{"catalog":{"uuid":"42cd2b51-6f41-4321-88b4-1fd5c4d03ec5","metadata":{"links":[{"rel":"source-profile","href":"https://api.dev.comply0.com/v1/profiles/1edafd48-2356-4356-bf6b-3a51a6934606"}],"props":[{"name":"resolution-tool","value":"Comply0"}],"title":"FedRAMP 20x Moderate Resolved","version":"2026-3-9","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"98ca664f-9644-426c-91b6-fdfb1a620b1f"}],"last-modified":"2025-12-16T22:46:02.934Z","oscal-version":"1.1.3"},"groups":[{"id":"FRR","props":[{"name":"sort-id","value":"00"}],"title":"Requirements","groups":[{"id":"FRR-PVA","parts":[{"name":"overview","prose":"These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services and those seeking authorization based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Persistent Validation and Assessment","controls":[{"id":"FRR-PVA-01","parts":[{"id":"FRR-PVA-01_smt","name":"statement","parts":[{"id":"FRR-PVA-01_smt_01","name":"item","prose":"Providers MUST *persistently* perform validation of their Key Security Indicators following the processes and cycles documented for their *cloud service offering* per FRR-KSI-02; this process is called *persistent validation* and is part of *vulnerability detection*."}]}],"props":[{"name":"label","value":"FRR-PVA-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Persistent 
Validation"},{"id":"FRR-PVA-02","parts":[{"id":"FRR-PVA-02_smt","name":"statement","parts":[{"id":"FRR-PVA-02_smt_01","name":"item","prose":"Providers MUST treat failures detected during *persistent validation* and failures of the *persistent validation* process as *vulnerabilities*, then follow the requirements and recommendations in the FedRAMP Vulnerability Detection and Response process for such findings."}]}],"props":[{"name":"label","value":"FRR-PVA-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Failures As Vulnerabilities"},{"id":"FRR-PVA-03","parts":[{"id":"FRR-PVA-03_smt","name":"statement","parts":[{"id":"FRR-PVA-03_smt_01","name":"item","prose":"Providers MUST include *persistent validation* activity in the reports on *vulnerability detection* and *response* activity required by the FedRAMP Vulnerability Detection and Response process."}]}],"props":[{"name":"label","value":"FRR-PVA-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Report Persistent Validation"},{"id":"FRR-PVA-04","parts":[{"id":"FRR-PVA-04_smt","name":"statement","parts":[{"id":"FRR-PVA-04_smt_01","name":"item","prose":"Providers MUST track *significant changes* that impact their Key Security Indicator goals and *validation* 
processes while following the requirements and recommendations in the FedRAMP Significant Change Notification process; if such *significant changes* are not properly tracked and supplied to *all necessary assessors* then a full *Initial FedRAMP Assessment* may be required in place of the expected *Persistent FedRAMP Assessment*."}]}],"props":[{"name":"label","value":"FRR-PVA-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Track Significant Changes"},{"id":"FRR-PVA-05","parts":[{"id":"FRR-PVA-05_smt","name":"statement","parts":[{"id":"FRR-PVA-05_smt_01","name":"item","prose":"Providers MUST have the implementation of their goals and validation processes assessed by a FedRAMP-recognized independent assessor OR by FedRAMP directly AND MUST include the results of this assessment in their *authorization data* without modification."}]},{"name":"guidance","prose":"- The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council. 
During 20x Phase Two this includes AI services that meet certain criteria as shown at https://fedramp.gov/ai.\n- FedRAMP recognized assessors are listed on the FedRAMP Marketplace."}],"props":[{"name":"label","value":"FRR-PVA-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Independent Assessment"},{"id":"FRR-PVA-06","parts":[{"id":"FRR-PVA-06_smt","name":"statement","parts":[{"id":"FRR-PVA-06_smt_01","name":"item","prose":"Providers MUST ensure a complete assessment of *validation* procedures (including underlying code, pipelines, configurations, automation tools, etc.) for the *cloud service offering* by *all necessary assessors*."}]}],"props":[{"name":"label","value":"FRR-PVA-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Complete Validation Assessment"},{"id":"FRR-PVA-07","parts":[{"id":"FRR-PVA-07_smt","name":"statement","parts":[{"id":"FRR-PVA-07_smt_01","name":"item","prose":"Providers SHOULD provide technical explanations, demonstrations, and other relevant supporting information to *all necessary assessors* for the technical capabilities they employ to meet Key Security Indicators and to provide 
*validation*."}]}],"props":[{"name":"label","value":"FRR-PVA-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Provide Technical Evidence"},{"id":"FRR-PVA-08","parts":[{"id":"FRR-PVA-08_smt","name":"statement","parts":[{"id":"FRR-PVA-08_smt_01","name":"item","prose":"Providers MAY ask for and accept advice from their assessor during assessment regarding techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their *validation* and reporting procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also FRR-PVA-09)."}]},{"name":"guidance","prose":"The related A2LA requirements are waived for FedRAMP 20x Phase Two assessments."}],"props":[{"name":"label","value":"FRR-PVA-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Receiving Assessor Advice"},{"id":"FRR-PVA-09","parts":[{"id":"FRR-PVA-09_smt","name":"statement","parts":[{"id":"FRR-PVA-09_smt_01","name":"item","prose":"Assessors MAY share advice with providers they are assessing about techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their *validation* and reporting 
procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also FRR-PVA-08)."}]}],"props":[{"name":"label","value":"FRR-PVA-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Assessors May Advise"},{"id":"FRR-PVA-10","parts":[{"id":"FRR-PVA-10_smt","name":"statement","parts":[{"id":"FRR-PVA-10_smt_01","name":"item","prose":"Assessors MUST evaluate the underlying processes (both *machine-based* and non-*machine-based* ) that providers use to *validate* Key Security Indicators; this evaluation should include at least:"},{"id":"FRR-PVA-10_smt_02","name":"item","prose":"- The effectiveness, completeness, and integrity of the automated processes that perform validation of the *cloud service offering's* security posture.\n- The effectiveness, completeness, and integrity of the human processes that perform *validation* of the *cloud service offering's* security posture\n- The coverage of these processes within the *cloud service offering* , including if all of the consolidated *information resources* listed are being *validated*."}]}],"props":[{"name":"label","value":"FRR-PVA-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Evaluate Validation 
Processes"},{"id":"FRR-PVA-11","parts":[{"id":"FRR-PVA-11_smt","name":"statement","parts":[{"id":"FRR-PVA-11_smt_01","name":"item","prose":"Assessors MUST evaluate the implementation of processes derived from Key Security Indicators to determine whether or not the provider has accurately documented their process and goals."}]}],"props":[{"name":"label","value":"FRR-PVA-11"},{"name":"sort-id","value":"011"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Assess Process Implementation"},{"id":"FRR-PVA-12","parts":[{"id":"FRR-PVA-12_smt","name":"statement","parts":[{"id":"FRR-PVA-12_smt_01","name":"item","prose":"Assessors MUST evaluate whether or not the underlying processes are consistently creating the desired security outcome documented by the provider."}]}],"props":[{"name":"label","value":"FRR-PVA-12"},{"name":"sort-id","value":"012"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Assess Outcome Consistency"},{"id":"FRR-PVA-13","parts":[{"id":"FRR-PVA-13_smt","name":"statement","parts":[{"id":"FRR-PVA-13_smt_01","name":"item","prose":"Assessors MUST perform evaluation using a combination of quantitative and expert qualitative assessment as appropriate AND document which is applied to which aspect of the 
assessment."}]}],"props":[{"name":"label","value":"FRR-PVA-13"},{"name":"sort-id","value":"013"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Mixed Methods Evaluation"},{"id":"FRR-PVA-14","parts":[{"id":"FRR-PVA-14_smt","name":"statement","parts":[{"id":"FRR-PVA-14_smt_01","name":"item","prose":"Assessors SHOULD engage provider experts in discussion to understand the decisions made by the provider and inform expert qualitative assessment, and SHOULD perform independent research to test such information as part of the expert qualitative assessment process."}]}],"props":[{"name":"label","value":"FRR-PVA-14"},{"name":"sort-id","value":"014"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Engage Provider Experts"},{"id":"FRR-PVA-15","parts":[{"id":"FRR-PVA-15_smt","name":"statement","parts":[{"id":"FRR-PVA-15_smt_01","name":"item","prose":"Assessors MUST NOT rely on screenshots, configuration dumps, or other static output as evidence EXCEPT when evaluating the accuracy and reliability of a process that generates such 
artifacts."}]}],"props":[{"name":"label","value":"FRR-PVA-15"},{"name":"sort-id","value":"015"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Avoid Static Evidence"},{"id":"FRR-PVA-16","parts":[{"id":"FRR-PVA-16_smt","name":"statement","parts":[{"id":"FRR-PVA-16_smt_01","name":"item","prose":"Assessors MUST assess whether or not procedures are consistently followed, including the processes in place to ensure this occurs, without relying solely on the existence of a procedure document for assessing if appropriate processes and procedures are in place."}]},{"name":"guidance","prose":"Note: This includes evaluating tests or plans for activities that may occur in the future but have not yet occurred."}],"props":[{"name":"label","value":"FRR-PVA-16"},{"name":"sort-id","value":"016"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Verify Procedure Adherence"},{"id":"FRR-PVA-17","parts":[{"id":"FRR-PVA-17_smt","name":"statement","parts":[{"id":"FRR-PVA-17_smt_01","name":"item","prose":"Assessors MUST deliver a high-level summary of their assessment process and findings for each Key Security Indicator; this summary will be included in the *authorization data* for the *cloud service 
offering*."}]}],"props":[{"name":"label","value":"FRR-PVA-17"},{"name":"sort-id","value":"017"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Deliver Assessment Summary"},{"id":"FRR-PVA-18","parts":[{"id":"FRR-PVA-18_smt","name":"statement","parts":[{"id":"FRR-PVA-18_smt_01","name":"item","prose":"Assessors MUST NOT deliver an overall recommendation on whether or not the *cloud service offering* meets the requirements for FedRAMP authorization."}]},{"name":"guidance","prose":"FedRAMP will make the final authorization decision based on the assessor's findings and other relevant information."}],"props":[{"name":"label","value":"FRR-PVA-18"},{"name":"sort-id","value":"018"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"No Overall Recommendation"}]},{"id":"FRR-PVA-TF-MO","parts":[{"name":"overview","prose":"This section provides guidance on timeframes that apply specifically to FedRAMP Moderate authorizations for activities required or recommended in this document; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins."}],"props":[{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"timeframe-moderate"}],"title":"Persistent Validation and Assessment (Timeframe 
Moderate)","controls":[{"id":"FRR-PVA-TF-MO-01","parts":[{"id":"FRR-PVA-TF-MO-01_smt","name":"statement","parts":[{"id":"FRR-PVA-TF-MO-01_smt_01","name":"item","prose":"Providers MUST complete the *validation* processes for Key Security Indicators of non-*machine-based* *information resources* at least once every 3 months."}]}],"props":[{"name":"label","value":"FRR-PVA-TF-MO-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Quarterly Non-Machine Validation"},{"id":"FRR-PVA-TF-LM-02","parts":[{"id":"FRR-PVA-TF-LM-02_smt","name":"statement","parts":[{"id":"FRR-PVA-TF-LM-02_smt_01","name":"item","prose":"Providers MUST complete the *validation* processes for Key Security Indicators of *machine-based* *information resources* at least once every 3 days."}]}],"props":[{"name":"label","value":"FRR-PVA-TF-LM-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"3-Day Machine Validation"}]},{"id":"FRR-RSC","parts":[{"name":"overview","prose":"These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Recommended Secure Configuration","controls":[{"id":"FRR-RSC-01","parts":[{"id":"FRR-RSC-01_smt","name":"statement","parts":[{"id":"FRR-RSC-01_smt_01","name":"item","prose":"Providers MUST create and maintain guidance that includes instructions on how to securely access, configure, operate, 
and decommission *top-level administrative accounts* that control enterprise access to the entire *cloud service offering*."}]},{"name":"guidance","prose":"This guidance should explain how *top-level administrative accounts* are named and referred to in the *cloud service offering*."}],"props":[{"name":"label","value":"FRR-RSC-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Top-Level Administrative Accounts Guidance"},{"id":"FRR-RSC-02","parts":[{"id":"FRR-RSC-02_smt","name":"statement","parts":[{"id":"FRR-RSC-02_smt_01","name":"item","prose":"Providers MUST create and maintain guidance that explains security-related settings that can be operated only by *top-level administrative accounts* and their security implications."}]}],"props":[{"name":"label","value":"FRR-RSC-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Top-Level Administrative Accounts Security Settings Guidance"},{"id":"FRR-RSC-03","parts":[{"id":"FRR-RSC-03_smt","name":"statement","parts":[{"id":"FRR-RSC-03_smt_01","name":"item","prose":"Providers SHOULD create and maintain guidance that explains security-related settings that can be operated only by *privileged accounts* and their security 
implications."}]}],"props":[{"name":"label","value":"FRR-RSC-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Privileged Accounts Security Settings Guidance"},{"id":"FRR-RSC-04","parts":[{"id":"FRR-RSC-04_smt","name":"statement","parts":[{"id":"FRR-RSC-04_smt_01","name":"item","prose":"Providers SHOULD set all settings to their recommended secure defaults for *top-level administrative accounts* and *privileged accounts* when initially provisioned."}]}],"props":[{"name":"label","value":"FRR-RSC-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Secure Defaults on Provisioning"},{"id":"FRR-RSC-05","parts":[{"id":"FRR-RSC-05_smt","name":"statement","parts":[{"id":"FRR-RSC-05_smt_01","name":"item","prose":"Providers SHOULD offer the capability to compare all current settings for *top-level administrative accounts* and *privileged accounts* to the recommended secure 
defaults."}]}],"props":[{"name":"label","value":"FRR-RSC-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Comparison Capability"},{"id":"FRR-RSC-06","parts":[{"id":"FRR-RSC-06_smt","name":"statement","parts":[{"id":"FRR-RSC-06_smt_01","name":"item","prose":"Providers SHOULD offer the capability to export all security settings in a *machine-readable* format."}]}],"props":[{"name":"label","value":"FRR-RSC-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Export Capability"},{"id":"FRR-RSC-07","parts":[{"id":"FRR-RSC-07_smt","name":"statement","parts":[{"id":"FRR-RSC-07_smt_01","name":"item","prose":"Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability."}]}],"props":[{"name":"label","value":"FRR-RSC-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"API 
Capability"},{"id":"FRR-RSC-08","parts":[{"id":"FRR-RSC-08_smt","name":"statement","parts":[{"id":"FRR-RSC-08_smt_01","name":"item","prose":"Providers SHOULD provide recommended secure configuration guidance in a *machine-readable* format that can be used by customers or third-party tools to compare against current settings."}]}],"props":[{"name":"label","value":"FRR-RSC-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Machine-Readable Guidance"},{"id":"FRR-RSC-09","parts":[{"id":"FRR-RSC-09_smt","name":"statement","parts":[{"id":"FRR-RSC-09_smt_01","name":"item","prose":"Providers SHOULD make recommended secure configuration guidance available publicly."}]}],"props":[{"name":"label","value":"FRR-RSC-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Publish Guidance"},{"id":"FRR-RSC-10","parts":[{"id":"FRR-RSC-10_smt","name":"statement","parts":[{"id":"FRR-RSC-10_smt_01","name":"item","prose":"Providers SHOULD provide versioning and a release history for recommended secure default settings for *top-level administrative accounts* and *privileged accounts* as they are adjusted over 
time."}]}],"props":[{"name":"label","value":"FRR-RSC-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Versioning and Release History"}]},{"id":"FRR-UCM","parts":[{"name":"overview","prose":"These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Using Cryptographic Modules","controls":[{"id":"FRR-UCM-01","parts":[{"id":"FRR-UCM-01_smt","name":"statement","parts":[{"id":"FRR-UCM-01_smt_01","name":"item","prose":"Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect *federal customer data*, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules."}]}],"props":[{"name":"label","value":"FRR-UCM-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Cryptographic Module 
Documentation"},{"id":"FRR-UCM-02","parts":[{"id":"FRR-UCM-02_smt","name":"statement","parts":[{"id":"FRR-UCM-02_smt_01","name":"item","prose":"Providers SHOULD configure *agency* tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available."}]}],"props":[{"name":"label","value":"FRR-UCM-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Use of Validated Cryptographic Modules"},{"id":"FRR-UCM-03","parts":[{"id":"FRR-UCM-03_smt","name":"statement","parts":[{"id":"FRR-UCM-03_smt_01","name":"item","prose":"Providers SHOULD use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect *federal customer data*."}]}],"props":[{"name":"label","value":"FRR-UCM-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Update Streams (Moderate)"}]},{"id":"FRR-ADS","parts":[{"name":"overview","prose":"These requirements apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this 
document."}],"props":[{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Authorization Data Sharing","controls":[{"id":"FRR-ADS-01","parts":[{"id":"FRR-ADS-01_smt","name":"statement","parts":[{"id":"FRR-ADS-01_smt_01","name":"item","prose":"Providers MUST publicly share up-to-date information about the *cloud service offering* in both human-readable and *machine-readable* formats, including at least:"},{"id":"FRR-ADS-01_smt_02","name":"item","prose":"- Direct link to the FedRAMP Marketplace for the offering\n- Service Model\n- Deployment Model\n- Business Category\n- UEI Number\n- Contact Information\n- Overall Service Description\n- Detailed list of specific services and their impact levels (see FRR-ADS-03)\n- Summary of customer responsibilities and secure configuration guidance\n- Process for accessing information in the *trust center* (if applicable)\n- Availability status and recent disruptions for the *trust center* (if applicable)\n- Customer support information for the *trust center* (if applicable)"}]}],"props":[{"name":"label","value":"FRR-ADS-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Public Information"},{"id":"FRR-ADS-02","parts":[{"id":"FRR-ADS-02_smt","name":"statement","parts":[{"id":"FRR-ADS-02_smt_01","name":"item","prose":"Providers MUST use automation to ensure information remains consistent between human-readable and *machine-readable* formats when *authorization data* is provided in both formats; Providers SHOULD generate human-readable and *machine-readable* data from the same source at the same 
time OR generate human-readable formats directly from *machine-readable* data."}]}],"props":[{"name":"label","value":"FRR-ADS-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Consistency Between Formats"},{"id":"FRR-ADS-03","parts":[{"id":"FRR-ADS-03_smt","name":"statement","parts":[{"id":"FRR-ADS-03_smt_01","name":"item","prose":"Providers MUST share a detailed list of specific services and their impact levels that are included in the *cloud service offering* using clear feature or service names that align with standard public marketing materials; this list MUST be complete enough for a potential customer to determine which services are and are not included in the FedRAMP authorization without requesting access to underlying *authorization data*."}]}],"props":[{"name":"label","value":"FRR-ADS-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Detailed Service List"},{"id":"FRR-ADS-04","parts":[{"id":"FRR-ADS-04_smt","name":"statement","parts":[{"id":"FRR-ADS-04_smt_01","name":"item","prose":"Providers MUST share *authorization data* with all necessary parties without interruption, including at least FedRAMP, CISA, and agency 
