Control Tailoring Workbook (CTW)

cagamosisthingy, Networks and Communications, 27 Oct 2013
Control Tailoring Workbook (CTW)

<Information System Name>, <Date>

Control Tailoring Workbook (CTW)

<Vendor>

<Information System Name>

Version 1.0

July 11, 2012

Company Sensitive and Proprietary

For Authorized Use Only

<Information System Name> Control Tailoring Workbook (CTW)
<Version Number> / <Date>
Page 2 of 72

Table of Contents

ABOUT THIS DOCUMENT ...................................... 4
  Who should use this document? .......................... 4
  Conventions used in this document ...................... 4
  How to contact us ...................................... 5
1. INTRODUCTION .......................................... 6
  1.1 Purpose ............................................ 6
  1.2 Scope .............................................. 6
  1.3 System Description ................................. 6
2. WORKBOOK FORMAT AND INSTRUCTIONS ...................... 7
APPENDIX A. ACRONYMS ..................................... 71
APPENDIX B. REFERENCES ................................... 72

List of Tables

Table 1: FedRAMP Control Tailoring Workbook .............. 8

Document Revision History

| Date | Description | Version | Author |
|---|---|---|---|
| 05/02/2012 | Document Publication | 1.0 | FedRAMP Office |
| 07/11/2012 | Formatting Updates, RA-5 modified | 1.0 | FedRAMP Office |
ABOUT THIS DOCUMENT

This document is originally released in template format. Once populated with content, this document will include detailed information about service provider information security controls.

Who should use this document?

This document is intended to be used by service providers who are applying for an Authorization to Operate (ATO) through the U.S. federal government FedRAMP program.

This template provides a sample format for preparing a Report for the Cloud Service Provider (CSP) information system. The template follows guidance as set forth in NIST Special Publication 800-53 Revision 3, and is intended to be used as a guide. Modify the format as necessary to comply with your internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements.

Conventions used in this document

This document uses the following typographical conventions:

Italic: Italics are used for email addresses, security control assignment parameters, and formal document names.

Italic blue in a box: Italic blue text in a blue box indicates instructions to the individual filling out the template.

Bold: Bold text indicates a parameter or an additional requirement.

Constant width: Constant width text is used for text that is representative of characters that would show up on a computer screen.

<Brackets>: Bold blue text in brackets indicates a user-defined variable that should be replaced with a specific name. Once replaced, the brackets should be removed.

Notes: Notes are found between parallel lines and include additional information that may be helpful to the users of this template.

Note: This is a note.

Instruction: This is an instruction to the individual filling out the template.


Sans Serif: Sans Serif text is used for tables, table captions, figure captions, and the table of contents.

Sans Serif Gray: Sans Serif gray text is used for examples.

Tips include information designed to help simplify the process.

Tip: This is a tip.

How to contact us

If you have questions about something in this document, or how to fill it out, please write to:

info@fedramp.gov

For more information about the FedRAMP project, please see the website at:

http://www.fedramp.gov


1. INTRODUCTION

The Federal Risk and Authorization Management Program (FedRAMP) Control Tailoring Workbook (CTW) describes the FedRAMP security controls that cloud service providers are responsible for implementing and assessing in their cloud environment.

The FedRAMP security controls are based on NIST Special Publication (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (as amended). FedRAMP security controls specify control parameter definitions and additional requirements or guidance beyond NIST SP 800-53 R3 for a FedRAMP authorization package.

In the case of FedRAMP, two sets of security controls have been defined: one set for Low impact and another set for Moderate impact cloud information systems. The impact levels are based on the sensitivity and criticality of the federal information being processed, stored, and transmitted by cloud information systems, as defined in Federal Information Processing Standard 199 (FIPS-199).

The FedRAMP CTW consists of 297 security controls: 251 controls come from the NIST SP 800-53 R3 baseline for a Moderate impact system, and 46 additional controls are enhancements specific to the cloud environment.

1.1 Purpose

The purpose of this CTW template is twofold: 1) to provide CSPs with a listing of the FedRAMP security controls applicable to a cloud environment for a Low and Moderate impact system, and 2) to find out what the exception scenarios are for the candidate service offering, so that the platform can be pre-qualified before resources are used to develop all of the other requisite FedRAMP documentation.

The CTW provides CSPs with a description of the management, operational and technical controls and any compensating controls, using FedRAMP-defined organization parameters. The Joint Authorization Board (JAB) will perform a preliminary assessment of the security control exception scenarios against JAB-established risk acceptability criteria and make a determination as to whether the candidate system should be accepted into the FedRAMP program.

1.2 Scope

The CTW consists of the NIST SP 800-53 R3 management, operational, and technical controls, along with the enhancements specific to the cloud environment, which together form the FedRAMP security controls.

1.3 System Description

The <Information System Name or Acronym> system has been determined to have a security categorization of <Moderate/Low>.


2. WORKBOOK FORMAT AND INSTRUCTIONS

The table below provides the FedRAMP security control baseline for the CTW. The table is organized by the 17 control families identified in NIST SP 800-53, R3, and presents the following information for all FedRAMP baseline security controls as part of the CTW:

- Control Number and Name: The control number and control name relate to the control as defined in NIST SP 800-53, R3.

- Control Baseline: The control is listed in either the Low or Moderate impact column where applicable to that baseline. If the control is not applicable, "Not Selected" will appear in that column. If a control enhancement is applicable, the enhancement is designated inside parentheses. Additional security controls and control enhancements that are not included in the low and moderate control baselines defined in NIST SP 800-53 R3 (Appendix D), and are the FedRAMP cloud computing enhancements, are denoted in bold font.

- Control Parameter Requirements: Certain controls are defined with implementation parameters. These parameters identify the scope, frequency and other considerations for how cloud service providers address specific controls and enhancements. This column gives the required parameter values for the variable parts of security controls and control enhancements (designated by assignment and selection statements).

- Additional Requirements & Guidance: These entries represent additional security requirements for cloud computing applications and environments of operation.

Tip: Use NIST SP 800-53 R3 to better understand security controls.

Instruction: Insert a brief high-level description of the system and include the purpose and system environment. This section should be consistent with the latest description from the System Security Plan (SSP).

Instruction: The right-hand-most column of the CTW, labeled "Service Provider Exceptions", needs to be filled out by the CSP. In this column CSPs should describe any setting in the system that is different from either the stated Control Parameter Requirements or the stated Additional Requirements and Guidance. If a parameter or requirement simply does not exist in the candidate service offering, that should be noted. If the candidate service offering uses an alternative or compensating control, that should be noted with a brief explanation of how the alternative control works.

If the CSP system meets all requirements and parameters, enter "Meets" in the last column.

If a control does not exist but is planned for future implementation, that information should be noted along with a brief explanation of how the control will be implemented in the future. For planned controls, an anticipated implementation date should also be noted.

Table 1. FedRAMP Control Tailoring Workbook

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| Access Control (AC) | | | | | |
| AC-1 Access Control Policy and Procedures | AC-1 | AC-1 | AC-1 [Assignment: organization-defined frequency] Parameter: [at least annually] | None | |
| AC-2 Account Management | AC-2 | AC-2 | AC-2j [Assignment: organization-defined frequency] Parameter: [at least annually] | None | |
| | | AC-2 (1) | None | None | |
| | | AC-2 (2) | AC-2 (2) [Assignment: organization-defined time period for each type of account (temporary and emergency)] Parameter: [no more than ninety days for temporary and emergency account types] | None | |
| | | AC-2 (3) | AC-2 (3) [Assignment: organization-defined time period] Parameter: [ninety days for user accounts] | AC-2 (3) Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB. | |
| | | AC-2 (4) | None | None | |
| | | AC-2 (7) | None | None | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| AC-3 Access Enforcement | AC-3 | AC-3 | None | None | |
| | | AC-3 (3) | AC-3 (3) [Assignment: organization-defined nondiscretionary access control policies] Parameter: [role-based access control] [Assignment: organization-defined set of users and resources] Parameter: [all users and resources] | AC-3 (3) Requirement: The service provider: a. Assigns user accounts and authenticators in accordance with the service provider's role-based access control policies; b. Configures the information system to request user ID and authenticator prior to system access; and c. Configures the databases containing federal information in accordance with the service provider's security administration guide to provide role-based access controls enforcing assigned privileges and permissions at the file, table, row, column, or cell level, as appropriate. | |
| AC-4 Information Flow Enforcement | Not Selected | AC-4 | None | None | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| AC-5 Separation of Duties | Not Selected | AC-5 | None | None | |
| AC-6 Least Privilege | Not Selected | AC-6 | None | None | |
| | | AC-6 (1) | AC-6 (1) [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information] Parameter: See additional requirements and guidance. | AC-6 (1) Requirement: The service provider defines the list of security functions. The list of functions is approved and accepted by the JAB. | |
| | | AC-6 (2) | AC-6 (2) [Assignment: organization-defined list of security functions or security-relevant information] Parameter: [all security functions] | AC-6 (2) Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions. | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| AC-7 Unsuccessful Login Attempts | AC-7 | AC-7 | AC-7a. [Assignment: organization-defined number] Parameter: [not more than three] AC-7a. [Assignment: organization-defined time period] Parameter: [fifteen minutes] AC-7b. [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] Parameter: [locks the account/node for thirty minutes] | None | |
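The AC-7 parameters in the row above define a concrete lockout rule: no more than three unsuccessful logon attempts within fifteen minutes, after which the account/node is locked for thirty minutes. The following is an added example, not part of the FedRAMP template, of an enforcement routine built from exactly those values; it assumes the timed-lock option selected in AC-7b (not administrator release), counts only consecutive failures as AC-7a does, and uses a constructed account name and timeline.

```python
"""Account lockout built from the FedRAMP AC-7 parameters (added example, not
part of the FedRAMP template). Values are taken from the AC-7 row of Table 1."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                    # AC-7a: [not more than three]
ATTEMPT_WINDOW = timedelta(minutes=15)     # AC-7a: [fifteen minutes]
LOCKOUT_DURATION = timedelta(minutes=30)   # AC-7b: [locks the account/node for thirty minutes]


class LockoutPolicy:
    """Per-account lockout state.

    After MAX_FAILED_ATTEMPTS consecutive failures inside ATTEMPT_WINDOW the
    account is locked for LOCKOUT_DURATION and then unlocks on its own (the
    timed-lock option of AC-7b; administrator release is not modelled here).
    """

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 window=ATTEMPT_WINDOW, lockout=LOCKOUT_DURATION):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> datetime the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        # The thirty-minute lock has expired: lift it and forget old failures.
        del self._locked_until[account]
        self._failures[account].clear()
        return False

    def attempt(self, account, credentials_valid, now):
        """Evaluate one logon attempt at time `now` and return its outcome:
        'locked'  - rejected, a lock is in force (even with valid credentials)
        'success' - accepted; the consecutive-failure count starts over
        'failure' - invalid credentials, limit not yet reached
        'lockout' - this failure reached the limit and locked the account
        """
        if self.is_locked(account, now):
            return "locked"
        if credentials_valid:
            self._failures[account].clear()
            return "success"
        failures = self._failures[account]
        failures.append(now)
        # Only failures inside the fifteen-minute window count towards the limit.
        while failures and now - failures[0] > self.window:
            failures.popleft()
        if len(failures) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            failures.clear()
            return "lockout"
        return "failure"


def simulate():
    """Constructed timeline (minutes after t0, credentials valid?) for one
    account; returns the outcome of each attempt in order."""
    policy = LockoutPolicy()
    t0 = datetime(2012, 7, 11, 9, 0, 0)   # constructed start time
    timeline = [
        (0, False),    # failure 1
        (1, False),    # failure 2
        (17, False),   # failures 1 and 2 are now older than 15 min: count restarts at 1
        (18, False),   # 2 within the window
        (19, False),   # 3 within the window -> locked until t0 + 49 min
        (20, True),    # valid password, but the lock is in force
        (48, True),    # 29 min into the lock: still locked
        (49, True),    # lock expired: logon succeeds
        (50, False),   # a single failure after a success is just a failure
    ]
    return [policy.attempt("alice", ok, t0 + timedelta(minutes=m))
            for m, ok in timeline]


if __name__ == "__main__":
    for outcome in simulate():
        print(outcome)
```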



| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| AC-8 System Use Notification | AC-8 | AC-8 | None | AC-8 Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB. Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB. Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results is approved and accepted by the JAB. | |
| AC-10 Concurrent Session Control | Not Selected | AC-10 | AC-10 [Assignment: organization-defined number] Parameter: [one session] | None | |
| AC-11 Session Lock | Not Selected | AC-11 | AC-11a [Assignment: organization-defined time period] Parameter: [fifteen minutes] | None | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| | | AC-11 (1) | | AC-11 (1) Guidance: For IaaS and PaaS. | |
| AC-14 Permitted Actions Without Identification/Authentication | AC-14 | AC-14 | None | None | |
| | | AC-14 (1) | None | None | |
| AC-16 Security Attributes | Not Selected | AC-16 | AC-16 [Assignment: organization-defined security attributes] Parameter: See additional requirements and guidance. | AC-16 Requirement: If the service provider offers the capability of defining security attributes, then the security attributes need to be approved and accepted by JAB. | |
| AC-17 Remote Access | AC-17 | AC-17 | None | None | |
| | | AC-17 (1) | None | None | |
| | | AC-17 (2) | None | None | |
| | | AC-17 (3) | None | None | |
| | | AC-17 (4) | None | None | |
| | | AC-17 (5) | AC-17 (5) [Assignment: organization-defined frequency] Parameter: [continuously, real time] | None | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| | | AC-17 (7) | AC-17 (7) [Assignment: organization-defined list of security functions and security-relevant information] Parameter: See additional requirements and guidance. | AC-17 (7) Requirement: The service provider defines the list of security functions and security-relevant information. Security functions and the implementation of such functions are approved and accepted by the JAB. Guidance: Security functions include but are not limited to: establishing system accounts; configuring access authorizations; performing system administration functions; and auditing system events or accessing event logs; SSH, and VPN. | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| | | AC-17 (8) | AC-17 (8) [Assignment: organization-defined networking protocols within the information system deemed to be non-secure] Parameter: [tftp (trivial ftp); X-Windows, Sun Open Windows; FTP; TELNET; IPX/SPX; NETBIOS; Bluetooth; RPC-services, like NIS or NFS; rlogin, rsh, rexec; SMTP (Simple Mail Transfer Protocol); RIP (Routing Information Protocol); DNS (Domain Name Services); UUCP (Unix-Unix Copy Protocol); NNTP (Network News Transfer Protocol); NTP (Network Time Protocol); Peer-to-Peer] | AC-17 (8) Requirement: Networking protocols implemented by the service provider are approved and accepted by JAB. Guidance: Exceptions to restricted networking protocols are granted for explicitly identified information system components in support of specific operational requirements. | |
| AC-18 Wireless Access | AC-18 | AC-18 | None | None | |
| | | AC-18 (1) | None | None | |
| | | AC-18 (2) | AC-18 (2) [Assignment: organization-defined frequency] Parameter: [at least quarterly] | None | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| AC-19 Access Control for Mobile Devices | AC-19 | AC-19 | AC-19g [Assignment: organization-defined inspection and preventative measures] Parameter: See additional requirements and guidance. | AC-19g Requirement: The service provider defines inspection and preventative measures. The measures are approved and accepted by JAB. | |
| | | AC-19 (1) | None | None | |
| | | AC-19 (2) | None | None | |
| | | AC-19 (3) | None | None | |
| AC-20 Use of External Information Systems | AC-20 | AC-20 | None | None | |
| | | AC-20 (1) | None | None | |
| | | AC-20 (2) | None | None | |
| AC-22 Publicly Accessible Content | AC-22 | AC-22 | AC-22d [Assignment: organization-defined frequency] Parameter: [at least quarterly] | None | |
| Awareness and Training (AT) | | | | | |
| AT-1 Security Awareness and Training Policy and Procedures | AT-1 | AT-1 | AT-1 [Assignment: organization-defined frequency] Parameter: [at least annually] | None | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| AT-2 Security Awareness | AT-2 | AT-2 | AT-2 [Assignment: organization-defined frequency] Parameter: [at least annually] | None | |
| AT-3 Security Training | AT-3 | AT-3 | AT-3 [Assignment: organization-defined frequency] Parameter: [at least every three years] | None | |
| AT-4 Security Training Records | AT-4 | AT-4 | AT-4b [Assignment: organization-defined frequency] Parameter: [At least three years] | None | |
| Audit and Accountability (AU) | | | | | |
| AU-1 Audit and Accountability Policy and Procedures | AU-1 | AU-1 | AU-1 [Assignment: organization-defined frequency] Parameter: [at least annually] | None | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| AU-2 Auditable Events | AU-2 | AU-2 | AU-2a [Assignment: organization-defined list of auditable events] Parameter: [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes] | None | |
| | | | AU-2d [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited] Parameter: See additional requirements and guidance. AU-2d. [Assignment: organization-defined frequency of (or situation requiring) auditing for each identified event]. Parameter: [continually] | AU-2d Requirement: The service provider defines the subset of auditable events from AU-2a to be audited. The events to be audited are approved and accepted by JAB. | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| | | AU-2 (3) | AU-2 (3) [Assignment: organization-defined frequency] Parameter: [annually or whenever there is a change in the threat environment] | AU-2 (3) Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB. | |
| | | AU-2 (4) | None | AU-2 (4) Requirement: The service provider configures the auditing features of operating systems, databases, and applications to record security-related events, to include logon/logoff and all failed access attempts. | |
| AU-3 Content of Audit Records | AU-3 | AU-3 | None | None | |
| | | AU-3 (1) | AU-3 (1) [Assignment: organization-defined additional, more detailed information] Parameter: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon] | AU-3 (1) Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the JAB. Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry. | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| AU-4 Audit Storage Capacity | AU-4 | AU-4 | None | None | |
| AU-5 Response to Audit Processing Failures | AU-5 | AU-5 | AU-5b [Assignment: organization-defined actions to be taken] Parameter: [low-impact: overwrite oldest audit records; moderate-impact: shut down] | None | |
| AU-6 Audit Review, Analysis, and Reporting | AU-6 | AU-6 | AU-6a [Assignment: organization-defined frequency] Parameter: [at least weekly] | None | |
| | | AU-6 (1) | None | None | |
| | | AU-6 (3) | None | None | |
| AU-7 Audit Reduction and Report Generation | Not Selected | AU-7 | None | None | |
| | | AU-7 (1) | None | None | |
| AU-8 Time Stamps | AU-8 | AU-8 | None | None | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| | | AU-8 (1) | AU-8 (1) [Assignment: organization-defined frequency] Parameter 1: [at least hourly] | AU-8 (1) Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server. Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server. Guidance: Synchronization of system clocks improves the accuracy of log analysis. | |
| | | | AU-8 (1) [Assignment: organization-defined authoritative time source] Parameter 2: [http://tf.nist.gov/tf-cgi/servers.cgi] | | |
| AU-9 Protection of Audit Information | AU-9 | AU-9 | None | None | |
| | | AU-9 (2) | AU-9 (2) [Assignment: organization-defined frequency] Parameter: [at least weekly] | None | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| AU-10 Non-Repudiation | Not Selected | AU-10 | None | None | |
| | | AU-10 (5) | AU-10 (5) [Selection: FIPS-validated; NSA-approved] Parameter: See additional requirements and guidance. | AU-10 (5) Requirement: The service provider implements FIPS 140-2 validated cryptography (e.g., DOD PKI Class 3 or 4 tokens) for service offerings that include Software-as-a-Service (SaaS) with email. | |
| AU-11 Audit Record Retention | AU-11 | AU-11 | AU-11 [Assignment: organization-defined time period consistent with records retention policy] Parameter: [at least ninety days] | AU-11 Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements. | |
| AU-12 Audit Generation | AU-12 | AU-12 | AU-12a [Assignment: organization-defined information system components] Parameter: [all information system components where audit capability is deployed] | None | |
| Assessment and Authorization (CA) | | | | | |
| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| CA-1 Security Assessment and Authorization Policies and Procedures | CA-1 | CA-1 | CA-1 [Assignment: organization-defined frequency] Parameter: [at least annually] | None | |
| CA-2 Security Assessments | CA-2 | CA-2 | CA-2b [Assignment: organization-defined frequency] Parameter: [at least annually] | None | |
| | CA-2 (1) | CA-2 (1) | None | None | |
| CA-3 Information System Connections | CA-3 | CA-3 | None | None | |
| CA-5 Plan of Action and Milestones | CA-5 | CA-5 | CA-5b [Assignment: organization-defined frequency] Parameter: [at least quarterly] | None | |

| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| CA-6 Security Authorization | CA-6 | CA-6 | CA-6c [Assignment: organization-defined frequency] Parameter: [at least every three years or when a significant change occurs] | CA-6c Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would require a reauthorization of the information system. The types of changes are approved and accepted by the JAB. | |
| CA-7 Continuous Monitoring | CA-7 | CA-7 | CA-7d [Assignment: organization-defined frequency] Parameter: [monthly] | None | |
| | | CA-7 (2) | CA-7 (2) [Assignment: organization-defined frequency] Parameter 1: [annually] [Selection: announced; unannounced] Parameter 2: [unannounced] [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises] Parameter 3: [penetration testing] [Assignment: organization-defined other forms of security assessment] Parameter 4: [in-depth monitoring] | None | |
| Control Number and Name | Low | Moderate | Control Parameter Requirements | Additional Requirements and Guidance | Service Provider Implemented Settings and Exceptions |
|---|---|---|---|---|---|
| Configuration Management (CM) | | | | | |
| CM-1 Configuration Management Policy and Procedures | CM-1 | CM-1 | CM-1 [Assignment: organization-defined frequency] Parameter: [at least annually] | None | |
| CM-2 Baseline Configuration | CM-2 | CM-2 | None | None | |
| | | CM-2 (1) | CM-2 (1) (a) [Assignment: organization-defined frequency] Parameter: [annually] | None | |
| | | | CM-2 (1) (b) [Assignment: organization-defined circumstances] Parameter: [a significant change] | CM-2 (1) (b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would require a review and update of the baseline configuration. The types of changes are approved and accepted by the JAB. | |
| | | CM-2 (3) | None | None | |


CM-2 (5)
Parameter requirements: CM-2 (5) (a) [Assignment: organization-defined list of software programs authorized to execute on the information system] Parameter: See additional requirements and guidance.
Additional requirements and guidance: CM-2 (5) (a) Requirement: The service provider defines and maintains a list of software programs authorized to execute on the information system. The list of authorized programs is approved and accepted by the JAB.




CM-3 Configuration Change Control
Baseline: Low: Not Selected; Moderate: CM-3
Parameter requirements:
  CM-3f [Assignment: organization-defined configuration change control element] Parameter: See additional requirements and guidance.
  [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]] Parameter: See additional requirements and guidance.
Additional requirements and guidance:
  CM-3f Requirement: The service provider defines the configuration change control element and the frequency or conditions under which it is convened. The change control element and frequency/conditions of use are approved and accepted by the JAB.
  Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB.

CM-3 (2)
Parameter requirements: None
Additional requirements and guidance: None

CM-4 Security Impact Analysis
Baseline: Low: CM-4; Moderate: CM-4
Parameter requirements: None
Additional requirements and guidance: None



CM-5 Access Restrictions for Change
Baseline: Low: Not Selected; Moderate: CM-5
Parameter requirements: None
Additional requirements and guidance: None

CM-5 (1)
Parameter requirements: None
Additional requirements and guidance: None



CM-5 (5)
Parameter requirements: CM-5 (5) (b) [Assignment: organization-defined frequency] Parameter: [at least quarterly]
Additional requirements and guidance: None




CM-6 Configuration Settings
Baseline: Low: CM-6; Moderate: CM-6
Parameter requirements: CM-6a [Assignment: organization-defined security configuration checklists] Parameter: [United States Government Configuration Baseline (USGCB)]
Additional requirements and guidance:
  CM-6a Requirement: Use USGCB configuration checklists if available. If not available, the service provider uses configuration settings based on industry best practices such as Center for Internet Security guidelines. Otherwise, the service provider establishes their own configuration settings. Indicate if checklists from outside organizations are used. Indicate if checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). Configuration settings are approved and accepted by the JAB.
  CM-6a Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc.




CM-6 (1)
Parameter requirements: None
Additional requirements and guidance: None

CM-6 (3)
Parameter requirements: None
Additional requirements and guidance: None

CM-7 Least Functionality
Baseline: Low: CM-7; Moderate: CM-7
Parameter requirements: CM-7 [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services] Parameter: [United States Government Configuration Baseline (USGCB)]
Additional requirements and guidance:
  CM-7 Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish a list of prohibited or restricted functions, ports, protocols, and/or services, or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. The list of prohibited or restricted functions, ports, protocols, and/or services is approved and accepted by the JAB.
  CM-7 Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc.

CM-7 (1)
Parameter requirements: CM-7 (1) [Assignment: organization-defined frequency] Parameter: [at least quarterly]
Additional requirements and guidance: None




CM-8 Information System Component Inventory
Baseline: Low: CM-8; Moderate: CM-8
Parameter requirements: CM-8d [Assignment: organization-defined information deemed necessary to achieve effective property accountability] Parameter: See additional requirements and guidance.
Additional requirements and guidance:
  CM-8d Requirement: The service provider defines information deemed necessary to achieve effective property accountability. Property accountability information is approved and accepted by the JAB.
  CM-8d Guidance: Information deemed necessary to achieve effective property accountability may include hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name and network address.

CM-8 (1)
Parameter requirements: None
Additional requirements and guidance: None

CM-8 (3)
Parameter requirements: CM-8 (3) (a) [Assignment: organization-defined frequency] Parameter: [Continuously, using automated mechanisms with a maximum five-minute delay in detection.]
Additional requirements and guidance: None




CM-8 (5)
Parameter requirements: None
Additional requirements and guidance: None

CM-9 Configuration Management Plan
Baseline: Low: Not Selected; Moderate: CM-9
Parameter requirements: None
Additional requirements and guidance: None

Contingency Planning (CP)

CP-1 Contingency Planning Policy and Procedures
Baseline: Low: CP-1; Moderate: CP-1
Parameter requirements: CP-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None

CP-2 Contingency Plan
Baseline: Low: CP-2; Moderate: CP-2
Parameter requirements:
  CP-2b [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance.
  CP-2d [Assignment: organization-defined frequency] Parameter: [at least annually]
  CP-2f [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance.
Additional requirements and guidance:
  CP-2b Requirement: The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. The contingency list includes designated FedRAMP personnel.
  CP-2d: None
  CP-2f Requirement: The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. The contingency list includes designated FedRAMP personnel.



CP-2 (1)
Parameter requirements: None
Additional requirements and guidance: None

CP-2 (2)
Parameter requirements: None
Additional requirements and guidance: None

CP-3 Contingency Training
Baseline: Low: CP-3; Moderate: CP-3
Parameter requirements: CP-3 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None

CP-4 Contingency Plan Testing and Exercises
Baseline: Low: CP-4; Moderate: CP-4
Parameter requirements:
  CP-4a [Assignment: organization-defined frequency] Parameter 1: [at least annually for moderate impact systems; at least every three years for low impact systems]
  [Assignment: organization-defined tests and/or exercises] Parameter 2: [functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems]
Additional requirements and guidance: CP-4a Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended) and provides plans to FedRAMP prior to initiating testing. Test plans are approved and accepted by the JAB.

CP-4 (1)
Parameter requirements: None
Additional requirements and guidance: None




CP-6 Alternate Storage Site
Baseline: Low: Not Selected; Moderate: CP-6
Parameter requirements: None
Additional requirements and guidance: None

CP-6 (1)
Parameter requirements: None
Additional requirements and guidance: None

CP-6 (3)
Parameter requirements: None
Additional requirements and guidance: None

CP-7 Alternate Processing Site
Baseline: Low: Not Selected; Moderate: CP-7
Parameter requirements: CP-7a [Assignment: organization-defined time period consistent with recovery time objectives] Parameter: See additional requirements and guidance.
Additional requirements and guidance: CP-7a Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis. The time period is approved and accepted by the JAB.

CP-7 (1)
Parameter requirements: None
Additional requirements and guidance: None

CP-7 (2)
Parameter requirements: None
Additional requirements and guidance: None

CP-7 (3)
Parameter requirements: None
Additional requirements and guidance: None

CP-7 (5)
Parameter requirements: None
Additional requirements and guidance: None

CP-8 Telecommunications Services
Baseline: Low: Not Selected; Moderate: CP-8
Parameter requirements: CP-8 [Assignment: organization-defined time period] Parameter: See additional requirements and guidance.
Additional requirements and guidance: CP-8 Requirement: The service provider defines a time period consistent with the business impact analysis. The time period is approved and accepted by the JAB.

CP-8 (1)
Parameter requirements: None
Additional requirements and guidance: None

CP-8 (2)
Parameter requirements: None
Additional requirements and guidance: None




CP-9 Information System Backup
Baseline: Low: CP-9; Moderate: CP-9
Parameter requirements:
  CP-9a [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives] Parameter: [daily incremental; weekly full]
  CP-9b [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives] Parameter: [daily incremental; weekly full]
  CP-9c [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives] Parameter: [daily incremental; weekly full]
Additional requirements and guidance:
  CP-9 Requirement: The service provider shall determine what elements of the cloud environment require the Information System Backup control. The cloud environment elements requiring Information System Backup are approved and accepted by the JAB.
  CP-9 Requirement: The service provider shall determine how Information System Backup is going to be verified and appropriate periodicity of the check. The verification and periodicity of the Information System Backup are approved and accepted by the JAB.
  CP-9a Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the JAB.
  CP-9b Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the JAB.
  CP-9c Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the JAB.



CP-9 (1)
Parameter requirements: CP-9 (1) [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None

CP-9 (3)
Parameter requirements: None
Additional requirements and guidance: None

CP-10 Information System Recovery and Reconstitution
Baseline: Low: CP-10; Moderate: CP-10
Parameter requirements: None
Additional requirements and guidance: None

CP-10 (2)
Parameter requirements: None
Additional requirements and guidance: None

CP-10 (3)
Parameter requirements: CP-10 (3) [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known state] Parameter: See additional requirements and guidance.
Additional requirements and guidance: CP-10 (3) Requirement: The service provider defines circumstances that can inhibit recovery and reconstitution to a known state in accordance with the contingency plan for the information system and business impact analysis.



Identification and Authentication (IA)

IA-1 Identification and Authentication Policy and Procedures
Baseline: Low: IA-1; Moderate: IA-1
Parameter requirements: IA-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None

IA-2 Identification and Authentication (Organizational Users)
Baseline: Low: IA-2; Moderate: IA-2
Parameter requirements: None
Additional requirements and guidance: None

IA-2 (1)
Parameter requirements: None
Additional requirements and guidance: None

IA-2 (2)
Parameter requirements: None
Additional requirements and guidance: None

IA-2 (3)
Parameter requirements: None
Additional requirements and guidance: None

IA-2 (8)
Parameter requirements: IA-2 (8) [Assignment: organization-defined replay-resistant authentication mechanisms] Parameter: See additional requirements and guidance.
Additional requirements and guidance: IA-2 (8) Requirement: The service provider defines replay-resistant authentication mechanisms. The mechanisms are approved and accepted by the JAB.




IA-3 Device Identification and Authentication
Baseline: Low: Not Selected; Moderate: IA-3
Parameter requirements: IA-3 [Assignment: organization-defined list of specific and/or types of devices] Parameter: See additional requirements and guidance.
Additional requirements and guidance: IA-3 Requirement: The service provider defines a list of specific devices and/or types of devices. The list of devices and/or device types is approved and accepted by the JAB.

IA-4 Identifier Management
Baseline: Low: IA-4; Moderate: IA-4
Parameter requirements:
  IA-4d [Assignment: organization-defined time period] Parameter: [at least two years]
  IA-4e [Assignment: organization-defined time period of inactivity] Parameter: [ninety days for user identifiers]; Parameter: See additional requirements and guidance.
Additional requirements and guidance:
  IA-4d: None
  IA-4e Requirement: The service provider defines the time period of inactivity for device identifiers. The time period is approved and accepted by the JAB.

IA-4 (4)
Parameter requirements: IA-4 (4) [Assignment: organization-defined characteristic identifying user status] Parameter: [contractors; foreign nationals]
Additional requirements and guidance: None

IA-5 Authenticator Management
Baseline: Low: IA-5; Moderate: IA-5
Parameter requirements: IA-5g [Assignment: organization-defined time period by authenticator type] Parameter: [sixty days]
Additional requirements and guidance: None




IA-5 (1)
Parameter requirements:
  IA-5 (1) (a) [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type] Parameter: [case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters]
  IA-5 (1) (b) [Assignment: organization-defined number of changed characters] Parameter: [at least one or as determined by the information system (where possible)]
  IA-5 (1) (d) [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum] Parameter: [one day minimum, sixty day maximum]
  IA-5 (1) (e) [Assignment: organization-defined number] Parameter: [twenty four]
Additional requirements and guidance:
  IA-5 (1) (a) Guidance: Mobile devices are excluded from the password complexity requirement.
  IA-5 (1) (b): None
  IA-5 (1) (d): None
  IA-5 (1) (e): None

IA-5 (2)
Parameter requirements: None
Additional requirements and guidance: None
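The IA-5 (1) parameters tailored above can be written down as policy-as-code and checked at password-change time. The following Python is an added example, not part of the CTW template or of any FedRAMP tooling; the PasswordPolicy class, the position-wise measure of "changed characters", the ISO-date inputs and the plaintext password history are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """Password parameters as tailored for IA-5 (1) in this workbook (assumed class)."""
    min_length: int = 12            # IA-5 (1) (a): minimum of twelve characters
    require_upper: bool = True      # IA-5 (1) (a): at least one upper-case letter
    require_lower: bool = True      # IA-5 (1) (a): at least one lower-case letter
    require_digit: bool = True      # IA-5 (1) (a): at least one number
    require_special: bool = True    # IA-5 (1) (a): at least one special character
    min_changed_chars: int = 1      # IA-5 (1) (b): at least one changed character
    min_lifetime_days: int = 1      # IA-5 (1) (d): one day minimum
    max_lifetime_days: int = 60     # IA-5 (1) (d): sixty day maximum
    history_depth: int = 24         # IA-5 (1) (e): twenty four generations remembered
    mobile_device: bool = False     # IA-5 (1) (a) guidance: mobile devices are excluded
                                    # from the complexity requirement


FEDRAMP_IA5_1 = PasswordPolicy()


def complexity_violations(candidate: str, policy: PasswordPolicy = FEDRAMP_IA5_1) -> list[str]:
    """IA-5 (1) (a): list every unmet complexity requirement; an empty list is compliant.
    All comparisons are case sensitive, which is itself one of the (a) parameters."""
    if policy.mobile_device:
        return []
    found = []
    if len(candidate) < policy.min_length:
        found.append(f"IA-5 (1) (a): fewer than {policy.min_length} characters")
    checks = [
        (policy.require_upper, str.isupper, "upper-case letter"),
        (policy.require_lower, str.islower, "lower-case letter"),
        (policy.require_digit, str.isdigit, "number"),
        (policy.require_special, lambda c: c in string.punctuation, "special character"),
    ]
    for required, predicate, label in checks:
        if required and not any(predicate(c) for c in candidate):
            found.append(f"IA-5 (1) (a): no {label}")
    return found


def changed_characters(old: str, new: str) -> int:
    """IA-5 (1) (b): positions that differ between old and new, plus any length
    difference. The position-wise metric is an assumption; the workbook leaves the
    exact measure to the information system 'where possible'."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def _age_days(last_set: str, today: str) -> int:
    """Days elapsed between two ISO-8601 dates (e.g. '2024-03-01')."""
    return (date.fromisoformat(today) - date.fromisoformat(last_set)).days


def evaluate_change(candidate: str, history: list[str], last_set: str | None,
                    today: str, policy: PasswordPolicy = FEDRAMP_IA5_1) -> list[str]:
    """Apply IA-5 (1) (a), (b), the (d) minimum and (e) to a proposed password change.

    history holds earlier passwords, most recent first. A production system keeps
    verifier hashes and compares the candidate against each stored hash; plaintext
    strings are used here only to keep the example self-contained."""
    violations = complexity_violations(candidate, policy)
    if history:
        if changed_characters(history[0], candidate) < policy.min_changed_chars:
            violations.append("IA-5 (1) (b): too few characters changed")
        if candidate in history[:policy.history_depth]:
            violations.append(
                f"IA-5 (1) (e): reuses one of the last {policy.history_depth} passwords")
    if last_set is not None and _age_days(last_set, today) < policy.min_lifetime_days:
        violations.append("IA-5 (1) (d): minimum lifetime has not elapsed")
    return violations


def rotation_overdue(last_set: str, today: str,
                     policy: PasswordPolicy = FEDRAMP_IA5_1) -> bool:
    """IA-5 (1) (d) maximum lifetime: True once the password is older than sixty days."""
    return _age_days(last_set, today) > policy.max_lifetime_days
```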




IA-5 (3)
Parameter requirements: IA-5 (3) [Assignment: organization-defined types of and/or specific authenticators] Parameter: [HSPD12 smart cards]
Additional requirements and guidance: None

IA-5 (6)
Parameter requirements: None
Additional requirements and guidance: None

IA-5 (7)
Parameter requirements: None
Additional requirements and guidance: None

IA-6 Authenticator Feedback
Baseline: Low: IA-6; Moderate: IA-6
Parameter requirements: None
Additional requirements and guidance: None

IA-7 Cryptographic Module Authentication
Baseline: Low: IA-7; Moderate: IA-7
Parameter requirements: None
Additional requirements and guidance: None

IA-8 Identification and Authentication (Non-Organizational Users)
Baseline: Low: IA-8; Moderate: IA-8
Parameter requirements: None
Additional requirements and guidance: None

Incident Response (IR)

IR-1 Incident Response Policy and Procedures
Baseline: Low: IR-1; Moderate: IR-1
Parameter requirements: IR-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None

IR-2 Incident Response Training
Baseline: Low: IR-2; Moderate: IR-2
Parameter requirements: IR-2b [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None




IR-3 Incident Response Testing and Exercises
Baseline: Low: Not Selected; Moderate: IR-3
Parameter requirements:
  IR-3 [Assignment: organization-defined frequency] Parameter: [annually]
  [Assignment: organization-defined tests and/or exercises] Parameter: See additional requirements and guidance.
Additional requirements and guidance:
  IR-3 Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended).
  Requirement: The service provider provides test plans to FedRAMP annually. Test plans are approved and accepted by the JAB prior to test commencing.

IR-4 Incident Handling
Baseline: Low: IR-4; Moderate: IR-4
Parameter requirements: None
Additional requirements and guidance: IR-4 Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.

IR-4 (1)
Parameter requirements: None
Additional requirements and guidance: None

IR-5 Incident Monitoring
Baseline: Low: IR-5; Moderate: IR-5
Parameter requirements: None
Additional requirements and guidance: None




IR-6 Incident Reporting
Baseline: Low: IR-6; Moderate: IR-6
Parameter requirements: IR-6a [Assignment: organization-defined time period] Parameter: [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]
Additional requirements and guidance: None

IR-6 (1)
Parameter requirements: None
Additional requirements and guidance: None

IR-7 Incident Response Assistance
Baseline: Low: IR-7; Moderate: IR-7
Parameter requirements: None
Additional requirements and guidance: None

IR-7 (1)
Parameter requirements: None
Additional requirements and guidance: None

IR-7 (2)
Parameter requirements: None
Additional requirements and guidance: None

IR-8 Incident Response Plan
Baseline: Low: IR-8; Moderate: IR-8
Parameter requirements:
  IR-8b [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance.
  IR-8c [Assignment: organization-defined frequency] Parameter: [at least annually]
  IR-8e [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance.
Additional requirements and guidance:
  IR-8b Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
  IR-8c: None
  IR-8e Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.



Maintenance (MA)

MA-1 System Maintenance Policy and Procedures
Baseline: Low: MA-1; Moderate: MA-1
Parameter requirements: MA-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None

MA-2 Controlled Maintenance
Baseline: Low: MA-2; Moderate: MA-2
Parameter requirements: None
Additional requirements and guidance: None

MA-2 (1)
Parameter requirements: None
Additional requirements and guidance: None

MA-3 Maintenance Tools
Baseline: Low: Not Selected; Moderate: MA-3
Parameter requirements: None
Additional requirements and guidance: None

MA-3 (1)
Parameter requirements: None
Additional requirements and guidance: None

MA-3 (2)
Parameter requirements: None
Additional requirements and guidance: None

MA-3 (3)
Parameter requirements: None
Additional requirements and guidance: None

MA-4 Non-Local Maintenance
Baseline: Low: MA-4; Moderate: MA-4
Parameter requirements: None
Additional requirements and guidance: None

MA-4 (1)
Parameter requirements: None
Additional requirements and guidance: None

MA-4 (2)
Parameter requirements: None
Additional requirements and guidance: None

MA-5 Maintenance Personnel
Baseline: Low: MA-5; Moderate: MA-5
Parameter requirements: None
Additional requirements and guidance: None




MA-6 Timely Maintenance
Baseline: Low: Not Selected; Moderate: MA-6
Parameter requirements:
  MA-6 [Assignment: organization-defined list of security-critical information system components and/or key information technology components] Parameter: See additional requirements and guidance.
  [Assignment: organization-defined time period] Parameter: See additional requirements and guidance.
Additional requirements and guidance:
  MA-6 Requirement: The service provider defines a list of security-critical information system components and/or key information technology components. The list of components is approved and accepted by the JAB.
  Requirement: The service provider defines a time period to obtain maintenance and spare parts in accordance with the contingency plan for the information system and business impact analysis. The time period is approved and accepted by the JAB.

Media Protection (MP)

MP-1 Media Protection Policy and Procedures
Baseline: Low: MP-1; Moderate: MP-1
Parameter requirements: MP-1 [Assignment: organization-defined frequency] Parameter: [at least annually]
Additional requirements and guidance: None




MP-2 Media Access
Baseline: Low: MP-2; Moderate: MP-2
Parameter requirements: MP-2 [Assignment: organization-defined types of digital and non-digital media] Parameter 1: See additional requirements and guidance