You are on page 1of 90

Proposed Security

Assessment & Authorization
for U.S. Government Cloud Computing

Draft version 0.96
November 2, 2010




Preface

Proposed Security Assessment and Authorization for
U.S. Government Cloud Computing:

Over the past 18 months, an inter-agency team comprised of the National Institute
of Standards and Technology (NIST), General Services Administration (GSA), the CIO
Council and working bodies such as the Information Security and Identity Management
Committee (ISIMC), has worked on developing the Proposed Security Assessment and
Authorization for U.S. Government Cloud Computing. This team evaluated security
controls and multiple Assessment and Authorization models for U.S. Government Cloud
Computing as outlined in this document.

The attached document is a product of 18 months of collaboration with State and
Local Governments, Private Sector, NGO’s and Academia. This marks an early step
toward our goal of deploying secure cloud computing services to improve performance
and lower the cost of government operations, but we need to improve this document
through your input.

Often stated, but still true, we recognize that we do not have a monopoly on the
best ideas. We seek your input, knowledge, and experience to help us frame appropriate
security controls and processes for the Federal Government’s journey to cloud
computing. The attached document is a draft and is designed to encourage robust debate
on the best path forward.

Comments on the documents should be submitted online at www.FedRAMP.gov by
December 2
nd
. We look forward to your active engagement and substantive comments.


Vivek Kundra
U.S. Chief Information Officer
To Submit Comments
Comments on the documents can be submitted using the FedRAMP online comment form
available at www.FedRAMP.gov through 11:59 pm Eastern Time on December 2
nd
. Comments
can be made either anonymously or by providing contact information, if attribution or follow up
is requested. At the conclusion of the comment period, a joint tiger team of representatives from
across government will review the comments for inclusion in the final documents.

Press inquiries should be directed to Sara Merriam, GSA’s Press Secretary, at 202-501-
9139.

The comment form asks for the following information:
x Organization Type: Please indicate whether you are reporting your comment as a member of
government, industry, or the community-at-large.
x Company or Agency Name: This optional field will allow you to provide attribution to the
agency or company that you work for.
x Document Name: To comment on this document, please select the first item in the list,
“FedRAMP: Security Controls, Guidelines & Process for US Government Cloud
Computing”. If commenting on the reference documents, please indicate to which reference
document your comment relates.
x Section Number: Please indicate to which section number or section name your comment
relates. Examples from this text would be “2. FedRAMP Security Controls”, “FedRAMP
Security Controls” or “2”. This is meant to assist the review team in locating the context for
your comment.
x Page Number: Please indicate the page number on which your comment relates. Page
numbers are found at the bottom of each page in each document.
x Line or Table Number: Through the documents, the text has a line number on the left hand
side of the page. Please reference the line number in question; or in the case of tables, the
table’s unique identifier in the left . Examples from this text would be “530” or “AC-1”.
x Comment Type: To facilitate review and action of the comments, please identify your
comment into one of the following categories.
o Editorial – The comment relates to the text’s wording or formatting but does not
impact the underlying content of the text.
o Policy – The comment relates to specific government policy or a requested change
thereto.
o Procedural – The comment relates to the proposed process by which FedRAMP will
conduct operations.
o Question – The comment is a question about either the intent or interpretation of the
text. It is anticipated that an FAQ document will be drafted as a result of questions
received.
o Technical – The comment relates to either the technical implementation of a control,
assessment procedure, template or process in one of the documents.
o Other – If your comment doesn’t fit into one of the other categories, please use this
categorization.
x Visibility – Either Public if the comment or its resulting answer should be posted to the
general public or if a response should only be sent to the specific commentator. If private,
please include contact information.
x Comment – Please enter your comment here.
x Proposed Resolution – If your comment relates to a change, please identify your suggested
resolution within this field.
x Contact Information – If you would like a direct response to your comment, please include
contact information in the form of your name and email address. Please note that all contact
information will be kept confidential.
Document Organization & Reference
Material
This document describes the U.S. Government’s proposed Assessment and Authorization
(A&A) for U.S. Government Cloud Computing. The document is organized in to three
Chapters, each chapter details a necessary element in creating a framework from which a
government-wide A&A could function. The three chapters are as follows:
Chapter 1: Cloud Computing Security Requirement Baseline
This chapter presents a list of baseline security controls for Low and Moderate
impact Cloud systems. NIST Special Publication 800-53R3 provided the foundation
for the development of these security controls.
Chapter 2: Continuous Monitoring
This chapter describes the process under which authorized cloud computing systems
will be monitored. This section defines continuous monitoring deliverables,
reporting frequency and responsibility for cloud service provider compliance with
FISMA.
Chapter 3: Potential Assessment & Authorization Approach
This chapter describes the proposed operational approach for A&A’s for cloud
computing systems. This reflects upon all aspects of an authorization (including
sponsorship, leveraging, maintenance and continuous monitoring), a joint
authorization process, and roles and responsibilities for Federal agencies and Cloud
Service Providers in accordance with the Risk Management Framework detailed in
NIST Special Publication 800-37R1.
Reference Material
In addition to the three chapters detailed above, the following artifacts are also available
as reference material:
x Assessment Procedures
The assessment procedures are intended to be used by independent 3rd party
assessors in their review of cloud service provider systems and the
corresponding development of the security assessment, risk assessment
reports.
x Security Documentation Templates
The templates required for completing all the artifacts for assessment &
authorization are available as reference material. Cloud Service Providers can
use the templates to develop and submit artifacts for assessment &
authorization.
Acronym Definitions

Term Definition
A&A
Assessment and Authorization
AC
Access Control
ASHRAE
American Society of Heating, Refrigerating and Air-conditioning
Engineers
AT
Awareness and Training
ATO
Authority to Operate
AU
Audit and Accountability
CA
Assessment and Authorization
CCP
Configuration Change Control process
CIS
Center for Internet Security
CM
Configuration Management
CMP
Continuous Monitoring Plan
CP
Contingency Planning
CSP
Cloud Service Provider
FCCI
Federal Cloud Computing Initiative
FDCC
Federal Desktop Core Configuration
FedRAMP
Federal Risk and Authorization Management Program
FIPS
Federal Information Processing Standard
FISMA
Federal Information Security Management Act
IA
Identification and Authentication
ICAM
Identity, Credential and Access Management
IR
Incident Response
ISIMC
Information Security and Identity Management Committee
IV&V
Independent Validation & Verification
JAB
Joint Authorization Board
MA
Maintenance
MP
Media Protection
NIST
National Institute of Standards & Technology
PE
Physical and Environmental Protection
PIA
Privacy Impact Assessment
PL
Planning
Term Definition
POA&M
Plan of Action & Milestones
POSV
Proprietary Operating System Vendor
PS
Personnel Security
RA
Risk Assessment
RMF
Risk Management Framework
SA
System and Services Acquisition
SAR
Security Assessment Report
SC
System and Communications Protection
SCAP
Security Content Automation Protocol
SDLC
System Development Life Cycle
SI
System and Information Integrity
SSP
System Security Plan
TIC
Trusted Internet Connection
USGCB
United States Government Configuration Baseline



Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Draft Version 0.96
Table of Contents
Table of Contents
Chaptei 0neǣ Clouu Computing Secuiity Requiiements Baseline ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͳ
ͳǤͳǤ Access Contiol ȋACȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͵
ͳǤʹǤ Awaieness anu Tiaining ȋATȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͸
ͳǤ͵Ǥ Auuit anu Accountability ȋA0Ȍ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͹
ͳǤͶǤ Assessment anu Authoiization ȋCAȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͳͲ
ͳǤͷǤ Configuiation Nanagement ȋCNȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͳͳ
ͳǤ͸Ǥ Contingency Planning ȋCPȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͳ͵
ͳǤ͹Ǥ Iuentification anu Authentication ȋIAȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͳͷ
ͳǤͺǤ Inciuent Response ȋIRȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͳͺ
ͳǤͻǤ Naintenance ȋNAȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͳͻ
ͳǤͳͲǤ Neuia Piotection ȋNPȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ʹͲ
ͳǤͳͳǤ Physical anu Enviionmental Piotection ȋPEȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ʹͳ
ͳǤͳʹǤ Planning ȋPLȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ʹ͵
ͳǤͳ͵Ǥ Peisonnel Secuiity ȋPSȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ʹͶ
ͳǤͳͶǤ Risk Assessment ȋRAȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ʹͷ
ͳǤͳͷǤ System anu Seivices Acquisition ȋSAȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ʹ͸
ͳǤͳ͸Ǥ System anu Communications Piotection ȋSCȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ʹ͹
ͳǤͳ͹Ǥ System anu Infoimation Integiity ȋSIȌ ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͵ͳ
Chaptei Twoǣ Continuous Nonitoiing ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͵ͷ
ʹǤͳǤ Intiouuction ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͵͸
ʹǤʹǤ Puipose ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͵͸
ʹǤ͵Ǥ Backgiounu ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͵͸
ʹǤͶǤ Continuous Nonitoiing Requiiements ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͵͹
ʹǤͷǤ Repoiting anu Continuous Nonitoiing ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͵͹
ʹǤ͸Ǥ Routine Systems Change Contiol PiocessǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͵ͻ
ʹǤ͹Ǥ FISNA Repoiting Requiiements ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͵ͻ
ʹǤͺǤ 0nǦgoing Testing of Contiols anu Changes to Secuiity Contiols Piocess Ǥ ͶͲ
ʹǤͻǤ Inciuent Response ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ Ͷͳ
ʹǤͳͲǤ Inuepenuent veiification anu valiuation ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ Ͷ͵
Chaptei Thieeǣ Potential Assessment Ƭ Authoiization Appioach ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ Ͷͷ
͵ǤͳǤ Intiouuction ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ Ͷ͸
͵ǤʹǤ 0veiview ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ Ͷ͹
͵Ǥ͵Ǥ uoveinance ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ Ͷͺ
͵ǤͶǤ Assessment anu Authoiization Piocesses ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͷʹ
͵ǤͷǤ Authoiization Naintenance Piocess ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͹Ͳ
͵Ǥ͸Ǥ Authoiization Leveiaging Piocess ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͹ͳ
͵Ǥ͹Ǥ Communications Piocess ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͹ʹ
͵ǤͺǤ Change Nanagement Piocess ǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤǤ ͹ͺ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Executive 0veiview

Page i
Executive Overview ͳ
The ability to embrace cloud computing capabilities for federal departments and agencies brings ʹ
advantages and opportunities for increased efficiencies, cost savings, and green computing ͵
technologies. However, cloud computing also brings new risks and challenges to securely use Ͷ
cloud computing capabilities as good stewards of government data. In order to address these ͷ
concerns, the U.S. Chief Information Officer (U.S. CIO) requested the Federal CIO Council ͸
launch a government-wide risk and authorization management program. This document ͹
describes a government-wide Federal Risk and Authorization Management Program (FedRAMP) ͺ
to provide joint security assessment, authorizations and continuous monitoring of cloud ͻ
computing services for all Federal Agencies to leverage. ͳͲ
Cloud computing is not a single capability, but a collection of essential characteristics that are ͳͳ
manifested through various types of technology deployment and service models. A wide range of ͳʹ
technologies fall under the title “cloud computing,” and the complexity of their various ͳ͵
implementations may result in confusion among program managers. The guidelines embraced in ͳͶ
this document, represent a subset of the National Institute of Standards and Technology (NIST) ͳͷ
definition of cloud computing, with three service models; Software as a Service, Platform as a ͳ͸
Service, and Infrastructure as a Service (SaaS, PaaS, and IaaS). ͳ͹
The decision to embrace cloud computing technology is a risk-based decision, not a technology- ͳͺ
based decision. As such, this decision from a risk management perspective requires inputs from ͳͻ
all stakeholders, including the CIO, CISO, Office of General Counsel (OGC), privacy official ʹͲ
and the program owner. Once the business decision has been made to move towards a cloud ʹͳ
computing environment, agencies must then determine the appropriate manner for their security ʹʹ
assessments and authorizations. ʹ͵
CLOUD COMPUTING AND GOVERNMENT-WIDE RISK AND AUTHORIZATION ʹͶ
Cloud Computing systems are hosted on large, multi-tenant infrastructures. This shared ʹͷ
infrastructure provides the same boundaries and security protocols for each customer. In such an ʹ͸
environment, completing the security assessment and authorization process separately by each ʹ͹
customer is redundant. Instead, a government-wide risk and authorization program would enable ʹͺ
providers and the program office to complete the security assessment and authorization process ʹͻ
once and share the results with customer agencies. ͵Ͳ
Additionally, the Federal Information Security Management Act (FISMA) and NIST special ͵ͳ
publications provide Federal Agencies with guidance and framework needed to securely use ͵ʹ
cloud systems. However, interpretation and application of FISMA requirements and NIST ͵͵
Standards vary greatly from agency to agency. Not only do agencies have varying numbers of ͵Ͷ
security requirements at or above the NIST baseline, many times additional requirements from ͵ͷ
multiple agencies are not compatible on the same system. A government-wide risk and ͵͸
authorization program for cloud computing would allow agencies to completely leverage the ͵͹
work of an already completed authorization or only require an agency to complete delta ͵ͺ
requirements (i.e. unique requirements for that individual agency). ͵ͻ
Finally, security authorizations have become increasingly time-consuming and costly both for ͶͲ
the Federal Government and private industry. As depicted in Figure 1, government-wide risk and Ͷͳ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Executive 0veiview

Page ii
Figure 1: FedRAMP eliminates redundancy.
authorization program will promote faster and cost- Ͷʹ
effective acquisition of cloud computing systems by Ͷ͵
using an ‘authorize once, use many’ approach to ͶͶ
leveraging security authorizations. Additionally, Ͷͷ
such a program will promote the Administration’s Ͷ͸
goal of openness and transparency in government. Ͷ͹
All of the security requirements, processes, and Ͷͺ
templates will have to be made publicly available Ͷͻ
for consumption not only by Federal agencies but ͷͲ
private vendors as well. This will allow Federal ͷͳ
Agencies to leverage this work at their agency but private industry will also finally have the full ͷʹ
picture of what a security authorization will entail prior to being in a contractual relationship ͷ͵
with an agency. ͷͶ
STANDARDIZED ASSESSMENT & AUTHORIZATION: FedRAMP ͷͷ
The Federal Risk and Authorization Management Program (FedRAMP) is designed to solve the ͷ͸
security authorization problems highlighted by cloud computing. FedRAMP will provide a ͷ͹
unified government-wide risk management process for cloud computing systems. FedRAMP will ͷͺ
work in an open and transparent manner with Federal Agencies and private industry about the ͷͻ
Assessment and Authorization process. ͸Ͳ
Through this government-wide approach, FedRAMP will enable agencies to either use or ͸ͳ
leverage authorizations with an: ͸ʹ
x Interagency vetted approach using common security requirements; ͸͵
x Consistent application of Federal security requirements; ͸Ͷ
x Consolidated risk management; and ͸ͷ
x Increased effectiveness and management cost savings. ͸͸
In addition, FedRAMP will work in collaboration with the CIO Council and Information ͸͹
Security and Identity Management Committee (ISIMC) to constantly refine and keep this ͸ͺ
document up to date with cloud computing security best practices. Separate from FedRAMP, ͸ͻ
ISIMC has developed guidance for agency use on the secure use of cloud computing in Federal ͹Ͳ
Security Guidelines for Cloud Computing. ͹ͳ
TRANSPARENT PATH FOR SECURE ADOPTION OF CLOUD COMPUTING ͹ʹ
The security guidance and FedRAMP assessment and authorization process aims to develop ͹͵
robust cloud security governance for the Federal Government. The collective work that follows ͹Ͷ
represents collaboration amongst security experts and representatives throughout government ͹ͷ
including all of the CIO Council Agencies. ͹͸
By following the requirements and processes in this document, Federal agencies will be able to ͹͹
take advantage of cloud based solutions to provide more efficient and secure IT solutions when ͹ͺ
delivering products and services to its customers. ͹ͻ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Page 1
Chapter One: Cloud Computing
Security Requirements Baseline
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 2
1. Cloud Computing Security Requirements Baseline ͺͲ
This chapter identifies (by security control number and name) the security controls from NIST ͺͳ
Special Publication 800-53, Revision 3, Recommended Security Controls for Federal ͺʹ
Information Systems and Organizations (as amended). These controls have been agreed to by a ͺ͵
Joint Approval Board made up of users from GSA, DHS & DOD for use within information ͺͶ
systems providing cloud computing services to the Federal government. ͺͷ
The security controls contained in this publication work in concert with NIST Special ͺ͸
Publication 800-53, Revision 3. Table 1 (begins on page 3) specifies control parameter ͺ͹
definitions and additional requirements or guidance in addition to NIST Special Publication 800- ͺͺ
53, Revision 3 for a FedRAMP A&A package. NIST Special Publication 800-53, Revision 3 ͺͻ
details security controls that apply to all federal information systems, and authorizing officials ͻͲ
and information system owners have the authority and responsibility to develop security plans ͻͳ
which define how the controls are implemented within their particular information systems and ͻʹ
environments of operation. ͻ͵
In the case of FedRAMP, two sets of security controls have been defined for low-impact and ͻͶ
moderate-impact cloud information systems respectively. The impact levels are based on the ͻͷ
sensitivity and criticality of the federal information being processed, stored, and transmitted by ͻ͸
cloud information systems as defined in Federal Information Processing Standard 199. All NIST ͻ͹
security standards and guidelines used to define the requirements for the FedRAMP cloud ͻͺ
computing initiative are publicly available at http://csrc.nist.gov. ͻͻ
The FedRAMP defined security controls are presented in Table 1: FedRAMP Security Controls. ͳͲͲ
This table is organized by the 17 control families identified in NIST Special Publication 800-53, ͳͲͳ
Revision 3. The table presents the following information: ͳͲʹ
x Control Number and Name – The control number and control name relate to the control ͳͲ͵
as defined in NIST Special Publication 800-53, Revision 3. ͳͲͶ
x Control Baseline – The control is listed in either the Low or Moderate impact column ͳͲͷ
where applicable to that baseline. If the control is not applicable, a blank will appear in ͳͲ͸
that column. If a control enhancement is applicable, the enhancement is designated ͳͲ͹
inside of parenthesis. Additional security controls and control enhancements that are ͳͲͺ
not included in the low and moderate control baselines defined in NIST Special ͳͲͻ
Publication 800-53 Revision 3 (Appendix D) are denoted in bold font. For example, ͳͳͲ
AC-2 : Control is included in the NIST Baseline ͳͳͳ
AC-2 (1) : Control enhancement is included in the NIST Baseline ͳͳʹ
AC-2 (7) : FedRAMP specific control enhancement. ͳͳ͵
x Control Parameter Requirements – Certain controls are defined with implementation ͳͳͶ
parameters. These parameters identify the scope, frequency and other considerations for ͳͳͷ
how cloud service providers address specific controls and enhancements. ͳͳ͸
x Additional Requirements & Guidance – These entries represent additional required ͳͳ͹
security controls for cloud computing applications and environments of operation ͳͳͺ
selected from the security control catalog in NIST Special Publication 800-53 Revision 3 ͳͳͻ
(Appendix F). Required parameter values for the variable parts of security controls and ͳʹͲ
control enhancements (designated by assignment and selection statements) are also ͳʹͳ
provided. ͳʹʹ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 3
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
1.1. Access Control (AC)
AC-1 Access Control Policy and
Procedures
AC-1 AC-1 AC-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
AC-2

Account Management AC-2 AC-2
AC-2 (1)
AC-2 (2)
AC-2 (3)
AC-2 (4)
AC-2 (7)
AC-2j.
[Assignment: organization-defined frequency]
Parameter: [at least annually]
AC-2 (2)
[Assignment: organization-defined time period for each
type of account (temporary and emergency)]
Parameter: [no more than ninety days for temporary and
emergency account types]
AC-2 (3)
[Assignment: organization-defined time period]
Parameter: [ninety days for user accounts]
See additional requirements and guidance.
AC-2 (3)
Requirement: The service provider defines the time
period for non-user accounts (e.g., accounts
associated with devices). The time periods are
approved and accepted by the JAB.


AC-3 Access Enforcement AC-3 AC-3
AC-3 (3)
AC-3 (3)
[Assignment: organization-defined nondiscretionary
access control policies]
Parameter: [role-based access control]
[Assignment: organization-defined set of users and
resources]
Parameter: [all users and resources]

AC-3 (3)
Requirement: The service provider:
a. Assigns user accounts and authenticators in
accordance within service provider's role-based
access control policies;
b. Configures the information system to request
user ID and authenticator prior to system access;
and
c. Configures the databases containing federal
information in accordance with service provider's
security administration guide to provide role-based
access controls enforcing assigned privileges and
permissions at the file, table, row, column, or cell
level, as appropriate.


AC-4 Information Flow
Enforcement
Not
Selected
AC-4 None. None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 4
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
AC-5 Separation of Duties Not
Selected
AC-5 None. None.
AC-6 Least Privilege Not
Selected
AC-6
AC-6 (1)
AC-6 (2)
AC-6 (1)
[Assignment: organization-defined list of security functions
(deployed in hardware, software, and firmware and
security-relevant information]
Parameter: See additional requirements and guidance.
AC-6 (2)
[Assignment: organization-defined list of security functions
or security-relevant information]
Parameter: [all security functions]
AC-6 (1)
Requirement: The service provider defines the list of
security functions. The list of functions is approved
and accepted by the JAB.
AC-6 (2)
Guidance: Examples of security functions include
but are not limited to: establishing system accounts,
configuring access authorizations (i.e., permissions,
privileges), setting events to be audited, and setting
intrusion detection parameters, system
programming, system and security administration,
other privileged functions.
AC-7 Unsuccessful Login
Attempts
AC-7 AC-7 AC-7a.
[Assignment: organization-defined number]
Parameter: [not more than three]
AC-7a.
[Assignment: organization-defined time period]
Parameter: [fifteen minutes]
AC-7b.
[Selection: locks the account/node for an [Assignment:
organization-defined time period]; locks the account/node
until released by an administrator; delays next login
prompt according to [Assignment: organization-defined
delay algorithm]]
Parameter: [locks the account/node for thirty minutes]
None.
AC-8 System Use Notification AC-8 AC-8 None. None.
AC-10 Concurrent Session Control Not
Selected
AC-10 AC-10
[Assignment: organization-defined number]
Parameter: [one session]
None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 5
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
AC-11 Session Lock Not
Selected
AC-11
AC-11 (1)
AC-11a.
[Assignment: organization-defined time period]
Parameter: [fifteen minutes]

None.
AC-14 Permitted Actions Without
Identification/
Authentication
AC-14 AC-14
AC-14 (1)
None. None.
AC-16 Security Attributes Not
Selected
AC-16 AC-16
Assignment: organization-defined security attributes]
Parameter: See additional requirements and guidance.
AC-16
Requirement: The service provider defines the
security attributes. The security attributes need to
be approved and accepted by JAB.


AC-17 Remote Access AC-17 AC-17
AC-17 (1)
AC-17 (2)
AC-17 (3)
AC-17 (4)
AC-17 (5)
AC-17 (7)
AC-17 (8)
AC-17 (5)
[Assignment: organization-defined frequency]
Parameter: [continuously, real time]
AC-17 (7)
[Assignment: organization-defined list of security functions
and security-relevant information]
Parameter: See additional requirements and guidance.
AC-17 (8)
[Assignment: organization-defined networking protocols
within the information system deemed to be non-secure]
Parameter: [tftp, (trivial ftp); X-Windows, Sun Open
Windows; FTP; TELNET; IPX/SPX; NETBIOS; Bluetooth;
RPC-services, like NIS or NFS; rlogin, rsh, rexec; SMTP
(Simple Mail Transfer Protocol); RIP (Routing Information
Protocol); DNS (Domain Name Services); UUCP (Unix-
Unix Copy Protocol); NNTP (Network News Transfer
Protocol); NTP (Network Time Protocol); Peer-to-Peer]
AC-17 (7)
Requirement: The service provider defines the list of
security functions and security relevant information.
Security functions and the implementation of such
functions are approved and accepted by the JAB.
Guidance: Security functions include but are not
limited to: establishing system accounts; configuring
access authorizations; performing system
administration functions; and auditing system events
or accessing event logs; SSH, and VPN.
AC-17 (8)
Requirement: Networking protocols implemented by
the service provider are approved and accepted by
JAB.
Guidance: Exceptions to restricted networking
protocols are granted for explicitly identified
information system components in support of
specific operational requirements.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 6
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
AC-18 Wireless Access AC-18 AC-18
AC-18 (1)
AC-18 (2)
AC-18 (3)
AC-18 (4)
AC-18 (5)
AC-18 (2)
[Assignment: organization-defined frequency]
Parameter: [at least quarterly]
None.
AC-19 Access Control for Mobile
Devices
AC-19 AC-19
AC-19 (1)
AC-19 (2)
AC-19 (3)
AC-19g.
[Assignment: organization-defined inspection and
preventative measures]
Parameter: See additional requirements and guidance.
AC-19g.
Requirement: The service provider defines
inspection and preventative measures. The
measures are approved and accepted by JAB.
AC-20 Use of External Information
Systems
AC-20 AC-20
AC-20 (1)
AC-20 (2)
None. None.
AC-21 User-Based Collaboration
and Information Sharing
Not
Selected
AC-21 AC-21a.
[Assignment: organization-defined information sharing
circumstances where user discretion is required]
Parameter: See additional requirements and guidance.
AC-21b.
[Assignment: list of organization-defined information
sharing circumstances and automated mechanisms or
manual processes required]
Parameter: See additional requirements and guidance.
AC-21a.
Requirement: The service consumer defines
information sharing circumstances where user
discretion is required.
AC-21b.
Requirement: The service provider defines the
mechanisms or manual processes for the
information sharing circumstances defined by the
service consumer.
AC-22 Publicly Accessible Content AC-22 AC-22 AC-22d.
[Assignment: organization-defined frequency]
Parameter: [at least quarterly]
None.
1.2. Awareness and Training (AT)
AT-1 Security Awareness and
Training Policy and
Procedures
AT-1 AT-1 AT-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
AT-2 Security Awareness AT-2 AT-2 AT-2
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 7
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
AT-3 Security Training AT-3 AT-3 AT-3
[Assignment: organization-defined frequency]
Parameter: [at least every three years]
None.
AT-4 Security Training Records AT-4 AT-4 AT-4b.
[Assignment: organization-defined frequency]
Parameter: [At least three years]
None.
AT-5 Contacts With Security
Groups and Associations
Not
Selected
AT-5 None None.
1.3. Audit and Accountability (AU)
AU-1 Audit and Accountability
Policy and Procedures
AU-1 AU-1 AU-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 8
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
AU-2 Auditable Events AU-2 AU-2
AU-2 (3)
AU-2 (4)
AU-2a.
[Assignment: organization-defined list of auditable events]
Parameter: [Successful and unsuccessful account logon
events, account management events, object access,
policy change, privilege functions, process tracking, and
system events. For Web applications: all administrator
activity, authentication checks, authorization checks, data
deletions, data access, data changes, and permission
changes]
AU-2d.
[Assignment: organization-defined subset of the auditable
events defined in AU-2 a. to be audited]
Parameter: See additional requirements and guidance.
AU-2d.
[Assignment: organization-defined frequency of (or
situation requiring) auditing for each identified event].
Parameter: [continually]
AU-2 (3)
[Assignment: organization-defined frequency]
Parameter: [annually or whenever there is a change in the
threat environment]
AU-2d.
Requirement: The service provider defines the
subset of auditable events from AU-2a to be
audited. The events to be audited are approved
and accepted by JAB.
AU-2 (3)
Guidance: Annually or whenever changes in the
threat environment are communicated to the service
provider by the JAB.
AU-2
Requirement: The service provider configures the
auditing features of operating systems, databases,
and applications to record security-related events, to
include logon/logoff and all failed access attempts.
AU-3 Content of Audit Records AU-3 AU-3
AU-3 (1)
AU-3 (1)
[Assignment: organization-defined additional, more
detailed information]
Parameter: [session, connection, transaction, or activity
duration; for client-server transactions, the number of
bytes received and bytes sent; additional informational
messages to diagnose or identify the event;
characteristics that describe or identify the object or
resource being acted upon]
AU-3 (1)
Requirement: The service provider defines audit
record types. The audit record types are approved
and accepted by the JAB.
Guidance: For client-server transactions, the
number of bytes sent and received gives
bidirectional transfer information that can be helpful
during an investigation or inquiry.
AU-4 Audit Storage Capacity AU-4 AU-4 None. None.
AU-5 Response to Audit
Processing Failures
AU-5 AU-5 AU-5b
[Assignment: Organization-defined actions to be taken]
Parameter: [low-impact: overwrite oldest audit records;
moderate-impact: shut down]
None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 9
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
AU-6 Audit Review, Analysis, and
Reporting
AU-6 AU-6
AU-6 (1)
AU-6 (3)
AU-6a.
[Assignment: organization-defined frequency]
Parameter: [at least weekly]
None.
AU-7 Audit Reduction and Report
Generation
Not
Selected
AU-7
AU-7 (1)
None. None.
AU-8 Time Stamps AU-8 AU-8
AU-8 (1)
AU-8 (1)
[Assignment: organization-defined frequency]
Parameter: [at least hourly]
AU-8 (1)
[Assignment: organization-defined authoritative time
source]
Parameter: [http://tf.nist.gov/tf-cgi/servers.cgi].
AU-8 (1)
Requirement: The service provider selects primary
and secondary time servers used by the NIST
Internet time service. The secondary server is
selected from a different geographic region than the
primary server.
Requirement: The service provider synchronizes the
system clocks of network computers that run
operating systems other than Windows to the
Windows Server Domain Controller emulator or to
the same time source for that server.
Guidance: Synchronization of system clocks
improves the accuracy of log analysis.
AU-9 Protection of Audit
Information
AU-9 AU-9
AU-9 (2)
AU-9 (2)
[Assignment: organization-defined frequency]
Parameter: [at least weekly]
None.
AU-10 Non-Repudiation Not
Selected
AU-10
AU-10 (5)


AU-10 (5)
[Selection: FIPS-validated; NSA-approved]
Parameter: See additional requirements and guidance.
AU-10 (5)
Requirement: The service provider implements
FIPS-140-2 validated cryptography (e.g., DOD PKI
Class 3 or 4 tokens) for service offerings that
include Software-as-a-Service (SaaS) with email.
AU-11 Audit Record Retention AU-11 AU-11 AU-11
[Assignment: organization-defined time period consistent
with records retention policy]
Parameter: [at least ninety days]
AU-11
Requirement: The service provider retains audit
records on-line for at least ninety days and further
preserves audit records off-line for a period that is in
accordance with NARA requirements.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 10
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
AU-12 Audit Generation AU-12 AU-12 AU-12a.
[Assignment: organization-defined information system
components]
Parameter: [all information system components where
audit capability is deployed]
None.
1.4. Assessment and Authorization (CA)
CA-1 Security Assessment and
Authorization Policies and
Procedures
CA-1 CA-1 CA-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
CA-2 Security Assessments CA-2
CA-2 (1)
CA-2
CA-2 (1)
CA-2b.
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
CA-3 Information System
Connections
CA-3 CA-3 None. None.
CA-5 Plan of Action and
Milestones
CA-5 CA-5 CA-5b.
[Assignment: organization-defined frequency]
Parameter: [at least quarterly]
None.
CA-6 Security Authorization CA-6 CA-6 CA-6c.
[Assignment: organization-defined frequency]
Parameter: [at least every three years or when a
significant change occurs]
CA-6c.
Guidance: Significant change is defined in NIST
Special Publication 800-37 Revision 1, Appendix F.
The service provider describes the types of changes
to the information system or the environment of
operations that would require a reauthorization of
the information system. The types of changes are
approved and accepted by the JAB.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 11
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
CA-7 Continuous Monitoring CA-7
CA-7 (2)
CA-7
CA-7 (2)
CA-7d.
[Assignment: organization-defined frequency]
Parameter: [monthly]
CA-7 (2)
[Assignment: organization-defined frequency]
Parameter: [annually]
[Selection: announced; unannounced]
Parameter: [unannounced]
[Selection: in-depth monitoring; malicious user testing;
penetration testing; red team exercises]
Parameter: [penetration testing]
[Assignment: organization-defined other forms of security
assessment]
Parameter: [in-depth monitoring]
None.
1.5. Configuration Management (CM)
CM-1 Configuration Management
Policy and Procedures
CM-1 CM-1 CM-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
CM-2 Baseline Configuration CM-2 CM-2
CM-2 (1)
CM-2 (3)
CM-2 (5)
CM-2 (1) (a)
[Assignment: organization-defined frequency]
Parameter: [annually]
CM-2 (1) (b)
[Assignment: organization-defined circumstances]
Parameter: [a significant change]
CM-2 (5) (a)
[Assignment: organization-defined list of software
programs authorized to execute on the information
system]
Parameter: See additional requirements and guidance.
CM-2 (1) (b)
Guidance: Significant change is defined in NIST
Special Publication 800-37 Revision 1, Appendix F.
The service provider describes the types of changes
to the information system or the environment of
operations that would require a review and update
of the baseline configuration. The types of changes
are approved and accepted by the JAB.
CM-2 (5) (a)
Requirement: The service provider defines and
maintains a list of software programs authorized to
execute on the information system. The list of
authorized programs is approved and accepted by
the JAB.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 12
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
CM-3 Configuration Change
Control
CM-3 CM-3
CM-3 (2)
CM-3f.
[Assignment: organization-defined configuration change
control element]
Parameter: See additional requirements and guidance.
[Selection (one or more): [Assignment: organization-
defined frequency]; [Assignment: organization-defined
configuration change conditions]]
Parameter: See additional requirements and guidance.


