Planning for FedRAMP’s NIST SP 800-53 Rev 5 Baseline

Overview of the draft release of NIST SP 800-53 Rev. 5 for FedRAMP

Table of Contents

FedRAMP - Major Regulatory Release
(NIST SP 800-53 Rev. 4 to Rev. 5)

Abstract

In 2020, the National Institute for Standards and Technology (NIST) published the final version of SP 800-53 Revision 5 and SP 800-53B, Control Baselines for Information Systems and Organizations. This represents a multi-year effort to develop a more reflective security and privacy controls integration. While the framework natively still applies only to federal agencies and their information systems, NIST is encouraging the document to be more applicable to both non-federal and private organizations 

The FedRAMP PMO has since worked with the Joint Authorization Board (JAB) over that time to further develop the FedRAMP baselines in alignment with NIST’s Rev. 5 update (draft most recently published December 21, 2021). As noted in NIST and FedRAMP PMO notices, key changes to the security requirements are more on threat-based methodologies (outcome based), empirical attack data, systems engineering, and supply chain best practices.

This post is intended to provide FedRAMP stakeholders (CSP’s, 3PAO’s, Federal Agencies, Research Institutions) better visibility into the FedRAMP draft release of NIST SP 800-53 Rev. 5 to assist in your data analysis for the upcoming comment period, technical, and business impacts.

Aggregate FedRAMP View (NIST SP 800-53 Rev. 4 to Rev. 5 Comparison)

In the FedRAMP PMO Rev 5 blog post, they provided the following control impacts from a NIST SP 800-53 Rev. 5 to a FedRAMP PMO Rev. 5 comparison [not a comparison of NIST SP 800-53 Rev. 4 to Rev. 5)
  • Low Baseline – FedRAMP added 1 additional control (above the NIST baseline)
  • Moderate Baseline – FedRAMP added 17 additional controls (above the NIST baseline)
  • High Baseline – FedRAMP added 22 additional controls (above the NIST baseline)
As we evaluated the security controls, we wanted to also include impacts from NIST SP 800-53 Rev. 4 to Rev. 5 FedRAMP PMO security control perspective. Summarized below are some of the key control number changes proposed with more control detail in Appendix.

 

High Baseline

Moderate Baseline

Low Baseline

FedRAMP (Rev 4) Baseline

421

325

125

Controls & Enhancements withdrawn

(FedRAMP PMO and NIST)

-74

-62

-3

Subtotal

347

263

122

FedRAMP & NIST (Rev 5) Controls Added*

+45

+41

+28

Subtotal

392

304

150

Controls withdrawn, but consolidated/ merged*

+21

+16

+2

Total

413

320

152

*Withdrawn controls consolidated to a new control were not counted twice

The question we’re all trying to discern is what does the new revision really mean in terms of material changes and level of impact to CSPs? Sheer number of controls is one thing, but the extent of what the control is asking for is something else entirely.

FedRAMP Control Parameter Changes

Security control parameter changes should also be taken into consideration when looking to evaluate the security control deltas. Due to the timing of the release and our feedback, we wanted to get out some initial thoughts out. We will have a follow-up to this blog with the parameter changes once the PMO baseline is considered final.

Let Your Voice Be Heard

Published in earlier guidance – the FedRAMP PMO has established a general timeline on how the review process will proceed. This is very similar to the standard NIST publications/releases.

It’s important that the FedRAMP business community get involved to ensure a more refined work product in the end.

  • Cloud Service Providers (CSP) – look to understand what’s being asked of you. What material differences can you identify? What feedback can you give the FedRAMP PMO to promote a reasonable interpretation of the requirements and security risk?
  • Third Party Assessment Organizations (3PAO) – understand the requirements (withdrawn, consolidated, and net-new). Do your own analysis and determine any material changes within the new proposed baseline. What’s missing? How do you advise or test the CSP’s against these requirements?
  • Government direct and research community stakeholders – it’s really important that your feedback is part of the baseline. The more integrated the FedRAMP baseline is from the viewpoint of an agency, the more reciprocity is achieved across government.
  • Industry Best Practice stakeholders – promoting industry best practices amongst our government should be a civic duty. Share your thoughts and insights to ensure this truly is the greatest good security requirements and practices for government.

 

The FedRAMP PMO has released an initial draft of the FedRAMP Rev. 5 for your review and comment. As noted in the release, industry feedback will be accepted through info@fedramp.gov via this format by Friday, April 1, 2022.

