and/or non-digital media; and\n* restricts access to organization-defined types of digital and/or non-digital media to 
organization-defined personnel or roles.\n"},{"id":"mp-2_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Information system media protection policy; procedures addressing media access restrictions; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control records; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"mp-2_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with information system media protection responsibilities; organizational personnel with information security responsibilities; system/network administrators."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"mp-2_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for restricting information media; automated mechanisms supporting and/or implementing media access restrictions."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"mp-2"},{"adds":[{"by-id":"mp-6_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"mp-6_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* defines information system media to be sanitized prior to:\n*     * disposal;   * release out of 
organizational controls; or   * release for reuse.  \n* defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:\n*     * disposal;   * release out of organizational controls; or   * release for reuse.  \n* sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and\n* employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information.\n"},{"id":"mp-6_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Information system media protection policy; procedures addressing media sanitization and disposal; applicable federal standards and policies addressing media sanitization; media sanitization records; audit records; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"mp-6_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with information system media protection responsibilities; organizational personnel with information security responsibilities; system/network administrators."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"mp-6_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for media sanitization; automated mechanisms supporting and/or implementing media sanitization."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or 
IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"mp-6"},{"adds":[{"by-id":"mp-7_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"mp-7_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* defines types of information system media to be:\n*     * restricted on information systems or system components; or   * prohibited from use on information systems or system components  \n* defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:\n*     * restricted; or   * prohibited.  
\n* defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and,\n* restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards.\n"},{"id":"mp-7_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Information system media protection policy; procedures addressing media sanitization and disposal; applicable federal standards and policies addressing media sanitization; media sanitization records; audit records; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"mp-7_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with information system media protection responsibilities; organizational personnel with information security responsibilities; system/network administrators."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"mp-7_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for media sanitization; automated mechanisms supporting and/or implementing media sanitization."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or 
IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"mp-7"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pe-1"},{"adds":[{"by-id":"pe-2_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"pe-2_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* develops a list of individuals with authorized access to the facility where the information system resides;\n* approves a list of individuals with authorized access to the facility where the information system resides;\n* maintains a list of individuals with authorized access to the facility where the information system resides;\n* issues authorization credentials for facility access;\n* defines the frequency to review the access list detailing authorized facility access by individuals;\n* reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and,\n* removes individuals from the facility access list when access is no longer required.\n"},{"id":"pe-2_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; 
other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"pe-2_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"pe-2_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations; automated mechanisms supporting and/ or implementing physical access authorizations."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pe-2"},{"adds":[{"by-id":"pe-3_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"pe-3_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* defines entry/exit points to the facility where the information system resides;\n* enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by:\n*     * verifying individual access authorizations before granting access to the facility;  \n* enforces physical access authorizations at organization-defined entry/exit points to the 
facility where the information system resides by:\n*     * defining physical access control systems/devices to be employed to control ingress/egress to the facility where the information system resides;   * using one or more of the following ways to control ingress/egress to the facility:   *       * organization-defined physical access control systems/devices; and/or     * guards;    \n* defines entry/exit points for which physical access audit logs are to be maintained;\n* maintains physical access audit logs for organization-defined entry/exit points;\n* defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;\n* provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;\n* defines circumstances requiring visitor:\n*     * escorts; and   * monitoring;  \n* in accordance with organization-defined circumstances requiring visitor escorts and monitoring:\n*     * escorts visitors; and   * monitors visitor activities.  \n* secures keys;\n* secures combinations;\n* secures other physical access devices;\n* defines physical access devices to be inventoried;\n* defines the frequency to inventory organization-defined physical access devices;\n* inventories the organization-defined physical access devices with the organization-defined frequency;\n* defines the frequency to change combinations and keys; and\n* changes combinations and keys with the organization-defined frequency and/or when:\n*     * keys are lost;   * combinations are compromised; or   * individuals are transferred or terminated.  