customers."}]}],"props":[{"name":"label","value":"FRR-ADS-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Uninterrupted Sharing"},{"id":"FRR-ADS-05","parts":[{"id":"FRR-ADS-05_smt","name":"statement","parts":[{"id":"FRR-ADS-05_smt_01","name":"item","prose":"Providers MUST provide sufficient information in *authorization data* to support authorization decisions but SHOULD NOT include sensitive information that would *likely* enable a threat actor to gain unauthorized access, cause harm, disrupt operations, or otherwise have a negative adverse impact on the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-ADS-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Responsible Information Sharing"},{"id":"FRR-ADS-06","parts":[{"id":"FRR-ADS-06_smt","name":"statement","parts":[{"id":"FRR-ADS-06_smt_01","name":"item","prose":"Providers of FedRAMP Rev5 Authorized *cloud service offerings* MUST share *authorization data* via the USDA Connect Community Portal UNLESS they use a FedRAMP-compatible *trust 
center*."}]}],"props":[{"name":"label","value":"FRR-ADS-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"USDA Connect Community Portal"},{"id":"FRR-ADS-07","parts":[{"id":"FRR-ADS-07_smt","name":"statement","parts":[{"id":"FRR-ADS-07_smt_01","name":"item","prose":"Providers of FedRAMP 20x Authorized *cloud service offerings* MUST use a FedRAMP-compatible *trust center* to store and share *authorization data* with all necessary parties."}]}],"props":[{"name":"label","value":"FRR-ADS-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"FedRAMP-Compatible Trust Centers"},{"id":"FRR-ADS-08","parts":[{"id":"FRR-ADS-08_smt","name":"statement","parts":[{"id":"FRR-ADS-08_smt_01","name":"item","prose":"Providers MUST notify all necessary parties when migrating to a *trust center* and MUST provide information in their existing USDA Connect Community Portal secure folders explaining how to use the *trust center* to obtain *authorization 
data*."}]}],"props":[{"name":"label","value":"FRR-ADS-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Trust Center Migration Notification"},{"id":"FRR-ADS-09","parts":[{"id":"FRR-ADS-09_smt","name":"statement","parts":[{"id":"FRR-ADS-09_smt_01","name":"item","prose":"Providers MUST make historical versions of *authorization data* available for three years to all necessary parties UNLESS otherwise specified by applicable FedRAMP requirements; deltas between versions MAY be consolidated quarterly."}]}],"props":[{"name":"label","value":"FRR-ADS-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Historical Authorization Data"},{"id":"FRR-ADS-10","parts":[{"id":"FRR-ADS-10_smt","name":"statement","parts":[{"id":"FRR-ADS-10_smt_01","name":"item","prose":"Providers SHOULD follow FedRAMP’s best practices and technical assistance for sharing *authorization data* where 
applicable."}]}],"props":[{"name":"label","value":"FRR-ADS-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Best Practices and Technical Assistance"}]},{"id":"FRR-ADS-AC","parts":[{"name":"overview","prose":"These requirements for managing access apply to cloud service providers who establish FedRAMP-compatible *trust centers* for storing and sharing *authorization data*."}],"props":[{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"access_control"}],"title":"Authorization Data Sharing (Access Control)","controls":[{"id":"FRR-ADS-AC-01","parts":[{"id":"FRR-ADS-AC-01_smt","name":"statement","parts":[{"id":"FRR-ADS-AC-01_smt_01","name":"item","prose":"Providers MUST publicly provide plain-language policies and guidance for all necessary parties that explains how they can obtain and manage access to *authorization data* stored in the *trust center*."}]}],"props":[{"name":"label","value":"FRR-ADS-AC-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Public Guidance"},{"id":"FRR-ADS-AC-02","parts":[{"id":"FRR-ADS-AC-02_smt","name":"statement","parts":[{"id":"FRR-ADS-AC-02_smt_01","name":"item","prose":"Providers SHOULD share at least the *authorization package* with 
prospective agency customers upon request and MUST notify FedRAMP within five business days if a prospective agency customer request is denied."}]}],"props":[{"name":"label","value":"FRR-ADS-AC-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Prospective Customer Access"}]},{"id":"FRR-ADS-TC","parts":[{"name":"overview","prose":"These requirements apply to FedRAMP-compatible *trust centers* used to store and share *authorization data*."}],"props":[{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"trust_center"}],"title":"Authorization Data Sharing (Trust Center)","controls":[{"id":"FRR-ADS-TC-01","parts":[{"id":"FRR-ADS-TC-01_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-01_smt_01","name":"item","prose":"*Trust centers* MUST be included as an *information resource* included in the *cloud service offering* for assessment if FRR-MAS-01 applies."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Trust Center Assessment"},{"id":"FRR-ADS-TC-02","parts":[{"id":"FRR-ADS-TC-02_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-02_smt_01","name":"item","prose":"*Trust centers* SHOULD make *authorization data* available 
to view and download in both human-readable and *machine-readable* formats."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Human and Machine-Readable"},{"id":"FRR-ADS-TC-03","parts":[{"id":"FRR-ADS-TC-03_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-03_smt_01","name":"item","prose":"*Trust centers* MUST provide documented programmatic access to all *authorization data*, including programmatic access to human-readable materials."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Programmatic Access"},{"id":"FRR-ADS-TC-04","parts":[{"id":"FRR-ADS-TC-04_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-04_smt_01","name":"item","prose":"*Trust centers* SHOULD include features that encourage all necessary parties to provision and manage access to *authorization data* for their users and services 
directly."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Self-Service Access Management"},{"id":"FRR-ADS-TC-05","parts":[{"id":"FRR-ADS-TC-05_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-05_smt_01","name":"item","prose":"*Trust centers* MUST maintain an inventory and history of federal agency users or systems with access to *authorization data* and MUST make this information available to FedRAMP without interruption."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Access Inventory"},{"id":"FRR-ADS-TC-06","parts":[{"id":"FRR-ADS-TC-06_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-06_smt_01","name":"item","prose":"*Trust centers* MUST log access to *authorization data* and store summaries of access for at least six months; such information, as it pertains to specific parties, SHOULD be made available upon request by those 
parties."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Access Logging"},{"id":"FRR-ADS-TC-07","parts":[{"id":"FRR-ADS-TC-07_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-07_smt_01","name":"item","prose":"*Trust centers* SHOULD deliver responsive performance during normal operating conditions and minimize service disruptions."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Responsive Performance"}]},{"id":"FRR-ADS-EX","parts":[{"name":"overview","prose":"These exceptions MAY override some or all of the FedRAMP requirements for this standard."}],"props":[{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"exceptions"}],"title":"Authorization Data Sharing (Exceptions)","controls":[{"id":"FRR-ADS-EX-01","parts":[{"id":"FRR-ADS-EX-01_smt","name":"statement","parts":[{"id":"FRR-ADS-EX-01_smt_01","name":"item","prose":"Providers of FedRAMP Rev5 Authorized *cloud service offerings* at FedRAMP High using a legacy self-managed repository for *authorization data* MAY ignore the requirements in this Authorization Data Sharing document until future 
notice."}]}],"props":[{"name":"label","value":"FRR-ADS-EX-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Legacy Self-Managed Repository Exception"}]},{"id":"FRR-VDR","parts":[{"name":"overview","prose":"These requirements apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Vulnerability Detection and Response","controls":[{"id":"FRR-VDR-01","parts":[{"id":"FRR-VDR-01_smt","name":"statement","parts":[{"id":"FRR-VDR-01_smt_01","name":"item","prose":"Providers MUST systematically, *persistently* , and *promptly* discover and identify *vulnerabilities* within their *cloud service offering* using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other relevant capabilities; this process is called *vulnerability detection*."}]}],"props":[{"name":"label","value":"FRR-VDR-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Vulnerability 
Detection"},{"id":"FRR-VDR-02","parts":[{"id":"FRR-VDR-02_smt","name":"statement","parts":[{"id":"FRR-VDR-02_smt_01","name":"item","prose":"Providers MUST systematically, *persistently*, and *promptly* track, evaluate, monitor, *mitigate*, *remediate*, assess exploitation of, report, and otherwise manage all detected vulnerabilities within their *cloud service offering*; this process is called *vulnerability response*."}]}],"props":[{"name":"label","value":"FRR-VDR-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Vulnerability Response"},{"id":"FRR-VDR-03","parts":[{"id":"FRR-VDR-03_smt","name":"statement","parts":[{"id":"FRR-VDR-03_smt_01","name":"item","prose":"Providers MUST follow the requirements and recommendations outlined in FRR-VDR-TF regarding timeframes for *vulnerability detection* and *response*."}]},{"name":"guidance","prose":"Providers are strongly encouraged to build programs that consistently exceed these thresholds. 
Performance will be measured by FedRAMP for comparison between providers and scoring within the FedRAMP Marketplace."}],"props":[{"name":"label","value":"FRR-VDR-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Timeframe Requirements"},{"id":"FRR-VDR-04","parts":[{"id":"FRR-VDR-04_smt","name":"statement","parts":[{"id":"FRR-VDR-04_smt_01","name":"item","prose":"Providers MAY sample effectively identical *information resources* , especially *machine-based* *information resources* , when performing *vulnerability detection* UNLESS doing so would decrease the efficiency or effectiveness of *vulnerability detection*."}]}],"props":[{"name":"label","value":"FRR-VDR-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Sampling Identical Resources"},{"id":"FRR-VDR-05","parts":[{"id":"FRR-VDR-05_smt","name":"statement","parts":[{"id":"FRR-VDR-05_smt_01","name":"item","prose":"Providers SHOULD evaluate *detected vulnerabilities* , considering the context of the *cloud service offering* , to identify logical groupings of affected *information resources* that may improve the efficiency and effectiveness of *vulnerability response* by consolidating further activity; requirements and recommendations in this process are then 
applied to these consolidated groupings of *vulnerabilities* instead of each individual detected instance."}]}],"props":[{"name":"label","value":"FRR-VDR-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Grouping Vulnerabilities"},{"id":"FRR-VDR-06","parts":[{"id":"FRR-VDR-06_smt","name":"statement","parts":[{"id":"FRR-VDR-06_smt_01","name":"item","prose":"Providers SHOULD evaluate *detected vulnerabilities*, considering the context of the *cloud service offering*, to determine if they are *false positive vulnerabilities*."}]}],"props":[{"name":"label","value":"FRR-VDR-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluate False Positives"},{"id":"FRR-VDR-07","parts":[{"id":"FRR-VDR-07_smt","name":"statement","parts":[{"id":"FRR-VDR-07_smt_01","name":"item","prose":"Providers MUST evaluate *detected vulnerabilities*, considering the context of the *cloud service offering*, to determine if they are *likely exploitable 
vulnerabilities*."}]}],"props":[{"name":"label","value":"FRR-VDR-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluate Exploitability"},{"id":"FRR-VDR-08","parts":[{"id":"FRR-VDR-08_smt","name":"statement","parts":[{"id":"FRR-VDR-08_smt_01","name":"item","prose":"Providers MUST evaluate *detected vulnerabilities*, considering the context of the *cloud service offering*, to determine if they are *internet-reachable vulnerabilities*."}]}],"props":[{"name":"label","value":"FRR-VDR-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluate Internet-Reachability"},{"id":"FRR-VDR-09","parts":[{"id":"FRR-VDR-09_smt","name":"statement","parts":[{"id":"FRR-VDR-09_smt_01","name":"item","prose":"Providers MUST evaluate *detected vulnerabilities*, considering the context of the *cloud service offering*, to estimate the *potential adverse impact* of exploitation on government customers AND assign one of the following *potential adverse impact* ratings:"},{"id":"FRR-VDR-09_smt_02","name":"item","prose":"- **N1** : Exploitation could be expected to have *negligible adverse effects* on one or more *agencies* that use the *cloud service offering*.\n- **N2** : Exploitation could be expected to have *limited adverse 
effects* on one or more *agencies* that use the *cloud service offering*.\n- **N3** : Exploitation could be expected to have a *serious adverse effect* on one *agency* that uses the *cloud service offering*.\n- **N4** : Exploitation could be expected to have a *catastrophic adverse effect* on one *agency* that uses the *cloud service offering* OR a *serious adverse effect* on more than one federal agency that uses the *cloud service offering*.\n- **N5** : Exploitation could be expected to have a *catastrophic adverse effect* on more than one *agency* that uses the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-VDR-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Estimate Potential Adverse Impact"},{"id":"FRR-VDR-10","parts":[{"id":"FRR-VDR-10_smt","name":"statement","parts":[{"id":"FRR-VDR-10_smt_01","name":"item","prose":"Providers SHOULD consider at least the following factors when considering the context of the *cloud service offering* to evaluate *detected vulnerabilities*:"},{"id":"FRR-VDR-10_smt_02","name":"item","prose":"- **Criticality** : How important are the systems or information that might be impacted by the *vulnerability*?\n- **Reachability** : How might a threat actor reach the *vulnerability* and how *likely* is that?\n- **Exploitability** : How easy is it for a threat actor to exploit the *vulnerability* and how *likely* is that?\n- **Detectability** : How easy is it for a threat actor to become aware of the *vulnerability* and how *likely* is that?\n- **Prevalence** : How much of the *cloud service offering* is affected by the *vulnerability*?\n- 
**Privilege** : How much privileged authority or access is granted or can be gained from exploiting the *vulnerability*?\n- **Proximate Vulnerabilities** : How does this *vulnerability* interact with previously *detected vulnerabilities* , especially *partially* or *fully mitigated vulnerabilities?*\n- **Known Threats** : How might already known threats leverage the *vulnerability* and how *likely* is that?"}]}],"props":[{"name":"label","value":"FRR-VDR-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluation Factors"},{"id":"FRR-VDR-11","parts":[{"id":"FRR-VDR-11_smt","name":"statement","parts":[{"id":"FRR-VDR-11_smt_01","name":"item","prose":"Providers MUST document the reason and resulting implications for their customers when choosing not to meet FedRAMP recommendations in this process; this documentation MUST be included in the *authorization data* for the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-VDR-11"},{"name":"sort-id","value":"011"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Documenting Reasons"}]},{"id":"FRR-VDR-AY","parts":[{"name":"overview","prose":"This section provides guidance on the application of this process, including recommendations for implementing high quality *vulnerability detection* 
and *response* programs; providers who follow some or all of these will be better positioned to meet future FedRAMP authorization requirements."}],"props":[{"name":"sort-id","value":"011"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"apply"}],"title":"Vulnerability Detection and Response (Apply)","controls":[{"id":"FRR-VDR-AY-01","parts":[{"id":"FRR-VDR-AY-01_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-01_smt_01","name":"item","prose":"If it is not possible to *fully mitigate* or *remediate* *detected vulnerabilities* , providers SHOULD instead *partially mitigate vulnerabilities* *promptly* , progressively, and *persistently*."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Partial Mitigation"},{"id":"FRR-VDR-AY-02","parts":[{"id":"FRR-VDR-AY-02_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-02_smt_01","name":"item","prose":"Providers SHOULD make design and architecture decisions for their *cloud service offering* that mitigate the risk of *vulnerabilities* by default AND decrease the risk and complexity of *vulnerability* *detection* and 
*response*."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Design For Resilience"},{"id":"FRR-VDR-AY-03","parts":[{"id":"FRR-VDR-AY-03_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-03_smt_01","name":"item","prose":"Providers SHOULD use automated services to improve and streamline *vulnerability detection* and *response*."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Automate Detection"},{"id":"FRR-VDR-AY-04","parts":[{"id":"FRR-VDR-AY-04_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-04_smt_01","name":"item","prose":"Providers SHOULD automatically perform *vulnerability detection* on representative samples of new or *significantly* *changed* *information 
resources*."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Detection on Changes"},{"id":"FRR-VDR-AY-05","parts":[{"id":"FRR-VDR-AY-05_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-05_smt_01","name":"item","prose":"Providers SHOULD NOT weaken the security of *information resources* to facilitate vulnerability scanning or assessment activities."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Maintain Security Postures"},{"id":"FRR-VDR-AY-06","parts":[{"id":"FRR-VDR-AY-06_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-06_smt_01","name":"item","prose":"Providers SHOULD NOT deploy or otherwise activate new *machine-based* *information resources* with *Known Exploited Vulnerabilities*."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD 
NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Avoid Known Exploited Vulnerabilities"}]},{"id":"FRR-VDR-RP","parts":[{"name":"overview","prose":"This section identifies FedRAMP-specific reporting requirements and recommendations for *vulnerabilities*."}],"props":[{"name":"sort-id","value":"012"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"reporting"}],"title":"Vulnerability Detection and Response (Reporting)","controls":[{"id":"FRR-VDR-RP-01","parts":[{"id":"FRR-VDR-RP-01_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-01_smt_01","name":"item","prose":"Providers MUST report *vulnerability detection* and *response* activity to all necessary parties *persistently* , summarizing ALL activity since the previous report; these reports are *authorization data* and are subject to the FedRAMP Authorization Data Sharing (ADS) process."}]}],"props":[{"name":"label","value":"FRR-VDR-RP-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Monthly Reporting"},{"id":"FRR-VDR-RP-02","parts":[{"id":"FRR-VDR-RP-02_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-02_smt_01","name":"item","prose":"Providers SHOULD include high-level overviews of ALL *vulnerability detection* and *response* activities conducted during this period for the *cloud service offering;* this includes vulnerability disclosure programs, bug bounty programs, penetration testing, assessments, 
etc."}]}],"props":[{"name":"label","value":"FRR-VDR-RP-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"High-Level Overviews"},{"id":"FRR-VDR-RP-03","parts":[{"id":"FRR-VDR-RP-03_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-03_smt_01","name":"item","prose":"Providers MUST NOT irresponsibly disclose specific sensitive information about *vulnerabilities* that would *likely* lead to exploitation, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties."}]},{"name":"guidance","prose":"See FRR-VDR-EX for exceptions to this requirement."}],"props":[{"name":"label","value":"FRR-VDR-RP-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"No Irresponsible Disclosure"},{"id":"FRR-VDR-RP-04","parts":[{"id":"FRR-VDR-RP-04_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-04_smt_01","name":"item","prose":"Providers MAY responsibly disclose *vulnerabilities* publicly or with other parties if the provider determines doing so will NOT *likely* lead to 
exploitation."}]}],"props":[{"name":"label","value":"FRR-VDR-RP-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Responsible Public Disclosure"},{"id":"FRR-VDR-RP-05","parts":[{"id":"FRR-VDR-RP-05_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-05_smt_01","name":"item","prose":"Providers MUST include the following information (if applicable) on *detected vulnerabilities* when reporting on *vulnerability detection* and *response* activity, UNLESS it is an *accepted vulnerability*:"},{"id":"FRR-VDR-RP-05_smt_02","name":"item","prose":"- Provider's internally assigned tracking identifier\n- Time and source of the detection\n- Time of completed evaluation\n- Is it an *internet-reachable vulnerability* or not?\n- Is it a *likely exploitable vulnerability* or not?\n- Historically and currently estimated *potential adverse impact* of exploitation\n- Time and level of each completed and evaluated reduction in *potential adverse impact*\n- Estimated time and target level of next reduction in *potential adverse impact*\n- Is it currently or is it likely to become an *overdue vulnerability* or not? 