Historically speaking, a similar approach was taken when FedRAMP released the initial baseline associated with NIST SP 800-53 Rev. 4. CSPs were provided a period of time to review the new controls, provide feedback on if the parameter was accurate or if the control should even be included in the baseline. After that time period came and went, FedRAMP finalized their baseline for all to use. At that time, it was not an instantaneous adoption. FedRAMP worked with each CSP to determine at what point in the process would they look to uplift to the new baseline. This is primarily because new security controls must first be implemented and that just doesn’t happen overnight. FedRAMP knows this. You will have time to implement the controls and then have it properly tested by your 3PAO.

FedRAMP has not officially said what that the time period will look like, but if history repeats itself, it may look similar to something like this:

  • CSPs with an existing ATO will uplift to the new baseline at their next annual, or the one after, depending on the ATO date
  • If a CSP is in the middle of their initial assessment, they will be allowed to continue under NIST SP 800-53 Rev. 4, but will be expected to uplift to Rev. 5 during their first annual
  • If a CSP is in the early stages of FedRAMP preparation and has not started an assessment, it will truly depend how early it is in the process. However most likely, these CSPs will need to look at the new baseline and have a strategy around how those new controls will be implemented. This will probably be handled on a case-by-case basis with the CSP and the FedRAMP PMO.

Summary

Major releases of the NIST SP 800-53 security guidance does not come along often and takes several years to be fully evaluated, revised, impacted, and implemented.

The number of security controls (plus or minus) does not necessarily equate level of effort or material impacts from a regulation perspective. Complexity of the control, parameter changes (frequency/how restrictive) and technical feasibility for the cloud service provider to implement is what will drive impacts on what these regulations mean to the FedRAMP community. Another key aspect to consider is the shared responsibility model with underlying infrastructure as a service or platform as a service provider. This new baseline will impact the number of controls or portions of controls are fully inherited or partially inherited by these providers.

As noted above, take the time to review and provide feedback. You can’t complain about the process if you haven’t taken the time to response and be heard.

Our initial review and research are providing a more detailed view into potential impacts (Draft release from the FedRAMP PMO – subject to change based on feedback), but further research and discussions will be needed to better understand material impacts. Fortreum will look to release more content in the future (especially once this publication is final) to assist the FedRAMP community in understanding the full impacts of these changes.

Appendix A: Key Control Considerations

Control Family

Controls

Control Name

Identification and Authentication

IA-05 (11)*

Authenticator Management | Hardware Token-based Authentication

Identification and Authentication

IA-08 (03)*

Identification and Authentication | Use of FICAM-Approved Products

System and Information Integrity

SI-16

Memory Protection

*Indicates controls removed from NIST 800-53 Rev. 5 but consolidated into another control in the baseline.

Controls Removed from the FedRAMP Moderate Baseline (62)

Control Family

Controls

Control Name

Access Control

AC-02 (10)*

Account Management | Shared / Group Account Credential Termination

Access Control

AC-04 (21)

Information Flow Enforcement | Physical / Logical Separation of Information Flows

Access Control

AC-10

Concurrent Session Control

Access Control

AC-17 (09)

Remote Access | Disconnect / Disable Access

Audit and Accountability

AU-02 (03)*

Audit Events | Reviews and Updates

Audit and Accountability

AU-08 (01)

Time Stamps | Synchronization with Authoritative Time Source

Audit and Accountability

AU-09 (02)

Protection Of Audit Information | Store on Separate Physical Systems Or Components

Security Assessment and Authorization

CA-02 (02)

Control Assessments | Specialized Assessments

Security Assessment and Authorization

CA-02 (03)

Security Assessments | External Organizations

Security Assessment and Authorization

CA-03 (03)

System Interconnections | Unclassified Non-National Security System Connections

Security Assessment and Authorization

CA-03 (05)

System Interconnections | Restrictions on External System Connections

Security Assessment and Authorization

CA-08

Penetration Testing

Security Assessment and Authorization

CA-08 (01)

Penetration Testing | Independent Penetration Testing Agent or Team

Configuration Management

CM-02 (01)*

Baseline Configuration | Reviews and Updates

Configuration Management

CM-05 (03)

Access Restrictions for Change | Signed Components

Configuration Management

CM-08 (05)*

Information System Component Inventory | No Duplicate Accounting of Components

Configuration Management

CM-10 (01)