\n"},{"id":"pe-3_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"pe-3_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"pe-3_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pe-3"},{"adds":[{"by-id":"pe-6_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"pe-6_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* monitors physical access to the facility where the information 
system resides to detect and respond to physical security incidents;\n* defines the frequency to review physical access logs;\n* defines events or potential indication of events requiring physical access logs to be reviewed;\n* reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and\n* coordinates results of reviews and investigations with the organizational incident response capability.\n"},{"id":"pe-6_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"pe-6_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"pe-6_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pe-6"},{"adds":[{"by-id":"pe-8_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must 
fill in this response point."}],"position":"starting"},{"parts":[{"id":"pe-8_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* defines the time period to maintain visitor access records to the facility where the information system resides;\n* maintains visitor access records to the facility where the information system resides for the organization-defined time period;\n* defines the frequency to review visitor access records; and\n* reviews visitor access records with the organization-defined frequency.\n"},{"id":"pe-8_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"pe-8_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"pe-8_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS 
or IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pe-8"},{"adds":[{"by-id":"pe-12_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"pe-12_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption; and\n* employs and maintains automatic emergency lighting for the information system that covers emergency exits and evacuation routes within the facility.\n"},{"id":"pe-12_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"pe-12_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"pe-12_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations; automated mechanisms 
supporting and/or implementing physical access authorizations."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pe-12"},{"adds":[{"by-id":"pe-13_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"pe-13_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and\n* maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.\n"},{"id":"pe-13_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"pe-13_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security 
responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"pe-13_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pe-13"},{"adds":[{"by-id":"pe-14_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"pe-14_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* defines acceptable temperature levels to be maintained within the facility where the information system resides;\n* defines acceptable humidity levels to be maintained within the facility where the information system resides;\n* maintains temperature levels within the facility where the information system resides at the organization-defined levels;\n* maintains humidity levels within the facility where the information system resides at the organization-defined levels;\n* defines the frequency to monitor temperature levels;\n* defines the frequency to monitor humidity levels;\n* monitors temperature levels with the organization-defined frequency; and\n* monitors humidity levels with the organization-defined 
frequency.\n"},{"id":"pe-14_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"pe-14_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"pe-14_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"},{"by-id":"pe-14_smt","parts":[{"id":"pe-14_fr","name":"item","parts":[{"id":"pe-14_fr_smt.a","name":"item","props":[{"name":"label","value":"(a) Requirement:"}],"prose":"The service provider measures temperature at server inlets and humidity levels by dew point."}],"title":"PE-14(a) Additional FedRAMP Requirements and Guidance"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pe-14"},{"adds":[{"by-id":"pe-15_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."}],"position":"starting"},{"parts":[{"id":"pe-15_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:\n*     * accessible;   * working properly; and   * known to key personnel.  \n"},{"id":"pe-15_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"pe-15_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"pe-15_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or 
IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pe-15"},{"adds":[{"by-id":"pe-16_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"pe-16_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;\n* authorizes organization-defined information system components entering the facility;\n* monitors organization-defined information system components entering the facility;\n* controls organization-defined information system components entering the facility;\n* authorizes organization-defined information system components exiting the facility;\n* monitors organization-defined information system components exiting the facility;\n* controls organization-defined information system components exiting the facility;\n* maintains records of information system components entering the facility; and\n* maintains records of information system components exiting the facility.\n"},{"id":"pe-16_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or 
records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"pe-16_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to information system facility; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"pe-16_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pe-16"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pl-1"},{"adds":[{"by-id":"pl-2_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"pl-2_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Develops a security plan for the information system that:\n*     * Is consistent with the organization’s enterprise architecture;   * Explicitly defines the authorization boundary for the system;   * Describes the operational context of the 
information system in terms of missions and business processes;   * Provides the security categorization of the information system including supporting rationale;   * Describes the operational environment for the information system and relationships with or connections to other information systems;   * Provides an overview of the security requirements for the system;   * Identifies any relevant overlays, if applicable;   * Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and   * Is reviewed and approved by the authorizing official or designated representative prior to plan implementation.  \n* Defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated.\n* Distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles.\n* Defines the frequency to review the security plan for the information system.\n* Reviews the security plan for the information system with the organization-defined frequency.\n* Updates the plan to address:\n*     * Changes to the information system/environment of operation;   * Problems identified during plan implementation; and   * Problems identified during security control assessments.  \n* Protects the security plan from unauthorized:\n*     * Disclosure; and   * Modification.  