If so, explain.\n- Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their *federal customer data* within the *cloud service offering* resulting from the *vulnerability*\n- Final disposition of the *vulnerability*"}]}],"props":[{"name":"label","value":"FRR-VDR-RP-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Vulnerability Details"},{"id":"FRR-VDR-RP-06","parts":[{"id":"FRR-VDR-RP-06_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-06_smt_01","name":"item","prose":"Providers MUST include the following information on *accepted vulnerabilities* when reporting on *vulnerability detection* and *response* activity:"},{"id":"FRR-VDR-RP-06_smt_02","name":"item","prose":"- Provider's internally assigned tracking identifier\n- Time and source of the detection\n- Time of completed evaluation\n- Is it an *internet-reachable vulnerability* or not?\n- Is it a *likely exploitable vulnerability* or not?\n- Currently estimated *potential adverse impact* of exploitation\n- Explanation of why this is an *accepted vulnerability*\n- Any supplementary information the provider determines will responsibly help federal agencies assess or mitigate the risk to their *federal customer data* within the *cloud service offering* resulting from the *accepted 
vulnerability*"}]}],"props":[{"name":"label","value":"FRR-VDR-RP-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Accepted Vulnerability Info"}]},{"id":"FRR-VDR-EX","parts":[{"name":"overview","prose":"These exceptions MAY override some or all of the FedRAMP requirements and recommendations in this document."}],"props":[{"name":"sort-id","value":"013"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"exceptions"}],"title":"Vulnerability Detection and Response (Exceptions)","controls":[{"id":"FRR-VDR-EX-01","parts":[{"id":"FRR-VDR-EX-01_smt","name":"statement","parts":[{"id":"FRR-VDR-EX-01_smt_01","name":"item","prose":"Providers MAY be required to share additional *vulnerability* information, alternative reports, or to report at an alternative frequency as a condition of a FedRAMP Corrective Action Plan or other agreements with federal agencies."}]}],"props":[{"name":"label","value":"FRR-VDR-EX-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Additional Reporting Requirements"},{"id":"FRR-VDR-EX-02","parts":[{"id":"FRR-VDR-EX-02_smt","name":"statement","parts":[{"id":"FRR-VDR-EX-02_smt_01","name":"item","prose":"Providers MAY be required to provide additional information or details about 
*vulnerabilities* , including sensitive information that would *likely* lead to exploitation, as part of review, response or investigation by necessary parties."}]}],"props":[{"name":"label","value":"FRR-VDR-EX-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Additional Details"},{"id":"FRR-VDR-EX-03","parts":[{"id":"FRR-VDR-EX-03_smt","name":"statement","parts":[{"id":"FRR-VDR-EX-03_smt_01","name":"item","prose":"Providers MUST NOT use this process to reject requests for additional information from necessary parties which also include law enforcement, Congress, and Inspectors General."}]}],"props":[{"name":"label","value":"FRR-VDR-EX-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Do Not Reject Requests"}]},{"id":"FRR-VDR-TF","parts":[{"name":"overview","prose":"This section provides guidance on timeframes that apply to all impact levels of FedRAMP authorization for activities required or recommended in this process; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins."}],"props":[{"name":"sort-id","value":"014"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"timeframes"}],"title":"Vulnerability Detection and Response 
(Timeframes)","controls":[{"id":"FRR-VDR-TF-01","parts":[{"id":"FRR-VDR-TF-01_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-01_smt_01","name":"item","prose":"Providers MUST report *vulnerability detection* and *response* activity to all necessary parties in a consistent format that is human readable at least monthly."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Monthly Human-Readable"},{"id":"FRR-VDR-TF-02","links":[{"href":"https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities","text":"CISA BOD 22-01"}],"parts":[{"id":"FRR-VDR-TF-02_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-02_smt_01","name":"item","prose":"Providers SHOULD *remediate Known Exploited Vulnerabilities* according to the due dates in the CISA Known Exploited Vulnerabilities Catalog (even if the vulnerability has been *fully mitigated*) as required by CISA Binding Operational Directive (BOD) 22-01 or any successor guidance from CISA."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Remediate 
KEVs"},{"id":"FRR-VDR-TF-03","parts":[{"id":"FRR-VDR-TF-03_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-03_smt_01","name":"item","prose":"Providers MUST categorize any vulnerability that is not or will not be *fully mitigated* or *remediated* within 192 days of evaluation as an *accepted vulnerability*."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Mark Accepted Vulnerabilities"}]},{"id":"FRR-VDR-TF-MO","parts":[{"name":"overview","prose":"This section provides guidance on timeframes that apply specifically to FedRAMP Moderate authorizations for activities required or recommended in this process; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins."}],"props":[{"name":"sort-id","value":"016"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"timeframe-moderate"}],"title":"Vulnerability Detection and Response (Timeframe Moderate)","controls":[{"id":"FRR-VDR-TF-MO-01","parts":[{"id":"FRR-VDR-TF-MO-01_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-MO-01_smt_01","name":"item","prose":"Providers SHOULD make all recent historical *vulnerability detection* and *response* activity available in a *machine-readable* format for automated retrieval by all necessary parties (e.g. 
using an API service or similar); this information SHOULD be updated *persistently*, at least once every 14 days."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-MO-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"14-Day History"},{"id":"FRR-VDR-TF-MO-02","parts":[{"id":"FRR-VDR-TF-MO-02_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-MO-02_smt_01","name":"item","prose":"Providers SHOULD *persistently* perform *vulnerability detection* on representative samples of similar *machine-based* *information resources*, at least once every 3 days."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-MO-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"3-Day Sampling"},{"id":"FRR-VDR-TF-MO-03","parts":[{"id":"FRR-VDR-TF-MO-03_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-MO-03_smt_01","name":"item","prose":"Providers SHOULD *persistently* perform *vulnerability detection* on all *information resources* that are *likely* to *drift*, at least once every 14 days."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-MO-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"14-Day Drift Detection"},{"id":"FRR-VDR-TF-MO-04","parts":[{"id":"FRR-VDR-TF-MO-04_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-MO-04_smt_01","name":"item","prose":"Providers SHOULD *persistently* perform 
*vulnerability detection* on all *information resources* that are NOT *likely* to *drift*, at least once per month."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-MO-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Monthly Detection"},{"id":"FRR-VDR-TF-MO-05","parts":[{"id":"FRR-VDR-TF-MO-05_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-MO-05_smt_01","name":"item","prose":"Providers SHOULD evaluate ALL *vulnerabilities* as required by FRR-VDR-07, FRR-VDR-08, and FRR-VDR-09 within 5 days of *detection*."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-MO-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluate Within 5 Days"},{"id":"FRR-VDR-TF-MO-06","parts":[{"id":"FRR-VDR-TF-MO-06_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-MO-06_smt_01","name":"item","prose":"Providers SHOULD treat *internet-reachable likely exploitable vulnerabilities* with a *potential adverse impact* of N4 or N5 as a security *incident* until they are *partially mitigated* to N3 or below."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-MO-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Incidents"},{"id":"FRR-VDR-TF-MO-07","parts":[{"id":"FRR-VDR-TF-MO-07_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-MO-07_smt_01","name":"item","prose":"Providers SHOULD *partially mitigate, fully 
mitigate,* or *remediate vulnerabilities* to a lower *potential adverse impact* within the timeframes from evaluation shown below, factoring for the current *potential adverse impact*, *internet reachability,* and *likely exploitability*:"}]}],"props":[{"name":"label","value":"FRR-VDR-TF-MO-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Mitigate Per Timeframes"},{"id":"FRR-VDR-TF-MO-08","parts":[{"id":"FRR-VDR-TF-MO-08_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-MO-08_smt_01","name":"item","prose":"Providers SHOULD *mitigate* or *remediate* remaining *vulnerabilities* during routine operations as determined necessary by the provider."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-MO-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Mitigate During Operations"}]},{"id":"FRR-VDR-AG","parts":[{"name":"overview","prose":"This section provides guidance for agencies that apply under 44 USC § 3613 (e) which states that the assessment and materials within a FedRAMP authorization package \"shall be presumed adequate for use in an agency authorization to operate cloud computing products and services.\""}],"props":[{"name":"sort-id","value":"018"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"agencies"}],"title":"Vulnerability Detection and Response (Agencies)","controls":[{"id":"FRR-VDR-AG-01","parts":[{"id":"FRR-VDR-AG-01_smt","name":"statement","parts":[{"id":"FRR-VDR-AG-01_smt_01","name":"item","prose":"Agencies SHOULD review the information provided in vulnerability reports at 
appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine readable information from cloud service providers."}]},{"name":"guidance","prose":"FedRAMP recommends that agencies only review *overdue* and *accepted vulnerabilities* with a *potential adverse impact* of N3 or higher unless the cloud service provider recommends mitigations or the service is included in a higher risk federal information system. Furthermore, *accepted vulnerabilities* generally only need to be reviewed when they are added or during an updated risk assessment due to changes in the agency’s use or authorization."}],"props":[{"name":"label","value":"FRR-VDR-AG-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Review Vulnerability Reports"},{"id":"FRR-VDR-AG-02","parts":[{"id":"FRR-VDR-AG-02_smt","name":"statement","parts":[{"id":"FRR-VDR-AG-02_smt_01","name":"item","prose":"Agencies SHOULD use *vulnerability* information reported by the Provider to maintain Plans of Action \\& Milestones for agency security programs when relevant according to agency security policies (such as if the agency takes action to mitigate the risk of exploitation or authorized the continued use of a cloud service with *accepted vulnerabilities* that put agency information systems at 
risk)."}]}],"props":[{"name":"label","value":"FRR-VDR-AG-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Maintain Agency POA\\&M"},{"id":"FRR-VDR-AG-03","parts":[{"id":"FRR-VDR-AG-03_smt","name":"statement","parts":[{"id":"FRR-VDR-AG-03_smt_01","name":"item","prose":"Agencies SHOULD NOT request additional information from cloud service providers that is not required by this FedRAMP process UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such."}]},{"name":"guidance","prose":"This is related to the Presumption of Adequacy directed by 44 USC § 3613 (e)."}],"props":[{"name":"label","value":"FRR-VDR-AG-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Do Not Request Extra Info"},{"id":"FRR-VDR-AG-04","parts":[{"id":"FRR-VDR-AG-04_smt","name":"statement","parts":[{"id":"FRR-VDR-AG-04_smt_01","name":"item","prose":"Agencies MUST inform FedRAMP after requesting any additional *vulnerability* information or materials from a cloud service provider beyond those FedRAMP requires by sending a notification to [info@fedramp.gov](mailto:info@fedramp.gov)."}]},{"name":"guidance","prose":"This is an OMB policy; agencies are required to notify FedRAMP in 
OMB Memorandum M-24-15 section IV (a)."}],"props":[{"name":"label","value":"FRR-VDR-AG-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Notify FedRAMP"}]},{"id":"FRR-FSI","parts":[{"name":"overview","prose":"These requirements apply ALWAYS to FedRAMP and ALL cloud services listed in the FedRAMP Marketplace based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"019"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"FedRAMP Security Inbox","controls":[{"id":"FRR-FSI-01","parts":[{"id":"FRR-FSI-01_smt","name":"statement","parts":[{"id":"FRR-FSI-01_smt_01","name":"item","prose":"FedRAMP MUST send messages to cloud service providers using an official @fedramp.gov or @gsa.gov email address with properly configured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) email authentication."}]},{"name":"guidance","prose":"Anyone at GSA can send email from @fedramp.gov or @gsa.gov, and SPF, DKIM, and DMARC authenticate only the sending domain, not the individual sender - FedRAMP team members will typically have \"FedRAMP\" or \"Q20B\" in their name but this is not universal or enforceable; providers should instead verify Emergency and Emergency Test designated messages against the sender addresses specified in FRR-FSI-03. 
The nature of government enterprise IT services makes it difficult for FedRAMP to isolate FedRAMP-specific team members with enforceable identifiers."}],"props":[{"name":"label","value":"FRR-FSI-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Verified Emails"},{"id":"FRR-FSI-02","parts":[{"id":"FRR-FSI-02_smt","name":"statement","parts":[{"id":"FRR-FSI-02_smt_01","name":"item","prose":"FedRAMP MUST convey the criticality of the message in the subject line using one of the following designators if the message requires an elevated response:"},{"id":"FRR-FSI-02_smt_02","name":"item","prose":"- **Emergency:** There is a potential incident or crisis such that FedRAMP requires an extremely urgent response; emergency messages will contain aggressive timeframes for response and failure to meet these timeframes will result in corrective action.\n- **Emergency Test:** FedRAMP requires an extremely urgent response to confirm the functionality and effectiveness of the FedRAMP Security Inbox; emergency test messages will contain aggressive timeframes for response and failure to meet these timeframes will result in corrective action.\n- **Important:** There is an important issue that FedRAMP requires the cloud service provider to address; important messages will contain reasonable timeframes for response and failure to meet these timeframes may result in corrective action."}]},{"name":"guidance","prose":"Messages sent by FedRAMP without one of these designators are considered general communications and do not require an elevated response; these may be resolved in the normal course of business by the 
cloud service provider."}],"props":[{"name":"label","value":"FRR-FSI-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Criticality Designators"},{"id":"FRR-FSI-03","parts":[{"id":"FRR-FSI-03_smt","name":"statement","parts":[{"id":"FRR-FSI-03_smt_01","name":"item","prose":"FedRAMP MUST send Emergency and Emergency Test designated messages from fedramp_security@gsa.gov OR fedramp_security@fedramp.gov."}]}],"props":[{"name":"label","value":"FRR-FSI-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Sender Addresses"},{"id":"FRR-FSI-04","parts":[{"id":"FRR-FSI-04_smt","name":"statement","parts":[{"id":"FRR-FSI-04_smt_01","name":"item","prose":"FedRAMP MUST post a public notice at least 10 business days in advance of sending an Emergency Test message; such notices MUST include explanation of the *likely* expected actions and timeframes for the Emergency Test 
message."}]}],"props":[{"name":"label","value":"FRR-FSI-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Public Notice of Emergency Tests"},{"id":"FRR-FSI-05","parts":[{"id":"FRR-FSI-05_smt","name":"statement","parts":[{"id":"FRR-FSI-05_smt_01","name":"item","prose":"FedRAMP MUST clearly specify the required actions in the body of messages that require an elevated response."}]}],"props":[{"name":"label","value":"FRR-FSI-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Required Actions"},{"id":"FRR-FSI-06","parts":[{"id":"FRR-FSI-06_smt","name":"statement","parts":[{"id":"FRR-FSI-06_smt_01","name":"item","prose":"FedRAMP MUST clearly specify the expected timeframe for completing required actions in the body of messages that require an elevated response; timeframes for actions will vary depending on the situation but the default timeframes to provide an estimated resolution time for Emergency and Emergency Test designated messages will be as follows:"},{"id":"FRR-FSI-06_smt_02","name":"item","prose":"- **High Impact:** within 12 hours\n- **Moderate Impact:** by 3:00 p.m. Eastern Time on the 2nd business day\n- **Low Impact:** by 3:00 p.m. 