Software Usage Restrictions | Open-Source Software

Contingency Planning

CP-02 (02)

Contingency Plan | Capacity Planning

Contingency Planning

CP-09 (03)

System Backup | Separate Storage for Critical Information

Identification and Authentication

IA-02 (03)*

Identification And Authentication | Local Access to Privileged Accounts

Identification and Authentication

IA-02 (11)*

Identification And Authentication | Remote Access – Separate Device

Identification and Authentication

IA-05 (03)*

Authenticator Management | In-Person or Trusted Third-Party Registration

Identification and Authentication

IA-05 (04)*

Authenticator Management | Automated Support for Password Strength Determination

Identification and Authentication

IA-05 (11)*

Authenticator Management | Hardware Token-Based Authentication

Identification and Authentication

IA-08 (03)*

Identification And Authentication | Use of FICAM-Approved Products

Incident Response

IR-07 (02)

Incident Response Assistance | Coordination with External Providers

Incident Response

IR-09

Information Spillage Response

Incident Response

IR-09 (01)

Information Spillage Response | Responsible Personnel

Incident Response

IR-09 (02)

Information Spillage Response | Training

Incident Response

IR-09 (03)

Information Spillage Response | Post-Spill Operations

Incident Response

IR-09 (04)

Information Spillage Response | Exposure to Unauthorized Personnel

Maintenance

MA-04 (02)*

Nonlocal Maintenance | Document Nonlocal Maintenance

Maintenance

MA-05 (01)

Maintenance Personnel | Individuals Without Appropriate Access

Media Protection

MP-05 (04)*

Media Transport | Cryptographic Protection

Media Protection

MP-06 (02)

Media Sanitization | Equipment Testing

Media Protection

MP-07 (01)*

Media Use | Prohibit Use Without Owner

Physical and Environmental Protection

PE-13 (02)

Fire Protection | Suppression Systems — Automatic Activation and Notification

Physical and Environmental Protection

PE-13 (03)*

Fire Protection | Automatic Fire Suppression

Physical and Environmental Protection

PE-14 (02)

Temperature And Humidity Controls | Monitoring with Alarms / Notifications

Planning

PL-02 (03)*

System Security Plan | Plan / Coordinate with Other Organizational Entities

Personnel Security

PS-03 (03)

Personnel Screening | Information with Special Protection Measures

Risk Assessment

RA-05 (01)*

Vulnerability Scanning | Update Tool Capability

Risk Assessment

RA-05 (06)

Vulnerability Scanning | Automated Trend Analyses

Risk Assessment

RA-05 (08)

Vulnerability Scanning | Review Historic Audit Logs

System and Services Acquisition

SA-04 (08)

Acquisition Process | Continuous Monitoring Plan

System and Services Acquisition

SA-09 (01)

External Information Systems | Risk Assessments / Organizational Approvals

System and Services Acquisition

SA-09 (04)

External Information Systems | Consistent Interests of Consumers and Providers

System and Services Acquisition

SA-09 (05)

External System Services | Processing, Storage, And Service Location

System and Services Acquisition

SA-10 (01)

Developer Configuration Management | Software /
Firmware Integrity Verification

System and Services Acquisition

SA-11 (01)

Developer Security Testing and Evaluation | Static Code Analysis

System and Services Acquisition

SA-11 (02)

Developer Security Testing and Evaluation | Threat and Vulnerability Analyses

System and Services Acquisition

SA-11 (08)

Developer Security Testing and Evaluation | Dynamic Code Analysis

System and Communications Protection

SC-06

Resource Availability

System and Communications Protection

SC-07 (13)

Boundary Protection | Isolation of Security Tools /
Mechanisms / Support Components

System and Communications Protection

SC-12 (02)

Cryptographic Key Establishment and Management |
Symmetric Keys

System and Communications Protection

SC-12 (03)

Cryptographic Key Establishment and Management |
Asymmetric Keys

System and Communications Protection

SC-19

Voice Over Internet Protocol

System and Information Integrity

SI-03 (01)

Malicious Code Protection | Central Management

System and Information Integrity

SI-03 (02)*

Malicious Code Protection | Automatic Updates

System and Information Integrity

SI-03 (07)*

Malicious Code Protection | Nonsignature-Based Detection

System and Information Integrity

SI-04 (14)

System Monitoring | Wireless Intrusion Detection

System and Information Integrity

SI-08 (01)

Spam Protection | Central Management

*Indicates controls removed from NIST 800-53 Rev. 5 but consolidated into another control in the baseline.