\n"},{"id":"pl-2_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Security planning policy; procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan for the information system; records of security plan reviews and updates; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"pl-2_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities; and organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"pl-2_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for security plan development/review/update/approval; automated mechanisms supporting the information system security plan."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pl-2"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"pl-4"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ps-1"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"FED"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ps-2"},{"adds":[{"by-id":"ps-3_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."}],"position":"starting"},{"parts":[{"id":"ps-3_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Screens individuals prior to authorizing access to the information system.\n* Defines conditions requiring re-screening.\n* Defines the frequency of re-screening where it is so indicated.\n* Re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening.\n"},{"id":"ps-3_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Personnel security policy; procedures addressing personnel screening; records of screened personnel; security plan; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ps-3_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ps-3_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for personnel 
screening."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ps-3"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ps-4"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ps-5"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ps-6"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically stating that any third-party security personnel are treated as CSP employees."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ps-7"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ps-8"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ra-1"},{"adds":[{"by-id":"ra-2_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ra-2_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Categorizes information and the information system in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n* Documents the security categorization results (including supporting rationale) in the security plan for the information system.\n* Ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.\n"},{"id":"ra-2_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Risk assessment policy; security planning policy and procedures; procedures addressing security categorization of organizational information and information systems; security plan; security categorization documentation; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ra-2_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities; and organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ra-2_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for security categorization."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ra-2"},{"adds":[{"by-id":"ra-3_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."}],"position":"starting"},{"parts":[{"id":"ra-3_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:\n*     * The information system. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:\n*     * The information the system processes, stores, or transmits.  \n* Defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report).\n* Documents risk assessment results in one of the following:\n*     * The security plan;   * The risk assessment report; or   * The organization-defined document.  \n* Reviews risk assessment results with the organization-defined frequency.\n* Defines the frequency to review risk assessment results.\n* Defines personnel or roles to whom risk assessment results are to be disseminated.\n* Disseminates risk assessment results to organization-defined personnel or roles.\n* Defines the frequency to update the risk assessment.\n* Updates the risk assessment:\n*     * With the organization-defined frequency;   * Whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and   * Whenever there are other conditions that may impact the security state of the system.  
\n"},{"id":"ra-3_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; security plan; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ra-3_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities; and organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ra-3_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for risk assessment; automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"},{"by-id":"ra-3_smt","parts":[{"id":"ra-3_fr","name":"item","parts":[{"id":"ra-3_fr_gdn.1","name":"guidance","props":[{"name":"label","value":"Guidance:"}],"prose":"Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F"},{"id":"ra-3_fr_smt.d","name":"item","props":[{"name":"label","value":"RA-3 (d) Requirement:"}],"prose":"Include all Authorizing Officials; for JAB authorizations to include FedRAMP."}],"title":"RA-3 Additional FedRAMP Requirements and Guidance"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ra-3"},{"adds":[{"by-id":"ra-5_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"ra-5_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Defines the frequency for conducting vulnerability scans on the information system and hosted applications.\n* Defines the process for conducting random vulnerability scans on the information system and hosted applications.\n* In accordance with the organization-defined frequency and/or organization-defined process for conducting random scans, scans for vulnerabilities in:\n*     * The information system; and   * Hosted applications.  \n* When new vulnerabilities potentially affecting the system/applications are identified and reported, scans for vulnerabilities in:\n*     * The information system; and   * Hosted applications.  \n* Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:\n*     * Enumerating platforms;   * Enumerating software flaws; and   * Enumerating improper configurations.  \n* Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:\n*     * Formatting checklists; and   * Formatting test procedures.  \n* Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:\n*     * Measuring vulnerability impact.  