CM-3f.
Requirement: The service provider defines the
configuration change control element and the
frequency or conditions under which it is convened.
The change control element and
frequency/conditions of use are approved and
accepted by the JAB.
Requirement: The service provider establishes a
central means of communicating major changes to
or developments in the information system or
environment of operations that may affect its
services to the federal government and associated
service consumers (e.g., electronic bulletin board,
web status page). The means of communication
are approved and accepted by the JAB.
CM-4 Security Impact Analysis CM-4 CM-4 None. None.
CM-5 Access Restrictions for
Change
Not
Selected
CM-5
CM-5 (1)
CM-5 (5)
CM-5 (5) (b)
[Assignment: organization-defined frequency]
Parameter: [at least quarterly]
None.
CM-6 Configuration Settings CM-6 CM-6
CM-6 (1)
CM-6 (3)
CM-6a.
[Assignment: organization-defined security configuration
checklists]
Parameter: [United States Government Configuration
Baseline (USGCB)]
CM-6a.
Requirement: The service provider uses the Center
for Internet Security guidelines (Level 1) to establish
configuration settings or establishes its own
configuration settings if USGCB is not available.
Configuration settings are approved and accepted
by the JAB.
CM-6a
Requirement: The service provider ensures that
checklists for configuration settings are Security
Content Automation Protocol (SCAP) validated or
SCAP compatible (if validated checklists are not
available.
CM-6a.
Guidance: Information on the USGCB checklists
can be found at:
http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usg
cbfdcc.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 13
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
CM-7 Least Functionality CM-7 CM-7
CM-7 (1)
CM-7
[Assignment: organization-defined list of prohibited or
restricted functions, ports, protocols, and/or services]
Parameter: [United States Government Configuration
Baseline (USGCB)]
CM-7 (1)
[Assignment: organization-defined frequency]
Parameter: [at least quarterly]
CM-7
Requirement: The service provider uses the Center
for Internet Security guidelines (Level 1) to establish
list of prohibited or restricted functions, ports,
protocols, and/or services or establishes its own list
of prohibited or restricted functions, ports, protocols,
and/or services if USGCB is not available. The list
of prohibited or restricted functions, ports, protocols,
and/or services is approved and accepted by the
JAB.
CM-7
Guidance: Information on the USGCB checklists
can be found at:
http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usg
cbfdcc.
CM-8 Information System
Component Inventory
CM-8 CM-8
CM-8 (1)
CM-8 (3)
CM-8 (5)
CM-8d.
[Assignment: organization-defined information deemed
necessary to achieve effective property accountability]
Parameter: See additional requirements and guidance.
CM-8 (3) (a)
[Assignment: organization-defined frequency]
Parameter: [Continuously, using automated mechanisms
with a maximum five-minute delay in detection.]
CM-8d.
Requirement: The service provider defines
information deemed necessary to achieve effective
property accountability. Property accountability
information is approved and accepted by the JAB.
Guidance: Information deemed necessary to
achieve effective property accountability may
include hardware inventory specifications
(manufacturer, type, model, serial number, physical
location), software license information, information
system/component owner, and for a networked
component/device, the machine name and network
address.

CM-9 Configuration Management
Plan
CM-9 None. None.
1.6. Contingency Planning (CP)
CP-1 Contingency Planning
Policy and Procedures
CP-1 CP-1 CP-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 14
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
CP-2 Contingency Plan CP-2 CP-2
CP-2 (1)
CP-2 (2)
CP-2b.
[Assignment: organization-defined list of key contingency
personnel (identified by name and/or by role) and
organizational elements]
Parameter: See additional requirements and guidance.
CP-2d.
[Assignment: organization-defined frequency]
Parameter: [at least annually]
CP-2f.
[Assignment: organization-defined list of key contingency
personnel (identified by name and/or by role) and
organizational elements]
Parameter: See additional requirements and guidance.
CP-2b.
Requirement: The service provider defines a list of
key contingency personnel (identified by name
and/or by role) and organizational elements. The
contingency list includes designated FedRAMP
personnel.
CP-2f.
Requirement: The service provider defines a list of
key contingency personnel (identified by name
and/or by role) and organizational elements. The
contingency list includes designated FedRAMP
personnel.
CP-3 Contingency Training CP-3 CP-3 CP-3
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
CP-4 Contingency Plan Testing
and Exercises
CP-4 CP-4
CP-4 (1)
CP-4a.
[Assignment: organization-defined frequency]
Parameter: [at least annually for moderate impact
systems; at least every three years for low impact
systems]
[Assignment: organization-defined tests and/or exercises]
Parameter: [functional exercises for moderate impact
systems; classroom exercises/table top written tests for
low impact systems]
CP-4a.
Requirement: The service provider develops test
plans in accordance with NIST Special Publication
800-34 (as amended) and provides plans to
FedRAMP prior to initiating testing. Test plans are
approved and accepted by the JAB.
CP-6 Alternate Storage Site Not
Selected
CP-6
CP-6 (1)
CP-6 (3)
None. None.
CP-7 Alternate Processing Site Not
Selected
CP-7
CP-7 (1)
CP-7 (2)
CP-7 (3)
CP-7 (5)
CP-7a.
[Assignment: organization-defined time period consistent
with recovery time objectives]
Parameter: See additional requirements and guidance.
CP-7a.
Requirement: The service provider defines a time
period consistent with the recovery time objectives
and business impact analysis. The time period is
approved and accepted by the JAB.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 15
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
CP-8 Telecommunications
Services
Not
Selected
CP-8
CP-8 (1)
CP-8 (2)
CP-8
[Assignment: organization-defined time period]
Parameter: See additional requirements and guidance.
CP-8
Requirement: The service provider defines a time
period consistent with the business impact analysis.
The time period is approved and accepted by the
JAB.
CP-9 Information System Backup CP-9 CP-9
CP-9 (1)
CP-9 (3)
CP-9a.
[Assignment: organization-defined frequency consistent
with recovery time and recovery point objectives]
Parameter: [daily incremental; weekly full]
CP-9b.
[Assignment: organization-defined frequency consistent
with recovery time and recovery point objectives]
Parameter: [daily incremental; weekly full]
CP-9c.
[Assignment: organization-defined frequency consistent
with recovery time and recovery point objectives]
Parameter: [daily incremental; weekly full]
CP-9 (1)
[Assignment: organization-defined frequency]
Parameter: [at least annually]
CP-9a.
Requirement: The service provider maintains at
least three backup copies of user-level information
(at least one of which is available online) or provides
an equivalent alternative. The backup storage
capability is approved and accepted by the JAB.
CP-9b.
Requirement: The service provider maintains at
least three backup copies of system-level
information (at least one of which is available online)
or provides an equivalent alternative. The backup
storage capability is approved and accepted by the
JAB.
CP-9c.
Requirement: The service provider maintains at
least three backup copies of information system
documentation including security information (at
least one of which is available online) or provides an
equivalent alternative. The backup storage
capability is approved and accepted by the JAB.
CP-10 Information System
Recovery and
Reconstitution
CP-10 CP-10
CP-10 (2)
CP-10 (3)
CP-10 (3)
[Assignment: organization-defined circumstances that can
inhibit recovery and reconstitution to a known state]
Parameter: See additional requirements and guidance.
CP-10 (3)
Requirement: The service provider defines
circumstances that can inhibit recovery and
reconstitution to a known state in accordance with
the contingency plan for the information system and
business impact analysis.
1.7. Identification and Authentication (IA)
IA-1 Identification and
Authentication Policy and
Procedures
IA-1 IA-1 IA-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 16
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
IA-2 Identification and
Authentication
(Organizational Users)
IA-2
IA-2 (1)
IA-2
IA-2 (1)
IA-2 (2)
IA-2 (3)
IA-2 (8)
IA-2 (8)
[Assignment: organization-defined replay-resistant
authentication mechanisms]
Parameter: See additional requirements and guidance.
IA-2 (8)
Requirement: The service provider defines replay-
resistant authentication mechanisms. The
mechanisms are approved and accepted by the
JAB.
IA-3 Device Identification and
Authentication
Not
Selected
IA-3 IA-3
[Assignment: organization-defined list of specific and/or
types of devices]
Parameter: See additional requirements and guidance.
IA-3
Requirement: The service provider defines a list a
specific devices and/or types of devices. The list of
devices and/or device types is approved and
accepted by the JAB.
IA-4 Identifier Management IA-4 IA-4
IA-4 (4)
IA-4d.
[Assignment: organization-defined time period]
Parameter: [at least two years]
IA-4e.
[Assignment: organization-defined time period of
inactivity]
Parameter: [ninety days for user identifiers]
Parameter: See additional requirements and guidance.
IA-4 (4)
[Assignment: organization-defined characteristic
identifying user status]
Parameter: [contractors; foreign nationals]
IA-4e.
Requirement: The service provider defines time
period of inactivity for device identifiers. The time
period is approved and accepted by JAB.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 17
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
IA-5 Authenticator Management IA-5
IA-5 (1)
IA-5
IA-5 (1)
IA-5 (2)
IA-5 (3)
IA-5 (6)
IA-5 (7)
IA-5g.
[Assignment: organization-defined time period by
authenticator type]
Parameter: [sixty days]

IA-5 (1) (a)
[Assignment: organization-defined requirements for case
sensitivity, number of characters, mix of upper-case
letters, lower-case letters, numbers, and special
characters, including minimum requirements for each
type]
Parameter: [case sensitive, minimum of twelve
characters, and at least one each of upper-case letters,
lower-case letters, numbers, and special characters]
IA-5 (1) (b)
[Assignment: organization-defined number of changed
characters]
Parameter: [at least one or as determined by the
information system (where possible)]
IA-5 (1) (d)
[Assignment: organization-defined numbers for lifetime
minimum, lifetime maximum]
Parameter: [one day minimum, sixty day maximum]
IA-5 (1) (e)
[Assignment: organization-defined number]
Parameter: [twenty four]
IA-5 (3)
[Assignment: organization-defined types of and/or specific
authenticators]
Parameter: [HSPD12 smart cards]
IA-5 (1) (a)
Guidance: Mobile devices are excluded from the
password complexity requirement.
IA-6 Authenticator Feedback IA-6 IA-6 None. None.
IA-7 Cryptographic Module
Authentication
IA-7 IA-7 None. None.
IA-8 Identification and
Authentication (Non-
Organizational Users)
IA-8 IA-8 None. None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 18
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
1.8. Incident Response (IR)
IR-1 Incident Response Policy
and Procedures
IR-1 IR-1 IR-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
IR-2 Incident Response Training IR-2 IR-2 IR-2b.
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
IR-3 Incident Response Testing
and Exercises
Not
Selected
IR-3 IR-3
[Assignment: organization-defined frequency]
Parameter: [annually]
[Assignment: organization-defined tests and/or exercises]
Parameter: See additional requirements and guidance.
IR-3
Requirement: The service provider defines tests
and/or exercises in accordance with NIST Special
Publication 800-61 (as amended).
IR-3
Requirement: The service provider provides test
plans to FedRAMP annually. Test plans are
approved and accepted by the JAB prior to test
commencing.
IR-4 Incident Handling IR-4 IR-4
IR-4 (1)
None. IR-4
Requirement: The service provider ensures that
individuals conducting incident handling meet
personnel security requirements commensurate with
the criticality/sensitivity of the information being
processed, stored, and transmitted by the
information system.

IR-5 Incident Monitoring IR-5 IR-5 None. None.
IR-6 Incident Reporting IR-6 IR-6
IR-6 (1)
IR-6a.
[Assignment: organization-defined time period]
Parameter: [US-CERT incident reporting timelines as
specified in NIST Special Publication 800-61 (as
amended)]
None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 19
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
IR-7 Incident Response
Assistance
IR-7 IR-7
IR-7 (1)
IR-7 (2)
None. None.
IR-8 Incident Response Plan IR-8 IR-8 IR-8b.
[Assignment: organization-defined list of incident
response personnel (identified by name and/or by role)
and organizational elements]
Parameter: See additional requirements and guidance.
IR-8c.
[Assignment: organization-defined frequency]
Parameter: [at least annually]
IR-8e.
[Assignment: organization-defined list of incident
response personnel (identified by name and/or by role)
and organizational elements]
Parameter: See additional requirements and guidance.
IR-8b.
Requirement: The service provider defines a list of
incident response personnel (identified by name
and/or by role) and organizational elements. The
incident response list includes designated
FedRAMP personnel.
IR-8e.
Requirement: The service provider defines a list of
incident response personnel (identified by name
and/or by role) and organizational elements. The
incident response list includes designated
FedRAMP personnel.
1.9. Maintenance (MA)
MA-1 System Maintenance Policy
and Procedures
MA-1 MA-1 MA-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
MA-2 Controlled Maintenance MA-2 MA-2
MA-2 (1)
None. None.
MA-3 Maintenance Tools Not
Selected
MA-3
MA-3 (1)
MA-3 (2)
MA-3 (3)
None. None.
MA-4 Non-Local Maintenance MA-4 MA-4
MA-4 (1)
MA-4 (2)
None. None.
MA-5 Maintenance Personnel MA-5 MA-5 None. None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 20
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
MA-6 Timely Maintenance Not
Selected
MA-6 MA-6
[Assignment: organization-defined list of security-critical
information system components and/or key information
technology components]
Parameter: See additional requirements and guidance.
[Assignment: organization-defined time period]
Parameter: See additional requirements and guidance.


MA-6
Requirement: The service provider defines a list of
security-critical information system components
and/or key information technology components.
The list of components is approved and accepted by
the JAB.
Requirement: The service provider defines a time
period to obtain maintenance and spare parts in
accordance with the contingency plan for the
information system and business impact analysis.
The time period is approved and accepted by the
JAB.
1.10. Media Protection (MP)
MP-1 Media Protection Policy and
Procedures
MP-1 MP-1 MP-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
MP-2 Media Access MP-2 MP-2
MP-2 (1)
MP-2
[Assignment: organization-defined types of digital and
non-digital media]
Parameter: See additional requirements and guidance.
[Assignment: organization-defined list of authorized
individuals]
Parameter: See additional requirements and guidance.
[Assignment: organization-defined security measures]
Parameter: See additional requirements and guidance.
MP-2
Requirement: The service provider defines types of
digital and non-digital media. The media types are
approved and accepted by the JAB.
Requirement: The service provider defines a list of
individuals with authorized access to defined media
types. The list of authorized individuals is approved
and accepted by the JAB.
Requirement: The service provider defines the types
of security measures to be used in protecting
defined media types. The security measures are
approved and accepted by the JAB.
MP-3 Media Marking Not
Selected
MP-3 MP-3b.
[Assignment: organization-defined list of removable media
types]
Parameter: [no removable media types]
[Assignment: organization-defined controlled areas]
Parameter: [not applicable]
None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 21
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
MP-4 Media Storage Not
Selected
MP-4
MP-4 (1)
MP-4a.
[Assignment: organization-defined types of digital and
non-digital media]
Parameter: [magnetic tapes, external/removable hard
drives, flash/thumb drives, diskettes, compact disks and
digital video disks]
[Assignment: organization-defined controlled areas]
Parameter: See additional requirements and guidance.
[Assignment: organization-defined security measures]
Parameter: [for digital media, encryption using a FIPS
140-2 validated encryption module; for non-digital media,
secure storage in locked cabinets or safes]
MP-4a.
Requirement: The service provider defines
controlled areas within facilities where the
information and information system reside.

MP-5 Media Transport Not
Selected
MP-5
MP-5 (2)
MP-5 (4)
MP-5a.
[Assignment: organization-defined types of digital and
non-digital media]
Parameter: [magnetic tapes, external/removable hard
drives, flash/thumb drives, diskettes, compact disks and
digital video disks]
[Assignment: organization-defined security measures]
Parameter: [for digital media, encryption using a FIPS
140-2 validated encryption module]
MP-5a.
Requirement: The service provider defines security
measures to protect digital and non-digital media in
transport. The security measures are approved and
accepted by the JAB.
MP-6 Media Sanitization MP-6 MP-6
MP-6 (4)
None. None.
1.11. Physical and Environmental Protection (PE)
PE-1 Physical and Environmental
Protection Policy and
Procedures
PE-1 PE-1 PE-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
PE-2 Physical Access
Authorizations
PE-2 PE-2
PE-2 (1)
PE-2c.
[Assignment: organization-defined frequency]
Parameter: [at least annually]
PE-2 (1)
Requirement: The service provider provides
physical access to the facility where information
systems reside based on position, role, and need-
to-know.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 22
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
PE-3 Physical Access Control PE-3 PE-3 PE-3f.
[Assignment: organization-defined frequency]
Parameter: [at least annually]
PE-3g.
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
PE-4 Access Control for
Transmission Medium
Not
Selected
PE-4 None. None.
PE-5 Access Control for Output
Devices
Not
Selected
PE-5 None. None.
PE-6 Monitoring Physical Access PE-6 PE-6
PE-6 (1)
PE-6b.
[Assignment: organization-defined frequency]
Parameter: [at least semi-annually]
None.
PE-7 Visitor Control PE-7 PE-7
PE-7 (1)
None. None.
PE-8 Access Records PE-8 PE-8 PE-8b.
[Assignment: organization-defined frequency]
Parameter: [at least monthly]
None.
PE-9 Power Equipment and
Power Cabling
Not
Selected
PE-9 None. None.
PE-10 Emergency Shutoff Not
Selected
PE-10 PE-10b.
[Assignment: organization–defined location by information
system or system component]
Parameter: See additional requirements and guidance.
PE-10b.
Requirement: The service provider defines
emergency shutoff switch locations. The locations
are approved and accepted by the JAB.
PE-11 Emergency Power Not
Selected
PE-11
PE-11 (1)
None. None.
PE-12 Emergency Lighting PE-12 PE-12 None. None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 23
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
PE-13 Fire Protection PE-13 PE-13
PE-13 (1)
PE-13 (2)
PE-13 (3)
None. None.
PE-14 Temperature and Humidity
Controls
PE-14 PE-14
PE-14 (1)
PE-14a.
[Assignment: organization-defined acceptable levels]
Parameter: [consistent with American Society of Heating,
Refrigerating and Air-conditioning Engineers (ASHRAE)
document entitled Thermal Guidelines for Data
Processing Environments]
PE-14b.
[Assignment: organization-defined frequency]
Parameter: [continuously]
PE-14a.
Requirements: The service provider measures
temperature at server inlets and humidity levels by
dew point.
PE-15 Water Damage Protection PE-15 PE-15 None. None.
PE-16 Delivery and Removal PE-16 PE-16 PE-16
[Assignment: organization-defined types of information
system components]
Parameter: [all information system components]
None.
PE-17 Alternate Work Site Not
Selected
PE-17 PE-17a.
[Assignment: organization-defined management,
operational, and technical information system security
controls]
Parameter: See additional requirements and guidance.
PE-17a.
Requirement: The service provider defines
management, operational, and technical information
system security controls for alternate work sites.
The security controls are approved and accepted by
the JAB.
PE-18 Location of Information
System Components
Not
Selected
PE-18 None. None.
1.12. Planning (PL)
PL-1 Security Planning Policy
and Procedures
PL-1 PL-1 PL-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 24
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
PL-2 System Security Plan PL-2 PL-2
PL-2 (2)
PL-2b.
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
PL-4 Rules of Behavior PL-4 PL-4 None. None.
PL-5 Privacy Impact Assessment PL-5 PL-5 None. None.
PL-6 Security-Related Activity
Planning
PL-6 PL-6 None. None.
1.13. Personnel Security (PS)
PS-1 Personnel Security Policy
and Procedures
PS-1 PS-1 PS-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
PS-2 Position Categorization PS-2 PS-2 PS-2c.
[Assignment: organization-defined frequency]
Parameter: [at least every three years]
None.
PS-3 Personnel Screening PS-3 PS-3 PS-3b.
[Assignment: organization-defined list of conditions
requiring rescreening and, where re-screening is so
indicated, the frequency of such rescreening]
Parameter: [for national security clearances; a
reinvestigation is required during the 5th year for top
secret security clearance, the 10th year for secret security
clearance, and 15th year for confidential security
clearance.
For moderate risk law enforcement and high impact public
trust level, a reinvestigation is required during the 5th
year. There is no reinvestigation for other moderate risk
positions or any low risk positions]
None.
PS-4 Personnel Termination PS-4 PS-4 None. None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 25
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
PS-5 Personnel Transfer PS-5 PS-5 PS-5
[Assignment: organization-defined transfer or
reassignment actions]
Parameter: See additional requirements and guidance.
[Assignment: organization-defined time period following
the formal transfer action]
Parameter: [within five days]
PS-5
Requirement: The service provider defines transfer
or reassignment actions. Transfer or reassignment
actions are approved and accepted by the JAB.
PS-6 Access Agreements PS-6 PS-6 PS-6b.
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
PS-7 Third-Party Personnel
Security
PS-7 PS-7 None. None.
PS-8 Personnel Sanctions PS-8 PS-8 None. None.
1.14. Risk Assessment (RA)
RA-1 Risk Assessment Policy
and Procedures
RA-1 RA-1 RA-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
RA-2 Security Categorization RA-2 RA-2 None. None.
RA-3 Risk Assessment RA-3 RA-3 RA-3b.
[Selection: security plan; risk assessment report;
[Assignment: organization-defined document]]
Parameter: [security assessment report]
RA-3c.
[Assignment: organization-defined frequency]
Parameter: [at least every three years or when a
significant change occurs]
RA-3d.
[Assignment: organization-defined frequency]
Parameter: [at least every three years or when a
significant change occurs]
RA-3c.
Guidance: Significant change is defined in NIST
Special Publication 800-37 Revision 1, Appendix F.
RA-3d.
Guidance: Significant change is defined in NIST
Special Publication 800-37 Revision 1, Appendix F.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 26
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
RA-5 Vulnerability Scanning RA-5
RA-5 (1)
RA-5 (2)
RA-5 (3)
RA-5 (9)
RA-5
RA-5 (1)
RA-5 (2)
RA-5 (3)
RA-5 (9)
RA-5 (6)
RA-5a.
[Assignment: organization-defined frequency and/or
randomly in accordance with organization-defined
process]
Parameter: [quarterly operating system, web application,
and database scans (as applicable)]
RA-5d.
Assignment: organization-defined response times]
Parameter: [high-risk vulnerabilities mitigated within thirty
days; moderate risk vulnerabilities mitigated within ninety
days]
RA-5 (2)
[Assignment: organization-defined frequency]
Parameter: [continuously, before each scan]
None.
1.15. System and Services Acquisition (SA)
SA-1 System and Services
Acquisition Policy and
Procedures
SA-1 SA-1 SA-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
SA-2 Allocation of Resources SA-2 SA-2 None. None.
SA-3 Life Cycle Support SA-3 SA-3 None. None.
SA-4 Acquisitions SA-4 SA-4
SA-4 (1)
SA-4 (4)
SA-4 (7)
None. SA-4
Guidance: The use of Common Criteria (ISO/IEC
15408) evaluated products is strongly preferred.
See http://www.niap-ccevs.org/vpl or
http://www.commoncriteriaportal.org/products.html.
SA-5 Information System
Documentation
SA-5 SA-5
SA-5 (1)
SA-5 (3)
None. None.
SA-6 Software Usage
Restrictions
SA-6 SA-6 None. None.
SA-7 User-Installed Software SA-7 SA-7 None. None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 27
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
SA-8 Security Engineering
Principles
Not
Selected
SA-8 None. None.
SA-9 External Information
System Services
SA-9 SA-9
SA-9 (1)
SA-9 (1) (b)
[Assignment: organization-defined senior organizational
official].
Parameter: [Joint Authorization Board (JAB)]
SA-9 (1)
Requirement: The service provider documents all
existing outsourced security services and conducts
a risk assessment of future outsourced security
services. Future, planned outsourced services are
approved and accepted by the JAB.
SA-10 Developer Configuration
Management
Not
Selected
SA-10 None. None.
SA-11 Developer Security Testing SA-11
SA-11 (1)
SA-11
SA-11 (1)
None. SA-11 (1)
Requirement: The service provider submits a code
analysis report as part of the authorization package
and updates the report in any reauthorization
actions.
SA-11 (1)
Requirement: The service provider documents in
the Continuous Monitoring Plan, how newly
developed code for the information system is
reviewed.

SA-12 Supply Chain Protection Not
Selected
SA-12 SA-12
[Assignment: organization-defined list of measures to
protect against supply chain threats]
Parameter: See additional requirements and guidance.
SA-12
Requirement: The service provider defines a list of
measures to protect against supply chain threats.
The list of protective measures is approved and
accepted by JAB.
1.16. System and Communications Protection (SC)
SC-1 System and
Communications Protection
Policy and Procedures
SC-1 SC-1 SC-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 28
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
SC-2 Application Partitioning Not
Selected
SC-2 None. None.
SC-4 Information in Shared
Resources
Not
Selected
SC-4 None. None.
SC-5 Denial of Service Protection SC-5 SC-5 SC-5
[Assignment: organization-defined list of types of denial of
service attacks or reference to source for current list]
Parameter: See additional requirements and guidance.
SC-5
Requirement: The service provider defines a list of
types of denial of service attacks (including but not
limited to flooding attacks and software/logic
attacks) or provides a reference to source for
current list. The list of denial of service attack types
is approved and accepted by JAB.
SC-6 Resource Priority Not
Selected
SC-6 None None.
SC-7 Boundary Protection SC-7 SC-7
SC-7 (1)
SC-7 (2)
SC-7 (3)
SC-7 (4)
SC-7 (5)
SC-7 (7)
SC-7 (8)
SC-7 (12)
SC-7 (13)
SC-7 (18)
SC-7 (4) (e)
[Assignment: organization-defined frequency]
Parameter: [at least annually]
SC-7 (8)
[Assignment: organization-defined internal
communications traffic]
Parameter: See additional requirements and guidance.
[Assignment: organization-defined external networks]
Parameter: See additional requirements and guidance.
SC-7 (13)
[Assignment: organization-defined key information
security tools, mechanisms, and support components]
Parameter: See additional requirements and guidance.