Eastern Time on the 3rd business day"}]},{"name":"guidance","prose":"Note: High impact cloud service providers are expected to address Emergency messages (including tests) from FedRAMP with a response time appropriate to operating a service where failure to respond rapidly might have a severe or catastrophic adverse effect on the U.S. Government; some Emergency messages may require faster responses and all such messages should be addressed as quickly as possible."}],"props":[{"name":"label","value":"FRR-FSI-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Response Timeframes"},{"id":"FRR-FSI-07","parts":[{"id":"FRR-FSI-07_smt","name":"statement","parts":[{"id":"FRR-FSI-07_smt_01","name":"item","prose":"FedRAMP MUST clearly specify the corrective actions that will result from failure to complete the required actions in the body of messages that require an elevated response; such actions may vary from negative ratings in the FedRAMP Marketplace to suspension of FedRAMP authorization depending on the severity of the event."}]}],"props":[{"name":"label","value":"FRR-FSI-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Corrective 
Actions"},{"id":"FRR-FSI-08","parts":[{"id":"FRR-FSI-08_smt","name":"statement","parts":[{"id":"FRR-FSI-08_smt_01","name":"item","prose":"FedRAMP MAY track and publicly share the time required by cloud service providers to take the actions specified in messages that require an elevated response."}]}],"props":[{"name":"label","value":"FRR-FSI-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Response Metrics"},{"id":"FRR-FSI-09","parts":[{"id":"FRR-FSI-09_smt","name":"statement","parts":[{"id":"FRR-FSI-09_smt_01","name":"item","prose":"Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a *FedRAMP Security Inbox* (FSI)."}]},{"name":"guidance","prose":"- Unless otherwise notified, FedRAMP will use the listed Security E-mail on the Marketplace for these notifications.\n- If a provider establishes a new inbox in response to this guidance that is different from the Security E-Mail then they must follow the requirements in FRR-FSI-12 to notify FedRAMP."}],"props":[{"name":"label","value":"FRR-FSI-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"FedRAMP Security 
Inbox"},{"id":"FRR-FSI-10","parts":[{"id":"FRR-FSI-10_smt","name":"statement","parts":[{"id":"FRR-FSI-10_smt_01","name":"item","prose":"Providers MUST treat any email originating from an @fedramp.gov or @gsa.gov email address as if it was sent from FedRAMP by default; if such a message is confirmed to originate from someone other than FedRAMP then *FedRAMP Security Inbox* requirements no longer apply."}]}],"props":[{"name":"label","value":"FRR-FSI-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Receiving Messages"},{"id":"FRR-FSI-11","parts":[{"id":"FRR-FSI-11_smt","name":"statement","parts":[{"id":"FRR-FSI-11_smt_01","name":"item","prose":"Providers MUST receive and respond to email messages from FedRAMP without disruption and without requiring additional actions from FedRAMP."}]},{"name":"guidance","prose":"Note: This requirement is intended to prevent cloud service providers from requiring FedRAMP to respond to a CAPTCHA, log into a customer portal, or otherwise take service-specific actions that might prevent the security team from receiving the 
message."}],"props":[{"name":"label","value":"FRR-FSI-11"},{"name":"sort-id","value":"011"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Response"},{"id":"FRR-FSI-12","parts":[{"id":"FRR-FSI-12_smt","name":"statement","parts":[{"id":"FRR-FSI-12_smt_01","name":"item","prose":"Providers MUST immediately notify FedRAMP of any changes in addressing for their *FedRAMP Security Inbox* by emailing info@fedramp.gov with the name and FedRAMP ID of the cloud service offering and the updated email address."}]}],"props":[{"name":"label","value":"FRR-FSI-12"},{"name":"sort-id","value":"012"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Notification of Changes"},{"id":"FRR-FSI-13","parts":[{"id":"FRR-FSI-13_smt","name":"statement","parts":[{"id":"FRR-FSI-13_smt_01","name":"item","prose":"Providers SHOULD *promptly* and automatically acknowledge the receipt of messages received from FedRAMP in their *FedRAMP Security 
Inbox*."}]}],"props":[{"name":"label","value":"FRR-FSI-13"},{"name":"sort-id","value":"013"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Acknowledgment of Receipt"},{"id":"FRR-FSI-14","parts":[{"id":"FRR-FSI-14_smt","name":"statement","parts":[{"id":"FRR-FSI-14_smt_01","name":"item","prose":"Providers MUST complete the required actions in Emergency or Emergency Test designated messages sent by FedRAMP within the timeframe included in the message."}]},{"name":"guidance","prose":"Timeframes may vary by impact level of the *cloud service offering*."}],"props":[{"name":"label","value":"FRR-FSI-14"},{"name":"sort-id","value":"014"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Required Response for Emergency Messages"},{"id":"FRR-FSI-15","parts":[{"id":"FRR-FSI-15_smt","name":"statement","parts":[{"id":"FRR-FSI-15_smt_01","name":"item","prose":"Providers MUST route Emergency designated messages sent by FedRAMP to a senior security official for their awareness."}]},{"name":"guidance","prose":"Senior security officials are determined by the 
provider."}],"props":[{"name":"label","value":"FRR-FSI-15"},{"name":"sort-id","value":"015"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Routing"},{"id":"FRR-FSI-16","parts":[{"id":"FRR-FSI-16_smt","name":"statement","parts":[{"id":"FRR-FSI-16_smt_01","name":"item","prose":"Providers SHOULD complete the required actions in Important designated messages sent by FedRAMP within the timeframe specified in the message."}]},{"name":"guidance","prose":"Timeframes may vary by impact level of the *cloud service offering*."}],"props":[{"name":"label","value":"FRR-FSI-16"},{"name":"sort-id","value":"016"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Recommended Response for Important Messages"}]},{"id":"FRR-ICP","parts":[{"name":"overview","prose":"These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"020"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Incident Communications Procedures","controls":[{"id":"FRR-ICP-01","parts":[{"id":"FRR-ICP-01_smt","name":"statement","parts":[{"id":"FRR-ICP-01_smt_01","name":"item","prose":"Providers MUST responsibly report *incidents* to FedRAMP within 1 
hour of identification by sending an email to fedramp_security@fedramp.gov or fedramp_security@gsa.gov."}]}],"props":[{"name":"label","value":"FRR-ICP-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Incident Reporting to FedRAMP"},{"id":"FRR-ICP-02","parts":[{"id":"FRR-ICP-02_smt","name":"statement","parts":[{"id":"FRR-ICP-02_smt_01","name":"item","prose":"Providers MUST responsibly report *incidents* to all *agency* customers within 1 hour of identification using the *incident* communications points of contact provided by each *agency* customer."}]}],"props":[{"name":"label","value":"FRR-ICP-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Incident Reporting to Agencies"},{"id":"FRR-ICP-03","parts":[{"id":"FRR-ICP-03_smt","name":"statement","parts":[{"id":"FRR-ICP-03_smt_01","name":"item","prose":"Providers MUST responsibly report *incidents* to CISA within 1 hour of identification if the incident is confirmed or suspected to be the result of an attack vector listed at https://www.cisa.gov/federal-incident-notification-guidelines#attack-vectors-taxonomy, following the CISA Federal Incident Notification Guidelines at https://www.cisa.gov/federal-incident-notification-guidelines, by using the CISA Incident 
Reporting System at https://myservices.cisa.gov/irf."}]}],"props":[{"name":"label","value":"FRR-ICP-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Incident Reporting to CISA"},{"id":"FRR-ICP-04","parts":[{"id":"FRR-ICP-04_smt","name":"statement","parts":[{"id":"FRR-ICP-04_smt_01","name":"item","prose":"Providers MUST update *all necessary parties*, including at least FedRAMP, CISA (if applicable), and all *agency* customers, at least once per calendar day until the *incident* is resolved and recovery is complete."}]}],"props":[{"name":"label","value":"FRR-ICP-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Incident Updates"},{"id":"FRR-ICP-05","parts":[{"id":"FRR-ICP-05_smt","name":"statement","parts":[{"id":"FRR-ICP-05_smt_01","name":"item","prose":"Providers MUST make *incident* report information available in their secure FedRAMP repository (such as USDA Connect) or *trust 
center*."}]}],"props":[{"name":"label","value":"FRR-ICP-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Incident Report Availability"},{"id":"FRR-ICP-06","parts":[{"id":"FRR-ICP-06_smt","name":"statement","parts":[{"id":"FRR-ICP-06_smt_01","name":"item","prose":"Providers MUST NOT irresponsibly disclose specific sensitive information about *incidents* that would *likely* increase the impact of the *incident*, but MUST disclose sufficient information for informed risk-based decision-making to *all necessary parties*."}]}],"props":[{"name":"label","value":"FRR-ICP-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Responsible Disclosure"},{"id":"FRR-ICP-07","parts":[{"id":"FRR-ICP-07_smt","name":"statement","parts":[{"id":"FRR-ICP-07_smt_01","name":"item","prose":"Providers MUST provide a final report once the *incident* is resolved and recovery is complete that describes at least:"},{"id":"FRR-ICP-07_smt_02","name":"item","prose":"- What occurred\n- Root cause\n- Response\n- Lessons learned\n- Changes 
needed"}]}],"props":[{"name":"label","value":"FRR-ICP-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Final Incident Report"},{"id":"FRR-ICP-08","parts":[{"id":"FRR-ICP-08_smt","name":"statement","parts":[{"id":"FRR-ICP-08_smt_01","name":"item","prose":"Providers SHOULD use automated mechanisms for reporting incidents and providing updates to all necessary parties (including CISA)."}]}],"props":[{"name":"label","value":"FRR-ICP-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Automated Reporting"},{"id":"FRR-ICP-09","parts":[{"id":"FRR-ICP-09_smt","name":"statement","parts":[{"id":"FRR-ICP-09_smt_01","name":"item","prose":"Providers SHOULD make *incident* report information available in consistent human-readable and *machine-readable* 
formats."}]}],"props":[{"name":"label","value":"FRR-ICP-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Human-Readable and Machine-Readable Formats"}]},{"id":"FRR-SCN","parts":[{"name":"overview","prose":"These requirements apply ALWAYS to ALL *significant changes* based on current Effective Date(s) and Overall Applicability."}],"props":[{"name":"sort-id","value":"021"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Significant Change Notifications","controls":[{"id":"FRR-SCN-01","parts":[{"id":"FRR-SCN-01_smt","name":"statement","parts":[{"id":"FRR-SCN-01_smt_01","name":"item","prose":"Providers MUST notify all necessary parties when Significant Change Notifications are required, including at least FedRAMP and all agency customers. 
Providers MAY share Significant Change Notifications publicly or with other parties."}]}],"props":[{"name":"label","value":"FRR-SCN-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Notifications"},{"id":"FRR-SCN-02","parts":[{"id":"FRR-SCN-02_smt","name":"statement","parts":[{"id":"FRR-SCN-02_smt_01","name":"item","prose":"Providers MUST follow the procedures documented in their security plan to plan, evaluate, test, perform, assess, and document changes."}]}],"props":[{"name":"label","value":"FRR-SCN-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Procedures and Documentation"},{"id":"FRR-SCN-03","parts":[{"id":"FRR-SCN-03_smt","name":"statement","parts":[{"id":"FRR-SCN-03_smt_01","name":"item","prose":"Providers MUST evaluate and type label all *significant changes*, then follow FedRAMP requirements for the 
type."}]}],"props":[{"name":"label","value":"FRR-SCN-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluate Changes"},{"id":"FRR-SCN-04","parts":[{"id":"FRR-SCN-04_smt","name":"statement","parts":[{"id":"FRR-SCN-04_smt_01","name":"item","prose":"Providers MUST maintain auditable records of these activities and make them available to all necessary parties."}]}],"props":[{"name":"label","value":"FRR-SCN-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-05","parts":[{"id":"FRR-SCN-05_smt","name":"statement","parts":[{"id":"FRR-SCN-05_smt_01","name":"item","prose":"Providers MUST keep historical Significant Change Notifications available to all necessary parties at least until the service completes its next annual 
assessment."}]}],"props":[{"name":"label","value":"FRR-SCN-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-06","parts":[{"id":"FRR-SCN-06_smt","name":"statement","parts":[{"id":"FRR-SCN-06_smt_01","name":"item","prose":"All parties SHOULD follow FedRAMP's best practices and technical assistance on *significant change* assessment and notification where applicable."}]}],"props":[{"name":"label","value":"FRR-SCN-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-07","parts":[{"id":"FRR-SCN-07_smt","name":"statement","parts":[{"id":"FRR-SCN-07_smt_01","name":"item","prose":"Providers MAY notify necessary parties in a variety of ways as long as the mechanism for notification is clearly documented and easily 
accessible."}]}],"props":[{"name":"label","value":"FRR-SCN-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-08","parts":[{"id":"FRR-SCN-08_smt","name":"statement","parts":[{"id":"FRR-SCN-08_smt_01","name":"item","prose":"Providers MUST make ALL Significant Change Notifications and related audit records available in similar human-readable and compatible *machine-readable* formats."}]}],"props":[{"name":"label","value":"FRR-SCN-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-09","parts":[{"id":"FRR-SCN-09_smt","name":"statement","parts":[{"id":"FRR-SCN-09_smt_01","name":"item","prose":"Providers MUST include at least the following information in Significant Change Notifications:"},{"id":"FRR-SCN-09_smt_02","name":"item","prose":"- Service Offering FedRAMP ID\n- Assessor Name (if applicable)\n- Related POA\\&M (if applicable)\n- Significant Change type and explanation of categorization\n- Short description of change\n- Reason for change\n- Summary of customer impact, including changes to services and customer configuration responsibilities\n- Plan and timeline for the change, including for the verification, assessment, and/or validation of impacted 
Key Security Indicators or controls\n- Copy of the business or security impact analysis\n- Name and title of approver"}]}],"props":[{"name":"label","value":"FRR-SCN-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-10","parts":[{"id":"FRR-SCN-10_smt","name":"statement","parts":[{"id":"FRR-SCN-10_smt_01","name":"item","prose":"Providers MAY include additional relevant information in Significant Change Notifications."}]}],"props":[{"name":"label","value":"FRR-SCN-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-SCN-RR","parts":[{"name":"overview","prose":"These requirements apply ONLY to *significant changes* of type *routine recurring*."}],"props":[{"name":"sort-id","value":"022"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"routine_recurring"}],"title":"Significant Change Notifications (Routine Recurring)","controls":[{"id":"FRR-SCN-RR-01","parts":[{"id":"FRR-SCN-RR-01_smt","name":"statement","parts":[{"id":"FRR-SCN-RR-01_smt_01","name":"item","prose":"Providers SHOULD NOT make formal Significant Change Notifications for *routine recurring* changes; this type of change is exempted from the notification requirements of this 
process."}]}],"props":[{"name":"label","value":"FRR-SCN-RR-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-SCN-AD","parts":[{"name":"overview","prose":"These requirements apply ONLY to *significant changes* of type *adaptive*."}],"props":[{"name":"sort-id","value":"023"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"adaptive"}],"title":"Significant Change Notifications (Adaptive)","controls":[{"id":"FRR-SCN-AD-01","parts":[{"id":"FRR-SCN-AD-01_smt","name":"statement","parts":[{"id":"FRR-SCN-AD-01_smt_01","name":"item","prose":"Providers MUST notify all necessary parties within ten business days after finishing *adaptive* changes, also including the following information:"},{"id":"FRR-SCN-AD-01_smt_02","name":"item","prose":"- Summary of any new risks identified and/or POA\\&Ms resulting from the change (if applicable)"}]}],"props":[{"name":"label","value":"FRR-SCN-AD-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-SCN-TR","parts":[{"name":"overview","prose":"These requirements apply ONLY to *significant changes* of type 
*transformative*."}],"props":[{"name":"sort-id","value":"024"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"transformative"}],"title":"Significant Change Notifications (Transformative)","controls":[{"id":"FRR-SCN-TR-01","parts":[{"id":"FRR-SCN-TR-01_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-01_smt_01","name":"item","prose":"Providers SHOULD engage a third-party assessor to review the scope and impact of the planned change before starting *transformative* changes if human validation is necessary. This review SHOULD be limited to security decisions that require human validation. Providers MUST document this decision and justification."}]}],"props":[{"name":"label","value":"FRR-SCN-TR-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-TR-02","parts":[{"id":"FRR-SCN-TR-02_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-02_smt_01","name":"item","prose":"Providers MUST notify all necessary parties of initial plans for *transformative* changes at least 30 business days before starting *transformative* changes."}]}],"props":[{"name":"label","value":"FRR-SCN-TR-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no 
title\\]"},{"id":"FRR-SCN-TR-03","parts":[{"id":"FRR-SCN-TR-03_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-03_smt_01","name":"item","prose":"Providers MUST notify all necessary parties of final plans for *transformative* changes at least 10 business days before starting *transformative* changes."}]}],"props":[{"name":"label","value":"FRR-SCN-TR-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-TR-04","parts":[{"id":"FRR-SCN-TR-04_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-04_smt_01","name":"item","prose":"Providers MUST notify all necessary parties within 5 business days after finishing *transformative* changes, also including the following information:"},{"id":"FRR-SCN-TR-04_smt_02","name":"item","prose":"- Updates to all previously sent information"}]}],"props":[{"name":"label","value":"FRR-SCN-TR-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-TR-05","parts":[{"id":"FRR-SCN-TR-05_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-05_smt_01","name":"item","prose":"Providers MUST notify all necessary parties within 5 business days after completing the verification, assessment, and/or validation of *transformative* changes, also 
including the following information:"},{"id":"FRR-SCN-TR-05_smt_02","name":"item","prose":"- Updates to all previously sent information\n- Summary of any new risks identified and/or POA\\&Ms resulting from the change (if applicable)\n- Copy of the security assessment report (if applicable)"}]}],"props":[{"name":"label","value":"FRR-SCN-TR-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-TR-06","parts":[{"id":"FRR-SCN-TR-06_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-06_smt_01","name":"item","prose":"Providers MUST publish updated service documentation and other materials to reflect *transformative* changes within 30 business days after finishing *transformative* changes."}]}],"props":[{"name":"label","value":"FRR-SCN-TR-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-TR-07","parts":[{"id":"FRR-SCN-TR-07_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-07_smt_01","name":"item","prose":"Providers MUST allow agency customers to OPT OUT of *transformative* changes whenever 
feasible."}]}],"props":[{"name":"label","value":"FRR-SCN-TR-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-SCN-IM","parts":[{"name":"overview","prose":"These requirements apply ONLY to *significant changes* of type *impact categorization*."}],"props":[{"name":"sort-id","value":"025"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"impact"}],"title":"Significant Change Notifications (Impact)","controls":[{"id":"FRR-SCN-IM-01","parts":[{"id":"FRR-SCN-IM-01_smt","name":"statement","parts":[{"id":"FRR-SCN-IM-01_smt_01","name":"item","prose":"Providers MUST follow the legacy Significant Change Request process or full re-authorization for *impact categorization* changes, with advance approval from an identified lead agency, until further notice."}]}],"props":[{"name":"label","value":"FRR-SCN-IM-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-SCN-EX","parts":[{"name":"overview","prose":"These exceptions MAY override some or all of the FedRAMP requirements for this process."}],"props":[{"name":"sort-id","value":"026"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"exceptions"}],"title":"Significant Change Notifications 
(Exceptions)","controls":[{"id":"FRR-SCN-EX-01","parts":[{"id":"FRR-SCN-EX-01_smt","name":"statement","parts":[{"id":"FRR-SCN-EX-01_smt_01","name":"item","prose":"Providers MAY be required to delay *significant changes* beyond the standard Significant Change Notification period and/or submit *significant changes* for approval in advance as a condition of a formal FedRAMP Corrective Action Plan or other agreement."}]}],"props":[{"name":"label","value":"FRR-SCN-EX-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-EX-02","parts":[{"id":"FRR-SCN-EX-02_smt","name":"statement","parts":[{"id":"FRR-SCN-EX-02_smt_01","name":"item","prose":"Providers MAY execute *significant changes* (including *transformative* changes) during an emergency or incident without meeting Significant Change Notification requirements in advance ONLY if absolutely necessary. 