\n* Analyzes vulnerability scan reports.\n* Analyzes results from security control assessments.\n* Defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk.\n* Remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk.\n* Defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared.\n* Shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).\n* Shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).\n"},{"id":"ra-5_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; security assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"ra-5_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with vulnerability remediation responsibilities; organizational personnel with information security responsibilities; system/network 
administrators."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"ra-5_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing; automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing."}],"props":[{"name":"method","value":"TEST"}]},{"id":"ra-5_fr_smt.a","name":"item","props":[{"name":"label","value":"RA-5 (a) Requirement:"}],"prose":"An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.","title":"RA-5(a) Additional FedRAMP Requirements and Guidance"},{"id":"ra-5_fr_smt.e","name":"item","props":[{"name":"label","value":"RA-5 (e) Requirement:"}],"prose":"To include all Authorizing Officials; for JAB authorizations to include FedRAMP.","title":"RA-5(e) Additional FedRAMP Requirements and Guidance"}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"},{"by-id":"ra-5_smt","parts":[{"id":"ra-5_fr","name":"item","parts":[{"id":"ra-5_fr_gdn.1","name":"guidance","props":[{"name":"label","value":"Guidance:"}],"prose":"**See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Vulnerability Scanning Requirements** ([https://www.FedRAMP.gov/documents/](https://www.FedRAMP.gov/documents/))"}],"title":"RA-5 Additional FedRAMP Requirements and 
Guidance"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"ra-5"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sa-1"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sa-2"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sa-3"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sa-4"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sa-4.10"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sa-5"},{"adds":[{"by-id":"sa-9_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"sa-9_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Defines security controls to be employed by providers of external information system services.\n* Requires that providers of external information system services comply 
with organizational information security requirements.\n* Requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n* Defines and documents government oversight with regard to external information system services.\n* Defines and documents user roles and responsibilities with regard to external information system services.\n* Defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers.\n* Employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.\n"},{"id":"sa-9_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"System and services acquisition policy; procedures addressing external information system services; procedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services; acquisition contracts, service-level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"sa-9_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities; external providers of information system services; organizational personnel with information security responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"sa-9_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for monitoring security control compliance by external service providers on an ongoing basis; automated mechanisms for 
monitoring security control compliance by external service providers on an ongoing basis."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sa-9"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sc-1"},{"adds":[{"by-id":"sc-5_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"sc-5_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects.\n* Defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks.\n* Protects against or limits the effects of the organization-defined denial of service attacks (or reference to source for such information) by employing organization-defined security safeguards.\n"},{"id":"sc-5_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"System and communications protection policy; procedures addressing denial of service protection; information system design documentation; security plan; list of denial of service attacks requiring employment of security safeguards to protect against or limit effects of such attacks; list of security safeguards protecting against or 
limiting the effects of denial of service attacks; information system configuration settings and associated documentation; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"sc-5_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"System/network administrators; organizational personnel with information security responsibilities; organizational personnel with incident response responsibilities; system developer."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"sc-5_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms protecting against or limiting the effects of denial of service attacks."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: If availability is a requirement, define protections in place as per control requirement."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sc-5"},{"adds":[{"by-id":"sc-7_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"sc-7_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Monitors communications at the external boundary of the information system.\n* Monitors communications at key internal boundaries within the system.\n* Controls communications at the external boundary of the information system.\n* Controls communications at key internal boundaries within the system.\n* Implements 
subnetworks for publicly accessible system components that are either:\n*     * Physically separated from internal organizational networks; and/or   * Logically separated from internal organizational networks.  \n* Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.\n"},{"id":"sc-7_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"System and communications protection policy; procedures addressing boundary protection; list of key internal boundaries of the information system; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; enterprise security architecture documentation; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"sc-7_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"System/network administrators; and organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"sc-7_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sc-7"},{"adds":[{"by-id":"sc-12_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"sc-12_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Defines requirements for cryptographic key:\n*     * Generation;   * Distribution;   * Storage;   * Access; and   * Destruction.  \n* Establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.\n"},{"id":"sc-12_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"System and communications protection policy; procedures addressing cryptographic key establishment and management; information system design documentation; cryptographic mechanisms; information system configuration settings and associated documentation; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"sc-12_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"System/network administrators; organizational personnel with information security responsibilities; and organizational personnel with responsibilities for cryptographic key establishment and/or management."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"sc-12_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or implementing cryptographic key establishment and management."}],"props":[{"name":"method","value":"TEST"}]},{"id":"sc-12_fr","name":"item","parts":[{"id":"sc-12_fr_gdn.1","name":"guidance","props":[{"name":"label","value":"Guidance:"}],"prose":"Federally approved cryptography."}],"title":"SC-12 Additional FedRAMP Requirements and 