SC-7 (1)
Requirement: The service provider and service
consumer ensure that federal information (other
than unrestricted information) being transmitted
from federal government entities to external entities
using information systems providing cloud services
is inspected by TIC processes.
SC-7 (8)
Requirements: The service provider defines the
internal communications traffic to be routed by the
information system through authenticated proxy
servers and the external networks that are the
prospective destination of such traffic routing. The
internal communications traffic and external
networks are approved and accepted by JAB.
SC-7 (13)
Requirement: The service provider defines key
information security tools, mechanisms, and support
components associated with system and security
administration and isolates those tools,
mechanisms, and support components from other
internal information system components via
physically or logically separate subnets.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 29
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
SC-8 Transmission Integrity Not
Selected
SC-8
SC-8 (1)
None. None.
SC-9 Transmission
Confidentiality
Not
Selected
SC-9
SC-9 (1)
SC-9 (1)
[Assignment: organization-defined alternative physical
measures]
Parameter: See additional requirements and guidance
SC-9(1)
Requirement: The service provider must implement
a hardened or alarmed carrier Protective
Distribution System (PDS) when transmission
confidentiality cannot be achieved through
cryptographic mechanisms.
SC-10 Network Disconnect Not
Selected
SC-10 SC-10
[Assignment: organization-defined time period]
Parameter: [thirty minutes for all RAS-based sessions;
thirty to sixty minutes for non-interactive users]
SC-10
Guidance: Long running batch jobs and other
operations are not subject to this time limit.
SC-11 Trusted Path Not
Selected
SC-11 SC-11
[Assignment: organization-defined security functions to
include at a minimum, information system authentication
and re-authentication]
Parameter: See additional requirements and guidance
SC-11
Requirement: The service provider defines the
security functions that require a trusted path,
including but not limited to system authentication,
re-authentication, and provisioning or de-
provisioning of services (i.e. allocating additional
bandwidth to a cloud user). The list of security
functions requiring a trusted path is approved and
accepted by JAB.
SC-12 Cryptographic Key
Establishment and
Management
SC-12 SC-12
SC-12 (2)
SC-12 (5)
SC-12 (2)
[Selection: NIST-approved, NSA-approved]
Parameter: [NIST-approved]


None.
SC-13 Use of Cryptography SC-13 SC-13
SC-13 (1)
None. None.
SC-14 Public Access Protections SC-14 SC-14 None. None.
SC-15 Collaborative Computing
Devices
SC-15 SC-15 SC-15a.
[Assignment: organization-defined exceptions where
remote activation is to be allowed]
Parameter: [no exceptions]
SC-15
Requirement: The information system provides
disablement (instead of physical disconnect) of
collaborative computing devices in a manner that
supports ease of use.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 30
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
SC-16 Transmission of Security
Attributes
Not
Selected
SC-16 None. None.
SC-17 Public Key Infrastructure
Certificates
Not
Selected
SC-17 SC-17
[Assignment: organization-defined certificate policy]
Parameter: See additional requirements and guidance.
SC-17
Requirement: The service provider defines the
public key infrastructure certificate policy. The
certificate policy is approved and accepted by the
JAB.
SC-18 Mobile Code SC-18 SC-18
SC-18 (4)
SC-18 (4)
[Assignment: organization-defined software applications]
Parameter: See additional requirements and guidance.
[Assignment: organization-defined actions]
Parameter: See additional requirements and guidance.
SC-18 (4)
Requirement: The service provider defines the
software applications where the automatic execution
of mobile code is prevented by the information
system providing cloud services.
Requirement: The service provider defines the
actions to be taken prior to the information system
executing mobile code in the software applications
identified. Software applications and actions taken
by the service provider are approved by JAB.
SC-19 Voice Over Internet
Protocol
Not
Selected
SC-19 None. None.
SC-20 Secure Name /Address
Resolution Service
(Authoritative Source)
SC-20
SC-20 (1)
SC-20
SC-20 (1)
None. None.
SC-21 Secure Name/ Address
Resolution Service
(Recursive or Caching
Resolver)
Not
Selected
SC-21 None. None.
SC-22 Architecture and
Provisioning for
Name/Address Resolution
Service
Not
Selected
SC-22 None. None.
SC-23 Session Authenticity Not
Selected
SC-23 None. None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 31
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
SC-25 Thin Nodes Not
Selected
SC-25 None None.
SC-27 Operating System-
Independent Applications
Not
Selected
SC-27 SC-27
[Assignment: organization-defined operating system
independent applications].
Parameter: See additional requirements and guidance
SC-27
Requirement: The service provider and service
consumer define which applications must run
independent of operating system. The OS
Independent applications list is approved and
accepted by JAB.
SC-28 Protection of Information at
Rest
Not
Selected
SC-28
SC-28 (1)
None. None.
SC-30 Virtualization Techniques Not
Selected
SC-30 None None.
SC-32 Information System
Partitioning
Not
Selected
SC-32 None. None.
SC-33 Transmission Preparation
Integrity
Not
Selected
SC-33 None. None.
1.17. System and Information Integrity (SI)
SI-1 System and Information
Integrity Policy and
Procedures
SI-1 SI-1 SI-1
[Assignment: organization-defined frequency]
Parameter: [at least annually]
None.
SI-2 Flaw Remediation SI-2 SI-2
SI-2 (2)
SI-2 (2)
[Assignment: organization-defined frequency]
Parameter: [at least monthly]
None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 32
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
SI-3 Malicious Code Protection SI-3 SI-3
SI-3 (1)
SI-3 (2)
SI-3 (3)
SI-3c.
[Assignment: organization-defined frequency]
Parameter: [at least weekly]
[Selection (one or more): block malicious code; quarantine
malicious code; send alert to administrator; [Assignment:
organization-defined action]]
Parameter: [block or quarantine malicious code, send
alert to administrator, send alert to FedRAMP}
None.

SI-4 Information System
Monitoring
SI-4 SI-4
SI-4 (2)
SI-4 (4)
SI-4 (5)
Si-4 (6)
SI-4a.
[Assignment: organization-defined monitoring objectives]
Parameter: [ensure the proper functioning of internal
processes and controls in furtherance of regulatory and
compliance requirements; examine system records to
confirm that the system is functioning in an optimal,
resilient, and secure state; identify irregularities or
anomalies that are indicators of a system malfunction or
compromise]
SI-4 (5)
[Assignment: organization-defined list of compromise
indicators]
Parameter: [protected information system files or
directories have been modified without notification from
the appropriate change/configuration management
channels; information system performance indicates
resource consumption that is inconsistent with expected
operating conditions; auditing functionality has been
disabled or modified to reduce audit visibility; audit or log
records have been deleted or modified without
explanation; information system is raising alerts or faults
in a manner that indicates the presence of an abnormal
condition; resource or service requests are initiated from
clients that are outside of the expected client membership
set; information system reports failed logins or password
changes for administrative or key service accounts;
processes and services are running that are outside of the
baseline system profile; utilities, tools, or scripts have
been saved or installed on production systems without
clear indication of their use or purpose]
SI-4(5)
Requirement: The service provider defines
additional compromise indicators as needed.
Guidance: Alerts may be generated from a variety
of sources including but not limited to malicious
code protection mechanisms, intrusion detection or
prevention mechanisms, or boundary protection
devices such as firewalls, gateways, and routers.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 33
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
SI-5 Security Alerts, Advisories,
and Directives
SI-5 SI-5 SI-5c.
[Assignment: organization-defined list of personnel
(identified by name and/or by role)]
Parameter: [All staff with system administration,
monitoring, and/or security responsibilities including but
not limited to FedRAMP]
SI-5c.
Requirement: The service provider defines a list of
personnel (identified by name and/or by role) with
system administration, monitoring, and/or security
responsibilities who are to receive security alerts,
advisories, and directives. The list also includes
designated FedRAMP personnel.
SI-6 Security functionality
verification
Not
Selected
SI-6 SI-6
[Selection (one or more): [Assignment: organization-
defined system transitional states]; upon command by
user with appropriate privilege; periodically every
[Assignment: organization-defined time-period]]
Parameter: [upon system startup and/or restart and
periodically every ninety days]
[Selection (one or more): notifies system administrator;
shuts the system down; restarts the system; [Assignment:
organization-defined alternative action(s)]]
Parameter: [notifies system administrator]
None.
SI-7 Software and Information
Integrity
Not
Selected
SI-7
SI-7 (1)
SI-7 (1)
[Assignment: organization-defined frequency]
Parameter: [at least monthly]
None.
SI-8 Spam Protection Not
Selected
SI-8 None. None.
SI-9 Information Input
Restrictions
Not
Selected
SI-9 None. None.
SI-10 Information Input Validation SI-10 SI-10 None. None.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter One: Cloud Computing Security Requirements Baseline Page 34
Control Number and Name
Control Baseline
Control Parameter Requirements
Additional Requirements
and Guidance
Low Moderate
SI-11 Error Handling Not
Selected
SI-11 SI-11b.
[Assignment: organization-defined sensitive or potentially
harmful information]
Parameter: [user name and password combinations;
attributes used to validate a password reset request (e.g.
security questions); personally identifiable information
(excluding unique user name identifiers provided as a
normal part of a transactional record); biometric data or
personal characteristics used to authenticate identity;
sensitive financial records (e.g. account numbers, access
codes); content related to internal security functions (i.e.,
private encryption keys, white list or blacklist rules, object
permission attributes and settings)].
None.
SI-12 Information Output
Handling and Retention
SI-12 SI-12 None. None.
Table 1: FedRAMP Security Controls & Enhancements. ͳʹ͵
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Page 35
Chapter Two: Continuous Monitoring
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Two: Continuous Monitoring Page 36
2. Continuous Monitoring ͳʹͶ
2.1. Introduction ͳʹͷ
A critical aspect of managing risk to information from the operation and use of information ͳʹ͸
systems involves the continuous monitoring of the security controls employed within or inherited ͳʹ͹
by the system. Conducting a thorough point-in-time assessment of the deployed security controls ͳʹͺ
is a necessary but not sufficient condition to demonstrate security due diligence. An effective ͳʹͻ
organizational information security program also includes a rigorous continuous monitoring ͳ͵Ͳ
program integrated into the System Development Life Cycle (SDLC). The objective of the ͳ͵ͳ
continuous monitoring program is to determine if the set of deployed security controls continue ͳ͵ʹ
to be effective over time in light of the inevitable changes that occur. Continuous monitoring is a ͳ͵͵
proven technique to address the security impacts on an information system resulting from ͳ͵Ͷ
changes to the hardware, software, firmware, or operational environment. A well-designed and ͳ͵ͷ
well-managed continuous monitoring program can effectively transform an otherwise static ͳ͵͸
security control assessment and risk determination process into a dynamic process that provides ͳ͵͹
essential, near real-time security status-related information to organizational officials in order to ͳ͵ͺ
take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding ͳ͵ͻ
the operation of the information system. Continuous monitoring programs provide organizations ͳͶͲ
with an effective mechanism to update Security Plans, Security Assessment Reports, and Plans of ͳͶͳ
Action and Milestones (POA&Ms). ͳͶʹ
An effective continuous monitoring program includes: ͳͶ͵
x Configuration management and control processes for information systems; ͳͶͶ
x Security impact analyses on proposed or actual changes to information systems and ͳͶͷ
environments of operation; ͳͶ͸
x Assessment of selected security controls (including system-specific, hybrid, and common ͳͶ͹
controls) based on the defined continuous monitoring strategy; ͳͶͺ
x Security status reporting to appropriate officials; and ͳͶͻ
x Active involvement by authorizing officials in the ongoing management of information ͳͷͲ
system-related security risks. ͳͷͳ
2.2. Purpose ͳͷʹ
The purpose of this chapter is to establish and define how Continuous Monitoring will work in a ͳͷ͵
cloud computing environment and specifically within the FedRAMP framework. This document ͳͷͶ
will also serve to define reporting responsibilities and frequency for the Cloud Service Offering ͳͷͷ
Service Provider (CSP). ͳͷ͸
2.3. Background ͳͷ͹
Service Provider is required to develop a strategy and implement a program for the continuous ͳͷͺ
monitoring of security control effectiveness including the potential need to change or supplement ͳͷͻ
the control set, taking into account any proposed/actual changes to the information system or its ͳ͸Ͳ
environment of operation. Continuous monitoring is integrated into the organization’s system ͳ͸ͳ
development life cycle processes. Robust continuous monitoring requires the active involvement ͳ͸ʹ
of information system owners and common control providers, chief information officers, senior ͳ͸͵
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Two: Continuous Monitoring Page 37
information security officers, and authorizing officials. Continuous monitoring allows an ͳ͸Ͷ
organization to: (i) track the security state of an information system on a continuous basis; and ͳ͸ͷ
(ii) maintain the security authorization for the system over time in highly dynamic environments ͳ͸͸
of operation with changing threats, vulnerabilities, technologies, and missions/business ͳ͸͹
processes. Continuous monitoring of security controls using automated support tools facilitates ͳ͸ͺ
near real-time risk management and represents a significant change in the way security ͳ͸ͻ
authorization activities have been employed in the past. Near real-time risk management of ͳ͹Ͳ
information systems can be accomplished by employing automated support tools to execute ͳ͹ͳ
various steps in the Risk Management Framework including authorization-related activities. In ͳ͹ʹ
addition to vulnerability scanning tools, system and network monitoring tools, and other ͳ͹͵
automated support tools that can help to determine the security state of an information system, ͳ͹Ͷ
organizations can employ automated security management and reporting tools to update key ͳ͹ͷ
documents in the authorization package including the security plan, security assessment report, ͳ͹͸
and plan of action and milestones. The documents in the authorization package are considered ͳ͹͹
“living documents” and updated accordingly based on actual events that may affect the security ͳ͹ͺ
state of the information system. ͳ͹ͻ
2.4. Continuous Monitoring Requirements ͳͺͲ
FedRAMP is designed to facilitate a more streamlined approach and methodology to continuous ͳͺͳ
monitoring. Accordingly, service providers must demonstrate their ability to perform routine ͳͺʹ
tasks on a specifically defined scheduled basis to monitor the cyber security posture of the ͳͺ͵
defined IT security boundary. While FedRAMP will not prescribe specific toolsets to perform ͳͺͶ
these functions, FedRAMP does prescribe their minimum capabilities. Furthermore, FedRAMP ͳͺͷ
will prescribe specific reporting criteria that service providers can utilize to maximize their ͳͺ͸
FISMA reporting responsibilities while minimizing the resource strain that is often experienced. ͳͺ͹
2.5. Reporting and Continuous Monitoring ͳͺͺ
Maintenance of the security Authority To Operate (ATO) will be through continuous monitoring ͳͺͻ
of security controls of the service providers system and its environment of operation to determine ͳͻͲ
if the security controls in the information system continue to be effective over time in light of ͳͻͳ
changes that occur in the system and environment. Through continuous monitoring, security ͳͻʹ
controls and supporting deliverables are updated and submitted to FedRAMP per the schedules ͳͻ͵
below. The submitted deliverables provide a current understanding of the security state and risk ͳͻͶ
posture of the information systems. They allow FedRAMP authorizing officials to make credible ͳͻͷ
risk-based decisions regarding the continued operations of the information systems and initiate ͳͻ͸
appropriate responses as needed when changes occur. The deliverable frequencies below are to ͳͻ͹
be considered standards. However, there will be instances, beyond the control of FedRAMP in ͳͻͺ
which deliverables may be required on an ad hoc basis. ͳͻͻ
The deliverables required during continuous monitoring are depicted in Table 2: FedRAMP ʹͲͲ
Continuous Monitoring . This table provides a listing of the deliverables, responsible party and ʹͲͳ
frequency for completion. The table is organized into: ʹͲʹ
x Deliverable – Detailed description of the reporting artifact. If the artifact is expected in a ʹͲ͵
specific format, that format appears in BOLD text. ʹͲͶ
x Frequency – Frequency under which the artifact should be created and/or updated. ʹͲͷ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Two: Continuous Monitoring Page 38
x Responsibility – Whether FedRAMP or the Cloud Service Provider is responsible for ʹͲ͸
creation and maintenance of the artifact. ʹͲ͹
Deliverable Frequency Responsibility
FedRAMP Cloud
Service
Provider
Scan reports of all systems within the boundary
for vulnerability (Patch) management.
(Tool Output Report)
Monthly
9
Scan for verification of FDCC compliance
(USGCB, CIS).
(SCAP Tool Output)
Quarterly
9
Incident Response Plan. Annually
9
POAM Remediation
(Completed POA&M Matrix)
Quarterly
9
Change Control Process Annually
9
Penetration testing
(Formal plan and results)
Annually
9

9
IV&V of controls Semi-
Annually
9

Scan to verify that boundary has not changed
(also that no rogue systems are added after ATO)
(Tool Output Report)
Quarterly
9
System configuration management software
(SCAP Tool Output)
Quarterly
9
FISMA Reporting data Quarterly
9
Update Documentation Annually
9
Contingency Plan and Test Report

Annually
9
Separation of Duties Matrix

Annually
9
Information Security Awareness and Training
Records Results)