Controls Removed from the FedRAMP High Baseline (74)

Control Family

Controls

Control Name

Access Control

AC-02 (10)*

Account Management | Shared / Group Account Credential Termination

Access Control

AC-04 (08)

Information Flow Enforcement | Security Policy Filters

Access Control

AC-04 (21)

Information Flow Enforcement | Physical / Logical Separation of Information Flows

Access Control

AC-07 (02)

Unsuccessful Logon Attempts | Purge / Wipe Mobile Device

Access Control

AC-12 (01)

Session Termination | User-Initiated Logouts / Message Displays

Access Control

AC-17 (09)

Remote Access | Disconnect / Disable Access

Awareness and Training

AT-03 (03)

Security Training | Practical Exercises

Awareness and Training

AT-03 (04)

Security Training | Suspicious Communications and Anomalous System Behavior

Audit and Accountability

AU-02 (03)*

Audit Events | Reviews and Updates

Audit and Accountability

AU-03 (02)

Content Of Audit Records | Centralized Management Of Planned Audit Record Content

Audit and Accountability

AU-06 (10)*

Audit Review, Analysis, And Reporting | Audit Level Adjustment

Audit and Accountability

AU-08 (01)

Time Stamps | Synchronization with Authoritative Time Source

Security Assessment and Authorization

CA-02 (03)

Security Assessments | External Organizations

Security Assessment and Authorization

CA-03 (03)

System Interconnections | Unclassified Non-National Security System Connections

Security Assessment and Authorization

CA-03 (05)

System Interconnections | Restrictions on External System Connections

Security Assessment and Authorization

CA-07 (03)

Continuous Monitoring | Trend Analyses

Configuration Management

CM-02 (01)*

Baseline Configuration | Reviews and Updates

Configuration Management

CM-05 (02)

Access Restrictions for Change | Review System Changes

Configuration Management

CM-05 (03)

Access Restrictions for Change | Signed Components

Configuration Management

CM-08 (05)*

Information System Component Inventory | No Duplicate Accounting of Components

Configuration Management

CM-10 (01)

Software Usage Restrictions | Open-Source Software

Configuration Management

CM-11 (01)*

User-Installed Software | Alerts for Unauthorized Installations

Contingency Planning

CP-02 (04)*

Contingency Plan | Resume All Missions / Business Functions

Identification and Authentication

IA-02 (03)*

Identification And Authentication | Local Access to Privileged Accounts

Identification and Authentication

IA-02 (04)*

Identification And Authentication | Local Access to Non-Privileged Accounts

Identification and Authentication

IA-02 (09)*

Identification And Authentication | Network Access to Non-Privileged Accounts – Replay Resistant

Identification and Authentication

IA-02 (11)*

Identification And Authentication | Remote Access – Separate Device

Identification and Authentication

IA-05 (03)*

Authenticator Management | In-Person or Trusted Third-Party Registration

Identification and Authentication

IA-05 (04)*

Authenticator Management | Automated Support for Password Strength Determination

Identification and Authentication

IA-05 (11)*

Authenticator Management | Hardware Token-Based Authentication

Identification and Authentication

IA-08 (03)*

Identification And Authentication | Use of FICAM-Approved Products

Incident Response

IR-04 (03)

Incident Handling | Continuity of Operations

Incident Response

IR-04 (08)

Incident Handling | Correlation with External Organizations

Incident Response

IR-07 (02)

Incident Response Assistance | Coordination with External Providers

Incident Response

IR-09

Information Spillage Response

Incident Response

IR-09 (01)

Information Spillage Response | Responsible Personnel

Incident Response

IR-09 (02)

Information Spillage Response | Training

Incident Response

IR-09 (03)

Information Spillage Response | Post-Spill Operations

Incident Response

IR-09 (04)

Information Spillage Response | Exposure to Unauthorized Personnel

Maintenance

MA-04 (02)*

Nonlocal Maintenance | Document Nonlocal Maintenance

Maintenance

MA-04 (06)

Nonlocal Maintenance | Cryptographic Protection

Media Protection

MP-05 (04)*

Media Transport | Cryptographic Protection

Media Protection

MP-07 (01)*

Media Use | Prohibit Use Without Owner

Physical and Environmental Protection

PE-13 (03)*

Fire Protection | Automatic Fire Suppression

Physical and Environmental Protection

PE-14 (02)