Guidance"}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sc-12"},{"adds":[{"by-id":"sc-13_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"sc-13_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Defines cryptographic uses.\n* Defines the type of cryptography required for each use.\n* Implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n"},{"id":"sc-13_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"System and communications protection policy; procedures addressing cryptographic protection; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; list of FIPS validated cryptographic modules; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"sc-13_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"System/network administrators; organizational personnel with information security responsibilities; system developer; and organizational personnel with responsibilities for cryptographic protection."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"sc-13_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Automated mechanisms supporting and/or 
implementing cryptographic protection."}],"props":[{"name":"method","value":"TEST"}]},{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Condition: If implementing cryptographic protection, detail how the control requirement is met or not met."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"CONDITIONAL"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sc-13"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"NSO - Not directly related to the security of the SaaS."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"NSO"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sc-15"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sc-20"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sc-21"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sc-22"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"sc-39"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"si-1"},{"adds":[{"by-id":"si-2_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response 
point."}],"position":"starting"},{"parts":[{"id":"si-2_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Identifies information system flaws.\n* Reports information system flaws.\n* Corrects information system flaws.\n* Tests software updates related to flaw remediation for effectiveness and potential side effects before installation.\n* Tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation.\n* Defines the time period within which to install security-relevant software updates after the release of the updates.\n* Defines the time period within which to install security-relevant firmware updates after the release of the updates.\n* Installs software updates within the organization-defined time period of the release of the updates.\n* Installs firmware updates within the organization-defined time period of the release of the updates.\n* Incorporates flaw remediation into the organizational configuration management process.\n"},{"id":"si-2_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"System and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; list of flaws and vulnerabilities potentially affecting the information system; list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws); test results from the installation of software and firmware updates to correct information system flaws; installation/change control records for security-relevant software and firmware updates; and 
other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"si-2_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for flaw remediation; and organizational personnel with configuration management responsibility."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"si-2_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information system flaws; organizational process for installing software and firmware updates; automated mechanisms supporting and/or implementing reporting, and correcting information system flaws; and automated mechanisms supporting and/or implementing testing software and firmware updates."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"si-2"},{"adds":[{"by-id":"si-3_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"si-3_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Employs malicious code protection mechanisms to detect and eradicate malicious code at information system:\n*     * Entry points; and   * Exit points.  
\n* Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1).\n* Defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system.\n* Defines action to be initiated by malicious protection mechanisms in response to malicious code detection.\n* Configures malicious code protection mechanisms to:\n*     * Perform periodic scans of the information system with the organization-defined frequency;   * Perform real-time scans of files from external sources at endpoint and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy.  \n* Configures malicious code protection mechanisms to do one or more of the following:\n*     * Block malicious code in response to malicious code detection;   * Quarantine malicious code in response to malicious code detection;   * Send alert to administrator in response to malicious code detection; and/or   * Initiate organization-defined action in response to malicious code detection.  
\n* Addresses the receipt of false positives during malicious code detection and eradication.\n* Addresses the resulting potential impact on the availability of the information system.\n"},{"id":"si-3_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; information system design documentation; information system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; information system audit records; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"si-3_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection; and organizational personnel with configuration management responsibility."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"si-3_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; automated mechanisms supporting and/or implementing employing, updating, and configuring malicious code protection mechanisms; automated mechanisms supporting and/or implementing malicious code scanning and subsequent 
actions."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"si-3"},{"adds":[{"by-id":"si-4_smt","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."}],"position":"starting"},{"parts":[{"id":"si-4_obj_fr","name":"objective","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"response-point","value":"You must fill in this response point."},{"name":"method","class":"fedramp","value":"EXAMINE"},{"name":"method","class":"fedramp","value":"INTERVIEW"},{"name":"method","class":"fedramp","value":"TEST"}],"prose":"Determine if the organization:\n\n* Defines monitoring objectives to detect attacks and indicators of potential attacks on the information system.\n* Monitors the information system to detect, in accordance with organization-defined monitoring objectives:\n*     * Attacks; and/or   * Indicators of potential attacks.  \n* Monitors the information system to detect unauthorized:\n*     * Local connections;   * Network connections; and/or   * Remote connections.  \n* Defines techniques and methods to identify unauthorized use of the information system.\n* Identifies unauthorized use of the information system through organization-defined techniques and methods.\n* Deploys monitoring devices:\n*     * Strategically within the information system to collect organization-determined essential information.   * At ad hoc locations within the system to track specific types of transactions of interest to the organization.  \n* Protects information obtained from intrusion-monitoring tools from unauthorized:\n*     * Access;   * Modification; and/or   * Deletion.  