Annually
9
Table 2: FedRAMP Continuous Monitoring Deliverables ʹͲͺ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Two: Continuous Monitoring Page 39
2.6. Routine Systems Change Control Process ʹͲͻ
The Change Control Process is instrumental in ensuring the integrity of the cloud computing ʹͳͲ
environment. As the system owners as well as other authorizing officials approve changes, they ʹͳͳ
are systematically documented. This documentation is a critical aspect of continuous monitoring ʹͳʹ
since it establishes all of the requirements that led to the need for the change as well as the ʹͳ͵
specific details of the implementation. To ensure that changes to the enterprise do not alter the ʹͳͶ
security posture beyond the parameters set by the FedRAMP Joint Authorization Board (JAB), ʹͳͷ
the key documents in the authorization package which include the security plan, security ʹͳ͸
assessment report, and plan of action and milestones are updated and formally submitted to ʹͳ͹
FedRAMP within 30 days of approved modification. ʹͳͺ
There are however, changes that are considered to be routine. These changes can be standard ʹͳͻ
maintenance, addition or deletion of users, the application of standard security patches, or other ʹʹͲ
routine activities. While these changes individually may not have much effect on the overall ʹʹͳ
security posture of the system, in aggregate they can create a formidable security issue. To ʹʹʹ
combat this possibility, these routine changes should be documented as part of the CSP’s ʹʹ͵
standard change management process and accounted for via the CSP’s internal continuous ʹʹͶ
monitoring plan. Accordingly, these changes must be documented, at a minimum, within the ʹʹͷ
current SSP of the system within 30 days of implementation. ʹʹ͸
Configuration Change Control Process (CCP) ʹʹ͹
Throughout the System Development Life Cycle (SDLC) system owners must be cognizant of ʹʹͺ
changes to the system. Since systems routinely experience changes over time to accommodate ʹʹͻ
new requirements, new technologies or new risks, they must be routinely analyzed in respect to ʹ͵Ͳ
the security posture. Minor changes typically have little impact to the security posture of a ʹ͵ͳ
system. These changes can be standard maintenance, adding or deleting users, applying standard ʹ͵ʹ
security patches, or other routine activities. However, significant changes require an added level ʹ͵͵
of attention and action. NIST defines significant change as “A significant change is defined as a ʹ͵Ͷ
change that is likely to affect the security state of an information system.” Changes such as ʹ͵ͷ
installing a new operating system, port modification, new hardware platforms, or changes to the ʹ͵͸
security controls should automatically trigger a re-authorization of the system via the FedRAMP ʹ͵͹
process. ʹ͵ͺ
Minor changes must be captured and documented in the SSP of the system within 30 days of ʹ͵ͻ
implementation. This requirement should be part of the CSP’s documented internal continuous ʹͶͲ
monitoring plan. Once the SSP is updated, it must be submitted to FedRAMP, and a record of ʹͶͳ
the change must be maintained internally. ʹͶʹ
Major or significant changes may require re-authorization via the FedRAMP process. In order to ʹͶ͵
facilitate a re-authorization, it is the responsibility of both the CSP and the sponsoring agency to ʹͶͶ
notify FedRAMP of the need to make such a significant change. FedRAMP will assist and ʹͶͷ
coordinate with all stakeholders the necessary steps to ensure that the change is adequately ʹͶ͸
documented, tested and approved. ʹͶ͹
2.7. FISMA Reporting Requirements ʹͶͺ
FISMA established the IT security reporting requirements. OMB in conjunction with DHS ʹͶͻ
enforces these reporting requirements. FISMA reporting responsibilities must be clearly defined. ʹͷͲ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Two: Continuous Monitoring Page 40
FedRAMP will coordinate with CSP’s and agencies to gather data associated with the cloud ʹͷͳ
service offering. Only data related to the documented system security boundary of the cloud ʹͷʹ
service offering will be collected by FedRAMP and reported to OMB at the appropriate time and ʹͷ͵
frequency. Agencies will maintain their reporting responsibilities for their internal systems that ʹͷͶ
correspond to the inter-connection between the agency and the cloud service offering. ʹͷͷ
2.8. On-going Testing of Controls and Changes to Security Controls ʹͷ͸
Process ʹͷ͹
System owners and administrators have long maintained the responsibility for patch and ʹͷͺ
vulnerability management. However, it has been proven time and again that this responsibility ʹͷͻ
often requires a heavy use of resources as well as a documented, repeatable process to be carried ʹ͸Ͳ
out consistently and adequately. This strain on resources and lack of processes has opened the ʹ͸ͳ
door to many malicious entities through improper patching, significant lapse in time between ʹ͸ʹ
patch availability and patch implementation, and other security oversights. Routine system ʹ͸͵
scanning and reporting is a vital aspect of continuous monitoring and thus, maintaining a robust ʹ͸Ͷ
cyber security posture. ʹ͸ͷ
Vulnerability patching is critical. Proprietary operating system vendors (POSV) are constantly ʹ͸͸
providing patches to mitigate vulnerabilities that are discovered. In fact, regularly scheduled ʹ͸͹
monthly patches are published by many POSV to be applied to the appropriate operating system. ʹ͸ͺ
It is also the case that POSV will, from time to time, publish security patches that should be ʹ͸ͻ
applied on systems as soon as possible due to the serious nature of the vulnerability. Systems ʹ͹Ͳ
running in virtual environment are not exempted from patching. In fact, not only are the ʹ͹ͳ
operating systems running in a virtual environment to be patched routinely, but often-times the ʹ͹ʹ
virtualization software itself is exposed to vulnerabilities and thus must be patched either via a ʹ͹͵
vendor based solution or other technical solution. ʹ͹Ͷ
Open source operating systems require patch and vulnerability management as well. Due to the ʹ͹ͷ
open nature of these operating systems there needs to be a reliable distribution point for system ʹ͹͸
administrators to safely and securely obtain the required patches. These patches are available at ʹ͹͹
the specific vendors’ website. ʹ͹ͺ
Database platforms, web platforms and applications, and virtually all other software applications ʹ͹ͻ
come with their own security issues. It is not only prudent, but also necessary to stay abreast of ʹͺͲ
all of the vulnerabilities that are represented by the IT infrastructure and applications that are in ʹͺͳ
use. ʹͺʹ
While vulnerability management is indeed a difficult and daunting task, there are proven tools ʹͺ͵
available to assist the system owner and administrator in discovering the vulnerabilities in a ʹͺͶ
timely fashion. These tools must be updated prior to being run. Updates are available at the ʹͺͷ
corresponding vendors’ website. ʹͺ͸
With these issues in mind FedRAMP will require CSP’s to provide the following: ʹͺ͹
x Monthly vulnerability scans of all servers. Tools used to perform the scan must be ʹͺͺ
provided as well as the version number reflecting the latest update. A formal report of ʹͺͻ
all vulnerabilities discovered, mitigated or the mitigating strategy. This report should list ʹͻͲ
the vulnerabilities by severity and name. Specificity is crucial to addressing the security ʹͻͳ
posture of the system. All “High” level vulnerabilities must be mitigated within thirty ʹͻʹ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Two: Continuous Monitoring Page 41
days (30) days of discovery. “Moderate” level vulnerabilities must be mitigated within ʹͻ͵
ninety (90) days of discovery. It is accepted that, at certain times, the application of ʹͻͶ
certain security patches can cause negative effects on systems. In these situations, it is ʹͻͷ
understood that compensating controls (workarounds) must be used to minimize system ʹͻ͸
performance degradation while serving to mitigate the vulnerability. These ʹͻ͹
“Workarounds” must be submitted to FedRAMP & the Sponsoring agency for ʹͻͺ
acceptance. All reporting must reflect these activities. ʹͻͻ
x Quarterly FDCC and/or system configuration compliance scans, with a Security Content ͵ͲͲ
Automation Protocol (SCAP) validated tool, across the entire boundary, which verifies ͵Ͳͳ
that all servers maintain compliance with the mandated FDCC and/or approved system ͵Ͳʹ
configuration security settings. ͵Ͳ͵
x Weekly scans for malicious code. Internal scans must be performed with the appropriate ͵ͲͶ
updated toolset. Monthly reporting is required to be submitted to FedRAMP, where ͵Ͳͷ
activity is summarized. ͵Ͳ͸
x All software operating systems and applications are required to be scanned by an ͵Ͳ͹
appropriate tool to perform a thorough code review to discover malicious code. ͵Ͳͺ
Mandatory reporting to FedRAMP must include tool used, tool configuration settings, ͵Ͳͻ
scanning parameters, application scanned (name and version) and the name of the third ͵ͳͲ
party performing the scan. Initial report should be included with the SSP as part of the ͵ͳͳ
initial authorization package. ͵ͳʹ
x Performance of the annual Self Assessment in accordance with NIST guidelines. CSP ͵ͳ͵
must perform a self-assessment annually or whenever a significant change occurs. This ͵ͳͶ
is necessary if there is to be a continuous awareness of the risk and security posture of the ͵ͳͷ
system. ͵ͳ͸
x Quarterly POA&M remediation reporting. CSP must provide to FedRAMP a detailed ͵ͳ͹
matrix of POA&M activities using the supplied FedRAMP POA&M Template. This ͵ͳͺ
should include milestones met or milestones missed, resources required and validation ͵ͳͻ
parameters. ͵ʹͲ
x Active Incident Response capabilities allow for suspect systems to be isolated and ͵ʹͳ
inspected for any unapproved or otherwise malicious applications. ͵ʹʹ
x Quarterly boundary-wide scans are required to be performed on the defined boundary IT ͵ʹ͵
system inventory to validate the proper HW and SW configurations as well as search and ͵ʹͶ
discover rogue systems attached to the infrastructure. A summary report, inclusive of a ͵ʹͷ
detailed network architecture drawing must be provided to FedRAMP. ͵ʹ͸
x Change Control Process meetings to determine and validate the necessity for suggested ͵ʹ͹
changes to HW/SW within the enterprise must be coordinated with FedRAMP to ensure ͵ʹͺ
that the JAB is aware of the changes being made to the system. ͵ʹͻ
2.9. Incident Response ͵͵Ͳ
Computer security incident response has become an important component of information ͵͵ͳ
technology (IT) programs. Security-related threats have become not only more numerous and ͵͵ʹ
diverse but also more damaging and disruptive. New types of security-related incidents emerge ͵͵͵
frequently. Preventative activities based on the results of risk assessments can lower the number ͵͵Ͷ
of incidents, but not all incidents can be prevented. An incident response capability is therefore ͵͵ͷ
necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the ͵͵͸
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Two: Continuous Monitoring Page 42
weaknesses that were exploited, and restoring computing services. To that end, NIST SP 800-61 ͵͵͹
provides guidelines for development and initiation of an incident handling program, particularly ͵͵ͺ
for analyzing incident-related data and determining the appropriate response to each incident. ͵͵ͻ
The guidelines can be followed independently of particular hardware platforms, operating ͵ͶͲ
systems, protocols, or applications. As part of the authorization process the system security plan ͵Ͷͳ
will have documented all of the “IR” or Incident Response family of controls. One of these ͵Ͷʹ
controls (IR-8) requires the development of an Incident Response plan that will cover the life ͵Ͷ͵
cyber of incident response as documented in the NIST SP 800-61 guidelines. The plan should ͵ͶͶ
outline the resources and management support that is needed to effectively maintain and mature ͵Ͷͷ
an incident response capability. The incident response plan should include these elements: ͵Ͷ͸
x Mission ͵Ͷ͹
x Strategies and goals ͵Ͷͺ
x Senior management approval ͵Ͷͻ
x Organizational approach to incident response ͵ͷͲ
x How the incident response team will communicate with the rest of the organization ͵ͷͳ
x Metrics for measuring the incident response capability ͵ͷʹ
x Roadmap for maturing the incident response capability ͵ͷ͵
x How the program fits into the overall organization. ͵ͷͶ
The organization’s mission, strategies, and goals for incident response should help in ͵ͷͷ
determining the structure of its incident response capability. The incident response program ͵ͷ͸
structure should also be discussed within the plan. The response plan must address the ͵ͷ͹
possibility that incidents, including privacy breaches and classified spills, may impact the cloud ͵ͷͺ
and shared cloud customers. In any shared system, communication is the biggest key to success. ͵ͷͻ
As part of the continuous monitoring of a system, responding to incidents will be a key element. ͵͸Ͳ
The FedRAMP concern and its role in continuous monitoring will be to focus on how a provider ͵͸ͳ
conducted the incident response and any after incident actions. As represented in Figure 2: ͵͸ʹ
Incident response life cycle, incident response is a continually improving process. ͵͸͵
͵͸Ͷ
Figure 2: Incident response life cycle ͵͸ͷ
One of the most important parts of incident response is also the most often omitted - learning and ͵͸͸
improving. Each incident response team should evolve to reflect new threats, improved ͵͸͹
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Two: Continuous Monitoring Page 43
technology, and lessons learned. Many organizations have found that holding a “lessons learned” ͵͸ͺ
meeting with all involved parties after a major incident, and periodically after lesser incidents, is ͵͸ͻ
extremely helpful in improving security measures and the incident handling process itself. This ͵͹Ͳ
meeting provides a chance to achieve closure with respect to an incident by reviewing what ͵͹ͳ
occurred, what was done to intervene, and how well intervention worked. The meeting should be ͵͹ʹ
held within several days of the end of the incident. Questions to be answered in the lessons ͵͹͵
learned meeting include: ͵͹Ͷ
x Exactly what happened, and at what times? ͵͹ͷ
x How well did staff and management perform in dealing with the incident? Were the ͵͹͸
documented procedures followed? Were they adequate? ͵͹͹
x What information was needed sooner? ͵͹ͺ
x Were any steps or actions taken that might have inhibited the recovery? ͵͹ͻ
x What would the staff and management do differently in a future occurrence? ͵ͺͲ
x What corrective actions can prevent similar incidents in the future? ͵ͺͳ
x What tools/resources are needed to detect, analyze, and mitigate future incidents? ͵ͺʹ
Small incidents need limited post-incident analysis, with the exception of incidents performed ͵ͺ͵
through new attack methods that are of widespread concern and interest. After serious attacks ͵ͺͶ
have occurred, it is usually worthwhile to hold post-mortem meetings that cross team and ͵ͺͷ
organizational boundaries to provide a mechanism for information sharing. The primary ͵ͺ͸
consideration in holding such meetings is ensuring that the right people are involved. Not only is ͵ͺ͹
it important to invite people who have been involved in the incident that is being analyzed, but ͵ͺͺ
also wise to consider who should be invited for the purpose of facilitating future cooperation. ͵ͺͻ
2.10. Independent Verification and Validation ͵ͻͲ
Independent Verification and Validation (IV&V) is going to be an integral component to a ͵ͻͳ
successful implementation of FedRAMP. With this in mind, it must be noted that establishing ͵ͻʹ
and maintaining an internal expertise of FedRAMP policies, procedures and processes is going to ͵ͻ͵
be required. This expertise will be tasked to perform various IV&V functions with CSP’s, ͵ͻͶ
sponsoring agencies and commercial entities obtained by CSP’s with absolute independence on ͵ͻͷ
behalf of FedRAMP. FedRAMP IV&V will be on behalf of the JAB. ͵ͻ͸
As part of these efforts, FedRAMP will periodically perform audits (both scheduled and ͵ͻ͹
unscheduled) related strictly to the cloud computing service offering and the established system ͵ͻͺ
boundary. This will include, but not be limited to: ͵ͻͻ
x Scheduled annual assessments of the system security documentation; ͶͲͲ
x Verification of testing procedures; ͶͲͳ
x Validation of testing tools and assessments; ͶͲʹ
x Validation of assessment methodologies employed by the CSP and independent ͶͲ͵
assessors; ͶͲͶ
x Verification of the CSP continuous monitoring program; and ͶͲͷ
x Validation of CSP risk level determination criteria. ͶͲ͸
There are several methods that must be employed to accomplish these tasks. In accordance with ͶͲ͹
the new FIMSA requirement, and as a matter of implementing industry best practices, FedRAMP ͶͲͺ
IV&V will be performing penetration testing. This testing will be performed with strict ͶͲͻ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Two: Continuous Monitoring Page 44
adherence to the specific guidelines established by a mutually agreed upon “Rules of ͶͳͲ
Engagement” agreement between FedRAMP IV&V and the target stakeholders. Unless Ͷͳͳ
otherwise stated in the agreement, all penetration testing will be passive in nature to avoid Ͷͳʹ
unintentional consequences. No attempts to exploit vulnerabilities will be allowed unless Ͷͳ͵
specified within the “Rules of Engagement” agreement. ͶͳͶ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Page 45
Chapter Three: Potential Assessment
& Authorization Approach
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 46
3. Potential Assessment & Authorization Approach Ͷͳͷ
3.1. Introduction Ͷͳ͸
Cloud computing presents a unique opportunity to increase the effectiveness and efficiency of Ͷͳ͹
the A&A and Continuous Monitoring process for Federal Agencies. The nature of cloud Ͷͳͺ
computing systems does not allow Federal Agencies to enforce their own unique security Ͷͳͻ
requirements and policies on a shared infrastructure – as many of these unique requirements are ͶʹͲ
incompatible. Hence, cloud computing provides an opportunity for the Federal Agencies to work Ͷʹͳ
together to create a common security baseline for authorizing these shared systems. Ͷʹʹ
The implementation of a common security baseline requires a joint approach for the A&A and Ͷʹ͵
Continuous Monitoring process. Any joint approach to this process requires a coordinated effort ͶʹͶ
of many operational components working together. These operations need to interact/interplay Ͷʹͷ
with each other to successfully authorize and monitor cloud systems for government-wide use. Ͷʹ͸
FedRAMP operations could potentially be executed by different entities and in many different Ͷʹ͹
models. However, the end goal is to establish an on-going A&A approach that all Federal Ͷʹͺ
Agencies can leverage. To accomplish that goal, the following benefits are desired regardless of Ͷʹͻ
the operating approach: Ͷ͵Ͳ
x Inter-Agency vetted Cloud Computing Security Requirement baseline that is used across Ͷ͵ͳ
the Federal Government; Ͷ͵ʹ
x Consistent interpretation and application of security requirement baseline in a cloud Ͷ͵͵
computing environment; Ͷ͵Ͷ
x Consistent interpretation of cloud service provider authorization packages using a Ͷ͵ͷ
standard set of processes and evaluation criteria; Ͷ͵͸
x More consistent and efficient continuous monitoring of cloud computing Ͷ͵͹
environment/systems fostering cross-agency communication in best practices and shared Ͷ͵ͺ
knowledge; and Ͷ͵ͻ
x Cost savings/avoidance realized due to the “Approve once, use often” concept for ͶͶͲ
security authorization of cloud systems. ͶͶͳ
FedRAMP operations could be conducted under many delivery models. The Federal Cloud ͶͶʹ
Computing Initiative (FCCI) has focused on exploring three models in particular. The three ͶͶ͵
models for assessment that have been vetted within Government and Industry are: ͶͶͶ
x A centralized approach working through a FedRAMP program office; ͶͶͷ
x A federated model using capabilities of multiple approved agency centers; and ͶͶ͸
x Some combination of the above that combines public and private sector partners. ͶͶ͹
Preliminary vetting of the three models focused on finding a model that best met the goals of this ͶͶͺ
endeavor as mentioned above. As a result of vetting the models with government and industry ͶͶͻ
stakeholders, this chapter presents FedRAMP operations through a centralized program office ͶͷͲ
context. However, the government is seeking your input, knowledge, and experience as to the Ͷͷͳ
best model for FedRAMP operations that deliver upon the described benefits and encourage you Ͷͷʹ
to actively engage and contribute with substantive comments. Ͷͷ͵
ͶͷͶ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 47
3.2. Overview Ͷͷͷ
Background Ͷͷ͸
The Federal Government is increasingly using large shared and outsourced systems by moving to Ͷͷ͹
cloud computing, virtualization, and datacenter/application consolidation. The current method of Ͷͷͺ
conducting risk management of shared, outsourced, cloud computing systems on an agency-by- Ͷͷͻ
agency basis causes duplication of efforts, inefficiencies in sharing knowledge, best practices and Ͷ͸Ͳ
lessons learned in authorizing and ongoing monitoring of such systems, and the unnecessary cost Ͷ͸ͳ
from repetitive work and relearning. Ͷ͸ʹ
In order to address these concerns, the U.S. Chief Information Officer (U.S. CIO) established a Ͷ͸͵
government-wide Federal Risk and Authorization Management Program (FedRAMP) to provide Ͷ͸Ͷ
joint security assessment, authorizations and continuous monitoring of cloud computing services Ͷ͸ͷ
for all Federal Agencies to leverage. Ͷ͸͸
Purpose Ͷ͸͹
The objective of FedRAMP is threefold: Ͷ͸ͺ
x Ensure that information systems/services used government-wide have adequate Ͷ͸ͻ
information security; Ͷ͹Ͳ
x Eliminate duplication of effort and reduce risk management costs; and Ͷ͹ͳ
x Enable rapid and cost-effective procurement of information systems/services for Federal Ͷ͹ʹ
agencies. Ͷ͹͵
Benefits Ͷ͹Ͷ
Joint authorization of cloud computing services provides a common security risk model that can Ͷ͹ͷ
be leveraged across the Federal Government. The use of a common security risk model provides Ͷ͹͸
a consistent baseline for Cloud based technologies across government. This common baseline Ͷ͹͹
will ensure that the benefits and challenges of cloud based technologies are effectively integrated Ͷ͹ͺ
across the various cloud computing solutions currently proposed within the government. The Ͷ͹ͻ
risk model will also enable the government to “approve once and use often” by ensuring other ͶͺͲ
agencies gain the benefit and insight of the FedRAMP’s Authorization and access to service Ͷͺͳ
provider’s authorization packages. Ͷͺʹ
By providing a unified government-wide risk management for enterprise level IT systems, Ͷͺ͵
FedRAMP will enable Agencies to either use or leverage authorizations with: ͶͺͶ
x An interagency vetted approach; Ͷͺͷ
x Consistent application of Federal security requirements; Ͷͺ͸
x Consolidated risk management; and Ͷͺ͹
x Increased effectiveness and management cost savings. Ͷͺͺ
Ͷͺͻ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 48
3.3. Governance ͶͻͲ
The following sections describe the FedRAMP governance model and define the roles and Ͷͻͳ
responsibilities of key stakeholders of the FedRAMP process. Ͷͻʹ
3.3.1. Governance Model Ͷͻ͵
ͶͻͶ
Figure 3: FedRAMP Governance Model Ͷͻͷ
FedRAMP is an interagency effort under the authority of the U.S. Chief Information Officer Ͷͻ͸
(U.S. CIO) and managed out of the General Services Administration (GSA) as depicted in Figure Ͷͻ͹
3 and detailed below. Ͷͻͺ
The initiation of FedRAMP and the Joint Authorization Board (JAB) has been via the U.S. CIO Ͷͻͻ
in coordination with the Federal CIO Council. The U.S. CIO has tasked the Joint Authorization ͷͲͲ
Board (JAB) with jointly authorizing cloud computing systems. The General Service ͷͲͳ
Administration has been tasked with the actual day-to-day operation of FedRAMP in supports ͷͲʹ
this effort. ͷͲ͵
The three permanent members of JAB include the Department of Homeland Security (DHS), ͷͲͶ
Department of Defense (DOD), and the General Services Administration (GSA). The sponsoring ͷͲͷ
government agency for each cloud computing system will be represented as the rotating JAB ͷͲ͸
member. The JAB also performs risk determination and acceptance of FedRAMP authorized ͷͲ͹
systems. ͷͲͺ
The JAB also has the final decision making authority on FedRAMP security controls, policies, ͷͲͻ
procedures and templates. ͷͳͲ
JAB technical representatives are appointed by their respective JAB authorizing official (both ͷͳͳ
permanent and rotating) for the implementation of the FedRAMP process. JAB technical ͷͳʹ
representatives provide subject matter expertise and advice to the JAB authorizing officials. ͷͳ͵
The JAB technical representatives review the vetted authorization packages provided by ͷͳͶ
FedRAMP. The JAB technical representatives make authorization recommendations to the JAB ͷͳͷ
authorizing officials and advise the JAB of all residual risks. ͷͳ͸
FedRAMP is an administrative support team provided by the U.S. CIO under the guidance of ͷͳ͹
GSA. FedRAMP operations are responsible for the day-to-day administration and project ͷͳͺ
management of FedRAMP. FedRAMP performs an initial review of submitted authorization ͷͳͻ
packages and has the authority to work with cloud computing system owners to refine each ͷʹͲ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 49
submission until it satisfies FedRAMP and JAB requirements. FedRAMP also oversees ͷʹͳ
continuous monitoring of authorized systems. ͷʹʹ
The ISIMC under the Federal CIO Council is responsible for socializing and reviewing ͷʹ͵
FedRAMP processes and documents. They provide recommendations on the FedRAMP ͷʹͶ
documents directly to the JAB. Their recommendations are based on vetting the cloud computing ͷʹͷ
best practices, lessons learned and emerging concepts within the Federal CIO Council ͷʹ͸
community. However, the final approval on changes to FedRAMP processes and documents is ͷʹ͹
made by the JAB. ͷʹͺ
3.3.2. Roles and Responsibilities ͷʹͻ
Table 3: Stakeholder Roles and Responsibilities defines the responsibilities/tasks for FedRAMP ͷ͵Ͳ
stakeholders. ͷ͵ͳ
Role Duties and Responsibilities
JAB Chair (U.S. CIO) x Selects the JAB Authorizing Officials
x Coordinates FedRAMP activities with the CIO
Council
x Tasks and funds FedRAMP, for technical support as
necessary
JAB Authorizing Officials x Designate a JAB Technical Representative
x Ensure the Technical Representative considers current
threats and evaluation criteria based on evolving cloud
computing best practices in their review of joint
authorizations.
x Issue joint authorization decisions
x Resolve issues as needed
JAB Rotating Authorizing
Officials (Sponsoring Agency
Authorizing Official)
x Same duties as JAB Authorizing Officials only for
their sponsored cloud solution.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 50
Role Duties and Responsibilities
FedRAMP Operations x Communicate FedRAMP security requirements to
service providers or prospective providers.
x Review CSP security authorization packages
x Work with JAB Technical Representatives to clarify
questions and concerns regarding authorization
packages
x Maintain a repository of Authorizations in two
categories:
o Authorizations granted by the JAB.
o Authorizations granted by individual agencies.
x Perform continuous monitoring oversight of
FedRAMP authorized systems.
x Collect FISMA data from FedRAMP authorized
systems for quarterly and annually reporting of data to
OMB through GSA.
x Facilitate the leveraging of authorized systems for
other federal entities.
x Maintain knowledge of the FedRAMP capabilities
and process throughout industry and the federal
government.
JAB Technical
Representatives (including the
technical representative from
the sponsoring Agency)
x Provide subject matter expertise to implement the
direction of the JAB Authorizing Official.
x Support FedRAMP in defining and implementing the
joint authorization process.
x Recommend authorization decisions to the JAB
Authorizing Official.
x Escalate issues to the JAB Authorizing Official as
appropriate.
Sponsoring Agency x Cloud system selection and submission to FedRAMP
x Ensures a contractual agreement with a provider is in
place using FedRAMP requirements.
x Designate Federal personnel to facilitate the receipt
and delivery of deliverables between the cloud
computing provider (CSP) and FedRAMP.
x Assessment, Authorization and continuous monitoring
and FISMA reporting of controls that are Agency’s
(customer’s) responsibility.
Leveraging Agency x Review FedRAMP authorization packages.
x Determine if the stated risk determination and
acceptance is consistent with its agency’s needs.
x Authorize cloud system for their Agency use.
x Assessment, Authorization and continuous monitoring
and FISMA reporting of controls that are Agency’s
(customer’s) responsibility.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 51
Role Duties and Responsibilities
Cloud Service Provider (CSP) x The service provider is a government or commercial
entity that has a cloud offering/service (IaaS, PaaS or
SaaS) and requires FedRAMP authorization of their
offering/service for Government use.
x Work with the sponsoring Agency to submit their
offering for FedRAMP authorization.
x Hire independent third party assessor to perform initial
system assessment and on-going monitoring of
controls.
x Create and submit authorization packages.
x Provide Continuous Monitoring reports and updates to
FedRAMP.
Table 3: Stakeholder Roles and Responsibilities ͷ͵ʹ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 52
3.4. Assessment and Authorization Processes ͷ͵͵
3.4.1. High-Level Overview ͷ͵Ͷ
The following figure depicts the high-level process for getting on the FedRAMP authorization ͷ͵ͷ
request log. Once the Cloud Service Provider (CSP) system is officially on the FedRAMP ͷ͵͸
authorization log, FedRAMP begins processing the cloud system for JAB authorization. The ͷ͵͹
subsequent sections detail the steps involved in the FedRAMP Assessment and Authorization ͷ͵ͺ
process. ͷ͵ͻ
ͷͶͲ
Figure 4: FedRAMP authorization request process ͷͶͳ
AgencyXhasaneed
foranewcloudbased
ITsystem
AgencyXgetssecurity
requirementsforthe
newITsystemfrom
FedRAMP
AgencyXawards
contracttocloud
serviceprovider(CSP)
AgencyXsubmits
requesttoFedRAMP
officeforCSPTobe
FedRAMP authorized
tooperate
CSPisaddedtothe
FedRAMP
AuthorizationRequest
log
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 53
ͷͶʹ
Figure 5: FedRAMP authorization process ͷͶ͵
CSPandagency
sponsorbegin
authorizationprocess
withFedRAMP office
CSP,agencysponsor
andFedRAMP office
reviewsecurity
requirementsandany
alternative
implementations
FedRAMP office
coordinateswithCSP
forcreationofsystem
securityplan(SSP)
CSPhasindpendent
assessmentofsecurity
controlsanddevelops
appropriatereportsfor
submissiontoFedRAMP
office
FedRAMP office
reviewsand
assemblesthefinal
authorizationpackage
fortheJAB
JABreviewsfinal
certificationpackage
andauthorizesCSPto
operate
FedRAMP officeaddsCSP
toauthorizedsystem
inventorytobereviewed
andleveragedbyall
Federalagencies
FedRAMP provides
continuous
monitoringofCSP
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 54
3.4.2. Detailed Assessment & Authorization Process ͷͶͶ
3.4.2.1. Purpose ͷͶͷ
This section defines FedRAMP assessment and authorization process for Cloud Service ͷͶ͸
Providers (CSP). It also provides guidelines and procedures for applying the NIST 800-37 R1 ͷͶ͹
Risk Management Framework to include conducting the activities of security categorization, ͷͶͺ
security control selection and implementation, security control assessment, information system ͷͶͻ
authorization, and continuous monitoring. CCS Service Providers should use this process and ͷͷͲ
the noted references prior to initiating/performing the Security Authorization process. ͷͷͳ
3.4.2.2. Policy ͷͷʹ
Security Authorization Process: ͷͷ͵
a. The FedRAMP Authorizing Officials (AO) must authorize, in writing, all cloud computing ͷͷͶ
systems before they go into operational service for government interest. ͷͷͷ
b. A service provider’s cloud computing systems must be authorized/reauthorized at least every ͷͷ͸
three (3) years or whenever there is a significant change to the system’s security posture in ͷͷ͹
accordance with NIST SP 800-37 R1. ͷͷͺ
Authorization termination dates are influenced by FedRAMP policies that may establish ͷͷͻ
maximum authorization periods. For example, if the maximum authorization period for an ͷ͸Ͳ
information system is three years, then the service provider establishes a continuous monitoring ͷ͸ͳ
strategy for assessing a subset of the security controls employed within and inherited by the ͷ͸ʹ
system during the authorization period. This strategy allows all security controls designated in ͷ͸͵
the respective security plans to be assessed at least one time by the end of the three-year period. ͷ͸Ͷ
This also includes any common controls deployed external to service provider cloud computing ͷ͸ͷ
systems. If the security control assessments are conducted by qualified assessors with the ͷ͸͸
required degree of independence based on policies, appropriate security standards and ͷ͸͹
guidelines, and the needs of the FedRAMP authorizing officials, the assessment results can be ͷ͸ͺ
cumulatively applied to the reauthorization, thus supporting the concept of ongoing ͷ͸ͻ
authorization. FedRAMP policies regarding ongoing authorization and formal reauthorization, ͷ͹Ͳ
if/when required, are consistent with federal directives, regulations, and/or policies. ͷ͹ͳ
3.4.2.3. Required Artifacts ͷ͹ʹ
All Service Providers’ CCS must complete and deliver the following artifacts as part of the ͷ͹͵
authorization process. Templates for these artifacts can be found in FedRAMP templates as ͷ͹Ͷ
described in reference materials: ͷ͹ͷ
x Privacy Impact Assessment (PIA) ͷ͹͸
x FedRAMP Test Procedures and Results ͷ͹͹
x Security Assessment Report (SAR) ͷ͹ͺ
x System Security Plan (SSP) ͷ͹ͻ
x IT System Contingency Plan (CP) ͷͺͲ
x IT System Contingency Plan (CP) Test Results ͷͺͳ
x Plan of Action and Milestones (POA&M) ͷͺʹ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 55
x Continuous Monitoring Plan (CMP) ͷͺ͵
x FedRAMP Control Tailoring Workbook ͷͺͶ
x Control Implementation Summary Table ͷͺͷ
x Results of Penetration Testing ͷͺ͸
x Software Code Review ͷͺ͹
x Interconnection Agreements/Service Level Agreements/Memorandum of Agreements ͷͺͺ
3.4.2.4. Assessment and Authorization Process Workflow ͷͺͻ
FedRAMP Assessment and Authorization is an effort composed of many entities/stakeholders ͷͻͲ
working together in concert to enable government-wide risk management of cloud systems. The ͷͻͳ
following diagrams describe the steps and workflow of the FedRAMP Assessment and ͷͻʹ
Authorization process. ͷͻ͵
ͷͻͶ
Figure 6: FedRAMP Assessment and Authorization Process ͷͻͷ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 56
ͷͻ͸
Figure 7: FedRAMP Categorization of Cloud System and Select Security Controls ͷͻ͹
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 57
ͷͻͺ
Figure 8: FedRAMP Authorization Request ͷͻͻ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 58
͸ͲͲ
Figure 9: Implement Controls ͸Ͳͳ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 59
͸Ͳʹ
Figure 10: Assess Controls, Authorize Cloud System ͸Ͳ͵
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 60
͸ͲͶ
Figure 11: Continuous Monitoring ͸Ͳͷ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 61
The following section provides the list of NIST special publications, FIPS publications, OMB ͸Ͳ͸
Memorandums, FedRAMP templates and other guidelines and documents associated with the ͸Ͳ͹
seven steps of the FedRAMP process: ͸Ͳͺ
Step 1 - Categorize Cloud System: (FIPS 199 / NIST Special Publications 800-30, 800-39, ͸Ͳͻ
800-59, 800-60.) ͸ͳͲ
Step 2 – Select Security Controls: (FIPS Publications 199, 200; NIST Special Publications ͸ͳͳ
800-30, 800-53 R3, FedRAMP security control baseline) ͸ͳʹ
Step 3 – Authorization Request: (FedRAMP primary Authorization Request letter, FedRAMP ͸ͳ͵
secondary authorization request letter) ͸ͳͶ
Step 4 - Implement Controls: (FedRAMP control tailoring workbook; Center for Internet ͸ͳͷ
Security (CIS); United States Government Configuration Baseline (USGCB); FIPS ͸ͳ͸
Publication 200; NIST Special Publications 800-30, 800-53 R3, 800-53A R1) ͸ͳ͹
Step 5 – Assess Controls: (FedRAMP Test Procedures: Center for Internet Security (CIS); ͸ͳͺ
United States Government Configuration Baseline (USGCB); NIST Special ͸ͳͻ
Publication 800-53A R1) ͸ʹͲ
Step 6 – Authorize Cloud System: OMB Memorandum 02-01; NIST Special Publications 800- ͸ʹͳ
30, 800-53A R1) ͸ʹʹ
Step 7 – Continuous Monitoring: FedRAMP Test Procedures; NIST Special Publications ͸ʹ͵
800-30, 800-53A R1, 800-37 R1 ͸ʹͶ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 62
A description of the process steps is listed in Table 4: FedRAMP Process Steps. The table is organized by step process families ͸ʹͷ
relating to the aforementioned steps. The table provides the following information: ͸ʹ͸
x Process Step – The distinct step in the process and divided into sub-steps identified with a letter appendix such as “1a”. ͸ʹ͹
x Description – A high level description of the activities occurring with each step. ͸ʹͺ
x Deliverable – A list of the deliverables associated with the steps if the step has any applicable deliverables. Where no ͸ʹͻ
deliverable is expected, the table cell is blank. ͸͵Ͳ
x Primary Responsibility – The entity with the primary responsibility of executing/implementing the steps. ͸͵ͳ
x Notes/Instructions – Specific comments on how the entity with primary responsible implements each step. ͸͵ʹ
Process Step Description Deliverable
(if applicable)
Primary
responsibility
Notes/Instructions
1CategorizeCloudSystem
1a,1b,and1c CloudServiceProvider(CSP)makesa
businessdecisionofthesecurity
impactlevel(LoworModerate)they
wishtosupportorgetauthorizedfor
theirsystem/cloudoffering.
x Authorization
requestletter
documentingFIPS
199impactlevel
tobesupported
bythecloud
system.
CloudSystem
Ownerand
Customer
Agency
Inthisphase,thecustomerAgency
isrequiredtocategorizethe
information/datatobeputinthe
cloudanddetermineiftheimpact
levelofferedbytheCSPissufficient
andappropriatetohosttheirAgency
data.
2SelectSecurityControls
2aand2b x IftheCSPchoosestobe
authorizedatLowimpactlevel,
theyneedtocomplywiththe
FedRAMPLowimpactsecurity
controlbaseline(providedin
Chapter3)
x IftheCSPchoosestobe
authorizedatModerateimpact
level,theyneedtocomplywith
theFedRAMPModerateimpact
securitycontrolbaseline
(providedinChapter3)
CloudSystem
Owner
Inthisphase,theSponsoringAgency
mayaddanyagencyͲspecific
controlsovertheFedRAMPbaseline.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 63
Process Step Description Deliverable
(if applicable)
Primary
responsibility
Notes/Instructions
3AuthorizationRequest
3aand3b x SubmitaSecurityAuthorization
requestpackagetoFedRAMP.
Arequestpackagemustinclude
ALLofthefollowingdocuments:
a. Authorizationrequest
letterfromthe
requestingagency’sCIO.
x Oncealldocumentsarereceived,
the“securityauthorization
request”willbeofficially
acknowledgedanddocumented
inrequestlogandFedRAMPwill
beginprocessingthesystemfor
securityauthorization.
x FedRAMPprimary
andsecondary
Authorization
RequestLetter(if
applicable)
x CopyofSigned
Contract
Sponsoring
Agency
x VerifymultiͲagencyuseofthe
system
InordertoundergoFedRAMP
Authorization,asystemmust
qualifyassharedusebymeeting
oneofthefollowingcriteria:
a. SystemisanFCCIBPA
Awardee.
b. SystemisagovernmentͲ
offeredsystemintended
forusebymultiple
agencies.
c. Systemissponsoredby
morethanoneagency
4ImplementControls
4a Theserviceproviderbeginsthe
FedRAMPauthorizationprocessby
documentinggenericcontrols
implementationanddefiningthe
implementationsettingsfor
organizationdefinedparametersand
anycompensatingsecuritycontrols
asrequiredbyFedRAMPControl
TailoringWorkbook
x FedRAMPControl
Tailoring
Workbook
x Control
Implementation
Summarytable.
CloudService
Provider(CSP)
x Instruction:CompletecolumnG
oftheworkbookandsubmitto
FedRAMPfor
verification/approvalaspartof
theinitialSSPwithsections1Ͳ12
andselectcontrolsinsection13
completed.

Thisisrequiredbefore
assessmentactivitiescanbegin
toassureagreementof
organizationalsettingsbythe
JAB
x Allserviceprovidersmust
completetheControl
ImplementationSummaryTable
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 64
Process Step Description Deliverable
(if applicable)
Primary
responsibility
Notes/Instructions
(SampleprovidedinFedRAMP
Templates)Ͳwhichiscustomized
fortheserviceprovider’ssystem
anditsenvironment.The
completedtableidentifies
controlstypes(commonvs.
hybridcontrolsvs.appspecific
controls)withimplementation
status(FullyImplemented,
PartiallyImplemented,Not
Implemented,NotApplicable)
acrossallrequiredcontrols.The
serviceprovidercompletedtable
mustreflectcontrolsbasedon
NIST800Ͳ53R3andprovide
statusforbothcontrolsand
enhancements(asapplicableper
FIPS199impactandFedRAMP
requiredcontrols).Thecolumns
canandshouldbecustomizedto
theserviceproviders’
environmenttoaccountfor
controlsandminorapps(as
necessary).

4b FedRAMPreviewstheControl
TailoringWorkbookprovidedbythe
vendorforcompliancewith
FedRAMPsecurityrequirementsand
acceptableriskcriteria

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 65
Process Step Description Deliverable
(if applicable)
Primary
responsibility
Notes/Instructions
4c FedRAMPdeterminesiftheControl
TailoringWorkbookisreadyforJAB
review.Ifyes,thensee4dand4e,
otherwiseFedRAMPsendsthe
workbookbacktotheservice
providertofixit.

4dand4e JAB(consistingofDHS,DODandGSA)
andtheRequesting/Sponsoring
AgencyreceiveaCSP/FedRAMP
briefingonthegenericcontrol
implementation.JABandrequesting
AgencyreviewtheControlTailoring
Workbookforcomplianceand
alternate
implementations/compensating
controlstodetermineeffectiveness
andmakeariskͲbaseddecision.
x InstructionͲWhenthe
FedRAMPControlTailoring
WorkbookandControlSummary
havebeencompletedand
submittedtoFedRAMPfor
review,FedRAMPmayrequesta
meetingwiththeService
Provideratthisstagetoreview
thedocumentsorgivethegoͲ
aheadtoproceedwiththe
authorizationprocess.

4fand4g JABandtheRequesting/sponsoring
AgencyjointlyApprove/Rejectthe
ControlTailoringWorkbookandthe
decisiontoproceedfurther.

4h Ifapproved,FedRAMPnotifiesthe
serviceproviderofJABapprovaland
allowthevendortoproceedwiththe
developmentofSystemSecurityPlan
(SSP)andAssessmentplan

4i Ifrejected,thenFedRAMPnotifies
therequestingagency,whichthen
askstheserviceprovidertocomefor
FedRAMPAuthorizationwhenthey
meettheFedRAMPrequirements.

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 66
Process Step Description Deliverable
(if applicable)
Primary
responsibility
Notes/Instructions
4j IftheControlTailoringWorkbookis
approved,thenserviceprovider
proceedswiththedevelopmentof
SSP,Assessmentplanand
implementationofthecontrolsper
SSP.UponcompletionofSSPand
Assessmentplan,itissubmittedto
theFedRAMPforreview.
x SystemSecurity
Plan(SSP)
x AssessmentPlan
x TheFedRAMPsecurity
assessmenttestprocedures,as
locatedinreferencematerials,
mustbeusedasthebasisforall
securityassessmentand
continuousmonitoringactivities.
x InstructionͲTheFedRAMPmust
accepttheSystemSecurityPlan
andSecurityAssessmentPlan
beforeassessmentactivitiescan
begin.SystemSecurityPlanand
SecurityAssessmentPlanshould
besubmittedtotheFedRAMP
forreviewandapprovalatthis
time.