Temperature And Humidity Controls | Monitoring with Alarms / Notifications

Planning

PL-02 (03)*

System Security Plan | Plan / Coordinate with Other Organizational Entities

Personnel Security

PS-03 (03)

Personnel Screening | Information with Special Protection Measures

Risk Assessment

RA-05 (01)*

Vulnerability Scanning | Update Tool Capability

Risk Assessment

RA-05 (06)

Vulnerability Scanning | Automated Trend Analyses

Risk Assessment

RA-05 (08)

Vulnerability Scanning | Review Historic Audit Logs

Risk Assessment

RA-05 (10)

Vulnerability Scanning | Correlate Scanning Information

System and Services Acquisition

SA-04 (08)

Acquisition Process | Continuous Monitoring Plan

System and Services Acquisition

SA-09 (01)

External Information Systems | Risk Assessments /
Organizational Approvals

System and Services Acquisition

SA-09 (04)

External Information Systems | Consistent Interests of Consumers and Providers

System and Services Acquisition

SA-10 (01)

Developer Configuration Management | Software /
Firmware Integrity Verification

System and Services Acquisition

SA-11 (01)

Developer Security Testing and Evaluation | Static Code Analysis

System and Services Acquisition

SA-11 (02)

Developer Security Testing and Evaluation | Threat and Vulnerability Analyses

System and Services Acquisition

SA-11 (08)

Developer Security Testing and Evaluation | Dynamic Code Analysis

System and Services Acquisition

SA-12*

Supply Chain Protection

System and Communications Protection

SC-06

Resource Availability

System and Communications Protection

SC-07 (10)

Boundary Protection | Prevent Unauthorized Exfiltration

System and Communications Protection

SC-07 (13)

Boundary Protection | Isolation of Security Tools /
Mechanisms / Support Components

System and Communications Protection

SC-12 (02)

Cryptographic Key Establishment and Management |
Symmetric Keys

System and Communications Protection

SC-12 (03)

Cryptographic Key Establishment and Management |
Asymmetric Keys

System and Communications Protection

SC-19

Voice Over Internet Protocol

System and Communications Protection

SC-23 (01)

Session Authenticity | Invalidate Session Identifiers at Logout

System and Information Integrity

SI-02 (01)

Flaw Remediation | Central Management

System and Information Integrity

SI-03 (01)

Malicious Code Protection | Central Management

System and Information Integrity

SI-03 (02)*

Malicious Code Protection | Automatic Updates

System and Information Integrity

SI-03 (07)*

Malicious Code Protection | Non signature-Based Detection

System and Information Integrity

SI-04 (18)

Information System Monitoring | Analyze Traffic / Covert Exfiltration

System and Information Integrity

SI-04 (24)

Information System Monitoring | Indicators of Compromise

System and Information Integrity

SI-07 (14)

Software, Firmware, And Information Integrity | Binary or Machine Executable Code

System and Information Integrity

SI-08 (01)

Spam Protection | Central Management

*Indicates controls removed from NIST 800-53 Rev. 5 but consolidated into another control in the baseline.

Controls Added to the FedRAMP Low Baseline (28)

Control Family

Controls

Control Name

Awareness and Training

AT-02 (02)

Literacy Training and Awareness | Insider Threat

Security Assessment and Authorization

CA-07 (04)

Continuous Monitoring | Risk Monitoring

Configuration Management

CM-05

Access Restrictions for Change

Identification and Authentication

IA-02 (02)

Identification And Authentication (Organizational Users) | Multi-Factor Authentication to Non-Privileged Accounts

Identification and Authentication

IA-02 (08)

Identification And Authentication (Organizational Users) | Access to Accounts — Replay Resistant

Identification and Authentication

IA-11

Re-Authentication

Planning

PL-04 (01)

Rules Of Behavior | social media And External Site/Application Usage Restrictions

Planning

PL-10

Baseline Selection

Planning

PL-11

Baseline Tailoring

Personnel Security

PS-09

Position Descriptions

Risk Assessment

RA-03 (01)

Risk Assessment | Supply Chain Risk Assessment

Risk Assessment

RA-05 (02)

Vulnerability Monitoring and Scanning | Update Vulnerabilities to be Scanned

Risk Assessment

RA-05 (11)