\n* Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.\n* Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.\n* Defines personnel or roles to whom information system monitoring information is to be provided.\n* Defines information system monitoring information to be provided to organization-defined personnel or roles.\n* Defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles.\n* Provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:\n*     * As needed; and/or   * With the organization-defined frequency.  
\n"},{"id":"si-4_asmt_fr.1","name":"assess","parts":[{"name":"objects","prose":"Continuous monitoring strategy; system and information integrity policy; procedures addressing information system monitoring tools and techniques; facility diagram/layout; information system design documentation; information system monitoring tools and techniques documentation; locations within information system where monitoring devices are deployed; information system configuration settings and associated documentation; and other relevant documents or records."}],"props":[{"name":"method","value":"EXAMINE"}]},{"id":"si-4_asmt_fr.2","name":"assess","parts":[{"name":"objects","prose":"System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; and organizational personnel with responsibility for monitoring the information system."}],"props":[{"name":"method","value":"INTERVIEW"}]},{"id":"si-4_asmt_fr.3","name":"assess","parts":[{"name":"objects","prose":"Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing information system monitoring capability."}],"props":[{"name":"method","value":"TEST"}]}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ASSESS"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"si-4"},{"adds":[{"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"si-5"},{"adds":[{"parts":[{"name":"guidance","class":"FedRAMP-Tailored-LI-SaaS","prose":"Attestation - Specifically related to US-CERT and FedRAMP communications 
procedures."}],"props":[{"name":"method","class":"FedRAMP-Tailored-LI-SaaS","value":"ATTEST"}],"position":"ending"}],"removes":[{"by-name":"objective"},{"by-name":"assessment"}],"control-id":"si-12"}],"set-parameters":[{"param-id":"ac-22_prm_1","constraints":[{"description":"at least quarterly"}]},{"param-id":"au-5_prm_2","constraints":[{"description":"organization-defined actions to be taken (overwrite oldest record)"}]},{"param-id":"au-6_prm_1","constraints":[{"description":"at least weekly"}]},{"param-id":"ca-2_prm_1","constraints":[{"description":"at least annually"}]},{"param-id":"ca-2_prm_2","constraints":[{"description":"individuals or roles to include FedRAMP PMO"}]},{"param-id":"ca-3_prm_1","constraints":[{"description":"at least annually and on input from FedRAMP"}]},{"param-id":"ca-5_prm_1","constraints":[{"description":"at least monthly"}]},{"param-id":"ca-6_prm_1","constraints":[{"description":"at least every three years or when a significant change occurs"}]},{"param-id":"ca-7_prm_4","constraints":[{"description":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},{"param-id":"ca-7_prm_5","constraints":[{"description":"to meet Federal and FedRAMP requirements (See additional guidance)"}]},{"param-id":"cm-6_prm_1","constraints":[{"description":"see CM-6(a) Additional FedRAMP Requirements and Guidance"}]},{"param-id":"cm-8_prm_2","constraints":[{"description":"at least monthly"}]},{"param-id":"cp-9_prm_1","constraints":[{"description":"daily incremental; weekly full"}]},{"param-id":"cp-9_prm_2","constraints":[{"description":"daily incremental; weekly full"}]},{"param-id":"cp-9_prm_3","constraints":[{"description":"daily incremental; weekly full"}]},{"param-id":"ir-6_prm_1","constraints":[{"description":"US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"}]},{"param-id":"pe-2_prm_1","constraints":[{"description":"at least 