In such emergencies, providers MUST follow all relevant procedures, notify all necessary parties, retroactively provide all Significant Change Notification materials, and complete appropriate assessment after the incident."}]}],"props":[{"name":"label","value":"FRR-SCN-EX-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-KSI","parts":[{"name":"overview","prose":"These requirements apply ALWAYS to ALL FedRAMP 20x authorizations based on the Effective Date(s) and Overall Applicability."}],"props":[{"name":"sort-id","value":"027"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Key Security Indicators","controls":[{"id":"FRR-KSI-01","parts":[{"id":"FRR-KSI-01_smt","name":"statement","parts":[{"id":"FRR-KSI-01_smt_01","name":"item","prose":"Cloud service providers SHOULD apply ALL Key Security Indicators to ALL aspects of their *cloud service offering* that are within the FedRAMP Minimum Assessment Scope."}]}],"props":[{"name":"label","value":"FRR-KSI-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Application of Key Security Indicators"},{"id":"FRR-KSI-02","parts":[{"id":"FRR-KSI-02_smt","name":"statement","parts":[{"id":"FRR-KSI-02_smt_01","name":"item","prose":"Providers MUST maintain simple high-level summaries of at least 
the following for each Key Security Indicator:"},{"id":"FRR-KSI-02_smt_02","name":"item","prose":"- Goals for how it will be implemented and validated, including clear pass/fail criteria and traceability\n- The consolidated *information resources* that will be validated (this should include consolidated summaries such as \"all employees with privileged access that are members of the Admin group\")\n- The machine-based processes for validation and the *persistent* cycle on which they will be performed (or an explanation of why this doesn't apply)\n- The non-machine-based processes for validation and the *persistent* cycle on which they will be performed (or an explanation of why this doesn't apply)\n- Current implementation status\n- Any clarifications or responses to the assessment summary"}]}],"props":[{"name":"label","value":"FRR-KSI-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Implementation Summaries"}]},{"id":"FRR-CCM","parts":[{"name":"overview","prose":"These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"039"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Collaborative Continuous Monitoring","controls":[{"id":"FRR-CCM-01","parts":[{"id":"FRR-CCM-01_smt","name":"statement","parts":[{"id":"FRR-CCM-01_smt_01","name":"item","prose":"Providers MUST make an *Ongoing Authorization Report* available to *all necessary parties* every 3 months, in a consistent format that is human readable, covering the entire period since the previous summary; this report MUST include 
high-level summaries of at least the following information:"},{"id":"FRR-CCM-01_smt_02","name":"item","prose":"- Changes to *authorization data*\n- Planned changes to *authorization data* during at least the next 3 months\n- *Accepted vulnerabilities*\n- *Transformative* changes\n- Updated recommendations or best practices for security, configuration, usage, or similar aspects of the *cloud service offering*"}]}],"props":[{"name":"label","value":"FRR-CCM-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Ongoing Authorization Reports"},{"id":"FRR-CCM-02","parts":[{"id":"FRR-CCM-02_smt","name":"statement","parts":[{"id":"FRR-CCM-02_smt_01","name":"item","prose":"Providers SHOULD establish a regular 3 month cycle for *Ongoing Authorization Reports* that is spread out from the beginning, middle, or end of each quarter."}]},{"name":"guidance","prose":"This recommendation is intended to discourage hundreds of cloud service providers from releasing their *Ongoing Authorization Reports* during the first or last week of each quarter because that is the easiest way for a single provider to track this deliverable; the result would overwhelm agencies with many cloud services. 
Widely used cloud service providers are encouraged to work with their customers to identify ideal timeframes for this cycle."}],"props":[{"name":"label","value":"FRR-CCM-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Avoiding Simultaneous Reports"},{"id":"FRR-CCM-03","parts":[{"id":"FRR-CCM-03_smt","name":"statement","parts":[{"id":"FRR-CCM-03_smt_01","name":"item","prose":"Providers MUST publicly include the target date for their next *Ongoing Authorization Report* with the *authorization data* required by FRR-ADS-01."}]}],"props":[{"name":"label","value":"FRR-CCM-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Public Next Report Date"},{"id":"FRR-CCM-04","parts":[{"id":"FRR-CCM-04_smt","name":"statement","parts":[{"id":"FRR-CCM-04_smt_01","name":"item","prose":"Providers MUST establish and share an asynchronous mechanism for *all necessary parties* to provide feedback or ask questions about each *Ongoing Authorization 
Report*."}]}],"props":[{"name":"label","value":"FRR-CCM-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Feedback Mechanism"},{"id":"FRR-CCM-05","parts":[{"id":"FRR-CCM-05_smt","name":"statement","parts":[{"id":"FRR-CCM-05_smt_01","name":"item","prose":"Providers MUST maintain an anonymized and desensitized summary of the feedback, questions, and answers about each *Ongoing Authorization Report* as an addendum to the *Ongoing Authorization Report*."}]},{"name":"guidance","prose":"This is intended to encourage sharing of information and decrease the burden on the cloud service provider - providing this summary will reduce duplicate questions from *agencies* and ensure FedRAMP has access to this information. 
It is generally in the provider’s interest to update this addendum frequently throughout the quarter."}],"props":[{"name":"label","value":"FRR-CCM-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Anonymized Feedback Summary"},{"id":"FRR-CCM-06","parts":[{"id":"FRR-CCM-06_smt","name":"statement","parts":[{"id":"FRR-CCM-06_smt_01","name":"item","prose":"Providers MUST NOT irresponsibly disclose sensitive information in an *Ongoing Authorization Report* that would *likely* have an adverse effect on the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-CCM-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Protect Sensitive Information"},{"id":"FRR-CCM-07","parts":[{"id":"FRR-CCM-07_smt","name":"statement","parts":[{"id":"FRR-CCM-07_smt_01","name":"item","prose":"Providers MAY responsibly share some or all of the information in an *Ongoing Authorization Report* publicly or with other parties if the provider determines doing so will NOT *likely* have an adverse effect on the *cloud service 
offering*."}]}],"props":[{"name":"label","value":"FRR-CCM-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Responsible Public Sharing"}]},{"id":"FRR-CCM-QR","parts":[{"name":"overview","prose":"These requirements and recommendations apply to providers hosting synchronous *Quarterly Reviews* with all agencies."}],"props":[{"name":"sort-id","value":"040"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"quarterly_reviews"}],"title":"Collaborative Continuous Monitoring (Quarterly Reviews)","controls":[{"id":"FRR-CCM-QR-02","parts":[{"id":"FRR-CCM-QR-02_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-02_smt_01","name":"item","prose":"Providers MUST host a synchronous *Quarterly Review* every 3 months, open to *all necessary parties* , to review aspects of the most recent *Ongoing Authorization Reports* that the provider determines are of the most relevance to *agencies*."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Quarterly Review"},{"id":"FRR-CCM-QR-03","parts":[{"id":"FRR-CCM-QR-03_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-03_smt_01","name":"item","prose":"Providers SHOULD regularly schedule *Quarterly Reviews* to occur at least 3 business days after releasing an *Ongoing Authorization Report* AND within 10 
business days of such release."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Review Scheduling Window"},{"id":"FRR-CCM-QR-04","parts":[{"id":"FRR-CCM-QR-04_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-04_smt_01","name":"item","prose":"Providers MUST NOT irresponsibly disclose sensitive information in a *Quarterly Review* that would *likely* have an adverse effect on the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"No Irresponsible Disclosure"},{"id":"FRR-CCM-QR-05","parts":[{"id":"FRR-CCM-QR-05_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-05_smt_01","name":"item","prose":"Providers MUST include either a registration link or a downloadable calendar file with meeting information for *Quarterly Reviews* in the *authorization data* available to all *necessary parties* required by FRR-ADS-06 and 
FRR-ADS-07."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Meeting Registration Info"},{"id":"FRR-CCM-QR-06","parts":[{"id":"FRR-CCM-QR-06_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-06_smt_01","name":"item","prose":"Providers MUST publicly include the target date for their next *Quarterly Review* with the *authorization data* required by FRR-ADS-01."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Next Review Date"},{"id":"FRR-CCM-QR-07","parts":[{"id":"FRR-CCM-QR-07_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-07_smt_01","name":"item","prose":"Providers SHOULD include additional information in *Quarterly Reviews* that the provider determines is of interest, use, or otherwise relevant to 
*agencies*."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Additional Content"},{"id":"FRR-CCM-QR-08","parts":[{"id":"FRR-CCM-QR-08_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-08_smt_01","name":"item","prose":"Providers SHOULD NOT invite third parties to attend *Quarterly Reviews* intended for *agencies* unless they have specific relevance."}]},{"name":"guidance","prose":"This is because *agencies* are less likely to actively participate in meetings with third parties; the cloud service provider's independent assessor should be considered relevant by default."}],"props":[{"name":"label","value":"FRR-CCM-QR-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Restrict Third Parties"},{"id":"FRR-CCM-QR-09","parts":[{"id":"FRR-CCM-QR-09_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-09_smt_01","name":"item","prose":"Providers SHOULD record or transcribe *Quarterly Reviews* and make such available to *all necessary parties* with other *authorization data* required by FRR-ADS-06 and 
FRR-ADS-07."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Record/Transcribe Reviews"},{"id":"FRR-CCM-QR-10","parts":[{"id":"FRR-CCM-QR-10_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-10_smt_01","name":"item","prose":"Providers MAY responsibly share recordings or transcriptions of *Quarterly Reviews* with the public or other parties ONLY if the provider removes all *agency* information (comments, questions, names, etc.) AND determines sharing will NOT *likely* have an adverse effect on the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Share Recordings Responsibly"},{"id":"FRR-CCM-QR-11","parts":[{"id":"FRR-CCM-QR-11_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-11_smt_01","name":"item","prose":"Providers MAY responsibly share content prepared for a *Quarterly Review* with the public or other parties if the provider determines doing so will NOT *likely* have an adverse effect on the *cloud service 
offering*."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-11"},{"name":"sort-id","value":"011"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Share Content Responsibly"}]},{"id":"FRR-CCM-AG","parts":[{"name":"overview","prose":"This section includes requirements and recommendations for *agencies* who are using FedRAMP Authorized cloud services based on statute and policy directives from OMB that apply to *agencies*."}],"props":[{"name":"sort-id","value":"041"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"agencies"}],"title":"Collaborative Continuous Monitoring (Agencies)","controls":[{"id":"FRR-CCM-AG-01","parts":[{"id":"FRR-CCM-AG-01_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-01_smt_01","name":"item","prose":"Agencies MUST review each *Ongoing Authorization Report* to understand how changes to the *cloud service offering* may impact the previously agreed-upon risk tolerance documented in the *agency's* Authorization to Operate of a federal information system that includes the *cloud service offering* in its boundary."}]},{"name":"guidance","prose":"This is required by 44 USC § 35, OMB A-130, FIPS-200, and M-24-15."}],"props":[{"name":"label","value":"FRR-CCM-AG-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Review 
Ongoing Reports"},{"id":"FRR-CCM-AG-02","parts":[{"id":"FRR-CCM-AG-02_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-02_smt_01","name":"item","prose":"Agencies SHOULD consider the Security Category noted in their Authorization to Operate of the federal information system that includes the *cloud service offering* in its boundary and assign appropriate information security resources for reviewing *Ongoing Authorization Reports* , attending *Quarterly Reviews* , and other ongoing *authorization data*."}]}],"props":[{"name":"label","value":"FRR-CCM-AG-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Consider Security Category"},{"id":"FRR-CCM-AG-04","parts":[{"id":"FRR-CCM-AG-04_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-04_smt_01","name":"item","prose":"Agencies SHOULD formally notify the provider if the information presented in an *Ongoing Authorization Report* , *Quarterly Review* , or other ongoing *authorization data* causes significant concerns that may lead the *agency* to remove the *cloud service offering* from operation."}]}],"props":[{"name":"label","value":"FRR-CCM-AG-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Notify Provider of 
Concerns"},{"id":"FRR-CCM-AG-05","parts":[{"id":"FRR-CCM-AG-05_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-05_smt_01","name":"item","prose":"Agencies MUST notify FedRAMP by sending a notification to info@fedramp.gov if the information presented in an *Ongoing Authorization Report* , *Quarterly Review* , or other ongoing *authorization data* causes significant concerns that may lead the *agency* to stop operation of the *cloud service offering*."}]},{"name":"guidance","prose":"Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a)."}],"props":[{"name":"label","value":"FRR-CCM-AG-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Notify FedRAMP of Concerns"},{"id":"FRR-CCM-AG-06","parts":[{"id":"FRR-CCM-AG-06_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-06_smt_01","name":"item","prose":"Agencies MUST NOT place additional security requirements on cloud service providers beyond those required by FedRAMP UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such; this does not apply to seeking clarification or asking general questions about *authorization data*."}]},{"name":"guidance","prose":"This is a statutory requirement in 44 USC § 3613 (e) related to the Presumption of Adequacy for a FedRAMP 
authorization."}],"props":[{"name":"label","value":"FRR-CCM-AG-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"No Additional Requirements"},{"id":"FRR-CCM-AG-07","parts":[{"id":"FRR-CCM-AG-07_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-07_smt_01","name":"item","prose":"Agencies MUST inform FedRAMP after requesting any additional information or materials from a cloud service provider beyond those FedRAMP requires by sending a notification to info@fedramp.gov."}]},{"name":"guidance","prose":"Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a)."}],"props":[{"name":"label","value":"FRR-CCM-AG-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Notify FedRAMP After Requests"}]},{"id":"FRR-MAS","parts":[{"name":"overview","prose":"These requirements apply ALWAYS to ALL FedRAMP authorizations based on the Effective Date(s) and Overall Applicability."}],"props":[{"name":"sort-id","value":"042"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Minimum Assessment Scope","controls":[{"id":"FRR-MAS-01","parts":[{"id":"FRR-MAS-01_smt","name":"statement","parts":[{"id":"FRR-MAS-01_smt_01","name":"item","prose":"Providers MUST identify a set of *information 
resources* to assess for FedRAMP authorization that includes all *information resources* that are *likely* to *handle* *federal customer data* or *likely* to impact the confidentiality, integrity, or availability of *federal customer data* *handled* by the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-MAS-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Cloud Service Offering Identification"},{"id":"FRR-MAS-02","parts":[{"id":"FRR-MAS-02_smt","name":"statement","parts":[{"id":"FRR-MAS-02_smt_01","name":"item","prose":"Providers MUST include the configuration and usage of *third-party information resources* , ONLY IF *FRR-MAS-01* APPLIES."}]}],"props":[{"name":"label","value":"FRR-MAS-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Third-Party Information Resources"},{"id":"FRR-MAS-03","parts":[{"id":"FRR-MAS-03_smt","name":"statement","parts":[{"id":"FRR-MAS-03_smt_01","name":"item","prose":"Providers MUST clearly identify and document the justification, mitigation measures, compensating controls, and potential impact to *federal customer data* from the configuration and usage of non-FedRAMP authorized *third-party information resources* , ONLY IF *FRR-MAS-01* 
APPLIES."}]}],"props":[{"name":"label","value":"FRR-MAS-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Non-FedRAMP Authorized Third-Party Information Resources"},{"id":"FRR-MAS-04","parts":[{"id":"FRR-MAS-04_smt","name":"statement","parts":[{"id":"FRR-MAS-04_smt_01","name":"item","prose":"Providers MUST include metadata (including metadata about *federal customer data* ), ONLY IF *FRR-MAS-01* APPLIES."}]}],"props":[{"name":"label","value":"FRR-MAS-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Metadata Inclusion"},{"id":"FRR-MAS-05","parts":[{"id":"FRR-MAS-05_smt","name":"statement","parts":[{"id":"FRR-MAS-05_smt_01","name":"item","prose":"Providers MUST clearly identify, document, and explain information flows and impact levels for ALL *information resources* , ONLY IF *FRR-MAS-01* 
APPLIES."}]}],"props":[{"name":"label","value":"FRR-MAS-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Information Flows and Impact Levels"}]},{"id":"FRR-MAS-AY","parts":[{"name":"overview","prose":"This section provides general guidance on the application of this process."}],"props":[{"name":"sort-id","value":"043"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"application"}],"title":"Minimum Assessment Scope (Application)","controls":[{"id":"FRR-MAS-AY-01","links":[{"href":"http://fedramp.gov/scope","text":"Overall Scope of FedRAMP"}],"parts":[{"id":"FRR-MAS-AY-01_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-01_smt_01","name":"item","prose":"Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the *cloud service offering* for FedRAMP. 
For more, see https://fedramp.gov/scope."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Scope of FedRAMP"},{"id":"FRR-MAS-AY-02","links":[{"href":"http://fedramp.gov/scope","text":"Overall Scope of FedRAMP"}],"parts":[{"id":"FRR-MAS-AY-02_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-02_smt_01","name":"item","prose":"Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore not included in the *cloud service offering* for FedRAMP. 