Vulnerability Monitoring and Scanning | Public Disclosure Program

Risk Assessment

RA-07

Risk Response

System and Services Acquisition

SA-04 (10)

Acquisition Process | Use of Approved PIV Products

System and Services Acquisition

SA-08

Security And Privacy Engineering Principles

System and Services Acquisition

SA-22

Unsupported System Components

Supply Chain Risk Management Family

SR-01

Policy And Procedures

Supply Chain Risk Management Family

SR-02

Supply Chain Risk Management Plan

Supply Chain Risk Management Family

SR-02 (01)

Supply Chain Risk Management Plan | Establish SCRM Team

Supply Chain Risk Management Family

SR-03

Supply Chain Controls and Processes

Supply Chain Risk Management Family

SR-05

Acquisition Strategies, Tools, and Methods

Supply Chain Risk Management Family

SR-08

Notification Agreements

Supply Chain Risk Management Family

SR-10

Inspection Of Systems or Components

Supply Chain Risk Management Family

SR-11

Component Authenticity

Supply Chain Risk Management Family

SR-11 (01)

Component Authenticity | Anti-Counterfeit Training

Supply Chain Risk Management Family

SR-11 (02)

Component Authenticity | Configuration Control for Component Service And Repair

Supply Chain Risk Management Family

SR-12

Component Disposal

Controls Added to the FedRAMP Moderate Baseline (41)

Control Family

Controls

Control Name

Access Control

AC-02 (13)

Account Management | Disable Accounts for High-Risk Individuals

Access Control

AC-06 (07)

Least Privilege | Review of User Privileges

Access Control

AC-18 (03)

Wireless Access | Disable Wireless Networking

Awareness and Training

AT-02 (03)

Literacy Training and Awareness | Social Engineering And Mining

Security Assessment and Authorization

CA-07 (04)

Continuous Monitoring | Risk Monitoring

Configuration Management

CM-03 (02)

Configuration Change Control | Testing, Validation, and Documentation of Changes

Configuration Management

CM-03 (04)

Configuration Change Control | Security and Privacy Representatives

Configuration Management

CM-04 (02)

Impact Analyses | Verification of Controls

Configuration Management

CM-12

Information Location

Configuration Management

CM-12 (01)

Information Location | Automated Tools to Support Information Location

Contingency Planning

CP-09 (08)

System Backup | Cryptographic Protection

Identification and Authentication

IA-02 (06)

Identification and Authentication (Organizational Users) | Access to Accounts —Separate Device

Identification and Authentication

IA-11

Re-Authentication

Identification and Authentication

IA-12

Identity Proofing

Identification and Authentication

IA-12 (02)

Identity Proofing | Identity Evidence

Identification and Authentication

IA-12 (03)

Identity Proofing | Identity Evidence Validation and Verification

Identification and Authentication

IA-12 (05)

Identity Proofing | Address Confirmation

Incident Response

IR-06 (03)

Incident Reporting | Supply Chain Coordination

Physical and Environmental Protection

PE-13 (01)

Fire Protection | Detection Systems — Automatic Activation and Notification

Planning

PL-10

Baseline Selection

Planning

PL-11

Baseline Tailoring

Personnel Security

PS-09

Position Descriptions

Risk Assessment

RA-03 (01)

Risk Assessment | Supply Chain Risk Assessment

Risk Assessment

RA-05 (11)

Vulnerability Monitoring and Scanning | Public Disclosure Program

Risk Assessment

RA-07

Risk Response

Risk Assessment

RA-09

Criticality Analysis

System and Services Acquisition

SA-15

Development Process, Standards, and Tools

System and Services Acquisition

SA-15 (03)

Development Process, Standards, and Tools | Criticality Analysis

System and Services Acquisition

SA-22

Unsupported System Components

Supply Chain Risk Management Family

SR-01

Policy And Procedures

Supply Chain Risk Management Family

SR-02

Supply Chain Risk Management Plan

Supply Chain Risk Management Family

SR-02 (01)

Supply Chain Risk Management Plan | Establish SCRM Team

Supply Chain Risk Management Family

SR-03

Supply Chain Controls and Processes

Supply Chain Risk Management Family

SR-05

Acquisition Strategies, Tools, and Methods

Supply Chain Risk Management Family

SR-06

Supplier Assessments and Reviews

Supply Chain Risk Management Family

SR-08

Notification Agreements

Supply Chain Risk Management Family

SR-10

Inspection of Systems or Components

Supply Chain Risk Management Family

SR-11

Component Authenticity

Supply Chain Risk Management Family

SR-11 (01)