annually"}]},{"param-id":"pe-3_prm_2","constraints":[{"description":"CSP-defined physical access control systems/devices AND guards"}]},{"param-id":"pe-3_prm_6","constraints":[{"description":"in all circumstances within the restricted access area where the information system resides"}]},{"param-id":"pe-3_prm_8","constraints":[{"description":"at least annually"}]},{"param-id":"pe-3_prm_9","constraints":[{"description":"at least annually"}]},{"param-id":"pe-6_prm_1","constraints":[{"description":"at least monthly"}]},{"param-id":"pe-8_prm_1","constraints":[{"description":"for a minimum of one (1) year"}]},{"param-id":"pe-8_prm_2","constraints":[{"description":"at least monthly"}]},{"param-id":"pe-14_prm_1","constraints":[{"description":"consistent with the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"}]},{"param-id":"pe-14_prm_2","constraints":[{"description":"continuously"}]},{"param-id":"pe-16_prm_1","constraints":[{"description":"all information system components"}]},{"param-id":"pl-2_prm_2","constraints":[{"description":"at least annually"}]},{"param-id":"ps-3_prm_1","constraints":[{"description":"For national security clearances, a reinvestigation is required during the 5th year for a top secret security clearance, the 10th year for a secret security clearance, and the 15th year for a confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. 
There is no reinvestigation for other moderate risk positions or any low risk positions."}]},{"param-id":"ra-3_prm_2","constraints":[{"description":"security assessment report"}]},{"param-id":"ra-3_prm_3","constraints":[{"description":"at least every three (3) years or when a significant change occurs"}]},{"param-id":"ra-3_prm_5","constraints":[{"description":"at least every three (3) years or when a significant change occurs"}]},{"param-id":"ra-5_prm_1","constraints":[{"description":"monthly operating system/infrastructure; monthly web applications and databases"}]},{"param-id":"ra-5_prm_2","constraints":[{"description":"high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low-risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery."}]},{"param-id":"sa-9_prm_1","constraints":[{"description":"FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system"}]},{"param-id":"sa-9_prm_2","constraints":[{"description":"Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored"}]},{"param-id":"sc-13_prm_1","constraints":[{"description":"FIPS-validated or NSA-approved cryptography"}]},{"param-id":"si-2_prm_1","constraints":[{"description":"within 30 days of release of updates"}]},{"param-id":"si-3_prm_1","constraints":[{"description":"at least weekly"}]},{"param-id":"si-3_prm_2","constraints":[{"description":"to include endpoints"}]},{"param-id":"si-3_prm_3","constraints":[{"description":"to include alerting an administrator or defined security personnel"}]}]},"back-matter":{"resources":[{"uuid":"985475ee-d4d6-4581-8fdf-d84d3d8caa48","title":"FedRAMP Applicable Laws and 
Regulations","rlinks":[{"href":"https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"}]},{"uuid":"1a23a771-d481-4594-9a1a-71d584fa4123","title":"FedRAMP Master Acronym and Glossary","rlinks":[{"href":"https://www.fedramp.gov/assets/resources/documents/FedRAMP_Master_Acronym_and_Glossary.pdf"}]},{"uuid":"a2381e87-3d04-4108-a30b-b4d2f36d001f","props":[{"name":"type","value":"logo"}],"rlinks":[{"href":"https://www.fedramp.gov/assets/img/logo-main-fedramp.png"}],"description":"FedRAMP Logo"},{"uuid":"ad005eae-cc63-4e64-9109-3905a9a825e4","props":[{"name":"version","value":"Revision 4"}],"title":"NIST Special Publication (SP) 800-53","rlinks":[{"href":"https://raw.githubusercontent.com/usnistgov/oscal-content/v1.0.0/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml","media-type":"application/xml"},{"href":"https://raw.githubusercontent.com/usnistgov/oscal-content/v1.0.0/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json","media-type":"application/oscal.catalog+json"},{"href":"https://raw.githubusercontent.com/usnistgov/oscal-content/v1.0.0/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_catalog.yaml","media-type":"application/oscal.catalog+yaml"}]}]}}}