4k FedRAMPreviewstheSSPand
Assessmentplan.

4l Ifsatisfactory,thensee5aotherwise
theSSPand/orAssessmentplanare
sentbacktotheserviceproviderto
fixtheissuesidentified.

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 67
Process Step Description Deliverable
(if applicable)
Primary
responsibility
Notes/Instructions
5AssessControls
5a UponapprovalofSSPand
AssessmentplanfromFedRAMP,the
serviceprovidershouldengagethird
partyindependentassessortoassess
theeffectivenessofimplemented
controlsusingFedRAMP’s
AssessmentProcedures.The
independentassessordocumentsthe
resultsoftheassessmentinthe
SecurityAssessmentReport(SAR)
usingFedRAMP’stemplate.Any
outstandingissuesshouldbe
documentedinthePOA&M’s.Both
SARandPOA&Maresubmittedto
FedRAMPforreview.
x Security
Assessment
Report(SAR)
x POA&M
x UpdatedSSP
ServiceProviderOwnershould
updatethesystemsecurityplan
basedontheresultsoftherisk
assessmentandanymodificationsto
thesecuritycontrolsinthe
informationsystem.UpdatetheSSP
toreflecttheactualstateofthe
securitycontrolsimplementedinthe
systemfollowingcompletionof
securityassessmentactivities.

5b FedRAMPreviewsthetestresults
documentedintheSARandany
outstandingissuesinthePOA&Mto
determineifthedocumentedrisk
seemsacceptableforJAB.FedRAMP
repeatsthisprocesswiththeCSP
untilthedocumentsareacceptable.
Oncetheyareacceptable,then
FedRAMPprovidesthesedocuments
totheJABincludingtherequesting
Agencywithasummaryoftheresults
inthedocuments.

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 68
Process Step Description Deliverable
(if applicable)
Primary
responsibility
Notes/Instructions
5cand5d JABandtherequestingagency
reviewthetestresultsandPOA&M’s.
Ifthetestresultsdemonstratethat
thesecuritycontrolsareeffectively
implementedandiftheoutstanding
issuesinthePOA&Mareacceptable,
thentheJABnotifiesFedRAMPof
theirapprovalandtheprocessmoves
toStep6a.

5e However,JABmayhave
questions/concernsassociatedwith
thetestresultsoroutstandingissues.
FedRAMPcommunicatesthesewith
theCSPinthisstep.

6AuthorizeCloudSystem
6a FedRAMPassemblesthe
authorizationpackagebasedonthe
updateddeliverablesreceivedfrom
theCSPtothispointandmakesa
recommendationofacceptanceor
rejectionofthepackagetotheJAB
x CompleteCSP
authorization
package
FedRAMPand
CSP

6band6c JABincludingthe
requesting/sponsoringAgency
performsafinalreviewoftheCSP
authorizationpackage

6d Basedonthereviewinsteps6band
c,makeadeterminationonthe
acceptanceorrejectionofthe
residualrisk.

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 69
Process Step Description Deliverable
(if applicable)
Primary
responsibility
Notes/Instructions
6e Ifrejected,thenFedRAMPworks
withtheCSPtorefinethepackage
untiltheresidualriskinthecloud
systemisacceptabletotheJAB

6fand6g Ifaccepted,thentheJABincluding
therequesting/sponsoringAgency
issuestheAuthorityToOperatethe
cloudsystem

6h FedRAMPauthorizedsystemsare
addedtoarepositoryofauthorized
systemsthatcanbeleveragedby
otherFederalAgencies

6i Thecloudsystemisoperationalwith
Federaldataprocessedonthe
system

7ContinuousMonitoring MoredetailsabouttheFedRAMP
ContinuousMonitoringphasecanbe
foundinChapter2:Continuous
Monitoring.
Table 4: FedRAMP Process Steps ͸͵͵
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 70
3.4.2.5. Risk Acceptability Criteria ͸͵Ͷ
The following table lists the FedRAMP JAB acceptable risk criteria. In particular the table lists ͸͵ͷ
the “Not Acceptable” risk criteria and the ones requiring JAB prior approval. ͸͵͸
Not Acceptable Requires JAB Prior Approval
x Vulnerability Scanner output has HIGH
vulnerabilities not remediated.
x More than 5% of total security controls
are reflected within the POA&M.
x False Positive claims are not supported
by evidence files.
x FedRAMP audit shows configuration,
which differs from presented
documentation.
x OS out of lifecycle Support (Windows
XP and before).
x Hot fix patches not implemented,
without justification
x Does not support 2-factor
authentication from customer agency to
cloud for moderate impact system.
Does not support FIPS 140-2 from
customer agency to the cloud.
x Change in inter-connections.
x Change in ISA/MOU.
x Change in physical location.
x Change in Security Impact Level.
x Threat Changes.
x Privacy Act security posture change.
x OS Change (2K to 2K3, Windows to
Linux, etc).
x Change in SW (i.e. Oracle to SQL).
Table 5: FedRAMP Risk Acceptability Criteria ͸͵͹
3.5. Authorization Maintenance Process ͸͵ͺ
Once a system has received a FedRAMP authorization, several events take place. First, the ͸͵ͻ
system is added to the FedRAMP online repository of authorized systems. Next, FedRAMP will ͸ͶͲ
begin facilitating agency access to the approved authorization package to enable agency review ͸Ͷͳ
of the material. Lastly, FedRAMP will begin overseeing continuous monitoring of the system ͸Ͷʹ
and advise the JAB of any changes to risk posture. ͸Ͷ͵
FedRAMP will maintain an online repository of cloud system authorizations in two categories: ͸ͶͶ
x Authorizations granted by the JAB ͸Ͷͷ
x Authorizations granted by individual Agencies ͸Ͷ͸
This web based resource will be publicly accessible and will be the authoritative source of ͸Ͷ͹
FedRAMP system authorization status. The web based resource will maintain the following ͸Ͷͺ
information for each currently authorized system. ͸Ͷͻ
x System Name and scope of authorization (examples of scope include IaaS, PaaS or SaaS, ͸ͷͲ
entire or partial suite of products offered by CSP) ͸ͷͳ
x FIPS 199 impact level supported by the cloud system ͸ͷʹ
x Expiration date for Authorization ͸ͷ͵
x Version of FedRAMP requirements and templates used to authorize the system ͸ͷͶ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 71
x Points of Contact for the cloud system ͸ͷͷ
FedRAMP will also maintain a secure website (separate from the public website) accessible only ͸ͷ͸
to Federal officials to access CSP authorization packages and communicate cloud system ͸ͷ͹
specific updates on the risk posture. ͸ͷͺ
3.6. Authorization Leveraging Process ͸ͷͻ
The purpose of all of the FedRAMP authorizations is to facilitate the leveraging of these ͸͸Ͳ
authorizations for use by multiple federal agencies (“Approve once. Use often”). Leveraging ͸͸ͳ
such authorizations is employed when a federal agency chooses to accept all of the information ͸͸ʹ
in an existing authorization package via FedRAMP. ͸͸͵
A FedRAMP joint authorization is not a “Federal Authority to Operate” exempting Federal ͸͸Ͷ
Agencies, Bureaus, and Divisions from individually granting Authorities to Operate. A ͸͸ͷ
FedRAMP Authorization provides a baseline Authorization for Federal Agencies, Bureaus, and ͸͸͸
Divisions to review and potentially leverage. As is consistent with the traditional authorization ͸͸͹
process, an authorizing official in the leveraging organization is both responsible and ͸͸ͺ
accountable for accepting the security risks that may impact the leveraging organization’s ͸͸ͻ
operations and assets, individuals, other organizations, or the Nation. ͸͹Ͳ
The leveraging organization reviews the FedRAMP authorization package as the basis for ͸͹ͳ
determining risk to the leveraging organization. When reviewing the authorization package, the ͸͹ʹ
leveraging organization considers risk factors such as the time elapsed since the authorization ͸͹͵
results were produced, the results of continuous monitoring, the criticality/sensitivity of the ͸͹Ͷ
information to be processed, stored, or transmitted, as well as the overall risk tolerance of the ͸͹ͷ
leveraging organization. ͸͹͸
FedRAMP will provide leveraging agencies with access to the authorization packages to assist in ͸͹͹
their risk management decision. If the leveraging organization determines that there is ͸͹ͺ
insufficient information in the authorization package or inadequate security measures in place for ͸͹ͻ
establishing an acceptable level of risk, the leveraging organization needs to communicate that to ͸ͺͲ
FedRAMP. If additional information is needed or additional security measures are needed such ͸ͺͳ
as increasing specific security controls, conducting additional assessments, implementing other ͸ͺʹ
compensating controls, or establishing constraints on the use of the information system or ͸ͺ͵
services provided by the system these items will be facilitated by FedRAMP. The goal is to keep ͸ͺͶ
unique requirements to a minimum, but consider any other additional security controls for ͸ͺͷ
implementation and inclusion in the baseline FedRAMP security controls. ͸ͺ͸
The leveraged authorization approach provides opportunities for significant cost savings and ͸ͺ͹
avoids a potentially costly and time-consuming authorization process by the leveraging ͸ͺͺ
organization. Leveraging organizations generate an authorization decision document and ͸ͺͻ
reference, as appropriate, information in the authorization package from FedRAMP. ͸ͻͲ
All of the FedRAMP authorizations do not consider the actual information placed in the system. ͸ͻͳ
It is the leveraging agencies responsibility to do proper information categorization and ͸ͻʹ
determination if privacy information will be properly protected and if a complete Privacy Impact ͸ͻ͵
Assessment is in place. In almost all cases the FedRAMP authorization does not consider the ͸ͻͶ
actual provisioning of users and their proper security training. In all cases additional security ͸ͻͷ
measures will need to be documented. The leveraging organization documents those measures ͸ͻ͸
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 72
by creating an addendum to the original authorization package of FedRAMP or a limited version ͸ͻ͹
of a complete package that references the FedRAMP authorization. This addendum may ͸ͻͺ
include, as appropriate, updates to the security plan (for the controls that is customer Agency’s ͸ͻͻ
implementation responsibility), security assessment report, and/or leveraging organization’s plan ͹ͲͲ
of action and milestones. FedRAMP will report the base system for FISMA purposes and the ͹Ͳͳ
leveraging agency will need to report their authorization via their organizational FISMA process. ͹Ͳʹ
Consistent with the traditional authorization process, a single organizational official in a senior ͹Ͳ͵
leadership position in the leveraging organization is both responsible and accountable for ͹ͲͶ
accepting the information system-related security risks that may impact the leveraging ͹Ͳͷ
organization’s operations and assets, individuals, other organizations, or the Nation. ͹Ͳ͸
The leveraged authorization remains in effect as long as the leveraging organization accepts the ͹Ͳ͹
information system-related security risks and the authorization meets the requirements ͹Ͳͺ
established by federal and/or organizational policies. This requires the sharing of information ͹Ͳͻ
resulting from continuous monitoring activities conducted by FedRAMP and will be provided to ͹ͳͲ
agencies that notify FedRAMP that they are leveraging a particular package. The updates will ͹ͳͳ
include such items as updates to the security plan, security assessment report, plan of action and ͹ͳʹ
milestones, and security status reports. To enhance the security of all parties, the leveraging ͹ͳ͵
organization can also share with the owning organization, the results from any RMF-related ͹ͳͶ
activities it conducts to supplement the authorization results produced by the owning ͹ͳͷ
organization. ͹ͳ͸
3.7. Communications Process ͹ͳ͹
FedRAMP interacts with multiple stakeholders during the security lifecycle of a system. To ͹ͳͺ
streamline the workflow, a secure website is under development to facilitate updates on status, ͹ͳͻ
provide secure posting of artifacts and provide baseline information. However, in addition to ͹ʹͲ
this online web portal, proactive communication is required to ensure the success of each ͹ʹͳ
individual cloud system authorization. It is expected that the Cloud Service Providers, ͹ʹʹ
FedRAMP and Sponsoring and Leveraging Agencies will communicate regularly to ensure that ͹ʹ͵
information is disseminated effectively. ͹ʹͶ
The following communication templates will be employed: ͹ʹͷ
x Sponsorship Letter ͹ʹ͸
x Status Report ͹ʹ͹
x Confirmation Receipts (Complete Package, Incomplete Package) ͹ʹͺ
x Review Recommendation (Acceptable, Unacceptable) ͹ʹͻ
x Missing Artifact List ͹͵Ͳ
x Incident Report ͹͵ͳ
The communication plan in Table 6: Communications Plan identifies the touch points and how ͹͵ʹ
communication will be delivered between FedRAMP, Leveraging Agencies, Sponsoring ͹͵͵
Agencies, and the Cloud Service Providers. Additional emails, conference calls and in-person ͹͵Ͷ
meetings to facilitate the process as the team deems necessary may augment the communication ͹͵ͷ
plan. As changes are integrated into the requirement process, the communication plan may be ͹͵͸
updated to respond to required changes to the communication process. At a minimum, the ͹͵͹
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 73
communication plan will be reviewed annually. The table is organized by phases and depicts ͹͵ͺ
the communication flow in the following areas: ͹͵ͻ
x Trigger Event – Identifies the event that will start the require communication during the ͹ͶͲ
different operational processes of FedRAMP ͹Ͷͳ
x Deliverable –Artifact used to communicate the results/output of the trigger event to ͹Ͷʹ
FedRAMP stakeholders ͹Ͷ͵
x Initiator – The entity responsible for starting the communication process. ͹ͶͶ
x Target Audience – Receivers of the deliverable in the communication process. ͹Ͷͷ
x Delivery Method – How the artifacts will be communicated to the target audience. ͹Ͷ͸
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 74
# Trigger Event Deliverable Initiator Target Audience Delivery Method
Authorization Request, Assessment and Authorization Phases
1 Initiation of FedRAMP
A&A Process
Sponsorship Letter,
Contract
Sponsoring
Agency
FedRAMP Upload through FedRAMP
Website
2 Receipt of Sponsorship
Letter
Kickoff Meeting FedRAMP Sponsoring Agency,
Cloud Service
Provider
Scheduled with the participants
identified through the
sponsorship letter, this first
meeting will allow the
participants an opportunity to
understand the process and
establish milestone dates.
3 Weekly Status Report Status Report FedRAMP Sponsoring Agency,
Cloud Service
Provider
Uploaded to Secure Web Portal,
the status report is updated
weekly advising of current status
and future target dates.
4 Questions about
requirements
Email Inquiry Cloud Service
Provider
FedRAMP Cloud Service Provider may
email questions to FedRAMP.
5 Received Questions Email Clarification FedRAMP Cloud Service
Provider
FedRAMP will respond to email
questions within two business
days.
6 Package Submission Completed
Artifact(s)
Cloud Service
Provider
FedRAMP Securely uploaded through
FedRAMP Website.
7 Completed Package
Submission
Confirmation
Receipt – Completed
Package
FedRAMP Cloud Service
Provider
Emailed acknowledgement
receipt by FedRAMP Review
Team identifies the received
artifacts and target date for
completed review.
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 75
# Trigger Event Deliverable Initiator Target Audience Delivery Method
8 Incomplete Package
Submission
Confirmation
Receipt –
Incomplete Package
FedRAMP Cloud Service
Provider
Emailed acknowledgement
receipt by FedRAMP Review
Team identifies which artifacts
have been received and which are
still missing.
9 FedRAMP completes
artifact review,
recommends ATO
Review
Recommendation
FedRAMP JAB, Sponsoring
Agency, Cloud
Service Provider
Emailed recommendation
explains the Cloud Service
Provider’s compliance with the
required risk management
controls.
10 FedRAMP completes
artifact review,
recommends
improvements
Review
Recommendation
FedRAMP Cloud Service
Provider
Emailed Review
Recommendation includes
individual areas of focus required
by the Cloud Service Provider to
be compliant with FedRAMP
requirements.
11





Completed review,
improvements
recommended
Findings Review
Meeting
FedRAMP Sponsoring Agency,
Cloud Service
Provider
Scheduled by FedRAMP, this
meeting allows the Cloud Service
Provider and the Sponsoring
Agency an opportunity to discuss
and understand any deficiencies
identified by the FedRAMP
review team.




Authorization Maintenance Phase
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 76
# Trigger Event Deliverable Initiator Target Audience Delivery Method
12 FedRAMP authorizes
system
Joint Authorization
Letter
JAB,
FedRAMP
Cloud Service
Provider, Sponsoring
Agency, Leveraging
Agency
Post the following information on
a public FedRAMP website about
the authorized system:
System Name
FIPS 199 impact level the system is
authorized at
Version of FedRAMP security
controls and other templates used
Authorization Expiration Date
Privacy Questionnaire
Maintain the authorization
package including but not limited
to SSP, SAR, Contingency Plan,
Incident reporting plan,
POA&M’s on a secure website
accessible by Government
officials only

13 Granting authorization
package access to
leveraging Agencies
CSP Authorization
Package
FedRAMP Leveraging Agency Provide secure access (login) to
Government-only website for
accessing CSP authorization
package




Continuous Monitoring Phase
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 77
# Trigger Event Deliverable Initiator Target Audience Delivery Method
14 Creation of updated
artifacts (e.g. SSP,
POA&M’s)
Updated Artifacts Cloud Service
Provider
FedRAMP Uploaded to Secure Web Portal,
the Cloud Service Provider will
post all regular recurring artifacts
for FedRAMP team review.
15 Receipt of Updated
Artifacts
Confirmation
Receipt
FedRAMP Cloud Service
Provider
Email acknowledgement receipt
of uploaded artifacts.
16 Accepted Artifacts Review
Recommendation –
Acceptable
FedRAMP Leveraging Agencies,
Cloud Service
Provider
Update on secure website that
Cloud Service Providers updated
artifacts meet compliance
requirements.
17 Unacceptable Artifacts Review
Recommendation -
Unacceptable
FedRAMP Leveraging Agencies,
Cloud Service
Provider
Email Notification of what issues
the Cloud Service Provider is
required to remediate to remain
within compliance. Update on
Secure Web Site identifying
outstanding issues.
18 Updated Artifacts not
received with 1 week of
due date
Missing Artifact List FedRAMP Cloud Service
Provider
Email Notification to the Cloud
Service Provider that their
artifacts have not been received.
17 Updated Artifacts not
received with 2 weeks
of due date
Missing Artifact List FedRAMP Leveraging Agencies,
Cloud Service
Provider
Email Notification to the Cloud
Service Provider that their
artifacts have not been received
and their ATO is at risk.
18 Incident Incident
Reporting/Notificati
on
Cloud Service
Provider
Leveraging Agencies,
FedRAMP

Table 6: Communications Plan ͹Ͷ͹
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 78
3.8. Change Management Process ͹Ͷͺ
The technology changes within the dynamic and scalable cloud computing environment are ͹Ͷͻ
expected to be quite swift. As the cloud computing market matures, best practices associated ͹ͷͲ
with the implementation and testing of security controls will evolve. ͹ͷͳ
There are multiple industry groups, academic collaborations, engineering teams, policy firms and ͹ͷʹ
assorted cadre of experts striving to maximize the potential of cloud computing in a secure ͹ͷ͵
environment. It is therefore obvious that FedRAMP will maintain resources to keep abreast of ͹ͷͶ
the technological and security enhancements in near real time. As these cloud computing best ͹ͷͷ
practices evolve, FedRAMP security requirements, processes and templates will also under go an ͹ͷ͸
evolution. The following sections define the FedRAMP change management process. ͹ͷ͹
3.8.1. Factors for change ͹ͷͺ
The following internal and external factors will drive the change to FedRAMP security ͹ͷͻ
requirements, processes and templates. ͹͸Ͳ
x Update to NIST special publications and FIPS publications: FedRAMP templates and ͹͸ͳ
requirements are based on the NIST special publications and FIPS publications. If the ͹͸ʹ
NIST SP 800-53 r3 is updated with new security controls and enhancements for low and ͹͸͵
moderate impact level, FedRAMP security controls will need to be updated. Also, if ͹͸Ͷ
NIST publishes new guidance associated with cloud computing best practices, these will ͹͸ͷ
be considered for updates to FedRAMP security requirements and evaluation criteria/test ͹͸͸
procedures. ͹͸͹
x Requirements from other Federal security initiatives: Government-wide security ͹͸ͺ
initiatives and mandates such as Trusted Internet Connections (TIC) and Identity, ͹͸ͻ
Credential and Access Management (ICAM) will drive updates to FedRAMP ͹͹Ͳ
requirements for wider adoption of cloud computing systems and services across the ͹͹ͳ
Government. As the solutions for various cloud service models (IaaS, PaaS, SaaS), which ͹͹ʹ
is currently under active investigation, are adopted, they will be disseminated by ͹͹͵
FedRAMP. FedRAMP and the JAB will rely on both ISIMC and NIST to recommend ͹͹Ͷ
changes to security controls over time. While these bodies will not have the authority to ͹͹ͷ
implement the changes, their expertise and reputation lend themselves to providing ͹͹͸
invaluable assistance to FedRAMP. It should be noted that security requirements can ͹͹͹
only be approved for change by the JAB. ͹͹ͺ
x Agency-Specific requirements beyond the FedRAMP baseline: Federal Agencies ͹͹ͻ
leveraging FedRAMP authorizations for use within their own Agencies may add specific ͹ͺͲ
additional security controls, conduct additional assessments, or require implementation of ͹ͺͳ
other compensating controls. The leveraging agencies should notify FedRAMP of these ͹ͺʹ
additional requirements. FedRAMP JAB will meet regularly to discuss any required ͹ͺ͵
updates and possible inclusion of these additional security measures to FedRAMP ͹ͺͶ
security controls baseline and assessment procedures/evaluation criteria. If different ͹ͺͷ
leveraging Agencies have added different requirements and additional security measures ͹ͺ͸
for the same cloud system, FedRAMP will maintain a list of these additions and may ͹ͺ͹
consider updating either the FedRAMP baseline for all cloud systems or just that specific ͹ͺͺ
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 79
cloud system. In both cases, FedRAMP will assess these additional controls/measures ͹ͺͻ
during the continuous monitoring phase. ͹ͻͲ
x Industry best practices, development of standards or use of new tools/technology: ͹ͻͳ
FedRAMP requirements may be updated to adopt new standards as they are created for ͹ͻʹ
cloud computing interoperability, portability and security. As cloud computing market ͹ͻ͵
matures and as industry develops new tools and technologies for automated and near real ͹ͻͶ
time monitoring of controls and automated mechanisms for exposing audit data to ͹ͻͷ
comply with regulatory requirements become available, FedRAMP processes will also be ͹ͻ͸
updated accordingly. ͹ͻ͹
x Changes to cloud service provider offering: As new features and components are added ͹ͻͺ
to the cloud service provider offering, additional requirements and assessments might be ͹ͻͻ
necessary to ensure that robust security posture of the system is maintained. ͺͲͲ
3.8.2. Security Documents/Templates Change Control ͺͲͳ
All security document templates are to be considered “living documents”. Over time, as ͺͲʹ
requirements change, methodologies evolve, or new technologies and threats present themselves, ͺͲ͵
these documents will undergo some degree of modification. FedRAMP is solely responsible for ͺͲͶ
implementing these changes. It should be noted that FedRAMP security document templates are ͺͲͷ
designed to assist the user with proper documentation related to their authorization package. ͺͲ͸
These also serve to provide a more uniform content collection method that aids the CSP and ͺͲ͹
agencies with achieving authorization status for the cloud service offering. As changes are ͺͲͺ
made, updated templates will be posted to the FedRAMP website with instructions related to use. ͺͲͻ
3.8.3. Requirements for Cloud Service Provider Change Control ͺͳͲ
Process ͺͳͳ
Once a requirement is approved, CSP’s have 30 days to develop and submit an implementation ͺͳʹ
plan. CSP’s are responsible for implementing the plans. The implementation plan needs to ͺͳ͵
define the actions that the CSP must perform in order to comply with the new requirement. In ͺͳͶ
most cases the implementation of the new control will be implemented within the 30 day ͺͳͷ
window. However, there may be instances where the implementation of the controls will require ͺͳ͸
the CSP to add the control to the POAM sheet, with milestones, target date, and resource ͺͳ͹
allocations documenting the future implementation due to the nature of the control itself. ͺͳͺ
Furthermore, it is understood that, depending on the particular infrastructure related to the ͺͳͻ
security control, that it might be necessary for the CSP to implement a compensating control. ͺʹͲ
This control will accomplish the same goal as the new requirement. However, it accomplishes ͺʹͳ
the goal in a different manner. All compensating controls must receive authorization from the ͺʹʹ
JAB. When situations arise where the new requirement cannot be implemented on a system due ͺʹ͵
to the legacy nature of the infrastructure, or in cases where the control itself will have a severely ͺʹͶ
negative impact on the mission of the system, the CSP may request a waiver. Waivers, though ͺʹͷ
rare, must be presented to the JAB for approval. Once the control change is implemented, ͺʹ͸
FedRAMP is to be notified and the security control baseline will be adjusted and documented. ͺʹ͹
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 80
3.8.4. Sponsoring Agency CCP ͺʹͺ
Sponsoring federal agencies maintain their responsibility for establishing and maintaining their ͺʹͻ
own internal change control process. Responsibilities related to the cloud computing service ͺ͵Ͳ
offering should be limited to the interconnection between the agency and the CSP, and the input ͺ͵ͳ
to any change requests. ͺ͵ʹ
ͺ͵͵
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing
Chapter Three: Potential Assessment & Authorization Approach Page 81
Document Revision History ͺ͵Ͷ
ͺ͵ͷ
Date Description Version Author
11/02/2010
Proposed Security
Assessment &
Authorization for U.S.
Government Cloud
Computing 0.96
Federal Cloud
Computing Initiative



ͺ͵͸

Preface
Proposed Security Assessment and Authorization for U.S. Government Cloud Computing: Over the past 18 months, an inter-agency team comprised of the National Institute of Standards and Technology (NIST), General Services Administration (GSA), the CIO Council and working bodies such as the Information Security and Identity Management Committee (ISIMC), has worked on developing the Proposed Security Assessment and Authorization for U.S. Government Cloud Computing. This team evaluated security controls and multiple Assessment and Authorization models for U.S. Government Cloud Computing as outlined in this document. The attached document is a product of 18 months of collaboration with State and Local Governments, Private Sector, NGO’s and Academia. This marks an early step toward our goal of deploying secure cloud computing services to improve performance and lower the cost of government operations, but we need to improve this document through your input. Often stated, but still true, we recognize that we do not have a monopoly on the best ideas. We seek your input, knowledge, and experience to help us frame appropriate security controls and processes for the Federal Government’s journey to cloud computing. The attached document is a draft and is designed to encourage robust debate on the best path forward. Comments on the documents should be submitted online at www.FedRAMP.gov by December 2nd . We look forward to your active engagement and substantive comments. Vivek Kundra U.S. Chief Information Officer

To Submit Comments
Comments on the documents can be submitted using the FedRAMP online comment form available at www.FedRAMP.gov through 11:59 pm Eastern Time on December 2nd. Comments can be made either anonymously or by providing contact information, if attribution or follow up is requested. At the conclusion of the comment period, a joint tiger team of representatives from across government will review the comments for inclusion in the final documents. Press inquiries should be directed to Sara Merriam, GSA’s Press Secretary, at 202-5019139. The comment form asks for the following information:
Organization Type: Please indicate whether you are reporting your comment as a member of government, industry, or the community-at-large. Company or Agency Name: This optional field will allow you to provide attribution to the agency or company that you work for. Document Name: To comment on this document, please select the first item in the list, “FedRAMP: Security Controls, Guidelines & Process for US Government Cloud Computing”. If commenting on the reference documents, please indicate to which reference document your comment relates. Section Number: Please indicate to which section number or section name your comment relates. Examples from this text would be “2. FedRAMP Security Controls”, “FedRAMP Security Controls” or “2”. This is meant to assist the review team in locating the context for your comment. Page Number: Please indicate the page number on which your comment relates. Page numbers are found at the bottom of each page in each document. Line or Table Number: Through the documents, the text has a line number on the left hand side of the page. Please reference the line number in question; or in the case of tables, the table’s unique identifier in the left . Examples from this text would be “530” or “AC-1”. Comment Type: To facilitate review and action of the comments, please identify your comment into one of the following categories. o Editorial – The comment relates to the text’s wording or formatting but does not impact the underlying content of the text. o Policy – The comment relates to specific government policy or a requested change thereto. o Procedural – The comment relates to the proposed process by which FedRAMP will conduct operations. o Question – The comment is a question about either the intent or interpretation of the text. It is anticipated that an FAQ document will be drafted as a result of questions received. o Technical – The comment relates to either the technical implementation of a control, assessment procedure, template or process in one of the documents. o Other – If your comment doesn’t fit into one of the other categories, please use this categorization. Visibility – Either Public if the comment or its resulting answer should be posted to the general public or if a response should only be sent to the specific commentator. If private, please include contact information. Comment – Please enter your comment here. Proposed Resolution – If your comment relates to a change, please identify your suggested resolution within this field. Contact Information – If you would like a direct response to your comment, please include contact information in the form of your name and email address. Please note that all contact information will be kept confidential.