For more, see fedramp.gov/scope."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Non-Cloud-Based Software"},{"id":"FRR-MAS-AY-03","parts":[{"id":"FRR-MAS-AY-03_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-03_smt_01","name":"item","prose":"*Information resources* (including *third-party information resources* ) that do not meet the conditions in FRR-MAS-01 are not included in the *cloud service offering* for FedRAMP (*FRR-MAS-02*)."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Exclusion of Non-Impacting Information Resources"},{"id":"FRR-MAS-AY-04","parts":[{"id":"FRR-MAS-AY-04_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-04_smt_01","name":"item","prose":"*Information 
resources* (including *third-party information resources* ) MAY vary by impact level as appropriate to the level of information *handled* or impacted by the information resource (*FRR-MAS-05*)."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Impact Level Variations"},{"id":"FRR-MAS-AY-05","parts":[{"id":"FRR-MAS-AY-05_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-05_smt_01","name":"item","prose":"All parties SHOULD review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Scope as needed."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Review of Best 
Practices"},{"id":"FRR-MAS-AY-06","parts":[{"id":"FRR-MAS-AY-06_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-06_smt_01","name":"item","prose":"All aspects of the *cloud service offering* are determined and maintained by the cloud service provider in accordance with related FedRAMP authorization requirements and documented by the cloud service provider in their assessment and authorization materials."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Cloud Service Offering Determination"}]},{"id":"FRR-MAS-EX","parts":[{"name":"overview","prose":"These exceptions MAY override some or all of the FedRAMP requirements for this process."}],"props":[{"name":"sort-id","value":"044"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"exceptions"}],"title":"Minimum Assessment Scope (Exceptions)","controls":[{"id":"FRR-MAS-EX-01","parts":[{"id":"FRR-MAS-EX-01_smt","name":"statement","parts":[{"id":"FRR-MAS-EX-01_smt_01","name":"item","prose":"Providers MAY include documentation of *information resources* beyond the *cloud service offering* , or even entirely outside the scope of FedRAMP, in a FedRAMP assessment and *authorization package* supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the *cloud service 
offering*."}]}],"props":[{"name":"label","value":"FRR-MAS-EX-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Supplemental Information"}]}]},{"id":"KSI","props":[{"name":"sort-id","value":"01"}],"title":"Key Security Indicators","groups":[{"id":"KSI-AFR","parts":[{"name":"overview","prose":"# THEME\n\nA secure cloud service provider seeking FedRAMP authorization will address all FedRAMP 20x requirements and recommendations, including government-specific requirements for maintaining a secure system and reporting on activities to government customers."}],"props":[{"name":"sort-id","value":"028"}],"title":"Authorization by FedRAMP","controls":[{"id":"KSI-AFR-01","links":[{"href":"https://fedramp.gov/docs/minimum-assessment-scope","text":"Minimum Assessment Scope"}],"parts":[{"id":"KSI-AFR-01_smt","name":"statement","parts":[{"id":"KSI-AFR-01_smt_01","name":"item","prose":"Apply the FedRAMP Minimum Assessment Scope (MAS) to identify and document the scope of the cloud service offering to be assessed for FedRAMP authorization and persistently address all related requirements and recommendations."}]}],"props":[{"name":"label","value":"KSI-AFR-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Minimum Assessment Scope"},{"id":"KSI-AFR-02","links":[{"href":"https://fedramp.gov/docs/key-security-indicators","text":"Key Security 
Indicators"}],"parts":[{"id":"KSI-AFR-02_smt","name":"statement","parts":[{"id":"KSI-AFR-02_smt_01","name":"item","prose":"Set security goals for the cloud service offering based on FedRAMP 20x Phase Two Key Security Indicators (KSIs - you are here), develop automated validation of status and progress to the greatest extent possible, and persistently address all related requirements and recommendations."}]},{"name":"guidance","prose":"This KSI is not intended to create an infinite loop; unlike other KSI-AFR themed indicators, this KSI is addressed by otherwise addressing all the KSIs. Providers and assessors may use this KSI to summarize the approach, coverage, status, etc. but are not expected to include all KSIs within this KSI in an infinite loop."}],"props":[{"name":"label","value":"KSI-AFR-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Key Security Indicators"},{"id":"KSI-AFR-03","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access Enforcement","resource-fragment":"ac-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Flow Enforcement","resource-fragment":"ac-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Event Logging","resource-fragment":"au-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Content of Audit Records","resource-fragment":"au-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Audit Record Review, Analysis, and Reporting","resource-fragment":"au-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Control Assessments","resource-fragment":"ca-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Handling","resource-fragment":"ir-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Vulnerability Monitoring and 
Scanning","resource-fragment":"ra-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Transmission Confidentiality and Integrity","resource-fragment":"sc-8"},{"href":"https://fedramp.gov/docs/authorization-data-sharing","text":"Authorization Data Sharing"}],"parts":[{"id":"KSI-AFR-03_smt","name":"statement","parts":[{"id":"KSI-AFR-03_smt_01","name":"item","prose":"Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) process and persistently address all related requirements and recommendations."}]}],"props":[{"name":"label","value":"KSI-AFR-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Authorization Data Sharing"},{"id":"KSI-AFR-04","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Control Assessments","resource-fragment":"ca-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Continuous Monitoring","resource-fragment":"ca-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automation Support for Monitoring","resource-fragment":"ca-7.6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"ir-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Handling","resource-fragment":"ir-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Incident Handling Processes","resource-fragment":"ir-4.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Monitoring","resource-fragment":"ir-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Tracking, Data Collection, and Analysis","resource-fragment":"ir-5.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Reporting","resource-fragment":"ir-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated 
Reporting","resource-fragment":"ir-6.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Vulnerabilities Related to Incidents","resource-fragment":"ir-6.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Security and Privacy Resources","resource-fragment":"pm-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Inventory","resource-fragment":"pm-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Continuous Monitoring Strategy","resource-fragment":"pm-31"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Security Categorization","resource-fragment":"ra-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Impact-level Prioritization","resource-fragment":"ra-2.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Risk Assessment","resource-fragment":"ra-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Dynamic Threat Awareness","resource-fragment":"ra-3.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Vulnerability Monitoring and Scanning","resource-fragment":"ra-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Update Vulnerabilities to Be Scanned","resource-fragment":"ra-5.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Breadth and Depth of Coverage","resource-fragment":"ra-5.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Discoverable Information","resource-fragment":"ra-5.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Privileged Access","resource-fragment":"ra-5.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Trend Analyses","resource-fragment":"ra-5.6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Detection and Notification of Unauthorized Components","resource-fragment":"ra-5.7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Public Disclosure Program","resource-fragment":"ra-5.11"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Criticality 
Analysis","resource-fragment":"ra-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Threat Hunting","resource-fragment":"ra-10"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Flaw Remediation","resource-fragment":"si-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Central Management","resource-fragment":"si-2.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Flaw Remediation Status","resource-fragment":"si-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Patch Management Tools","resource-fragment":"si-2.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automatic Software and Firmware Updates","resource-fragment":"si-2.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Malicious Code Protection","resource-fragment":"si-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Central Management","resource-fragment":"si-3.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automatic Updates","resource-fragment":"si-3.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Monitoring","resource-fragment":"si-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Tools and Mechanisms for Real-time Analysis","resource-fragment":"si-4.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Tool and Mechanism Integration","resource-fragment":"si-4.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Response to Suspicious Events","resource-fragment":"si-4.7"},{"href":"https://fedramp.gov/docs/vulnerability-detection-and-response","text":"Vulnerability Detection and Response"}],"parts":[{"id":"KSI-AFR-04_smt","name":"statement","parts":[{"id":"KSI-AFR-04_smt_01","name":"item","prose":"Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related 
requirements and recommendations."}]}],"props":[{"name":"label","value":"KSI-AFR-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Vulnerability Detection and Response"},{"id":"KSI-AFR-05","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Risk Monitoring","resource-fragment":"ca-7.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Security and Privacy Representatives","resource-fragment":"cm-3.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Impact Analyses","resource-fragment":"cm-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Periodic Review","resource-fragment":"cm-7.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Response to Audit Logging Process Failures","resource-fragment":"au-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Plan of Action and Milestones","resource-fragment":"ca-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Continuous Monitoring","resource-fragment":"ca-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Vulnerability Monitoring and Scanning","resource-fragment":"ra-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Update Vulnerabilities to Be Scanned","resource-fragment":"ra-5.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Unsupported System Components","resource-fragment":"sa-22"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Flaw Remediation","resource-fragment":"si-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Flaw Remediation Status","resource-fragment":"si-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Malicious Code Protection","resource-fragment":"si-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Security Alerts, Advisories, and 
Directives","resource-fragment":"si-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Integration of Detection and Response","resource-fragment":"si-7.7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Input Validation","resource-fragment":"si-10"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Error Handling","resource-fragment":"si-11"},{"href":"https://fedramp.gov/docs/significant-change-notifications","text":"Significant Change Notifications"}],"parts":[{"id":"KSI-AFR-05_smt","name":"statement","parts":[{"id":"KSI-AFR-05_smt_01","name":"item","prose":"Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) process and persistently address all related requirements and recommendations."}]}],"props":[{"name":"label","value":"KSI-AFR-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Significant Change Notifications"},{"id":"KSI-AFR-06","links":[{"href":"https://fedramp.gov/docs/collaborative-continuous-monitoring","text":"Collaborative Continuous Monitoring"}],"parts":[{"id":"KSI-AFR-06_smt","name":"statement","parts":[{"id":"KSI-AFR-06_smt_01","name":"item","prose":"Maintain a plan and process for providing Ongoing Authorization Reports and Quarterly Reviews for all necessary parties in alignment with the FedRAMP Collaborative Continuous Monitoring (CCM) process and persistently address all related requirements and recommendations."}]}],"props":[{"name":"label","value":"KSI-AFR-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Collaborative Continuous 
Monitoring"},{"id":"KSI-AFR-07","links":[{"href":"https://fedramp.gov/docs/recommended-secure-configuration","text":"Recommended Secure Configuration"}],"parts":[{"id":"KSI-AFR-07_smt","name":"statement","parts":[{"id":"KSI-AFR-07_smt_01","name":"item","prose":"Develop secure by default configurations and provide guidance for secure configuration of the cloud service offering to customers in alignment with the FedRAMP Recommended Secure Configuration (RSC) guidance process and persistently address all related requirements and recommendations."}]}],"props":[{"name":"label","value":"KSI-AFR-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Recommended Secure Configuration"},{"id":"KSI-AFR-08","links":[{"href":"https://fedramp.gov/docs/fedramp-security-inbox","text":"FedRAMP Security Inbox"}],"parts":[{"id":"KSI-AFR-08_smt","name":"statement","parts":[{"id":"KSI-AFR-08_smt_01","name":"item","prose":"Operate a secure inbox to receive critical communication from FedRAMP and other government entities in alignment with FedRAMP Security Inbox (FSI) requirements and persistently address all related requirements and recommendations."}]}],"props":[{"name":"label","value":"KSI-AFR-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"FedRAMP Security Inbox"},{"id":"KSI-AFR-09","links":[{"href":"https://fedramp.gov/docs/persistent-validation-and-assessment","text":"Persistent Validation and Assessment"}],"parts":[{"id":"KSI-AFR-09_smt","name":"statement","parts":[{"id":"KSI-AFR-09_smt_01","name":"item","prose":"Persistently validate, assess, and report on the effectiveness and status of security decisions and policies that are implemented within the cloud service offering in 
alignment with the FedRAMP 20x Persistent Validation and Assessment (PVA) process, and persistently address all related requirements and recommendations."}]}],"props":[{"name":"label","value":"KSI-AFR-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Persistent Validation and Assessment"},{"id":"KSI-AFR-10","links":[{"href":"https://fedramp.gov/docs/incident-communications-procedures","text":"Incident Communications Procedures"}],"parts":[{"id":"KSI-AFR-10_smt","name":"statement","parts":[{"id":"KSI-AFR-10_smt_01","name":"item","prose":"Integrate FedRAMP's Incident Communications Procedures (ICP) into incident response procedures and persistently address all related requirements and recommendations."}]}],"props":[{"name":"label","value":"KSI-AFR-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Incident Communications Procedures"},{"id":"KSI-AFR-11","links":[{"href":"https://fedramp.gov/docs/using-cryptographic-modules","text":"Using Cryptographic Modules"}],"parts":[{"id":"KSI-AFR-11_smt","name":"statement","parts":[{"id":"KSI-AFR-11_smt_01","name":"item","prose":"Ensure that cryptographic modules used to protect potentially sensitive federal customer data are selected and used in alignment with the FedRAMP 20x Using Cryptographic Modules (UCM) guidance and persistently address all related requirements and recommendations."}]}],"props":[{"name":"label","value":"KSI-AFR-11"},{"name":"sort-id","value":"011"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Using Cryptographic Modules"}]},{"id":"KSI-CED","parts":[{"name":"overview","prose":"# 
THEME\n\nA secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them *regularly* to ensure their knowledge is satisfactory."}],"props":[{"name":"sort-id","value":"029"}],"title":"Cybersecurity Education","controls":[{"id":"KSI-CED-01","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Literacy Training and Awareness","resource-fragment":"at-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Insider Threat","resource-fragment":"at-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Social Engineering and Mining","resource-fragment":"at-2.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Processing Personally Identifiable Information","resource-fragment":"at-3.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Training Records","resource-fragment":"at-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Breach","resource-fragment":"ir-2.3"}],"parts":[{"id":"KSI-CED-01_smt","name":"statement","parts":[{"id":"KSI-CED-01_smt_01","name":"item","prose":"Require and monitor the effectiveness of training given to all employees on policies, procedures, and security-related topics."}]}],"props":[{"name":"label","value":"KSI-CED-01"},{"name":"sort-id","value":"012"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"General Education"},{"id":"KSI-CED-02","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Literacy Training and Awareness","resource-fragment":"at-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Social Engineering and Mining","resource-fragment":"at-2.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Role-based Training","resource-fragment":"at-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Anti-counterfeit 
Training","resource-fragment":"sr-11.1"}],"parts":[{"id":"KSI-CED-02_smt","name":"statement","parts":[{"id":"KSI-CED-02_smt_01","name":"item","prose":"Require and monitor the effectiveness of role-specific training for high risk roles, including at least roles with privileged access."}]}],"props":[{"name":"label","value":"KSI-CED-02"},{"name":"sort-id","value":"013"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Role-Specific Education"},{"id":"KSI-CED-03","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Contingency Training","resource-fragment":"cp-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Response Training","resource-fragment":"ir-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access Agreements","resource-fragment":"ps-6"}],"parts":[{"id":"KSI-CED-03_smt","name":"statement","parts":[{"id":"KSI-CED-03_smt_01","name":"item","prose":"Require and monitor the effectiveness of role-specific training provided to development and engineering staff that covers best practices for delivering secure software."}]}],"props":[{"name":"label","value":"KSI-CED-03"},{"name":"sort-id","value":"014"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Development and Engineering Education"},{"id":"KSI-CED-04","parts":[{"id":"KSI-CED-04_smt","name":"statement","parts":[{"id":"KSI-CED-04_smt_01","name":"item","prose":"Require and monitor the effectiveness of role-specific training to staff involved with incident response or disaster recovery."}]}],"props":[{"name":"label","value":"KSI-CED-04"},{"name":"sort-id","value":"015"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Incident 
Response and Disaster Recovery Education"}]},{"id":"KSI-CMT","parts":[{"name":"overview","prose":"# THEME\n\nA secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly."}],"props":[{"name":"sort-id","value":"030"}],"title":"Change Management","controls":[{"id":"KSI-CMT-01","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Event Logging","resource-fragment":"au-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configuration Change Control","resource-fragment":"cm-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Testing, Validation, and Documentation of Changes","resource-fragment":"cm-3.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Verification of Controls","resource-fragment":"cm-4.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configuration Settings","resource-fragment":"cm-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Unauthorized Component Detection","resource-fragment":"cm-8.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Controlled Maintenance","resource-fragment":"ma-2"}],"parts":[{"id":"KSI-CMT-01_smt","name":"statement","parts":[{"id":"KSI-CMT-01_smt_01","name":"item","prose":"Log and monitor modifications to the cloud service offering."}]}],"props":[{"name":"label","value":"KSI-CMT-01"},{"name":"sort-id","value":"016"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Log and Monitor Changes"},{"id":"KSI-CMT-02","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Baseline Configuration","resource-fragment":"cm-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configuration Change Control","resource-fragment":"cm-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access Restrictions for 
Change","resource-fragment":"cm-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configuration Settings","resource-fragment":"cm-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Least Functionality","resource-fragment":"cm-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Updates During Installation and Removal","resource-fragment":"cm-8.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Malicious Code Protection","resource-fragment":"si-3"}],"parts":[{"id":"KSI-CMT-02_smt","name":"statement","parts":[{"id":"KSI-CMT-02_smt_01","name":"item","prose":"Execute changes through redeployment of version-controlled immutable resources rather than direct modification wherever possible."}]}],"props":[{"name":"label","value":"KSI-CMT-02"},{"name":"sort-id","value":"017"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Redeployment"},{"id":"KSI-CMT-03","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configuration Change Control","resource-fragment":"cm-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Testing, Validation, and Documentation of Changes","resource-fragment":"cm-3.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Verification of Controls","resource-fragment":"cm-4.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Flaw Remediation","resource-fragment":"si-2"}],"parts":[{"id":"KSI-CMT-03_smt","name":"statement","parts":[{"id":"KSI-CMT-03_smt_01","name":"item","prose":"Automate persistent testing and validation of changes throughout deployment."}]}],"props":[{"name":"label","value":"KSI-CMT-03"},{"name":"sort-id","value":"018"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Automated Testing and 
Validation"},{"id":"KSI-CMT-04","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configuration Change Control","resource-fragment":"cm-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Testing, Validation, and Documentation of Changes","resource-fragment":"cm-3.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Security and Privacy Representatives","resource-fragment":"cm-3.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access Restrictions for Change","resource-fragment":"cm-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Periodic Review","resource-fragment":"cm-7.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configuration Management Plan","resource-fragment":"cm-9"}],"parts":[{"id":"KSI-CMT-04_smt","name":"statement","parts":[{"id":"KSI-CMT-04_smt_01","name":"item","prose":"Always follow a documented change management procedure."}]}],"props":[{"name":"label","value":"KSI-CMT-04"},{"name":"sort-id","value":"019"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Change Management Procedure"}]},{"id":"KSI-CNA","parts":[{"name":"overview","prose":"# THEME\n\nA secure *cloud service offering* will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system."}],"props":[{"name":"sort-id","value":"031"}],"title":"Cloud Native Architecture","controls":[{"id":"KSI-CNA-01","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Managed Access Control Points","resource-fragment":"ac-17.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Internal System Connections","resource-fragment":"ca-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Periodic Review","resource-fragment":"cm-7.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Deny by Default — Allow by 
Exception","resource-fragment":"sc-7.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Spam Protection","resource-fragment":"si-8"}],"parts":[{"id":"KSI-CNA-01_smt","name":"statement","parts":[{"id":"KSI-CNA-01_smt_01","name":"item","prose":"Configure all machine-based information resources to limit inbound and outbound network traffic."}]}],"props":[{"name":"label","value":"KSI-CNA-01"},{"name":"sort-id","value":"021"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Restrict Network Traffic"},{"id":"KSI-CNA-02","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Managed Access Control Points","resource-fragment":"ac-17.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Authentication and Encryption","resource-fragment":"ac-18.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Disable Wireless Networking","resource-fragment":"ac-18.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Limits on Authorized Use","resource-fragment":"ac-20.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Internal System Connections","resource-fragment":"ca-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access Points","resource-fragment":"sc-7.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"External Telecommunications Services","resource-fragment":"sc-7.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Deny by Default — Allow by Exception","resource-fragment":"sc-7.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Route Traffic to Authenticated Proxy Servers","resource-fragment":"sc-7.8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Transmission Confidentiality and Integrity","resource-fragment":"sc-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Network 
Disconnect","resource-fragment":"sc-10"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Input Validation","resource-fragment":"si-10"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Error Handling","resource-fragment":"si-11"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Memory Protection","resource-fragment":"si-16"}],"parts":[{"id":"KSI-CNA-02_smt","name":"statement","parts":[{"id":"KSI-CNA-02_smt_01","name":"item","prose":"Design systems to minimize the attack surface and minimize lateral movement if compromised."}]}],"props":[{"name":"label","value":"KSI-CNA-02"},{"name":"sort-id","value":"022"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Minimize the Attack Surface"},{"id":"KSI-CNA-03","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Session Termination","resource-fragment":"ac-12"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Managed Access Control Points","resource-fragment":"ac-17.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Internal System Connections","resource-fragment":"ca-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information in Shared System Resources","resource-fragment":"sc-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Boundary Protection","resource-fragment":"sc-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Split Tunneling for Remote Devices","resource-fragment":"sc-7.7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Transmission Confidentiality and Integrity","resource-fragment":"sc-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Network Disconnect","resource-fragment":"sc-10"}],"parts":[{"id":"KSI-CNA-03_smt","name":"statement","parts":[{"id":"KSI-CNA-03_smt_01","name":"item","prose":"Use logical networking and related capabilities to enforce traffic flow 