Component Authenticity | Anti-Counterfeit Training

Supply Chain Risk Management Family

SR-11 (02)

Component Authenticity | Configuration Control for Component Service and Repair

Supply Chain Risk Management Family

SR-12

Component Disposal

Controls Added to the FedRAMP High Baseline (45)

Control Family

Controls

Control Name

Access Control

AC-04 (04)

Information Flow Enforcement | Flow Control of Encrypted Information

Awareness and Training

AT-02 (03)

Literacy Training and Awareness | Social Engineering And Mining

Security Assessment and Authorization

CA-03 (06)

Information Exchange | Transfer Authorizations

Security Assessment and Authorization

CA-07 (04)

Continuous Monitoring | Risk Monitoring

Configuration Management

CM-04 (02)

Impact Analyses | Verification of Controls

Configuration Management

CM-12

Information Location

Configuration Management

CM-12 (01)

Information Location | Automated Tools to Support Information Location

Contingency Planning

CP-09 (08)

System Backup | Cryptographic Protection

Identification and Authentication

IA-02 (06)

Identification And Authentication (Organizational Users) | Access to Accounts —Separate Device

Identification and Authentication

IA-11

Re-Authentication

Identification and Authentication

IA-12

Identity Proofing

Identification and Authentication

IA-12 (02)

Identity Proofing | Identity Evidence

Identification and Authentication

IA-12 (03)

Identity Proofing | Identity Evidence Validation and Verification

Identification and Authentication

IA-12 (04)

Identity Proofing | In-Person Validation and Verification

Identification and Authentication

IA-12 (05)

Identity Proofing | Address Confirmation

Incident Response

IR-04 (11)

Incident Handling | Integrated Incident Response Team

Incident Response

IR-06 (03)

Incident Reporting | Supply Chain Coordination

Planning

PL-10

Baseline Selection

Planning

PL-11

Baseline Tailoring

Personnel Security

PS-09

Position Descriptions

Risk Assessment

RA-03 (01)

Risk Assessment | Supply Chain Risk Assessment

Risk Assessment

RA-05 (11)

Vulnerability Monitoring and Scanning | Public Disclosure Program

Risk Assessment

RA-07

Risk Response

Risk Assessment

RA-09

Criticality Analysis

System and Services Acquisition

SA-04 (05)

Acquisition Process | System, Component, And Service Configurations

System and Services Acquisition

SA-15 (03)

Development Process, Standards, and Tools | Criticality Analysis

System and Services Acquisition

SA-21

Developer Screening

System and Services Acquisition

SA-22

Unsupported System Components

System and Information Integrity

SI-04 (10)

System Monitoring | Visibility of Encrypted Communications

System and Information Integrity

SI-04 (12)

System Monitoring | Automated Organization-Generated Alerts

System and Information Integrity

SI-07 (15)

Software, Firmware, and Information Integrity | Code Authentication

Supply Chain Risk Management Family

SR-01

Policy And Procedures

Supply Chain Risk Management Family

SR-02

Supply Chain Risk Management Plan

Supply Chain Risk Management Family

SR-02 (01)

Supply Chain Risk Management Plan | Establish SCRM Team

Supply Chain Risk Management Family

SR-03

Supply Chain Controls and Processes

Supply Chain Risk Management Family

SR-05

Acquisition Strategies, Tools, And Methods

Supply Chain Risk Management Family

SR-06

Supplier Assessments and Reviews

Supply Chain Risk Management Family

SR-08

Notification Agreements

Supply Chain Risk Management Family

SR-09

Tamper Resistance and Detection

Supply Chain Risk Management Family

SR-09 (01)

Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle

Supply Chain Risk Management Family

SR-10

Inspection of Systems or Components

Supply Chain Risk Management Family

SR-11

Component Authenticity

Supply Chain Risk Management Family

SR-11 (01)

Component Authenticity | Anti-Counterfeit Training

Supply Chain Risk Management Family

SR-11 (02)

Component Authenticity | Configuration Control for Component Service and Repair

Supply Chain Risk Management Family

SR-12

Component Disposal

Recent Insights

Contact us to discuss your cyber and cloud business needs. We’re happy to share our insights and work with you as your business evolves.