Document Organization & Reference Material This document describes the U. and roles and responsibilities for Federal agencies and Cloud Service Providers in accordance with the Risk Management Framework detailed in NIST Special Publication 800-37R1. leveraging. The three chapters are as follows: Chapter 1: Cloud Computing Security Requirement Baseline This chapter presents a list of baseline security controls for Low and Moderate impact Cloud systems. This reflects upon all aspects of an authorization (including sponsorship. Government Cloud Computing. risk assessment reports. Government’s proposed Assessment and Authorization (A&A) for U. Cloud Service Providers can use the templates to develop and submit artifacts for assessment & authorization.S. a joint authorization process. maintenance and continuous monitoring). The document is organized in to three Chapters. Security Documentation Templates The templates required for completing all the artifacts for assessment & authorization are available as reference material. reporting frequency and responsibility for cloud service provider compliance with FISMA. . Chapter 3: Potential Assessment & Authorization Approach This chapter describes the proposed operational approach for A&A’s for cloud computing systems. Reference Material In addition to the three chapters detailed above.S. the following artifacts are also available as reference material: Assessment Procedures The assessment procedures are intended to be used by independent 3rd party assessors in their review of cloud service provider systems and the corresponding development of the security assessment. each chapter details a necessary element in creating a framework from which a government-wide A&A could function. This section defines continuous monitoring deliverables. NIST Special Publication 800-53R3 provided the foundation for the development of these security controls. Chapter 2: Continuous Monitoring This chapter describes the process under which authorized cloud computing systems will be monitored.

Refrigerating and Air-conditioning Engineers Awareness and Training Authority to Operate Audit and Accountability Assessment and Authorization Configuration Change Control process Center for Internet Security Configuration Management Continuous Monitoring Plan Contingency Planning Cloud Service Provider Federal Cloud Computing Initiative Federal Desktop Core Configuration Federal Risk and Authorization Management Program Federal Information Processing Standard Federal Information Security Management Act Identification and Authentication Identity.Acronym Definitions Term A&A AC ASHRAE AT ATO AU CA CCP CIS CM CMP CP CSP FCCI FDCC FedRAMP FIPS FISMA IA ICAM IR ISIMC IV&V JAB MA MP NIST PE PIA PL Definition Assessment and Authorization Access Control American Society of Heating. Credential and Access Management Incident Response Information Security and Identity Management Committee Independent Validation & Verification Joint Authorization Board Maintenance Media Protection National Institute of Standards & Technology Physical and Environmental Protection Privacy Impact Assessment Planning .

Term POA&M POSV PS RA RMF SA SAR SC SCAP SDLC SI SSP TIC USGCB Definition Plan of Action & Milestones Proprietary Operating System Vendor Personnel Security Risk Assessment Risk Management Framework System and Services Acquisition Security Assessment Report System and Communications Protection Security Content Automation Protocol System Development Life Cycle System and Information Integrity System Security Plan Trusted Internet Connection United States Government Configuration Baseline .

Government Cloud Computing Table of Contents Draft Version 0.96 Table of Contents .S.Proposed Security Assessment & Authorization for U.

As depicted in Figure 1. privacy official and the program owner. This document describes a government-wide Federal Risk and Authorization Management Program (FedRAMP) to provide joint security assessment. Finally. A wide range of technologies fall under the title “cloud computing.e. In order to address these concerns. As such. multi-tenant infrastructures. Instead.Proposed Security Assessment & Authorization for U. However. with three service models. However. The decision to embrace cloud computing technology is a risk-based decision. this decision from a risk management perspective requires inputs from all stakeholders. including the CIO. agencies must then determine the appropriate manner for their security assessments and authorizations. but a collection of essential characteristics that are manifested through various types of technology deployment and service models. Once the business decision has been made to move towards a cloud computing environment. CIO) requested the Federal CIO Council launch a government-wide risk and authorization management program. not a technologybased decision. Software as a Service. the Federal Information Security Management Act (FISMA) and NIST special publications provide Federal Agencies with guidance and framework needed to securely use cloud systems. security authorizations have become increasingly time-consuming and costly both for the Federal Government and private industry. Additionally. A government-wide risk and authorization program for cloud computing would allow agencies to completely leverage the work of an already completed authorization or only require an agency to complete delta requirements (i. cloud computing also brings new risks and challenges to securely use cloud computing capabilities as good stewards of government data. represent a subset of the National Institute of Standards and Technology (NIST) definition of cloud computing. Not only do agencies have varying numbers of security requirements at or above the NIST baseline. many times additional requirements from multiple agencies are not compatible on the same system. Platform as a Service. unique requirements for that individual agency). Government Cloud Computing Executive Overview The ability to embrace cloud computing capabilities for federal departments and agencies brings advantages and opportunities for increased efficiencies. The guidelines embraced in this document.S. This shared infrastructure provides the same boundaries and security protocols for each customer. PaaS. authorizations and continuous monitoring of cloud computing services for all Federal Agencies to leverage. CISO. Cloud computing is not a single capability. a government-wide risk and authorization program would enable providers and the program office to complete the security assessment and authorization process once and share the results with customer agencies. CLOUD COMPUTING AND GOVERNMENT-WIDE RISK AND AUTHORIZATION Cloud Computing systems are hosted on large.S.” and the complexity of their various implementations may result in confusion among program managers. and Infrastructure as a Service (SaaS. cost savings. the U. government-wide risk and Page i . interpretation and application of FISMA requirements and NIST Standards vary greatly from agency to agency. Chief Information Officer (U.S. completing the security assessment and authorization process separately by each customer is redundant. In such an environment. and IaaS). Office of General Counsel (OGC). and green computing technologies.

Consolidated risk management. This will allow Federal Agencies to leverage this work at their agency but private industry will also finally have the full picture of what a security authorization will entail prior to being in a contractual relationship with an agency. Through this government-wide approach. By following the requirements and processes in this document. and Increased effectiveness and management cost savings. TRANSPARENT PATH FOR SECURE ADOPTION OF CLOUD COMPUTING The security guidance and FedRAMP assessment and authorization process aims to develop robust cloud security governance for the Federal Government. FedRAMP will provide a unified government-wide risk management process for cloud computing systems.Proposed Security Assessment & Authorization for U. FedRAMP will work in an open and transparent manner with Federal Agencies and private industry about the Assessment and Authorization process. In addition. STANDARDIZED ASSESSMENT & AUTHORIZATION: FedRAMP The Federal Risk and Authorization Management Program (FedRAMP) is designed to solve the security authorization problems highlighted by cloud computing. Government Cloud Computing authorization program will promote faster and costeffective acquisition of cloud computing systems by using an ‘authorize once. processes. private vendors as well. use many’ approach to leveraging security authorizations.S. Page ii . All of the security requirements. ISIMC has developed guidance for agency use on the secure use of cloud computing in Federal Security Guidelines for Cloud Computing. The collective work that follows represents collaboration amongst security experts and representatives throughout government including all of the CIO Council Agencies. such a program will promote the Administration’s goal of openness and transparency in government. FedRAMP will work in collaboration with the CIO Council and Information Security and Identity Management Committee (ISIMC) to constantly refine and keep this document up to date with cloud computing security best practices. Federal agencies will be able to take advantage of cloud based solutions to provide more efficient and secure IT solutions when delivering products and services to its customers. Consistent application of Federal security requirements. and templates will have to be made publicly available for consumption not only by Federal agencies but Figure 1: FedRAMP eliminates redundancy. FedRAMP will enable agencies to either use or leverage authorizations with an: Interagency vetted approach using common security requirements. Additionally. Separate from FedRAMP.

Government Cloud Computing Chapter One: Cloud Computing Security Requirements Baseline Page 1 .Proposed Security Assessment & Authorization for U.S.

Required parameter values for the variable parts of security controls and control enhancements (designated by assignment and selection statements) are also provided. The security controls contained in this publication work in concert with NIST Special Publication 800-53. Additional security controls and control enhancements that are not included in the low and moderate control baselines defined in NIST Special Publication 800-53 Revision 3 (Appendix D) are denoted in bold font. frequency and other considerations for how cloud service providers address specific controls and enhancements. and authorizing officials and information system owners have the authority and responsibility to develop security plans which define how the controls are implemented within their particular information systems and environments of operation. a blank will appear in that column. The table presents the following information: Control Number and Name – The control number and control name relate to the control as defined in NIST Special Publication 800-53. For example.nist. AC-2 : Control is included in the NIST Baseline AC-2 (1) : Control enhancement is included in the NIST Baseline AC-2 (7) : FedRAMP specific control enhancement. stored. Revision 3. All NIST security standards and guidelines used to define the requirements for the FedRAMP cloud computing initiative are publicly available at http://csrc. DHS & DOD for use within information systems providing cloud computing services to the Federal government. Revision 3.Proposed Security Assessment & Authorization for U.gov. These parameters identify the scope. and transmitted by cloud information systems as defined in Federal Information Processing Standard 199. This table is organized by the 17 control families identified in NIST Special Publication 800-53. Table 1 (begins on page 3) specifies control parameter definitions and additional requirements or guidance in addition to NIST Special Publication 80053. the enhancement is designated inside of parenthesis. two sets of security controls have been defined for low-impact and moderate-impact cloud information systems respectively. Government Cloud Computing 1. Control Parameter Requirements – Certain controls are defined with implementation parameters. Revision 3. If the control is not applicable. Revision 3 for a FedRAMP A&A package. Recommended Security Controls for Federal Information Systems and Organizations (as amended).S. Chapter One: Cloud Computing Security Requirements Baseline Page 2 . NIST Special Publication 800-53. Revision 3. These controls have been agreed to by a Joint Approval Board made up of users from GSA. Cloud Computing Security Requirements Baseline This chapter identifies (by security control number and name) the security controls from NIST Special Publication 800-53. In the case of FedRAMP. Control Baseline – The control is listed in either the Low or Moderate impact column where applicable to that baseline. Revision 3 details security controls that apply to all federal information systems. If a control enhancement is applicable. The FedRAMP defined security controls are presented in Table 1: FedRAMP Security Controls. Additional Requirements & Guidance – These entries represent additional required security controls for cloud computing applications and environments of operation selected from the security control catalog in NIST Special Publication 800-53 Revision 3 (Appendix F). The impact levels are based on the sensitivity and criticality of the federal information being processed.

accounts associated with devices). The time periods are approved and accepted by the JAB. column. Assigns user accounts and authenticators in accordance within service provider's role-based access control policies. and c. as appropriate. AC-3 Access Enforcement AC-3 AC-3 AC-3 (3) AC-3 (3) [Assignment: organization-defined nondiscretionary access control policies] Parameter: [role-based access control] [Assignment: organization-defined set of users and resources] Parameter: [all users and resources] AC-3 (3) Requirement: The service provider: a. AC-4 Information Flow Enforcement Not Selected AC-4 None.. Configures the information system to request user ID and authenticator prior to system access. Configures the databases containing federal information in accordance with service provider's security administration guide to provide role-based access controls enforcing assigned privileges and permissions at the file. [Assignment: organization-defined frequency] Parameter: [at least annually] AC-2 (2) [Assignment: organization-defined time period for each type of account (temporary and emergency)] Parameter: [no more than ninety days for temporary and emergency account types] AC-2 (3) [Assignment: organization-defined time period] Parameter: [ninety days for user accounts] See additional requirements and guidance. AC-1 Access Control Policy and Procedures AC-1 AC-1 Access Control (AC) None. Chapter One: Cloud Computing Security Requirements Baseline Page 3 . AC-1 [Assignment: organization-defined frequency] Parameter: [at least annually] AC-2j. AC-2 Account Management AC-2 AC-2 AC-2 (1) AC-2 (2) AC-2 (3) AC-2 (4) AC-2 (7) AC-2 (3) Requirement: The service provider defines the time period for non-user accounts (e.S. None. table.g.Proposed Security Assessment & Authorization for U. row. b. or cell level.1. Government Cloud Computing Control Baseline Control Number and Name Low Moderate Control Parameter Requirements Additional Requirements and Guidance 1.

Chapter One: Cloud Computing Security Requirements Baseline Page 4 . The list of functions is approved and accepted by the JAB.e. privileges). AC-6 (2) Guidance: Examples of security functions include but are not limited to: establishing system accounts. Government Cloud Computing Control Baseline Control Number and Name Low AC-5 Separation of Duties Not Selected Not Selected Control Parameter Requirements Moderate AC-5 None. system and security administration. AC-6 (2) [Assignment: organization-defined list of security functions or security-relevant information] Parameter: [all security functions] AC-6 (1) Requirement: The service provider defines the list of security functions.S. permissions. and setting intrusion detection parameters. None. and firmware and security-relevant information] Parameter: See additional requirements and guidance. configuring access authorizations (i. [Assignment: organization-defined number] Parameter: [not more than three] AC-7a.Proposed Security Assessment & Authorization for U. None. Additional Requirements and Guidance AC-6 Least Privilege AC-6 AC-6 (1) AC-6 (2) AC-6 (1) [Assignment: organization-defined list of security functions (deployed in hardware. [Assignment: organization-defined time period] Parameter: [fifteen minutes] AC-7b. AC-10 [Assignment: organization-defined number] Parameter: [one session] None. locks the account/node until released by an administrator. system programming.. software. delays next login prompt according to [Assignment: organization-defined delay algorithm]] Parameter: [locks the account/node for thirty minutes] AC-8 AC-10 System Use Notification Concurrent Session Control AC-8 Not Selected AC-8 AC-10 None. [Selection: locks the account/node for an [Assignment: organization-defined time period]. setting events to be audited. AC-7 Unsuccessful Login Attempts AC-7 AC-7 AC-7a. other privileged functions. None.

configuring access authorizations. and VPN. UUCP (UnixUnix Copy Protocol). X-Windows. performing system administration functions. Government Cloud Computing Control Baseline Control Number and Name Low AC-11 Session Lock Not Selected Control Parameter Requirements Moderate AC-11 AC-11 (1) AC-11a. Guidance: Exceptions to restricted networking protocols are granted for explicitly identified information system components in support of specific operational requirements. NETBIOS. NNTP (Network News Transfer Protocol). like NIS or NFS. SMTP (Simple Mail Transfer Protocol). IPX/SPX. The security attributes need to be approved and accepted by JAB. (trivial ftp). AC-16 Requirement: The service provider defines the security attributes. rsh. RIP (Routing Information Protocol). AC-16 Not Selected AC-16 AC-16 Assignment: organization-defined security attributes] Parameter: See additional requirements and guidance. Additional Requirements and Guidance AC-14 Permitted Actions Without Identification/ Authentication Security Attributes AC-14 AC-14 AC-14 (1) None. AC-17 (8) [Assignment: organization-defined networking protocols within the information system deemed to be non-secure] Parameter: [tftp. Peer-to-Peer] AC-17 (7) Requirement: The service provider defines the list of security functions and security relevant information. Sun Open Windows. real time] AC-17 (7) [Assignment: organization-defined list of security functions and security-relevant information] Parameter: See additional requirements and guidance. rlogin. AC-17 Remote Access AC-17 AC-17 AC-17 (1) AC-17 (2) AC-17 (3) AC-17 (4) AC-17 (5) AC-17 (7) AC-17 (8) AC-17 (5) [Assignment: organization-defined frequency] Parameter: [continuously. NTP (Network Time Protocol). SSH. TELNET. FTP. and auditing system events or accessing event logs. None.Proposed Security Assessment & Authorization for U. Security functions and the implementation of such functions are approved and accepted by the JAB. [Assignment: organization-defined time period] Parameter: [fifteen minutes] None. DNS (Domain Name Services). Bluetooth. Guidance: Security functions include but are not limited to: establishing system accounts.S. AC-17 (8) Requirement: Networking protocols implemented by the service provider are approved and accepted by JAB. RPC-services. rexec. Chapter One: Cloud Computing Security Requirements Baseline Page 5 .

AC-21b. AC-21a. AC-19g. None. AC-22 Publicly Accessible Content AC-22 AC-22 AC-22d.S. The measures are approved and accepted by JAB. [Assignment: organization-defined inspection and preventative measures] Parameter: See additional requirements and guidance. Requirement: The service provider defines the mechanisms or manual processes for the information sharing circumstances defined by the service consumer. None.2.Proposed Security Assessment & Authorization for U. None. Requirement: The service consumer defines information sharing circumstances where user discretion is required. Requirement: The service provider defines inspection and preventative measures. AC-21b. [Assignment: organization-defined frequency] Parameter: [at least quarterly] 1. AT-2 AT-2 AT-2 None. Additional Requirements and Guidance AC-19 Access Control for Mobile Devices AC-19 AC-19g. Chapter One: Cloud Computing Security Requirements Baseline Page 6 . Government Cloud Computing Control Baseline Control Number and Name Low AC-18 Wireless Access AC-18 Control Parameter Requirements Moderate AC-18 AC-18 (1) AC-18 (2) AC-18 (3) AC-18 (4) AC-18 (5) AC-19 AC-19 (1) AC-19 (2) AC-19 (3) AC-20 AC-20 (1) AC-20 (2) AC-21 AC-18 (2) [Assignment: organization-defined frequency] Parameter: [at least quarterly] None. [Assignment: list of organization-defined information sharing circumstances and automated mechanisms or manual processes required] Parameter: See additional requirements and guidance. AT-1 Security Awareness and Training Policy and Procedures Security Awareness AT-1 AT-1 Awareness and Training (AT) AT-1 [Assignment: organization-defined frequency] Parameter: [at least annually] AT-2 [Assignment: organization-defined frequency] Parameter: [at least annually] None. [Assignment: organization-defined information sharing circumstances where user discretion is required] Parameter: See additional requirements and guidance. AC-20 Use of External Information Systems AC-20 AC-21 User-Based Collaboration and Information Sharing Not Selected AC-21a.

AU-1 Audit and Accountability Policy and Procedures AU-1 AU-1 Audit and Accountability (AU) AU-1 [Assignment: organization-defined frequency] Parameter: [at least annually] None.Proposed Security Assessment & Authorization for U. 1. Government Cloud Computing Control Baseline Control Number and Name Low AT-3 Security Training AT-3 Control Parameter Requirements Moderate AT-3 AT-3 [Assignment: organization-defined frequency] Parameter: [at least every three years] AT-4b.S. AT-5 Contacts With Security Groups and Associations Not Selected AT-5 None. [Assignment: organization-defined frequency] Parameter: [At least three years] None None.3. Chapter One: Cloud Computing Security Requirements Baseline Page 7 . Additional Requirements and Guidance AT-4 Security Training Records AT-4 AT-4 None.

For Web applications: all administrator activity. AU-2d. AU-4 AU-5 Audit Storage Capacity Response to Audit Processing Failures AU-4 AU-5 AU-4 AU-5 Chapter One: Cloud Computing Security Requirements Baseline Page 8 . data changes. [Assignment: organization-defined list of auditable events] Parameter: [Successful and unsuccessful account logon events. The audit record types are approved and accepted by the JAB. AU-3 Content of Audit Records AU-3 AU-3 AU-3 (1) AU-3 (1) [Assignment: organization-defined additional. and applications to record security-related events. authentication checks. None. The events to be audited are approved and accepted by JAB. Parameter: [continually] AU-2 (3) [Assignment: organization-defined frequency] Parameter: [annually or whenever there is a change in the threat environment] Additional Requirements and Guidance AU-2d. Government Cloud Computing Control Baseline Control Number and Name Low AU-2 Auditable Events AU-2 Control Parameter Requirements Moderate AU-2 AU-2 (3) AU-2 (4) AU-2a. object access. and system events. the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry. moderate-impact: shut down] AU-3 (1) Requirement: The service provider defines audit record types. transaction. account management events. AU-2 Requirement: The service provider configures the auditing features of operating systems. Requirement: The service provider defines the subset of auditable events from AU-2a to be audited. to include logon/logoff and all failed access attempts. AU-2 (3) Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB. for client-server transactions. process tracking. [Assignment: organization-defined frequency of (or situation requiring) auditing for each identified event]. more detailed information] Parameter: [session. data deletions. databases. additional informational messages to diagnose or identify the event. data access.Proposed Security Assessment & Authorization for U. None. or activity duration. characteristics that describe or identify the object or resource being acted upon] None. the number of bytes received and bytes sent. privilege functions. Guidance: For client-server transactions. and permission changes] AU-2d. connection.S. [Assignment: organization-defined subset of the auditable events defined in AU-2 a. policy change. to be audited] Parameter: See additional requirements and guidance. authorization checks. AU-5b [Assignment: Organization-defined actions to be taken] Parameter: [low-impact: overwrite oldest audit records.

None. The secondary server is selected from a different geographic region than the primary server. NSA-approved] Parameter: See additional requirements and guidance. AU-10 Non-Repudiation Not Selected AU-10 AU-10 (5) AU-10 (5) Requirement: The service provider implements FIPS-140-2 validated cryptography (e. Guidance: Synchronization of system clocks improves the accuracy of log analysis. and Reporting AU-6 Control Parameter Requirements Moderate AU-6 AU-6 (1) AU-6 (3) AU-7 AU-7 (1) AU-8 AU-8 (1) AU-6a. AU-8 (1) Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service.cgi].. Analysis. DOD PKI Class 3 or 4 tokens) for service offerings that include Software-as-a-Service (SaaS) with email. Additional Requirements and Guidance AU-7 Audit Reduction and Report Generation Time Stamps Not Selected AU-8 None. AU-11 Audit Record Retention AU-11 AU-11 AU-11 [Assignment: organization-defined time period consistent with records retention policy] Parameter: [at least ninety days] Chapter One: Cloud Computing Security Requirements Baseline Page 9 . AU-9 Protection of Audit Information AU-9 AU-9 AU-9 (2) AU-9 (2) [Assignment: organization-defined frequency] Parameter: [at least weekly] AU-10 (5) [Selection: FIPS-validated.gov/tf-cgi/servers. None. Government Cloud Computing Control Baseline Control Number and Name Low AU-6 Audit Review. AU-11 Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements. AU-8 AU-8 (1) [Assignment: organization-defined frequency] Parameter: [at least hourly] AU-8 (1) [Assignment: organization-defined authoritative time source] Parameter: [http://tf.g. [Assignment: organization-defined frequency] Parameter: [at least weekly] None. Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.Proposed Security Assessment & Authorization for U.S.nist.

The types of changes are approved and accepted by the JAB. None. CA-1 Security Assessment and Authorization Policies and Procedures Security Assessments CA-1 CA-1 Assessment and Authorization (CA) CA-1 [Assignment: organization-defined frequency] Parameter: [at least annually] CA-2b. Additional Requirements and Guidance 1. [Assignment: organization-defined information system components] Parameter: [all information system components where audit capability is deployed] None. CA-3 Information System Connections Plan of Action and Milestones CA-3 CA-3 None. Government Cloud Computing Control Baseline Control Number and Name Low AU-12 Audit Generation AU-12 Control Parameter Requirements Moderate AU-12 AU-12a. [Assignment: organization-defined frequency] Parameter: [at least every three years or when a significant change occurs] None. [Assignment: organization-defined frequency] Parameter: [at least quarterly] CA-6c.4. The service provider describes the types of changes to the information system or the environment of operations that would require a reauthorization of the information system. CA-5 CA-5 CA-5 CA-5b. CA-6 Security Authorization CA-6 CA-6 CA-6c.Proposed Security Assessment & Authorization for U.S. Chapter One: Cloud Computing Security Requirements Baseline Page 10 . Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1. [Assignment: organization-defined frequency] Parameter: [at least annually] None. Appendix F. CA-2 CA-2 CA-2 (1) CA-2 CA-2 (1) None.

CM-1 Configuration Management Policy and Procedures CM-1 CM-1 Configuration Management (CM) CM-1 [Assignment: organization-defined frequency] Parameter: [at least annually] CM-2 (1) (a) [Assignment: organization-defined frequency] Parameter: [annually] CM-2 (1) (b) [Assignment: organization-defined circumstances] Parameter: [a significant change] CM-2 (5) (a) [Assignment: organization-defined list of software programs authorized to execute on the information system] Parameter: See additional requirements and guidance.5. Chapter One: Cloud Computing Security Requirements Baseline Page 11 . CM-2 (5) (a) Requirement: The service provider defines and maintains a list of software programs authorized to execute on the information system. The types of changes are approved and accepted by the JAB. Additional Requirements and Guidance 1. malicious user testing. red team exercises] Parameter: [penetration testing] [Assignment: organization-defined other forms of security assessment] Parameter: [in-depth monitoring] None. None. penetration testing. Government Cloud Computing Control Baseline Control Number and Name Low CA-7 Continuous Monitoring CA-7 CA-7 (2) Control Parameter Requirements Moderate CA-7 CA-7 (2) CA-7d. CM-2 Baseline Configuration CM-2 CM-2 CM-2 (1) CM-2 (3) CM-2 (5) CM-2 (1) (b) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1. [Assignment: organization-defined frequency] Parameter: [monthly] CA-7 (2) [Assignment: organization-defined frequency] Parameter: [annually] [Selection: announced.Proposed Security Assessment & Authorization for U. The list of authorized programs is approved and accepted by the JAB. Appendix F. unannounced] Parameter: [unannounced] [Selection: in-depth monitoring. The service provider describes the types of changes to the information system or the environment of operations that would require a review and update of the baseline configuration.S.

Requirement: The service provider uses the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. Chapter One: Cloud Computing Security Requirements Baseline Page 12 . CM-6a. CM-5 (5) (b) [Assignment: organization-defined frequency] Parameter: [at least quarterly] CM-6a.S.gov/usgcb_faq. None. Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.nist. CM-4 CM-5 Security Impact Analysis Access Restrictions for Change CM-4 Not Selected CM-4 CM-5 CM-5 (1) CM-5 (5) CM-6 CM-6 (1) CM-6 (3) None. Additional Requirements and Guidance CM-3f. Government Cloud Computing Control Baseline Control Number and Name Low CM-3 Configuration Change Control CM-3 Control Parameter Requirements Moderate CM-3 CM-3 (2) CM-3f. Guidance: Information on the USGCB checklists can be found at: http://usgcb.Proposed Security Assessment & Authorization for U. Configuration settings are approved and accepted by the JAB. [Selection (one or more): [Assignment: organizationdefined frequency]. web status page). [Assignment: organization-defined security configuration checklists] Parameter: [United States Government Configuration Baseline (USGCB)] CM-6 Configuration Settings CM-6 CM-6a. electronic bulletin board. None.html#usgcbfaq_usg cbfdcc. The means of communication are approved and accepted by the JAB. The change control element and frequency/conditions of use are approved and accepted by the JAB. CM-6a Requirement: The service provider ensures that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available. Requirement: The service provider defines the configuration change control element and the frequency or conditions under which it is convened. [Assignment: organization-defined configuration change conditions]] Parameter: See additional requirements and guidance. [Assignment: organization-defined configuration change control element] Parameter: See additional requirements and guidance.g..

protocols. Chapter One: Cloud Computing Security Requirements Baseline Page 13 .nist. 1. None. using automated mechanisms with a maximum five-minute delay in detection. CM-8 (3) (a) [Assignment: organization-defined frequency] Parameter: [Continuously. The list of prohibited or restricted functions. protocols. [Assignment: organization-defined information deemed necessary to achieve effective property accountability] Parameter: See additional requirements and guidance. serial number.6. the machine name and network address. and/or services or establishes its own list of prohibited or restricted functions. and/or services if USGCB is not available.S. ports. physical location). information system/component owner. Government Cloud Computing Control Baseline Control Number and Name Low CM-7 Least Functionality CM-7 Control Parameter Requirements Moderate CM-7 CM-7 (1) CM-7 [Assignment: organization-defined list of prohibited or restricted functions. CM-9 Configuration Management Plan CM-9 None. CP-1 Contingency Planning Policy and Procedures CP-1 CP-1 Contingency Planning (CP) CP-1 [Assignment: organization-defined frequency] Parameter: [at least annually] None. type.gov/usgcb_faq. Requirement: The service provider defines information deemed necessary to achieve effective property accountability. ports. protocols. model. Guidance: Information deemed necessary to achieve effective property accountability may include hardware inventory specifications (manufacturer. software license information. CM-7 Guidance: Information on the USGCB checklists can be found at: http://usgcb. protocols. and/or services is approved and accepted by the JAB.html#usgcbfaq_usg cbfdcc.] CM-8d. ports. Property accountability information is approved and accepted by the JAB.Proposed Security Assessment & Authorization for U. and/or services] Parameter: [United States Government Configuration Baseline (USGCB)] CM-7 (1) [Assignment: organization-defined frequency] Parameter: [at least quarterly] Additional Requirements and Guidance CM-7 Requirement: The service provider uses the Center for Internet Security guidelines (Level 1) to establish list of prohibited or restricted functions. CM-8 Information System Component Inventory CM-8 CM-8 CM-8 (1) CM-8 (3) CM-8 (5) CM-8d. and for a networked component/device. ports.

Additional Requirements and Guidance CP-2b. Test plans are approved and accepted by the JAB. CP-7a. Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis. Requirement: The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. The contingency list includes designated FedRAMP personnel. [Assignment: organization-defined time period consistent with recovery time objectives] Parameter: See additional requirements and guidance. [Assignment: organization-defined frequency] Parameter: [at least annually] CP-2f.S. CP-2d. CP-3 Contingency Training CP-3 CP-3 CP-3 [Assignment: organization-defined frequency] Parameter: [at least annually] CP-4a. CP-4 Contingency Plan Testing and Exercises CP-4 CP-4 CP-4 (1) CP-4a. Requirement: The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. CP-6 Alternate Storage Site Not Selected CP-6 CP-6 (1) CP-6 (3) CP-7 CP-7 (1) CP-7 (2) CP-7 (3) CP-7 (5) None. CP-7 Alternate Processing Site Not Selected CP-7a. The contingency list includes designated FedRAMP personnel. None. classroom exercises/table top written tests for low impact systems] None. [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance. [Assignment: organization-defined frequency] Parameter: [at least annually for moderate impact systems. at least every three years for low impact systems] [Assignment: organization-defined tests and/or exercises] Parameter: [functional exercises for moderate impact systems. [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance. CP-2f. The time period is approved and accepted by the JAB. Chapter One: Cloud Computing Security Requirements Baseline Page 14 .Proposed Security Assessment & Authorization for U. Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended) and provides plans to FedRAMP prior to initiating testing. Government Cloud Computing Control Baseline Control Number and Name Low CP-2 Contingency Plan CP-2 Control Parameter Requirements Moderate CP-2 CP-2 (1) CP-2 (2) CP-2b.

S. Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative. 1. CP-9b. CP-9 Information System Backup CP-9 CP-9 CP-9 (1) CP-9 (3) CP-9a. The backup storage capability is approved and accepted by the JAB.Proposed Security Assessment & Authorization for U. CP-9a. Additional Requirements and Guidance CP-8 Requirement: The service provider defines a time period consistent with the business impact analysis.7. The time period is approved and accepted by the JAB. Government Cloud Computing Control Baseline Control Number and Name Low CP-8 Telecommunications Services Not Selected Control Parameter Requirements Moderate CP-8 CP-8 (1) CP-8 (2) CP-8 [Assignment: organization-defined time period] Parameter: See additional requirements and guidance. CP-10 (3) Requirement: The service provider defines circumstances that can inhibit recovery and reconstitution to a known state in accordance with the contingency plan for the information system and business impact analysis. The backup storage capability is approved and accepted by the JAB. Chapter One: Cloud Computing Security Requirements Baseline Page 15 . Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the JAB. [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives] Parameter: [daily incremental. Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative. weekly full] CP-9b. IA-1 Identification and Authentication Policy and Procedures IA-1 IA-1 Identification and Authentication (IA) IA-1 [Assignment: organization-defined frequency] Parameter: [at least annually] None. weekly full] CP-9c. [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives] Parameter: [daily incremental. [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives] Parameter: [daily incremental. CP-9c. weekly full] CP-9 (1) [Assignment: organization-defined frequency] Parameter: [at least annually] CP-10 Information System Recovery and Reconstitution CP-10 CP-10 CP-10 (2) CP-10 (3) CP-10 (3) [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known state] Parameter: See additional requirements and guidance.

Additional Requirements and Guidance IA-2 (8) Requirement: The service provider defines replayresistant authentication mechanisms. Requirement: The service provider defines time period of inactivity for device identifiers.Proposed Security Assessment & Authorization for U. IA-4 (4) [Assignment: organization-defined characteristic identifying user status] Parameter: [contractors. The mechanisms are approved and accepted by the JAB. Government Cloud Computing Control Baseline Control Number and Name Low IA-2 Identification and Authentication (Organizational Users) IA-2 IA-2 (1) Control Parameter Requirements Moderate IA-2 IA-2 (1) IA-2 (2) IA-2 (3) IA-2 (8) IA-3 IA-2 (8) [Assignment: organization-defined replay-resistant authentication mechanisms] Parameter: See additional requirements and guidance.S. IA-3 Device Identification and Authentication Not Selected IA-3 [Assignment: organization-defined list of specific and/or types of devices] Parameter: See additional requirements and guidance. foreign nationals] Chapter One: Cloud Computing Security Requirements Baseline Page 16 . The list of devices and/or device types is approved and accepted by the JAB. The time period is approved and accepted by JAB. [Assignment: organization-defined time period of inactivity] Parameter: [ninety days for user identifiers] Parameter: See additional requirements and guidance. IA-4e. [Assignment: organization-defined time period] Parameter: [at least two years] IA-4e. IA-3 Requirement: The service provider defines a list a specific devices and/or types of devices. IA-4 Identifier Management IA-4 IA-4 IA-4 (4) IA-4d.

lower-case letters. [Assignment: organization-defined time period by authenticator type] Parameter: [sixty days] IA-5 (1) (a) [Assignment: organization-defined requirements for case sensitivity. IA-8 IA-8 IA-8 None. mix of upper-case letters. None. numbers. Chapter One: Cloud Computing Security Requirements Baseline Page 17 . minimum of twelve characters. None. IA-6 IA-7 Authenticator Feedback Cryptographic Module Authentication Identification and Authentication (NonOrganizational Users) IA-6 IA-7 IA-6 IA-7 None.S. Government Cloud Computing Control Baseline Control Number and Name Low IA-5 Authenticator Management IA-5 IA-5 (1) Control Parameter Requirements Moderate IA-5 IA-5 (1) IA-5 (2) IA-5 (3) IA-5 (6) IA-5 (7) IA-5g.Proposed Security Assessment & Authorization for U. and special characters. None. numbers. None. sixty day maximum] IA-5 (1) (e) [Assignment: organization-defined number] Parameter: [twenty four] IA-5 (3) [Assignment: organization-defined types of and/or specific authenticators] Parameter: [HSPD12 smart cards] Additional Requirements and Guidance IA-5 (1) (a) Guidance: Mobile devices are excluded from the password complexity requirement. lower-case letters. and special characters] IA-5 (1) (b) [Assignment: organization-defined number of changed characters] Parameter: [at least one or as determined by the information system (where possible)] IA-5 (1) (d) [Assignment: organization-defined numbers for lifetime minimum. including minimum requirements for each type] Parameter: [case sensitive. and at least one each of upper-case letters. lifetime maximum] Parameter: [one day minimum. number of characters.

IR-1 Incident Response Policy and Procedures IR-1 IR-1 Incident Response (IR) None. IR-4 Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed. None. IR-1 [Assignment: organization-defined frequency] Parameter: [at least annually] IR-2b. Test plans are approved and accepted by the JAB prior to test commencing. Chapter One: Cloud Computing Security Requirements Baseline Page 18 . IR-3 Incident Response Testing and Exercises Not Selected IR-3 IR-3 Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Government Cloud Computing Control Baseline Control Number and Name Low Moderate Control Parameter Requirements Additional Requirements and Guidance 1.S. stored. and transmitted by the information system.8. IR-2 Incident Response Training IR-2 IR-2 None. [Assignment: organization-defined frequency] Parameter: [at least annually] IR-3 [Assignment: organization-defined frequency] Parameter: [annually] [Assignment: organization-defined tests and/or exercises] Parameter: See additional requirements and guidance. [Assignment: organization-defined time period] Parameter: [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)] None. IR-6a.Proposed Security Assessment & Authorization for U. IR-4 Incident Handling IR-4 IR-4 IR-4 (1) None. IR-3 Requirement: The service provider provides test plans to FedRAMP annually. IR-5 IR-6 Incident Monitoring Incident Reporting IR-5 IR-6 IR-5 IR-6 IR-6 (1) None.

IR-8e. None. None.S. Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. MA-5 Maintenance Personnel MA-5 None. MA-4 Non-Local Maintenance MA-4 None.Proposed Security Assessment & Authorization for U.9. MA-1 System Maintenance Policy and Procedures MA-1 MA-1 Maintenance (MA) None. Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. None. 1. IR-8c. The incident response list includes designated FedRAMP personnel. [Assignment: organization-defined frequency] Parameter: [at least annually] IR-8e. [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance. None. MA-1 [Assignment: organization-defined frequency] Parameter: [at least annually] None. [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements] Parameter: See additional requirements and guidance. Additional Requirements and Guidance IR-8 Incident Response Plan IR-8 IR-8b. Government Cloud Computing Control Baseline Control Number and Name Low IR-7 Incident Response Assistance IR-7 Control Parameter Requirements Moderate IR-7 IR-7 (1) IR-7 (2) IR-8 None. MA-3 Maintenance Tools Not Selected None. MA-2 Controlled Maintenance MA-2 MA-2 MA-2 (1) MA-3 MA-3 (1) MA-3 (2) MA-3 (3) MA-4 MA-4 (1) MA-4 (2) MA-5 None. IR-8b. Chapter One: Cloud Computing Security Requirements Baseline Page 19 . The incident response list includes designated FedRAMP personnel.

1. The list of components is approved and accepted by the JAB. [Assignment: organization-defined security measures] Parameter: See additional requirements and guidance. [Assignment: organization-defined list of removable media types] Parameter: [no removable media types] [Assignment: organization-defined controlled areas] Parameter: [not applicable] Chapter One: Cloud Computing Security Requirements Baseline Page 20 . None.10. Requirement: The service provider defines a list of individuals with authorized access to defined media types. Media Protection (MP) MP-1 Media Protection Policy and Procedures MP-1 MP-1 MP-1 [Assignment: organization-defined frequency] Parameter: [at least annually] MP-2 [Assignment: organization-defined types of digital and non-digital media] Parameter: See additional requirements and guidance. [Assignment: organization-defined list of authorized individuals] Parameter: See additional requirements and guidance. Government Cloud Computing Control Baseline Control Number and Name Low MA-6 Timely Maintenance Not Selected Control Parameter Requirements Moderate MA-6 MA-6 [Assignment: organization-defined list of security-critical information system components and/or key information technology components] Parameter: See additional requirements and guidance. MP-3 Media Marking Not Selected MP-3 MP-3b.S. The time period is approved and accepted by the JAB. Requirement: The service provider defines a time period to obtain maintenance and spare parts in accordance with the contingency plan for the information system and business impact analysis. [Assignment: organization-defined time period] Parameter: See additional requirements and guidance. Additional Requirements and Guidance MA-6 Requirement: The service provider defines a list of security-critical information system components and/or key information technology components. None.Proposed Security Assessment & Authorization for U. The list of authorized individuals is approved and accepted by the JAB. MP-2 Media Access MP-2 MP-2 MP-2 (1) MP-2 Requirement: The service provider defines types of digital and non-digital media. Requirement: The service provider defines the types of security measures to be used in protecting defined media types. The media types are approved and accepted by the JAB. The security measures are approved and accepted by the JAB.

[Assignment: organization-defined types of digital and non-digital media] Parameter: [magnetic tapes. external/removable hard drives. [Assignment: organization-defined security measures] Parameter: [for digital media. Government Cloud Computing Control Baseline Control Number and Name Low MP-4 Media Storage Not Selected Control Parameter Requirements Moderate MP-4 MP-4 (1) MP-4a. for non-digital media. compact disks and digital video disks] [Assignment: organization-defined security measures] Parameter: [for digital media. The security measures are approved and accepted by the JAB. Requirement: The service provider defines controlled areas within facilities where the information and information system reside. diskettes. compact disks and digital video disks] [Assignment: organization-defined controlled areas] Parameter: See additional requirements and guidance. flash/thumb drives. encryption using a FIPS 140-2 validated encryption module.Proposed Security Assessment & Authorization for U. [Assignment: organization-defined types of digital and non-digital media] Parameter: [magnetic tapes. Requirement: The service provider defines security measures to protect digital and non-digital media in transport. secure storage in locked cabinets or safes] Additional Requirements and Guidance MP-4a. Physical and Environmental Protection (PE) PE-1 Physical and Environmental Protection Policy and Procedures Physical Access Authorizations PE-1 PE-1 PE-1 [Assignment: organization-defined frequency] Parameter: [at least annually] PE-2c. external/removable hard drives. MP-5 Media Transport Not Selected MP-5 MP-5 (2) MP-5 (4) MP-5a. flash/thumb drives. 1. Chapter One: Cloud Computing Security Requirements Baseline Page 21 . None.S. and needto-know.11. role. MP-6 Media Sanitization MP-6 MP-6 MP-6 (4) None. [Assignment: organization-defined frequency] Parameter: [at least annually] None. PE-2 PE-2 PE-2 PE-2 (1) PE-2 (1) Requirement: The service provider provides physical access to the facility where information systems reside based on position. diskettes. encryption using a FIPS 140-2 validated encryption module] MP-5a.

[Assignment: organization-defined frequency] Parameter: [at least monthly] None. None.S. None. None. PE-7 Visitor Control PE-7 PE-7 PE-7 (1) PE-8 None. [Assignment: organization-defined frequency] Parameter: [at least annually] PE-3g. PE-5 PE-5 None. Requirement: The service provider defines emergency shutoff switch locations. PE-8 Access Records PE-8 PE-8b. Additional Requirements and Guidance PE-4 Access Control for Transmission Medium Access Control for Output Devices Monitoring Physical Access Not Selected Not Selected PE-6 PE-4 None. PE-10 PE-10 PE-10b. None. [Assignment: organization-defined frequency] Parameter: [at least annually] None. PE-10b. PE-9 Power Equipment and Power Cabling Emergency Shutoff Not Selected Not Selected PE-9 None. PE-11 Emergency Power Not Selected PE-12 PE-11 PE-11 (1) PE-12 PE-12 Emergency Lighting None. [Assignment: organization-defined frequency] Parameter: [at least semi-annually] None.Proposed Security Assessment & Authorization for U. None. PE-6 PE-6 PE-6 (1) PE-6b. None. Government Cloud Computing Control Baseline Control Number and Name Low PE-3 Physical Access Control PE-3 Control Parameter Requirements Moderate PE-3 PE-3f. [Assignment: organization–defined location by information system or system component] Parameter: See additional requirements and guidance. The locations are approved and accepted by the JAB. Chapter One: Cloud Computing Security Requirements Baseline Page 22 . None.

Requirement: The service provider defines management. PE-15 PE-16 Water Damage Protection Delivery and Removal PE-15 PE-16 PE-15 PE-16 None.S. PE-16 [Assignment: organization-defined types of information system components] Parameter: [all information system components] PE-17a. The security controls are approved and accepted by the JAB. None. operational. and technical information system security controls] Parameter: See additional requirements and guidance. Planning (PL) PL-1 Security Planning Policy and Procedures PL-1 PL-1 PL-1 [Assignment: organization-defined frequency] Parameter: [at least annually] None. PE-17 Alternate Work Site Not Selected PE-17 PE-17a. Government Cloud Computing Control Baseline Control Number and Name Low PE-13 Fire Protection PE-13 Control Parameter Requirements Moderate PE-13 PE-13 (1) PE-13 (2) PE-13 (3) PE-14 PE-14 (1) None. [Assignment: organization-defined management. Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments] PE-14b. [Assignment: organization-defined frequency] Parameter: [continuously] PE-14a. None.Proposed Security Assessment & Authorization for U. Chapter One: Cloud Computing Security Requirements Baseline Page 23 .12. None. 1. operational. PE-18 Location of Information System Components Not Selected PE-18 None. None. and technical information system security controls for alternate work sites. Additional Requirements and Guidance PE-14 Temperature and Humidity Controls PE-14 PE-14a. [Assignment: organization-defined acceptable levels] Parameter: [consistent with American Society of Heating. Requirements: The service provider measures temperature at server inlets and humidity levels by dew point.

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing

Control Baseline Control Number and Name Low
PL-2 System Security Plan PL-2

Control Parameter Requirements Moderate
PL-2 PL-2 (2) PL-2b. [Assignment: organization-defined frequency] Parameter: [at least annually] None. None. None. None.

Additional Requirements and Guidance

PL-4 PL-5 PL-6

Rules of Behavior Privacy Impact Assessment Security-Related Activity Planning

PL-4 PL-5 PL-6

PL-4 PL-5 PL-6

None. None. None.

1.13. Personnel Security (PS)
PS-1 Personnel Security Policy and Procedures PS-1 PS-1 PS-1 [Assignment: organization-defined frequency] Parameter: [at least annually] PS-2c. [Assignment: organization-defined frequency] Parameter: [at least every three years] PS-3b. [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening] Parameter: [for national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions] None. None.

PS-2

Position Categorization

PS-2

PS-2

None.

PS-3

Personnel Screening

PS-3

PS-3

None.

PS-4

Personnel Termination

PS-4

PS-4

None.

Chapter One: Cloud Computing Security Requirements Baseline

Page 24

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing

Control Baseline Control Number and Name Low
PS-5 Personnel Transfer PS-5

Control Parameter Requirements Moderate
PS-5 PS-5 [Assignment: organization-defined transfer or reassignment actions] Parameter: See additional requirements and guidance. [Assignment: organization-defined time period following the formal transfer action] Parameter: [within five days]

Additional Requirements and Guidance
PS-5 Requirement: The service provider defines transfer or reassignment actions. Transfer or reassignment actions are approved and accepted by the JAB.

PS-6

Access Agreements

PS-6

PS-6

PS-6b. [Assignment: organization-defined frequency] Parameter: [at least annually] None.

None.

PS-7

Third-Party Personnel Security Personnel Sanctions

PS-7

PS-7

None.

PS-8

PS-8

PS-8

None.

None.

1.14. Risk Assessment (RA)
RA-1 Risk Assessment Policy and Procedures RA-1 RA-1 RA-1 [Assignment: organization-defined frequency] Parameter: [at least annually] None. RA-3b. [Selection: security plan; risk assessment report; [Assignment: organization-defined document]] Parameter: [security assessment report] RA-3c. [Assignment: organization-defined frequency] Parameter: [at least every three years or when a significant change occurs] RA-3d. [Assignment: organization-defined frequency] Parameter: [at least every three years or when a significant change occurs] None.

RA-2 RA-3

Security Categorization Risk Assessment

RA-2 RA-3

RA-2 RA-3

None. RA-3c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. RA-3d. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.

Chapter One: Cloud Computing Security Requirements Baseline

Page 25

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing

Control Baseline Control Number and Name Low
RA-5 Vulnerability Scanning RA-5 RA-5 (1) RA-5 (2) RA-5 (3) RA-5 (9)

Control Parameter Requirements Moderate
RA-5 RA-5 (1) RA-5 (2) RA-5 (3) RA-5 (9) RA-5 (6) RA-5a. [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] Parameter: [quarterly operating system, web application, and database scans (as applicable)] RA-5d. Assignment: organization-defined response times] Parameter: [high-risk vulnerabilities mitigated within thirty days; moderate risk vulnerabilities mitigated within ninety days] RA-5 (2) [Assignment: organization-defined frequency] Parameter: [continuously, before each scan] None.

Additional Requirements and Guidance

1.15. System and Services Acquisition (SA)
SA-1 System and Services Acquisition Policy and Procedures Allocation of Resources Life Cycle Support Acquisitions SA-1 SA-1 SA-1 [Assignment: organization-defined frequency] Parameter: [at least annually] None. None. None. None.

SA-2 SA-3 SA-4

SA-2 SA-3 SA-4

SA-2 SA-3 SA-4 SA-4 (1) SA-4 (4) SA-4 (7)

None. None. SA-4 Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html. None.

SA-5

Information System Documentation

SA-5

SA-5 SA-5 (1) SA-5 (3) SA-6

None.

SA-6

Software Usage Restrictions User-Installed Software

SA-6

None.

None.

SA-7

SA-7

SA-7

None.

None.

Chapter One: Cloud Computing Security Requirements Baseline

Page 26

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing

Control Baseline Control Number and Name Low
SA-8 Security Engineering Principles External Information System Services Not Selected SA-9

Control Parameter Requirements Moderate
SA-8 None. None.

Additional Requirements and Guidance

SA-9

SA-9 SA-9 (1)

SA-9 (1) (b) [Assignment: organization-defined senior organizational official]. Parameter: [Joint Authorization Board (JAB)]

SA-9 (1) Requirement: The service provider documents all existing outsourced security services and conducts a risk assessment of future outsourced security services. Future, planned outsourced services are approved and accepted by the JAB. None.

SA-10

Developer Configuration Management Developer Security Testing

Not Selected SA-11 SA-11 (1)

SA-10

None.

SA-11

SA-11 SA-11 (1)

None.

SA-11 (1) Requirement: The service provider submits a code analysis report as part of the authorization package and updates the report in any reauthorization actions. SA-11 (1) Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.

SA-12

Supply Chain Protection

Not Selected

SA-12

SA-12 [Assignment: organization-defined list of measures to protect against supply chain threats] Parameter: See additional requirements and guidance.

SA-12 Requirement: The service provider defines a list of measures to protect against supply chain threats. The list of protective measures is approved and accepted by JAB.

1.16. System and Communications Protection (SC)
SC-1 System and Communications Protection Policy and Procedures SC-1 SC-1 SC-1 [Assignment: organization-defined frequency] Parameter: [at least annually] None.

Chapter One: Cloud Computing Security Requirements Baseline

Page 27

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing

Control Baseline Control Number and Name Low
SC-2 Application Partitioning Not Selected Not Selected SC-5

Control Parameter Requirements Moderate
SC-2 None. None.

Additional Requirements and Guidance

SC-4

Information in Shared Resources Denial of Service Protection

SC-4

None.

None.

SC-5

SC-5

SC-5 [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list] Parameter: See additional requirements and guidance.

SC-5 Requirement: The service provider defines a list of types of denial of service attacks (including but not limited to flooding attacks and software/logic attacks) or provides a reference to source for current list. The list of denial of service attack types is approved and accepted by JAB. None. SC-7 (1) Requirement: The service provider and service consumer ensure that federal information (other than unrestricted information) being transmitted from federal government entities to external entities using information systems providing cloud services is inspected by TIC processes. SC-7 (8) Requirements: The service provider defines the internal communications traffic to be routed by the information system through authenticated proxy servers and the external networks that are the prospective destination of such traffic routing. The internal communications traffic and external networks are approved and accepted by JAB. SC-7 (13) Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.

SC-6

Resource Priority

Not Selected SC-7

SC-6

None

SC-7

Boundary Protection

SC-7 SC-7 (1) SC-7 (2) SC-7 (3) SC-7 (4) SC-7 (5) SC-7 (7) SC-7 (8) SC-7 (12) SC-7 (13) SC-7 (18)

SC-7 (4) (e) [Assignment: organization-defined frequency] Parameter: [at least annually] SC-7 (8) [Assignment: organization-defined internal communications traffic] Parameter: See additional requirements and guidance. [Assignment: organization-defined external networks] Parameter: See additional requirements and guidance. SC-7 (13) [Assignment: organization-defined key information security tools, mechanisms, and support components] Parameter: See additional requirements and guidance.

Chapter One: Cloud Computing Security Requirements Baseline

Page 28

including but not limited to system authentication. SC-10 Guidance: Long running batch jobs and other operations are not subject to this time limit.e. Government Cloud Computing Control Baseline Control Number and Name Low SC-8 Transmission Integrity Not Selected Not Selected Control Parameter Requirements Moderate SC-8 SC-8 (1) SC-9 SC-9 (1) None. SC-10 Network Disconnect Not Selected SC-10 SC-10 [Assignment: organization-defined time period] Parameter: [thirty minutes for all RAS-based sessions. SC-13 Use of Cryptography SC-13 SC-13 SC-13 (1) SC-14 SC-15 None.Proposed Security Assessment & Authorization for U. allocating additional bandwidth to a cloud user).S. SC-12 Cryptographic Key Establishment and Management SC-12 SC-12 SC-12 (2) SC-12 (5) SC-12 (2) [Selection: NIST-approved. [Assignment: organization-defined exceptions where remote activation is to be allowed] Parameter: [no exceptions] None. thirty to sixty minutes for non-interactive users] SC-11 [Assignment: organization-defined security functions to include at a minimum. and provisioning or deprovisioning of services (i. re-authentication. SC-15a. information system authentication and re-authentication] Parameter: See additional requirements and guidance SC-11 Trusted Path Not Selected SC-11 SC-11 Requirement: The service provider defines the security functions that require a trusted path. Additional Requirements and Guidance SC-9 Transmission Confidentiality SC-9 (1) [Assignment: organization-defined alternative physical measures] Parameter: See additional requirements and guidance SC-9(1) Requirement: The service provider must implement a hardened or alarmed carrier Protective Distribution System (PDS) when transmission confidentiality cannot be achieved through cryptographic mechanisms. None. Chapter One: Cloud Computing Security Requirements Baseline Page 29 . None. SC-15 Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use. The list of security functions requiring a trusted path is approved and accepted by JAB. SC-14 SC-15 Public Access Protections Collaborative Computing Devices SC-14 SC-15 None. NSA-approved] Parameter: [NIST-approved] None.

None. SC-20 SC-20 SC-20 (1) None. None. [Assignment: organization-defined actions] Parameter: See additional requirements and guidance. SC-21 Not Selected SC-21 None. None. SC-22 Not Selected SC-22 None. None. SC-19 Voice Over Internet Protocol Secure Name /Address Resolution Service (Authoritative Source) Secure Name/ Address Resolution Service (Recursive or Caching Resolver) Architecture and Provisioning for Name/Address Resolution Service Session Authenticity Not Selected SC-20 SC-20 (1) SC-19 None. SC-18 (4) Requirement: The service provider defines the software applications where the automatic execution of mobile code is prevented by the information system providing cloud services. SC-18 Mobile Code SC-18 SC-18 SC-18 (4) SC-18 (4) [Assignment: organization-defined software applications] Parameter: See additional requirements and guidance. None. Requirement: The service provider defines the actions to be taken prior to the information system executing mobile code in the software applications identified. Software applications and actions taken by the service provider are approved by JAB. None. Chapter One: Cloud Computing Security Requirements Baseline Page 30 . SC-17 Requirement: The service provider defines the public key infrastructure certificate policy. Government Cloud Computing Control Baseline Control Number and Name Low SC-16 Transmission of Security Attributes Public Key Infrastructure Certificates Not Selected Not Selected Control Parameter Requirements Moderate SC-16 None. SC-23 Not Selected SC-23 None. The certificate policy is approved and accepted by the JAB.Proposed Security Assessment & Authorization for U.S. Additional Requirements and Guidance SC-17 SC-17 SC-17 [Assignment: organization-defined certificate policy] Parameter: See additional requirements and guidance.

1. SI-2 SI-2 SI-2 SI-2 (2) None. None. The OS Independent applications list is approved and accepted by JAB.Proposed Security Assessment & Authorization for U. SC-28 Protection of Information at Rest Virtualization Techniques Not Selected Not Selected Not Selected Not Selected SC-28 SC-28 (1) SC-30 None. SC-32 Information System Partitioning Transmission Preparation Integrity SC-32 None. None.17. Parameter: See additional requirements and guidance SC-27 Requirement: The service provider and service consumer define which applications must run independent of operating system. SC-33 SC-33 None. SC-30 None None. Chapter One: Cloud Computing Security Requirements Baseline Page 31 . None. Additional Requirements and Guidance SC-27 Operating SystemIndependent Applications SC-27 SC-27 [Assignment: organization-defined operating system independent applications]. System and Information Integrity (SI) SI-1 System and Information Integrity Policy and Procedures Flaw Remediation SI-1 SI-1 SI-1 [Assignment: organization-defined frequency] Parameter: [at least annually] SI-2 (2) [Assignment: organization-defined frequency] Parameter: [at least monthly] None.S. Government Cloud Computing Control Baseline Control Number and Name Low SC-25 Thin Nodes Not Selected Not Selected Control Parameter Requirements Moderate SC-25 None None.

[Assignment: organization-defined action]] Parameter: [block or quarantine malicious code. or scripts have been saved or installed on production systems without clear indication of their use or purpose] None. Guidance: Alerts may be generated from a variety of sources including but not limited to malicious code protection mechanisms. [Assignment: organization-defined frequency] Parameter: [at least weekly] [Selection (one or more): block malicious code. send alert to administrator.S. identify irregularities or anomalies that are indicators of a system malfunction or compromise] SI-4 (5) [Assignment: organization-defined list of compromise indicators] Parameter: [protected information system files or directories have been modified without notification from the appropriate change/configuration management channels. processes and services are running that are outside of the baseline system profile. tools. information system is raising alerts or faults in a manner that indicates the presence of an abnormal condition. Government Cloud Computing Control Baseline Control Number and Name Low SI-3 Malicious Code Protection SI-3 Control Parameter Requirements Moderate SI-3 SI-3 (1) SI-3 (2) SI-3 (3) SI-3c. and secure state. send alert to administrator. Chapter One: Cloud Computing Security Requirements Baseline Page 32 . examine system records to confirm that the system is functioning in an optimal. resource or service requests are initiated from clients that are outside of the expected client membership set. or boundary protection devices such as firewalls. auditing functionality has been disabled or modified to reduce audit visibility. quarantine malicious code. gateways. [Assignment: organization-defined monitoring objectives] Parameter: [ensure the proper functioning of internal processes and controls in furtherance of regulatory and compliance requirements. information system performance indicates resource consumption that is inconsistent with expected operating conditions. and routers. information system reports failed logins or password changes for administrative or key service accounts. intrusion detection or prevention mechanisms. Additional Requirements and Guidance SI-4 Information System Monitoring SI-4 SI-4 SI-4 (2) SI-4 (4) SI-4 (5) Si-4 (6) SI-4(5) Requirement: The service provider defines additional compromise indicators as needed. utilities. send alert to FedRAMP} SI-4a.Proposed Security Assessment & Authorization for U. audit or log records have been deleted or modified without explanation. resilient.

shuts the system down. upon command by user with appropriate privilege. SI-8 Spam Protection Not Selected Not Selected SI-10 SI-8 None. [Assignment: organization-defined alternative action(s)]] Parameter: [notifies system administrator] SI-7 Software and Information Integrity Not Selected SI-7 SI-7 (1) SI-7 (1) [Assignment: organization-defined frequency] Parameter: [at least monthly] None. None. None. and directives. Chapter One: Cloud Computing Security Requirements Baseline Page 33 . SI-10 SI-10 None.Proposed Security Assessment & Authorization for U. None. The list also includes designated FedRAMP personnel. advisories. Government Cloud Computing Control Baseline Control Number and Name Low SI-5 Security Alerts. restarts the system. and/or security responsibilities including but not limited to FedRAMP] Additional Requirements and Guidance SI-5c. and Directives SI-5 Control Parameter Requirements Moderate SI-5 SI-5c. Requirement: The service provider defines a list of personnel (identified by name and/or by role) with system administration. SI-9 Information Input Restrictions Information Input Validation SI-9 None. monitoring. None. SI-6 Security functionality verification Not Selected SI-6 SI-6 [Selection (one or more): [Assignment: organizationdefined system transitional states]. monitoring. and/or security responsibilities who are to receive security alerts. [Assignment: organization-defined list of personnel (identified by name and/or by role)] Parameter: [All staff with system administration.S. periodically every [Assignment: organization-defined time-period]] Parameter: [upon system startup and/or restart and periodically every ninety days] [Selection (one or more): notifies system administrator. Advisories.

None. content related to internal security functions (i. personally identifiable information (excluding unique user name identifiers provided as a normal part of a transactional record). Additional Requirements and Guidance SI-12 Information Output Handling and Retention SI-12 SI-12 None. attributes used to validate a password reset request (e. account numbers.S. private encryption keys.e. Table 1: FedRAMP Security Controls & Enhancements. access codes). security questions). sensitive financial records (e. object permission attributes and settings)].Proposed Security Assessment & Authorization for U. biometric data or personal characteristics used to authenticate identity. None.g.. Government Cloud Computing Control Baseline Control Number and Name Low SI-11 Error Handling Not Selected Control Parameter Requirements Moderate SI-11 SI-11b.g. Chapter One: Cloud Computing Security Requirements Baseline Page 34 . white list or blacklist rules. [Assignment: organization-defined sensitive or potentially harmful information] Parameter: [user name and password combinations.