controls."}]}],"props":[{"name":"label","value":"KSI-CNA-03"},{"name":"sort-id","value":"023"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Enforce Traffic Flow"},{"id":"KSI-CNA-04","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Baseline Configuration","resource-fragment":"cm-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Malicious Code Protection","resource-fragment":"si-3"}],"parts":[{"id":"KSI-CNA-04_smt","name":"statement","parts":[{"id":"KSI-CNA-04_smt_01","name":"item","prose":"Use immutable infrastructure with strictly defined functionality and privileges by default."}]}],"props":[{"name":"label","value":"KSI-CNA-04"},{"name":"sort-id","value":"024"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Immutable Infrastructure"},{"id":"KSI-CNA-05","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Denial-of-service Protection","resource-fragment":"sc-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Spam Protection","resource-fragment":"si-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automatic Updates","resource-fragment":"si-8.2"}],"parts":[{"id":"KSI-CNA-05_smt","name":"statement","parts":[{"id":"KSI-CNA-05_smt_01","name":"item","prose":"Protect against denial of service attacks and other unwanted activity."}]}],"props":[{"name":"label","value":"KSI-CNA-05"},{"name":"sort-id","value":"025"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Unwanted Activity"},{"id":"KSI-CNA-06","parts":[{"id":"KSI-CNA-06_smt","name":"statement","parts":[{"id":"KSI-CNA-06_smt_01","name":"item","prose":"Design systems for high availability and rapid 
recovery."}]}],"props":[{"name":"label","value":"KSI-CNA-06"},{"name":"sort-id","value":"026"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"High Availability"},{"id":"KSI-CNA-07","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Managed Access Control Points","resource-fragment":"ac-17.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Baseline Configuration","resource-fragment":"cm-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Baseline Selection","resource-fragment":"pl-10"}],"parts":[{"id":"KSI-CNA-07_smt","name":"statement","parts":[{"id":"KSI-CNA-07_smt_01","name":"item","prose":"Ensure cloud-native *information resources* are implemented based on host provider's best practices and documented guidance."}]}],"props":[{"name":"label","value":"KSI-CNA-07"},{"name":"sort-id","value":"027"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Best Practices"},{"id":"KSI-CNA-08","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Independent Assessors","resource-fragment":"ca-2.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Independent Assessment","resource-fragment":"ca-7.1"}],"parts":[{"id":"KSI-CNA-08_smt","name":"statement","parts":[{"id":"KSI-CNA-08_smt_01","name":"item","prose":"Use automated services to persistently assess the security posture of all machine-based information resources and automatically enforce their intended operational state."}]}],"props":[{"name":"label","value":"KSI-CNA-08"},{"name":"sort-id","value":"028"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Persistent Assessment and Automated Enforcement"}]},{"id":"KSI-IAM","parts":[{"name":"overview","prose":"# THEME\n\nA secure *cloud service offering* 
will protect user data, control access, and apply zero trust principles."}],"props":[{"name":"sort-id","value":"032"}],"title":"Identity and Access Management","controls":[{"id":"KSI-IAM-01","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Account Management","resource-fragment":"ac-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identification and Authentication (Organizational Users)","resource-fragment":"ia-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Multi-factor Authentication to Privileged Accounts","resource-fragment":"ia-2.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Multi-factor Authentication to Non-privileged Accounts","resource-fragment":"ia-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access to Accounts — Replay Resistant","resource-fragment":"ia-2.8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Authenticator Management","resource-fragment":"ia-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identification and Authentication (Non-organizational Users)","resource-fragment":"ia-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Session Authenticity","resource-fragment":"sc-23"}],"parts":[{"id":"KSI-IAM-01_smt","name":"statement","parts":[{"id":"KSI-IAM-01_smt_01","name":"item","prose":"Enforce multi-factor authentication (MFA) using methods that are difficult to intercept or impersonate (phishing-resistant MFA) for all user authentication."}]}],"props":[{"name":"label","value":"KSI-IAM-01"},{"name":"sort-id","value":"029"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Phishing-Resistant MFA"},{"id":"KSI-IAM-02","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Account Management","resource-fragment":"ac-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access 
Enforcement","resource-fragment":"ac-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Multi-factor Authentication to Privileged Accounts","resource-fragment":"ia-2.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Multi-factor Authentication to Non-privileged Accounts","resource-fragment":"ia-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access to Accounts — Replay Resistant","resource-fragment":"ia-2.8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Password-based Authentication","resource-fragment":"ia-5.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Public Key-based Authentication","resource-fragment":"ia-5.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Protection of Authenticators","resource-fragment":"ia-5.6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Authentication Feedback","resource-fragment":"ia-6"}],"parts":[{"id":"KSI-IAM-02_smt","name":"statement","parts":[{"id":"KSI-IAM-02_smt_01","name":"item","prose":"Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA."}]}],"props":[{"name":"label","value":"KSI-IAM-02"},{"name":"sort-id","value":"030"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Passwordless Authentication"},{"id":"KSI-IAM-03","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Account Management","resource-fragment":"ac-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Temporary and Emergency Account Management","resource-fragment":"ac-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Flow Enforcement","resource-fragment":"ac-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Privileged Accounts","resource-fragment":"ac-6.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Device 
Identification and Authentication","resource-fragment":"ia-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Public Key-based Authentication","resource-fragment":"ia-5.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Privileged Access","resource-fragment":"ra-5.5"}],"parts":[{"id":"KSI-IAM-03_smt","name":"statement","parts":[{"id":"KSI-IAM-03_smt_01","name":"item","prose":"Enforce appropriately secure authentication methods for non-user accounts and services."}]}],"props":[{"name":"label","value":"KSI-IAM-03"},{"name":"sort-id","value":"031"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Non-User Accounts"},{"id":"KSI-IAM-04","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Account Management","resource-fragment":"ac-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated System Account Management","resource-fragment":"ac-2.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Temporary and Emergency Account Management","resource-fragment":"ac-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Disable Accounts","resource-fragment":"ac-2.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Audit Actions","resource-fragment":"ac-2.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Dynamic Privilege Management","resource-fragment":"ac-2.6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access Enforcement","resource-fragment":"ac-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Flow Enforcement","resource-fragment":"ac-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Separation of Duties","resource-fragment":"ac-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Least Privilege","resource-fragment":"ac-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Authorize Access to Security 
Functions","resource-fragment":"ac-6.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Non-privileged Access for Nonsecurity Functions","resource-fragment":"ac-6.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Privileged Accounts","resource-fragment":"ac-6.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Review of User Privileges","resource-fragment":"ac-6.7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Log Use of Privileged Functions","resource-fragment":"ac-6.9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Prohibit Non-privileged Users from Executing Privileged Functions","resource-fragment":"ac-6.10"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Unsuccessful Logon Attempts","resource-fragment":"ac-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Limits on Authorized Use","resource-fragment":"ac-20.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Remote Access","resource-fragment":"ac-17"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access by Subset of Privileged Users","resource-fragment":"au-9.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access Restrictions for Change","resource-fragment":"cm-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Least Functionality","resource-fragment":"cm-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Prevent Program Execution","resource-fragment":"cm-7.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Authorized Software — Allow-by-exception","resource-fragment":"cm-7.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configuration Management Plan","resource-fragment":"cm-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identifier Management","resource-fragment":"ia-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identify User Status","resource-fragment":"ia-4.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Cryptographic Module 
Authentication","resource-fragment":"ia-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Position Risk Designation","resource-fragment":"ps-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Personnel Screening","resource-fragment":"ps-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Personnel Termination","resource-fragment":"ps-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Personnel Transfer","resource-fragment":"ps-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access Agreements","resource-fragment":"ps-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Position Descriptions","resource-fragment":"ps-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Privileged Access","resource-fragment":"ra-5.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Separation of System and User Functionality","resource-fragment":"sc-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Session Authenticity","resource-fragment":"sc-23"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Process Isolation","resource-fragment":"sc-39"}],"parts":[{"id":"KSI-IAM-04_smt","name":"statement","parts":[{"id":"KSI-IAM-04_smt_01","name":"item","prose":"Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services."}]}],"props":[{"name":"label","value":"KSI-IAM-04"},{"name":"sort-id","value":"032"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Just-in-Time Authorization"},{"id":"KSI-IAM-05","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Inactivity Logout","resource-fragment":"ac-2.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Dynamic Privilege Management","resource-fragment":"ac-2.6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access 
Enforcement","resource-fragment":"ac-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Flow Enforcement","resource-fragment":"ac-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Least Privilege","resource-fragment":"ac-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Session Termination","resource-fragment":"ac-12"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Permitted Actions Without Identification or Authentication","resource-fragment":"ac-14"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Remote Access","resource-fragment":"ac-17"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Monitoring and Control","resource-fragment":"ac-17.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Protection of Confidentiality and Integrity Using Encryption","resource-fragment":"ac-17.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Managed Access Control Points","resource-fragment":"ac-17.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Use of External Systems","resource-fragment":"ac-20"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Limits on Authorized Use","resource-fragment":"ac-20.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configure Systems and Components for High-risk Areas","resource-fragment":"cm-2.7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configuration Management Plan","resource-fragment":"cm-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identification and Authentication (Organizational Users)","resource-fragment":"ia-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Device Identification and Authentication","resource-fragment":"ia-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identifier Management","resource-fragment":"ia-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identify User 
Status","resource-fragment":"ia-4.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Public Key-based Authentication","resource-fragment":"ia-5.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Protection of Authenticators","resource-fragment":"ia-5.6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Re-authentication","resource-fragment":"ia-11"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Position Risk Designation","resource-fragment":"ps-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Personnel Screening","resource-fragment":"ps-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Personnel Termination","resource-fragment":"ps-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Personnel Transfer","resource-fragment":"ps-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Access Agreements","resource-fragment":"ps-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information in Shared System Resources","resource-fragment":"sc-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Secure Name/Address Resolution Service (Authoritative Source)","resource-fragment":"sc-20"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Secure Name/Address Resolution Service (Recursive or Caching Resolver)","resource-fragment":"sc-21"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Architecture and Provisioning for Name/Address Resolution Service","resource-fragment":"sc-22"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Session Authenticity","resource-fragment":"sc-23"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Process Isolation","resource-fragment":"sc-39"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Malicious Code Protection","resource-fragment":"si-3"}],"parts":[{"id":"KSI-IAM-05_smt","name":"statement","parts":[{"id":"KSI-IAM-05_smt_01","name":"item","prose":"Configure identity and access management with measures that always verify each 
user or device can only access the resources they need."}]}],"props":[{"name":"label","value":"KSI-IAM-05"},{"name":"sort-id","value":"033"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Least Privilege"},{"id":"KSI-IAM-06","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Account Management","resource-fragment":"ac-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated System Account Management","resource-fragment":"ac-2.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Disable Accounts","resource-fragment":"ac-2.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Disable Accounts for High-risk Individuals","resource-fragment":"ac-2.13"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Unsuccessful Logon Attempts","resource-fragment":"ac-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Personnel Termination","resource-fragment":"ps-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Personnel Sanctions","resource-fragment":"ps-8"}],"parts":[{"id":"KSI-IAM-06_smt","name":"statement","parts":[{"id":"KSI-IAM-06_smt_01","name":"item","prose":"Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity"}]}],"props":[{"name":"label","value":"KSI-IAM-06"},{"name":"sort-id","value":"034"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Suspicious Activity"},{"id":"KSI-IAM-07","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Temporary and Emergency Account Management","resource-fragment":"ac-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Disable Accounts","resource-fragment":"ac-2.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Disable Accounts for High-risk 
Individuals","resource-fragment":"ac-2.13"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Review of User Privileges","resource-fragment":"ac-6.7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identify User Status","resource-fragment":"ia-4.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identity Proofing","resource-fragment":"ia-12"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identity Evidence","resource-fragment":"ia-12.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identity Evidence Validation and Verification","resource-fragment":"ia-12.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Address Confirmation","resource-fragment":"ia-12.5"}],"parts":[{"id":"KSI-IAM-07_smt","name":"statement","parts":[{"id":"KSI-IAM-07_smt_01","name":"item","prose":"Securely manage the lifecycle and privileges of all accounts, roles, and groups, using automation."}]}],"props":[{"name":"label","value":"KSI-IAM-07"},{"name":"sort-id","value":"035"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Automated Account Management"}]},{"id":"KSI-INR","parts":[{"name":"overview","prose":"# THEME\n\nA secure *cloud service offering* will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement."}],"props":[{"name":"sort-id","value":"033"}],"title":"Incident Response","controls":[{"id":"KSI-INR-01","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Handling","resource-fragment":"ir-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Incident Handling Processes","resource-fragment":"ir-4.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Reporting","resource-fragment":"ir-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated 
Reporting","resource-fragment":"ir-6.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Supply Chain Coordination","resource-fragment":"ir-6.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Response Assistance","resource-fragment":"ir-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automation Support for Availability of Information and Support","resource-fragment":"ir-7.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Response Plan","resource-fragment":"ir-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Breaches","resource-fragment":"ir-8.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System-generated Alerts","resource-fragment":"si-4.5"}],"parts":[{"id":"KSI-INR-01_smt","name":"statement","parts":[{"id":"KSI-INR-01_smt_01","name":"item","prose":"Always follow a documented incident response procedure."}]}],"props":[{"name":"label","value":"KSI-INR-01"},{"name":"sort-id","value":"036"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Incident Response Procedure"},{"id":"KSI-INR-02","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Response Testing","resource-fragment":"ir-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Handling","resource-fragment":"ir-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Incident Handling Processes","resource-fragment":"ir-4.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Monitoring","resource-fragment":"ir-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Response Plan","resource-fragment":"ir-8"}],"parts":[{"id":"KSI-INR-02_smt","name":"statement","parts":[{"id":"KSI-INR-02_smt_01","name":"item","prose":"Maintain a log of incidents and periodically review past incidents for patterns or 
vulnerabilities."}]}],"props":[{"name":"label","value":"KSI-INR-02"},{"name":"sort-id","value":"037"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Incident Logging"},{"id":"KSI-INR-03","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Response Testing","resource-fragment":"ir-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Handling","resource-fragment":"ir-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Incident Handling Processes","resource-fragment":"ir-4.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Response Plan","resource-fragment":"ir-8"}],"parts":[{"id":"KSI-INR-03_smt","name":"statement","parts":[{"id":"KSI-INR-03_smt_01","name":"item","prose":"Generate after action reports and *regularly* incorporate lessons learned into operations."}]}],"props":[{"name":"label","value":"KSI-INR-03"},{"name":"sort-id","value":"038"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Incident After Action Reports"}]},{"id":"KSI-MLA","parts":[{"name":"overview","prose":"# THEME\n\nA secure *cloud service offering* will monitor, log, and audit all important events, activity, and changes."}],"props":[{"name":"sort-id","value":"034"}],"title":"Monitoring, Logging, and Auditing","controls":[{"id":"KSI-MLA-01","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Monitoring and Control","resource-fragment":"ac-17.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Limits on Authorized Use","resource-fragment":"ac-20.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Event Logging","resource-fragment":"au-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Content of Audit 
Records","resource-fragment":"au-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Additional Audit Information","resource-fragment":"au-3.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Audit Log Storage Capacity","resource-fragment":"au-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Response to Audit Logging Process Failures","resource-fragment":"au-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Process Integration","resource-fragment":"au-6.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Correlate Audit Record Repositories","resource-fragment":"au-6.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Audit Record Reduction and Report Generation","resource-fragment":"au-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automatic Processing","resource-fragment":"au-7.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Time Stamps","resource-fragment":"au-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Protection of Audit Information","resource-fragment":"au-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Audit Record Retention","resource-fragment":"au-11"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Incident Handling Processes","resource-fragment":"ir-4.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Tools and Mechanisms for Real-time Analysis","resource-fragment":"si-4.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Inbound and Outbound Communications Traffic","resource-fragment":"si-4.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Integration of Detection and Response","resource-fragment":"si-7.7"}],"parts":[{"id":"KSI-MLA-01_smt","name":"statement","parts":[{"id":"KSI-MLA-01_smt_01","name":"item","prose":"Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistant logging of events, activities, and 
changes."}]}],"props":[{"name":"label","value":"KSI-MLA-01"},{"name":"sort-id","value":"039"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Security Information and Event Management (SIEM)"},{"id":"KSI-MLA-02","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Audit Actions","resource-fragment":"ac-2.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Log Use of Privileged Functions","resource-fragment":"ac-6.9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Event Logging","resource-fragment":"au-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Audit Record Review, Analysis, and Reporting","resource-fragment":"au-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Process Integration","resource-fragment":"au-6.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Monitoring","resource-fragment":"si-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Inbound and Outbound Communications Traffic","resource-fragment":"si-4.4"}],"parts":[{"id":"KSI-MLA-02_smt","name":"statement","parts":[{"id":"KSI-MLA-02_smt_01","name":"item","prose":"*Regularly* review and audit logs."}]}],"props":[{"name":"label","value":"KSI-MLA-02"},{"name":"sort-id","value":"040"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Audit Logging"},{"id":"KSI-MLA-05","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Continuous Monitoring","resource-fragment":"ca-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Baseline Configuration","resource-fragment":"cm-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configuration Settings","resource-fragment":"cm-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Integration of Detection and 
Response","resource-fragment":"si-7.7"}],"parts":[{"id":"KSI-MLA-05_smt","name":"statement","parts":[{"id":"KSI-MLA-05_smt_01","name":"item","prose":"Perform Infrastructure as Code and configuration evaluation and testing."}]}],"props":[{"name":"label","value":"KSI-MLA-05"},{"name":"sort-id","value":"043"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Infrastructure as Code"},{"id":"KSI-MLA-07","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Audit Actions","resource-fragment":"ac-2.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Log Use of Privileged Functions","resource-fragment":"ac-6.9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Monitoring and Control","resource-fragment":"ac-17.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Limits on Authorized Use","resource-fragment":"ac-20.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Event Logging","resource-fragment":"au-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automatic Processing","resource-fragment":"au-7.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Audit Record Generation","resource-fragment":"au-12"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Inbound and Outbound Communications Traffic","resource-fragment":"si-4.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System-generated Alerts","resource-fragment":"si-4.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Integration of Detection and Response","resource-fragment":"si-7.7"}],"parts":[{"id":"KSI-MLA-07_smt","name":"statement","parts":[{"id":"KSI-MLA-07_smt_01","name":"item","prose":"Maintain a list of information resources and event types that will be monitored, logged, and audited, then do 
so."}]}],"props":[{"name":"label","value":"KSI-MLA-07"},{"name":"sort-id","value":"045"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Event Types"},{"id":"KSI-MLA-08","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Error Handling","resource-fragment":"si-11"}],"parts":[{"id":"KSI-MLA-08_smt","name":"statement","parts":[{"id":"KSI-MLA-08_smt_01","name":"item","prose":"Use a least-privileged, role and attribute-based, and just-in-time access authorization model for access to log data based on organizationally defined data sensitivity."}]}],"props":[{"name":"label","value":"KSI-MLA-08"},{"name":"sort-id","value":"046"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Log Data Access"}]},{"id":"KSI-PIY","parts":[{"name":"overview","prose":"# THEME\n\nA secure *cloud service offering* will have intentional, organized, universal guidance for how every *information resource*, including personnel, is secured."}],"props":[{"name":"sort-id","value":"035"}],"title":"Policy and Inventory","controls":[{"id":"KSI-PIY-01","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automation Support for Accuracy and Currency","resource-fragment":"cm-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Authorized Software — Allow-by-exception","resource-fragment":"cm-7.5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Component Inventory","resource-fragment":"cm-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Updates During Installation and Removal","resource-fragment":"cm-8.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Location","resource-fragment":"cm-12"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Tools to Support Information 
Location","resource-fragment":"cm-12.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identify Critical Assets","resource-fragment":"cp-2.8"}],"parts":[{"id":"KSI-PIY-01_smt","name":"statement","parts":[{"id":"KSI-PIY-01_smt_01","name":"item","prose":"Use authoritative sources to automatically maintain real-time inventories of all information resources."}]}],"props":[{"name":"label","value":"KSI-PIY-01"},{"name":"sort-id","value":"047"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Automated Inventory"},{"id":"KSI-PIY-02","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"ac-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Sharing","resource-fragment":"ac-21"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"at-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"au-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"ca-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"cm-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"cp-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Coordinate with Related Plans","resource-fragment":"cp-2.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Identify Critical Assets","resource-fragment":"cp-2.8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Coordinate with Related Plans","resource-fragment":"cp-4.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"ia-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and 
Procedures","resource-fragment":"ir-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"ma-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"mp-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"pe-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"pl-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Security and Privacy Plans","resource-fragment":"pl-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Rules of Behavior","resource-fragment":"pl-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Social Media and External Site/Application Usage Restrictions","resource-fragment":"pl-4.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"ps-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"ra-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Criticality Analysis","resource-fragment":"ra-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"sa-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"sc-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"si-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"sr-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Supply Chain Risk Management Plan","resource-fragment":"sr-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Supply Chain Controls and Processes","resource-fragment":"sr-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Component 
Authenticity","resource-fragment":"sr-11"}],"parts":[{"id":"KSI-PIY-02_smt","name":"statement","parts":[{"id":"KSI-PIY-02_smt_01","name":"item","prose":"Document the security objectives and requirements for each information resource or set of information resources."}]}],"props":[{"name":"label","value":"KSI-PIY-02"},{"name":"sort-id","value":"048"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Security Objectives and Requirements"},{"id":"KSI-PIY-03","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Public Disclosure Program","resource-fragment":"ra-5.11"}],"parts":[{"id":"KSI-PIY-03_smt","name":"statement","parts":[{"id":"KSI-PIY-03_smt_01","name":"item","prose":"Maintain a vulnerability disclosure program."}]}],"props":[{"name":"label","value":"KSI-PIY-03"},{"name":"sort-id","value":"049"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Vulnerability Disclosure Program"},{"id":"KSI-PIY-04","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Separation of Duties","resource-fragment":"ac-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Limit Personally Identifiable Information Elements","resource-fragment":"au-3.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Security and Privacy Representatives","resource-fragment":"cm-3.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Security and Privacy Architectures","resource-fragment":"pl-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Enterprise Architecture","resource-fragment":"pm-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Development Life Cycle","resource-fragment":"sa-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Security and Privacy Engineering 
Principles","resource-fragment":"sa-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information in Shared System Resources","resource-fragment":"sc-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Mobile Code","resource-fragment":"sc-18"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Input Validation","resource-fragment":"si-10"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Error Handling","resource-fragment":"si-11"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Memory Protection","resource-fragment":"si-16"}],"parts":[{"id":"KSI-PIY-04_smt","name":"statement","parts":[{"id":"KSI-PIY-04_smt_01","name":"item","prose":"Monitor the effectiveness of building security and privacy considerations into the Software Development Lifecycle and aligning with CISA Secure By Design principles."}]}],"props":[{"name":"label","value":"KSI-PIY-04"},{"name":"sort-id","value":"050"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"CISA Secure By Design"},{"id":"KSI-PIY-05","parts":[{"id":"KSI-PIY-05_smt","name":"statement","parts":[{"id":"KSI-PIY-05_smt_01","name":"item","prose":"Document methods used to evaluate *information resource* implementations."}]}],"props":[{"name":"label","value":"KSI-PIY-05"},{"name":"sort-id","value":"051"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Evaluate Implementations"},{"id":"KSI-PIY-06","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Separation of Duties","resource-fragment":"ac-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Control Assessments","resource-fragment":"ca-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Coordinate with Related 
Plans","resource-fragment":"cp-2.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Coordinate with Related Plans","resource-fragment":"cp-4.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Coordination with Related Plans","resource-fragment":"ir-3.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Security and Privacy Resources","resource-fragment":"pm-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Allocation of Resources","resource-fragment":"sa-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Development Life Cycle","resource-fragment":"sa-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Establish SCRM Team","resource-fragment":"sr-2.1"}],"parts":[{"id":"KSI-PIY-06_smt","name":"statement","parts":[{"id":"KSI-PIY-06_smt_01","name":"item","prose":"Monitor the effectiveness of the organization's investments in achieving security objectives."}]}],"props":[{"name":"label","value":"KSI-PIY-06"},{"name":"sort-id","value":"052"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Security Investment Effectiveness"},{"id":"KSI-PIY-07","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Risk Monitoring","resource-fragment":"ca-7.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Mobile Code","resource-fragment":"sc-18"}],"parts":[{"id":"KSI-PIY-07_smt","name":"statement","parts":[{"id":"KSI-PIY-07_smt_01","name":"item","prose":"Document risk management decisions for software supply chain security."}]}],"props":[{"name":"label","value":"KSI-PIY-07"},{"name":"sort-id","value":"053"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Supply Chain Risk 
Management"},{"id":"KSI-PIY-08","parts":[{"id":"KSI-PIY-08_smt","name":"statement","parts":[{"id":"KSI-PIY-08_smt_01","name":"item","prose":"Regularly measure executive support for achieving the organization’s security objectives."}]}],"props":[{"name":"label","value":"KSI-PIY-08"},{"name":"sort-id","value":"054"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Executive Support"}]},{"id":"KSI-RPL","parts":[{"name":"overview","prose":"# THEME\n\nA secure *cloud service offering* will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss during incidents and contingencies."}],"props":[{"name":"sort-id","value":"036"}],"title":"Recovery Planning","controls":[{"id":"KSI-RPL-01","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Resume Mission and Business Functions","resource-fragment":"cp-2.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Recovery and Reconstitution","resource-fragment":"cp-10"}],"parts":[{"id":"KSI-RPL-01_smt","name":"statement","parts":[{"id":"KSI-RPL-01_smt_01","name":"item","prose":"Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)."}]}],"props":[{"name":"label","value":"KSI-RPL-01"},{"name":"sort-id","value":"055"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Recovery Objectives"},{"id":"KSI-RPL-02","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Contingency Plan","resource-fragment":"cp-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Coordinate with Related Plans","resource-fragment":"cp-2.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Resume Mission and Business 
Functions","resource-fragment":"cp-2.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Coordinate with Related Plans","resource-fragment":"cp-4.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Alternate Storage Site","resource-fragment":"cp-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Separation from Primary Site","resource-fragment":"cp-6.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Accessibility","resource-fragment":"cp-6.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Alternate Processing Site","resource-fragment":"cp-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Separation from Primary Site","resource-fragment":"cp-7.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Accessibility","resource-fragment":"cp-7.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Priority of Service","resource-fragment":"cp-7.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Telecommunications Services","resource-fragment":"cp-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Priority of Service Provisions","resource-fragment":"cp-8.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Single Points of Failure","resource-fragment":"cp-8.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Recovery and Reconstitution","resource-fragment":"cp-10"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Transaction Recovery","resource-fragment":"cp-10.2"}],"parts":[{"id":"KSI-RPL-02_smt","name":"statement","parts":[{"id":"KSI-RPL-02_smt_01","name":"item","prose":"Develop and maintain a recovery plan that aligns with the defined recovery objectives."}]}],"props":[{"name":"label","value":"KSI-RPL-02"},{"name":"sort-id","value":"056"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Recovery 
Plan"},{"id":"KSI-RPL-03","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Retention of Previous Configurations","resource-fragment":"cm-2.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Alternate Storage Site","resource-fragment":"cp-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Backup","resource-fragment":"cp-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Recovery and Reconstitution","resource-fragment":"cp-10"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Transaction Recovery","resource-fragment":"cp-10.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Management and Retention","resource-fragment":"si-12"}],"parts":[{"id":"KSI-RPL-03_smt","name":"statement","parts":[{"id":"KSI-RPL-03_smt_01","name":"item","prose":"Perform system backups aligned with recovery objectives."}]}],"props":[{"name":"label","value":"KSI-RPL-03"},{"name":"sort-id","value":"057"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"System Backups"},{"id":"KSI-RPL-04","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Coordinate with Related Plans","resource-fragment":"cp-2.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Resume Mission and Business Functions","resource-fragment":"cp-2.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Contingency Plan Testing","resource-fragment":"cp-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Coordinate with Related Plans","resource-fragment":"cp-4.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Alternate Storage Site","resource-fragment":"cp-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Separation from Primary Site","resource-fragment":"cp-6.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Testing for Reliability and 
Integrity","resource-fragment":"cp-9.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Recovery and Reconstitution","resource-fragment":"cp-10"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Incident Response Testing","resource-fragment":"ir-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Coordination with Related Plans","resource-fragment":"ir-3.2"}],"parts":[{"id":"KSI-RPL-04_smt","name":"statement","parts":[{"id":"KSI-RPL-04_smt_01","name":"item","prose":"*Regularly* test the capability to recover from incidents and contingencies."}]}],"props":[{"name":"label","value":"KSI-RPL-04"},{"name":"sort-id","value":"058"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Recovery Testing"}]},{"id":"KSI-SVC","parts":[{"name":"overview","prose":"# THEME\n\nA secure *cloud service offering* will follow FedRAMP encryption policies, continuously verify *information resource* integrity, and restrict access to *third-party information resources*."}],"props":[{"name":"sort-id","value":"037"}],"title":"Service Configuration","controls":[{"id":"KSI-SVC-01","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Periodic Review","resource-fragment":"cm-7.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Tools to Support Information Location","resource-fragment":"cm-12.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Controlled Maintenance","resource-fragment":"ma-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Security and Privacy Architectures","resource-fragment":"pl-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Boundary Protection","resource-fragment":"sc-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Process Isolation","resource-fragment":"sc-39"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Flaw Remediation 
Status","resource-fragment":"si-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Monitoring","resource-fragment":"si-4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Inspection of Systems or Components","resource-fragment":"sr-10"}],"parts":[{"id":"KSI-SVC-01_smt","name":"statement","parts":[{"id":"KSI-SVC-01_smt_01","name":"item","prose":"Implement improvements based on persistent evaluation of information resources for opportunities to improve security."}]}],"props":[{"name":"label","value":"KSI-SVC-01"},{"name":"sort-id","value":"059"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Continuous Improvement"},{"id":"KSI-SVC-02","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Policy and Procedures","resource-fragment":"ac-1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Protection of Confidentiality and Integrity Using Encryption","resource-fragment":"ac-17.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Cryptographic Protection","resource-fragment":"cp-9.8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Transmission Confidentiality and Integrity","resource-fragment":"sc-8"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Cryptographic Protection","resource-fragment":"sc-8.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Cryptographic Protection","resource-fragment":"sc-13"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Secure Name/Address Resolution Service (Authoritative Source)","resource-fragment":"sc-20"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Secure Name/Address Resolution Service (Recursive or Caching Resolver)","resource-fragment":"sc-21"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Architecture and Provisioning for Name/Address Resolution 
Service","resource-fragment":"sc-22"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Session Authenticity","resource-fragment":"sc-23"}],"parts":[{"id":"KSI-SVC-02_smt","name":"statement","parts":[{"id":"KSI-SVC-02_smt_01","name":"item","prose":"Encrypt or otherwise secure network traffic."}]}],"props":[{"name":"label","value":"KSI-SVC-02"},{"name":"sort-id","value":"060"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Network Encryption"},{"id":"KSI-SVC-04","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Audit Actions","resource-fragment":"ac-2.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Baseline Configuration","resource-fragment":"cm-2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automation Support for Accuracy and Currency","resource-fragment":"cm-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Retention of Previous Configurations","resource-fragment":"cm-2.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Configuration Settings","resource-fragment":"cm-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Periodic Review","resource-fragment":"cm-7.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Central Management","resource-fragment":"pl-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Baseline Selection","resource-fragment":"pl-10"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"System Documentation","resource-fragment":"sa-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Security Alerts, Advisories, and Directives","resource-fragment":"si-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Inspection of Systems or Components","resource-fragment":"sr-10"}],"parts":[{"id":"KSI-SVC-04_smt","name":"statement","parts":[{"id":"KSI-SVC-04_smt_01","name":"item","prose":"Manage configuration of 
machine-based information resources using automation."}]}],"props":[{"name":"label","value":"KSI-SVC-04"},{"name":"sort-id","value":"062"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Configuration Automation"},{"id":"KSI-SVC-05","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automation Support for Accuracy and Currency","resource-fragment":"cm-2.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Automated Unauthorized Component Detection","resource-fragment":"cm-8.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Cryptographic Protection","resource-fragment":"sc-13"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Session Authenticity","resource-fragment":"sc-23"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Software, Firmware, and Information Integrity","resource-fragment":"si-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Integrity Checks","resource-fragment":"si-7.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Inspection of Systems or Components","resource-fragment":"sr-10"}],"parts":[{"id":"KSI-SVC-05_smt","name":"statement","parts":[{"id":"KSI-SVC-05_smt_01","name":"item","prose":"Use cryptographic methods to validate the integrity of machine-based information resources."}]}],"props":[{"name":"label","value":"KSI-SVC-05"},{"name":"sort-id","value":"063"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Resource Integrity"},{"id":"KSI-SVC-06","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Protection of Confidentiality and Integrity Using Encryption","resource-fragment":"ac-17.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Public Key-based 
Authentication","resource-fragment":"ia-5.2"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Protection of Authenticators","resource-fragment":"ia-5.6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Cryptographic Key Establishment and Management","resource-fragment":"sc-12"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Public Key Infrastructure Certificates","resource-fragment":"sc-17"}],"parts":[{"id":"KSI-SVC-06_smt","name":"statement","parts":[{"id":"KSI-SVC-06_smt_01","name":"item","prose":"Automate management, protection, and regular rotation of digital keys, certificates, and other secrets."}]}],"props":[{"name":"label","value":"KSI-SVC-06"},{"name":"sort-id","value":"064"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Secret Management"},{"id":"KSI-SVC-07","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Risk Monitoring","resource-fragment":"ca-7.4"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Vulnerability Monitoring and Scanning","resource-fragment":"ra-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Risk Response","resource-fragment":"ra-7"}],"parts":[{"id":"KSI-SVC-07_smt","name":"statement","parts":[{"id":"KSI-SVC-07_smt_01","name":"item","prose":"Use a consistent, risk-informed approach for applying security patches."}]}],"props":[{"name":"label","value":"KSI-SVC-07"},{"name":"sort-id","value":"065"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Patching"},{"id":"KSI-SVC-08","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information in Shared System Resources","resource-fragment":"sc-4"}],"parts":[{"id":"KSI-SVC-08_smt","name":"statement","parts":[{"id":"KSI-SVC-08_smt_01","name":"item","prose":"Do not introduce or leave behind 
residual elements that could negatively affect confidentiality, integrity, or availability of *federal customer data* during operations."}]}],"props":[{"name":"label","value":"KSI-SVC-08"},{"name":"sort-id","value":"066"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Shared Resources"},{"id":"KSI-SVC-09","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Session Authenticity","resource-fragment":"sc-23"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Integrity Checks","resource-fragment":"si-7.1"}],"parts":[{"id":"KSI-SVC-09_smt","name":"statement","parts":[{"id":"KSI-SVC-09_smt_01","name":"item","prose":"Persistently validate the authenticity and integrity of communications between *machine-based* *information resources* using automation."}]}],"props":[{"name":"label","value":"KSI-SVC-09"},{"name":"sort-id","value":"067"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Communication Integrity"},{"id":"KSI-SVC-10","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Disposal","resource-fragment":"si-12.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Individual Requests","resource-fragment":"si-18.4"}],"parts":[{"id":"KSI-SVC-10_smt","name":"statement","parts":[{"id":"KSI-SVC-10_smt_01","name":"item","prose":"Remove unwanted federal customer data promptly when requested by an agency in alignment with customer agreements, including from backups if appropriate; this typically applies when a customer spills information or when a customer seeks to remove information from a service due to a change in usage."}]}],"props":[{"name":"label","value":"KSI-SVC-10"},{"name":"sort-id","value":"068"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Data Destruction"}]},{"id":"KSI-TPR","parts":[{"name":"overview","prose":"# THEME\n\nA secure *cloud service offering* will understand, monitor, and 
manage supply chain risks from *third-party information resources*."}],"props":[{"name":"sort-id","value":"038"}],"title":"Third-Party Information Resources","controls":[{"id":"KSI-TPR-03","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Use of External Systems","resource-fragment":"ac-20"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Supply Chain Risk Assessment","resource-fragment":"ra-3.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"External System Services","resource-fragment":"sa-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Developer Configuration Management","resource-fragment":"sa-10"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Developer Testing and Evaluation","resource-fragment":"sa-11"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Criticality Analysis","resource-fragment":"sa-15.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Unsupported System Components","resource-fragment":"sa-22"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Integrity Checks","resource-fragment":"si-7.1"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Acquisition Strategies, Tools, and Methods","resource-fragment":"sr-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Supplier Assessments and Reviews","resource-fragment":"sr-6"}],"parts":[{"id":"KSI-TPR-03_smt","name":"statement","parts":[{"id":"KSI-TPR-03_smt_01","name":"item","prose":"Identify and prioritize mitigation of potential supply chain risks."}]}],"props":[{"name":"label","value":"KSI-TPR-03"},{"name":"sort-id","value":"071"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Supply Chain Risk Management"},{"id":"KSI-TPR-04","links":[{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Use of External 
Systems","resource-fragment":"ac-20"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Information Exchange","resource-fragment":"ca-3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Supply Chain Coordination","resource-fragment":"ir-6.3"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"External Personnel Security","resource-fragment":"ps-7"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Vulnerability Monitoring and Scanning","resource-fragment":"ra-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"External System Services","resource-fragment":"sa-9"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Security Alerts, Advisories, and Directives","resource-fragment":"si-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Acquisition Strategies, Tools, and Methods","resource-fragment":"sr-5"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Supplier Assessments and Reviews","resource-fragment":"sr-6"},{"href":"#223bda8e-bbcd-45fb-b2a1-1f13e96e1197","text":"Notification Agreements","resource-fragment":"sr-8"}],"parts":[{"id":"KSI-TPR-04_smt","name":"statement","parts":[{"id":"KSI-TPR-04_smt_01","name":"item","prose":"Automatically monitor third party software *information resources* for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services."}]}],"props":[{"name":"label","value":"KSI-TPR-04"},{"name":"sort-id","value":"072"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"}],"title":"Supply Chain Risk Monitoring"}]}]}],"back-matter":{"resources":[{"uuid":"223bda8e-bbcd-45fb-b2a1-1f13e96e1197","title":"NIST SP 800-53 Rev 5 Catalog","rlinks":[{"href":"https://raw.githubusercontent.com/usnistgov/oscal-content/refs/tags/v1.4.0/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml","media-type":"application/xml"}]}]}}}