S.Proposed Security Assessment & Authorization for U. Government Cloud Computing Chapter Two: Continuous Monitoring Page 35 .

software. or operational environment. and common controls) based on the defined continuous monitoring strategy. chief information officers. An effective organizational information security program also includes a rigorous continuous monitoring program integrated into the System Development Life Cycle (SDLC). hybrid. Robust continuous monitoring requires the active involvement of information system owners and common control providers. and Active involvement by authorizing officials in the ongoing management of information system-related security risks. taking into account any proposed/actual changes to the information system or its environment of operation. and Plans of Action and Milestones (POA&Ms). Assessment of selected security controls (including system-specific. Purpose The purpose of this chapter is to establish and define how Continuous Monitoring will work in a cloud computing environment and specifically within the FedRAMP framework.1.Proposed Security Assessment & Authorization for U. Continuous monitoring is integrated into the organization’s system development life cycle processes. risk-based decisions regarding the operation of the information system. firmware. 2. Government Cloud Computing 2. near real-time security status-related information to organizational officials in order to take appropriate risk mitigation actions and make cost-effective. Introduction A critical aspect of managing risk to information from the operation and use of information systems involves the continuous monitoring of the security controls employed within or inherited by the system. Continuous Monitoring 2. Security impact analyses on proposed or actual changes to information systems and environments of operation. Security status reporting to appropriate officials.S. senior Chapter Two: Continuous Monitoring Page 36 . Continuous monitoring programs provide organizations with an effective mechanism to update Security Plans.3. 2. Background Service Provider is required to develop a strategy and implement a program for the continuous monitoring of security control effectiveness including the potential need to change or supplement the control set. Security Assessment Reports.2. An effective continuous monitoring program includes: Configuration management and control processes for information systems. Continuous monitoring is a proven technique to address the security impacts on an information system resulting from changes to the hardware. Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence. This document will also serve to define reporting responsibilities and frequency for the Cloud Service Offering Service Provider (CSP). The objective of the continuous monitoring program is to determine if the set of deployed security controls continue to be effective over time in light of the inevitable changes that occur. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential.

FedRAMP will prescribe specific reporting criteria that service providers can utilize to maximize their FISMA reporting responsibilities while minimizing the resource strain that is often experienced. 2. and plan of action and milestones. security controls and supporting deliverables are updated and submitted to FedRAMP per the schedules below. This table provides a listing of the deliverables. Near real-time risk management of information systems can be accomplished by employing automated support tools to execute various steps in the Risk Management Framework including authorization-related activities. The documents in the authorization package are considered “living documents” and updated accordingly based on actual events that may affect the security state of the information system.4. there will be instances. technologies. responsible party and frequency for completion. They allow FedRAMP authorizing officials to make credible risk-based decisions regarding the continued operations of the information systems and initiate appropriate responses as needed when changes occur. service providers must demonstrate their ability to perform routine tasks on a specifically defined scheduled basis to monitor the cyber security posture of the defined IT security boundary. beyond the control of FedRAMP in which deliverables may be required on an ad hoc basis. Through continuous monitoring. 2. Frequency – Frequency under which the artifact should be created and/or updated. In addition to vulnerability scanning tools. and other automated support tools that can help to determine the security state of an information system. While FedRAMP will not prescribe specific toolsets to perform these functions.5. FedRAMP does prescribe their minimum capabilities.S. Government Cloud Computing information security officers. Chapter Two: Continuous Monitoring Page 37 . and authorizing officials. vulnerabilities. The table is organized into: Deliverable – Detailed description of the reporting artifact. organizations can employ automated security management and reporting tools to update key documents in the authorization package including the security plan. Accordingly. Continuous Monitoring Requirements FedRAMP is designed to facilitate a more streamlined approach and methodology to continuous monitoring.Proposed Security Assessment & Authorization for U. system and network monitoring tools. Reporting and Continuous Monitoring Maintenance of the security Authority To Operate (ATO) will be through continuous monitoring of security controls of the service providers system and its environment of operation to determine if the security controls in the information system continue to be effective over time in light of changes that occur in the system and environment. If the artifact is expected in a specific format. The submitted deliverables provide a current understanding of the security state and risk posture of the information systems. and (ii) maintain the security authorization for the system over time in highly dynamic environments of operation with changing threats. Furthermore. The deliverables required during continuous monitoring are depicted in Table 2: FedRAMP Continuous Monitoring . Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and represents a significant change in the way security authorization activities have been employed in the past. The deliverable frequencies below are to be considered standards. and missions/business processes. security assessment report. Continuous monitoring allows an organization to: (i) track the security state of an information system on a continuous basis. However. that format appears in BOLD text.

Deliverable Frequency Responsibility FedRAMP Cloud Service Provider Scan reports of all systems within the boundary for vulnerability (Patch) management. CIS). (Tool Output Report) Scan for verification of FDCC compliance (USGCB. (SCAP Tool Output) Incident Response Plan. POAM Remediation (Completed POA&M Matrix) Change Control Process Penetration testing (Formal plan and results) IV&V of controls Scan to verify that boundary has not changed (also that no rogue systems are added after ATO) (Tool Output Report) System configuration management software (SCAP Tool Output) FISMA Reporting data Update Documentation Contingency Plan and Test Report Separation of Duties Matrix Information Security Awareness and Training Records Results) Table 2: FedRAMP Continuous Monitoring Deliverables Monthly Quarterly Annually Quarterly Annually Annually SemiAnnually Quarterly Quarterly Quarterly Annually Annually Annually Annually Chapter Two: Continuous Monitoring Page 38 .Proposed Security Assessment & Authorization for U.S. Government Cloud Computing Responsibility – Whether FedRAMP or the Cloud Service Provider is responsible for creation and maintenance of the artifact.

6. To ensure that changes to the enterprise do not alter the security posture beyond the parameters set by the FedRAMP Joint Authorization Board (JAB). these routine changes should be documented as part of the CSP’s standard change management process and accounted for via the CSP’s internal continuous monitoring plan. As the system owners as well as other authorizing officials approve changes. adding or deleting users. However. security assessment report. tested and approved. While these changes individually may not have much effect on the overall security posture of the system. Accordingly. Chapter Two: Continuous Monitoring Page 39 . new technologies or new risks. Major or significant changes may require re-authorization via the FedRAMP process. Minor changes typically have little impact to the security posture of a system. Minor changes must be captured and documented in the SSP of the system within 30 days of implementation. at a minimum. FISMA reporting responsibilities must be clearly defined. FISMA Reporting Requirements FISMA established the IT security reporting requirements. significant changes require an added level of attention and action. or changes to the security controls should automatically trigger a re-authorization of the system via the FedRAMP process. Once the SSP is updated. 2. these changes must be documented. addition or deletion of users. it is the responsibility of both the CSP and the sponsoring agency to notify FedRAMP of the need to make such a significant change.Proposed Security Assessment & Authorization for U. OMB in conjunction with DHS enforces these reporting requirements.” Changes such as installing a new operating system. To combat this possibility. These changes can be standard maintenance. applying standard security patches. changes that are considered to be routine. or other routine activities.7. Government Cloud Computing 2. In order to facilitate a re-authorization. Since systems routinely experience changes over time to accommodate new requirements. and plan of action and milestones are updated and formally submitted to FedRAMP within 30 days of approved modification. This requirement should be part of the CSP’s documented internal continuous monitoring plan. This documentation is a critical aspect of continuous monitoring since it establishes all of the requirements that led to the need for the change as well as the specific details of the implementation. they are systematically documented. in aggregate they can create a formidable security issue. NIST defines significant change as “A significant change is defined as a change that is likely to affect the security state of an information system. Routine Systems Change Control Process The Change Control Process is instrumental in ensuring the integrity of the cloud computing environment. it must be submitted to FedRAMP. These changes can be standard maintenance. new hardware platforms.S. the application of standard security patches. and a record of the change must be maintained internally. or other routine activities. port modification. Configuration Change Control Process (CCP) Throughout the System Development Life Cycle (SDLC) system owners must be cognizant of changes to the system. FedRAMP will assist and coordinate with all stakeholders the necessary steps to ensure that the change is adequately documented. the key documents in the authorization package which include the security plan. they must be routinely analyzed in respect to the security posture. within the current SSP of the system within 30 days of implementation. There are however.

from time to time. web platforms and applications. mitigated or the mitigating strategy. Database platforms. Government Cloud Computing FedRAMP will coordinate with CSP’s and agencies to gather data associated with the cloud service offering.Proposed Security Assessment & Authorization for U. Routine system scanning and reporting is a vital aspect of continuous monitoring and thus. Open source operating systems require patch and vulnerability management as well. regularly scheduled monthly patches are published by many POSV to be applied to the appropriate operating system. Updates are available at the corresponding vendors’ website. With these issues in mind FedRAMP will require CSP’s to provide the following: Monthly vulnerability scans of all servers. maintaining a robust cyber security posture. On-going Testing of Controls and Changes to Security Controls Process System owners and administrators have long maintained the responsibility for patch and vulnerability management. It is not only prudent. and other security oversights. there are proven tools available to assist the system owner and administrator in discovering the vulnerabilities in a timely fashion. This strain on resources and lack of processes has opened the door to many malicious entities through improper patching. publish security patches that should be applied on systems as soon as possible due to the serious nature of the vulnerability. it has been proven time and again that this responsibility often requires a heavy use of resources as well as a documented.8. significant lapse in time between patch availability and patch implementation.S. However. These patches are available at the specific vendors’ website. In fact. This report should list the vulnerabilities by severity and name. Specificity is crucial to addressing the security posture of the system. In fact. Only data related to the documented system security boundary of the cloud service offering will be collected by FedRAMP and reported to OMB at the appropriate time and frequency. Proprietary operating system vendors (POSV) are constantly providing patches to mitigate vulnerabilities that are discovered. repeatable process to be carried out consistently and adequately. Vulnerability patching is critical. but often-times the virtualization software itself is exposed to vulnerabilities and thus must be patched either via a vendor based solution or other technical solution. but also necessary to stay abreast of all of the vulnerabilities that are represented by the IT infrastructure and applications that are in use. It is also the case that POSV will. Agencies will maintain their reporting responsibilities for their internal systems that correspond to the inter-connection between the agency and the cloud service offering. These tools must be updated prior to being run. Due to the open nature of these operating systems there needs to be a reliable distribution point for system administrators to safely and securely obtain the required patches. and virtually all other software applications come with their own security issues. 2. Tools used to perform the scan must be provided as well as the version number reflecting the latest update. All “High” level vulnerabilities must be mitigated within thirty Chapter Two: Continuous Monitoring Page 40 . While vulnerability management is indeed a difficult and daunting task. Systems running in virtual environment are not exempted from patching. not only are the operating systems running in a virtual environment to be patched routinely. A formal report of all vulnerabilities discovered.

Weekly scans for malicious code. All software operating systems and applications are required to be scanned by an appropriate tool to perform a thorough code review to discover malicious code. Monthly reporting is required to be submitted to FedRAMP. Performance of the annual Self Assessment in accordance with NIST guidelines. scanning parameters. Mandatory reporting to FedRAMP must include tool used. but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents.S. This is necessary if there is to be a continuous awareness of the risk and security posture of the system. at certain times. it is understood that compensating controls (workarounds) must be used to minimize system performance degradation while serving to mitigate the vulnerability. Change Control Process meetings to determine and validate the necessity for suggested changes to HW/SW within the enterprise must be coordinated with FedRAMP to ensure that the JAB is aware of the changes being made to the system. the application of certain security patches can cause negative effects on systems. Incident Response Computer security incident response has become an important component of information technology (IT) programs. It is accepted that. inclusive of a detailed network architecture drawing must be provided to FedRAMP. A summary report. minimizing loss and destruction. with a Security Content Automation Protocol (SCAP) validated tool. Quarterly FDCC and/or system configuration compliance scans. mitigating the Chapter Two: Continuous Monitoring Page 41 .Proposed Security Assessment & Authorization for U. Internal scans must be performed with the appropriate updated toolset. CSP must perform a self-assessment annually or whenever a significant change occurs. “Moderate” level vulnerabilities must be mitigated within ninety (90) days of discovery. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. Active Incident Response capabilities allow for suspect systems to be isolated and inspected for any unapproved or otherwise malicious applications. where activity is summarized. This should include milestones met or milestones missed. which verifies that all servers maintain compliance with the mandated FDCC and/or approved system configuration security settings.9. Government Cloud Computing days (30) days of discovery. These “Workarounds” must be submitted to FedRAMP & the Sponsoring agency for acceptance. 2. Quarterly boundary-wide scans are required to be performed on the defined boundary IT system inventory to validate the proper HW and SW configurations as well as search and discover rogue systems attached to the infrastructure. CSP must provide to FedRAMP a detailed matrix of POA&M activities using the supplied FedRAMP POA&M Template. New types of security-related incidents emerge frequently. tool configuration settings. resources required and validation parameters. Initial report should be included with the SSP as part of the initial authorization package. across the entire boundary. In these situations. All reporting must reflect these activities. application scanned (name and version) and the name of the third party performing the scan. Preventative activities based on the results of risk assessments can lower the number of incidents. Quarterly POA&M remediation reporting.

The incident response program structure should also be discussed within the plan. The organization’s mission.learning and improving. In any shared system. The FedRAMP concern and its role in continuous monitoring will be to focus on how a provider conducted the incident response and any after incident actions. or applications. Each incident response team should evolve to reflect new threats. One of these controls (IR-8) requires the development of an Incident Response plan that will cover the life cyber of incident response as documented in the NIST SP 800-61 guidelines. improved Chapter Two: Continuous Monitoring Page 42 . NIST SP 800-61 provides guidelines for development and initiation of an incident handling program. The response plan must address the possibility that incidents. protocols. The incident response plan should include these elements: Mission Strategies and goals Senior management approval Organizational approach to incident response How the incident response team will communicate with the rest of the organization Metrics for measuring the incident response capability Roadmap for maturing the incident response capability How the program fits into the overall organization. As part of the continuous monitoring of a system. may impact the cloud and shared cloud customers.Proposed Security Assessment & Authorization for U. particularly for analyzing incident-related data and determining the appropriate response to each incident. strategies. communication is the biggest key to success. operating systems. including privacy breaches and classified spills. As part of the authorization process the system security plan will have documented all of the “IR” or Incident Response family of controls. To that end. Figure 2: Incident response life cycle One of the most important parts of incident response is also the most often omitted . The guidelines can be followed independently of particular hardware platforms. As represented in Figure 2: Incident response life cycle. responding to incidents will be a key element. and goals for incident response should help in determining the structure of its incident response capability. The plan should outline the resources and management support that is needed to effectively maintain and mature an incident response capability. incident response is a continually improving process. Government Cloud Computing weaknesses that were exploited. and restoring computing services.S.

with the exception of incidents performed through new attack methods that are of widespread concern and interest. Questions to be answered in the lessons learned meeting include: Exactly what happened. 2. and periodically after lesser incidents. Validation of testing tools and assessments.10. This testing will be performed with strict Chapter Two: Continuous Monitoring Page 43 . After serious attacks have occurred. FedRAMP will periodically perform audits (both scheduled and unscheduled) related strictly to the cloud computing service offering and the established system boundary. Government Cloud Computing technology. Validation of assessment methodologies employed by the CSP and independent assessors. This expertise will be tasked to perform various IV&V functions with CSP’s. Verification of testing procedures. Verification of the CSP continuous monitoring program. and lessons learned. it is usually worthwhile to hold post-mortem meetings that cross team and organizational boundaries to provide a mechanism for information sharing. This will include. is extremely helpful in improving security measures and the incident handling process itself. it must be noted that establishing and maintaining an internal expertise of FedRAMP policies.Proposed Security Assessment & Authorization for U. Independent Verification and Validation Independent Verification and Validation (IV&V) is going to be an integral component to a successful implementation of FedRAMP. There are several methods that must be employed to accomplish these tasks. but not be limited to: Scheduled annual assessments of the system security documentation. but also wise to consider who should be invited for the purpose of facilitating future cooperation. and how well intervention worked. analyze.S. sponsoring agencies and commercial entities obtained by CSP’s with absolute independence on behalf of FedRAMP. what was done to intervene. In accordance with the new FIMSA requirement. and mitigate future incidents? Small incidents need limited post-incident analysis. Not only is it important to invite people who have been involved in the incident that is being analyzed. procedures and processes is going to be required. The meeting should be held within several days of the end of the incident. and Validation of CSP risk level determination criteria. Many organizations have found that holding a “lessons learned” meeting with all involved parties after a major incident. FedRAMP IV&V will be on behalf of the JAB. FedRAMP IV&V will be performing penetration testing. This meeting provides a chance to achieve closure with respect to an incident by reviewing what occurred. and at what times? How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery? What would the staff and management do differently in a future occurrence? What corrective actions can prevent similar incidents in the future? What tools/resources are needed to detect. The primary consideration in holding such meetings is ensuring that the right people are involved. With this in mind. As part of these efforts. and as a matter of implementing industry best practices.

S. Unless otherwise stated in the agreement. Government Cloud Computing adherence to the specific guidelines established by a mutually agreed upon “Rules of Engagement” agreement between FedRAMP IV&V and the target stakeholders. No attempts to exploit vulnerabilities will be allowed unless specified within the “Rules of Engagement” agreement.Proposed Security Assessment & Authorization for U. all penetration testing will be passive in nature to avoid unintentional consequences. Chapter Two: Continuous Monitoring Page 44 .

Proposed Security Assessment & Authorization for U.S. Government Cloud Computing Chapter Three: Potential Assessment & Authorization Approach Page 45 .

Preliminary vetting of the three models focused on finding a model that best met the goals of this endeavor as mentioned above. The three models for assessment that have been vetted within Government and Industry are: A centralized approach working through a FedRAMP program office. The implementation of a common security baseline requires a joint approach for the A&A and Continuous Monitoring process. FedRAMP operations could be conducted under many delivery models. this chapter presents FedRAMP operations through a centralized program office context. Government Cloud Computing 3. cloud computing provides an opportunity for the Federal Agencies to work together to create a common security baseline for authorizing these shared systems. the following benefits are desired regardless of the operating approach: Inter-Agency vetted Cloud Computing Security Requirement baseline that is used across the Federal Government. Any joint approach to this process requires a coordinated effort of many operational components working together. More consistent and efficient continuous monitoring of cloud computing environment/systems fostering cross-agency communication in best practices and shared knowledge. However. FedRAMP operations could potentially be executed by different entities and in many different models. Hence. However. The nature of cloud computing systems does not allow Federal Agencies to enforce their own unique security requirements and policies on a shared infrastructure – as many of these unique requirements are incompatible. Consistent interpretation of cloud service provider authorization packages using a standard set of processes and evaluation criteria. and Some combination of the above that combines public and private sector partners. the end goal is to establish an on-going A&A approach that all Federal Agencies can leverage. Consistent interpretation and application of security requirement baseline in a cloud computing environment. Introduction Cloud computing presents a unique opportunity to increase the effectiveness and efficiency of the A&A and Continuous Monitoring process for Federal Agencies. and experience as to the best model for FedRAMP operations that deliver upon the described benefits and encourage you to actively engage and contribute with substantive comments. knowledge. As a result of vetting the models with government and industry stakeholders.1. To accomplish that goal.Proposed Security Assessment & Authorization for U.S. the government is seeking your input. and Cost savings/avoidance realized due to the “Approve once. use often” concept for security authorization of cloud systems. A federated model using capabilities of multiple approved agency centers. These operations need to interact/interplay with each other to successfully authorize and monitor cloud systems for government-wide use. The Federal Cloud Computing Initiative (FCCI) has focused on exploring three models in particular. Potential Assessment & Authorization Approach 3. Chapter Three: Potential Assessment & Authorization Approach Page 46 .

best practices and lessons learned in authorizing and ongoing monitoring of such systems. the U. and datacenter/application consolidation. and Enable rapid and cost-effective procurement of information systems/services for Federal agencies. The use of a common security risk model provides a consistent baseline for Cloud based technologies across government. This common baseline will ensure that the benefits and challenges of cloud based technologies are effectively integrated across the various cloud computing solutions currently proposed within the government. Consistent application of Federal security requirements. virtualization.2.Proposed Security Assessment & Authorization for U. Chapter Three: Potential Assessment & Authorization Approach Page 47 . Consolidated risk management. and Increased effectiveness and management cost savings. By providing a unified government-wide risk management for enterprise level IT systems.S. Eliminate duplication of effort and reduce risk management costs. The current method of conducting risk management of shared. In order to address these concerns. authorizations and continuous monitoring of cloud computing services for all Federal Agencies to leverage. Benefits Joint authorization of cloud computing services provides a common security risk model that can be leveraged across the Federal Government. The risk model will also enable the government to “approve once and use often” by ensuring other agencies gain the benefit and insight of the FedRAMP’s Authorization and access to service provider’s authorization packages. cloud computing systems on an agency-byagency basis causes duplication of efforts. and the unnecessary cost from repetitive work and relearning. Government Cloud Computing 3. outsourced. Overview Background The Federal Government is increasingly using large shared and outsourced systems by moving to cloud computing. CIO) established a government-wide Federal Risk and Authorization Management Program (FedRAMP) to provide joint security assessment. Purpose The objective of FedRAMP is threefold: Ensure that information systems/services used government-wide have adequate information security.S. Chief Information Officer (U. FedRAMP will enable Agencies to either use or leverage authorizations with: An interagency vetted approach.S. inefficiencies in sharing knowledge.

The three permanent members of JAB include the Department of Homeland Security (DHS). The U. Department of Defense (DOD).S. The JAB technical representatives review the vetted authorization packages provided by FedRAMP. The General Service Administration has been tasked with the actual day-to-day operation of FedRAMP in supports this effort. Governance The following sections describe the FedRAMP governance model and define the roles and responsibilities of key stakeholders of the FedRAMP process. procedures and templates. FedRAMP performs an initial review of submitted authorization packages and has the authority to work with cloud computing system owners to refine each Chapter Three: Potential Assessment & Authorization Approach Page 48 . The JAB also has the final decision making authority on FedRAMP security controls.S. 3.Proposed Security Assessment & Authorization for U. JAB technical representatives are appointed by their respective JAB authorizing official (both permanent and rotating) for the implementation of the FedRAMP process.3.1.S. FedRAMP operations are responsible for the day-to-day administration and project management of FedRAMP. FedRAMP is an administrative support team provided by the U. The JAB also performs risk determination and acceptance of FedRAMP authorized systems.S. CIO) and managed out of the General Services Administration (GSA) as depicted in Figure 3 and detailed below. The JAB technical representatives make authorization recommendations to the JAB authorizing officials and advise the JAB of all residual risks. CIO has tasked the Joint Authorization Board (JAB) with jointly authorizing cloud computing systems. CIO under the guidance of GSA. and the General Services Administration (GSA).S.S. policies. JAB technical representatives provide subject matter expertise and advice to the JAB authorizing officials. Government Cloud Computing 3. Chief Information Officer (U. The sponsoring government agency for each cloud computing system will be represented as the rotating JAB member. Governance Model Figure 3: FedRAMP Governance Model FedRAMP is an interagency effort under the authority of the U. The initiation of FedRAMP and the Joint Authorization Board (JAB) has been via the U. CIO in coordination with the Federal CIO Council.3.

S. FedRAMP also oversees continuous monitoring of authorized systems.2. The ISIMC under the Federal CIO Council is responsible for socializing and reviewing FedRAMP processes and documents. 3.Proposed Security Assessment & Authorization for U. the final approval on changes to FedRAMP processes and documents is made by the JAB. JAB Authorizing Officials JAB Rotating Authorizing Officials (Sponsoring Agency Authorizing Official) Chapter Three: Potential Assessment & Authorization Approach Page 49 . Issue joint authorization decisions Resolve issues as needed Same duties as JAB Authorizing Officials only for their sponsored cloud solution.3. They provide recommendations on the FedRAMP documents directly to the JAB. lessons learned and emerging concepts within the Federal CIO Council community. Roles and Responsibilities Table 3: Stakeholder Roles and Responsibilities defines the responsibilities/tasks for FedRAMP stakeholders. CIO) Duties and Responsibilities Selects the JAB Authorizing Officials Coordinates FedRAMP activities with the CIO Council Tasks and funds FedRAMP. for technical support as necessary Designate a JAB Technical Representative Ensure the Technical Representative considers current threats and evaluation criteria based on evolving cloud computing best practices in their review of joint authorizations.S. However. Government Cloud Computing submission until it satisfies FedRAMP and JAB requirements. Their recommendations are based on vetting the cloud computing best practices. Role JAB Chair (U.

Recommend authorization decisions to the JAB Authorizing Official. Government Cloud Computing Role FedRAMP Operations JAB Technical Representatives (including the technical representative from the sponsoring Agency) Sponsoring Agency Leveraging Agency Duties and Responsibilities Communicate FedRAMP security requirements to service providers or prospective providers. Collect FISMA data from FedRAMP authorized systems for quarterly and annually reporting of data to OMB through GSA. Escalate issues to the JAB Authorizing Official as appropriate. Perform continuous monitoring oversight of FedRAMP authorized systems. Maintain knowledge of the FedRAMP capabilities and process throughout industry and the federal government.S. Review CSP security authorization packages Work with JAB Technical Representatives to clarify questions and concerns regarding authorization packages Maintain a repository of Authorizations in two categories: o Authorizations granted by the JAB. Authorize cloud system for their Agency use. Support FedRAMP in defining and implementing the joint authorization process. Assessment. Determine if the stated risk determination and acceptance is consistent with its agency’s needs. Provide subject matter expertise to implement the direction of the JAB Authorizing Official. Cloud system selection and submission to FedRAMP Ensures a contractual agreement with a provider is in place using FedRAMP requirements. Assessment. Page 50 Chapter Three: Potential Assessment & Authorization Approach . Facilitate the leveraging of authorized systems for other federal entities. Authorization and continuous monitoring and FISMA reporting of controls that are Agency’s (customer’s) responsibility.Proposed Security Assessment & Authorization for U. Designate Federal personnel to facilitate the receipt and delivery of deliverables between the cloud computing provider (CSP) and FedRAMP. Authorization and continuous monitoring and FISMA reporting of controls that are Agency’s (customer’s) responsibility. Review FedRAMP authorization packages. o Authorizations granted by individual agencies.

Hire independent third party assessor to perform initial system assessment and on-going monitoring of controls. Government Cloud Computing Role Cloud Service Provider (CSP) Duties and Responsibilities The service provider is a government or commercial entity that has a cloud offering/service (IaaS.S. Provide Continuous Monitoring reports and updates to FedRAMP. PaaS or SaaS) and requires FedRAMP authorization of their offering/service for Government use. Work with the sponsoring Agency to submit their offering for FedRAMP authorization. Create and submit authorization packages. Table 3: Stakeholder Roles and Responsibilities Chapter Three: Potential Assessment & Authorization Approach Page 51 .Proposed Security Assessment & Authorization for U.

Government Cloud Computing 3. Agency X gets security requirements for the new IT system from FedRAMP Agency X has a need for a new cloud based IT system Agency X awards contract to cloud service provider (CSP) Agency X submits request to FedRAMP office for CSP To be FedRAMP authorized to operate CSP is added to the FedRAMP Authorization Request log Figure 4: FedRAMP authorization request process Chapter Three: Potential Assessment & Authorization Approach Page 52 . The subsequent sections detail the steps involved in the FedRAMP Assessment and Authorization process. FedRAMP begins processing the cloud system for JAB authorization. High-Level Overview The following figure depicts the high-level process for getting on the FedRAMP authorization request log.4.4.Proposed Security Assessment & Authorization for U.S.1. Assessment and Authorization Processes 3. Once the Cloud Service Provider (CSP) system is officially on the FedRAMP authorization log.

Proposed Security Assessment & Authorization for U. Government Cloud Computing CSP and agency sponsor begin authorization process with FedRAMP office CSP. agency sponsor and FedRAMP office review security requirements and any alternative implementations FedRAMP office coordinates with CSP for creation of system security plan (SSP) CSP has indpendent assessment of security controls and develops appropriate reports for submission to FedRAMP office FedRAMP office reviews and assembles the final authorization package for the JAB JAB reviews final certification package and authorizes CSP to operate FedRAMP office adds CSP to authorized system inventory to be reviewed and leveraged by all Federal agencies FedRAMP provides continuous monitoring of CSP Figure 5: FedRAMP authorization process Chapter Three: Potential Assessment & Authorization Approach Page 53 .S.

FedRAMP policies regarding ongoing authorization and formal reauthorization. Required Artifacts All Service Providers’ CCS must complete and deliver the following artifacts as part of the authorization process. information system authorization. and the needs of the FedRAMP authorizing officials. if the maximum authorization period for an information system is three years.4. This strategy allows all security controls designated in the respective security plans to be assessed at least one time by the end of the three-year period. 3.2. regulations.3.2.Proposed Security Assessment & Authorization for U. thus supporting the concept of ongoing authorization. and/or policies. Government Cloud Computing 3. security control assessment. Authorization termination dates are influenced by FedRAMP policies that may establish maximum authorization periods. Policy Security Authorization Process: a. are consistent with federal directives. CCS Service Providers should use this process and the noted references prior to initiating/performing the Security Authorization process. Templates for these artifacts can be found in FedRAMP templates as described in reference materials: Privacy Impact Assessment (PIA) FedRAMP Test Procedures and Results Security Assessment Report (SAR) System Security Plan (SSP) IT System Contingency Plan (CP) IT System Contingency Plan (CP) Test Results Plan of Action and Milestones (POA&M) Chapter Three: Potential Assessment & Authorization Approach Page 54 . in writing. A service provider’s cloud computing systems must be authorized/reauthorized at least every three (3) years or whenever there is a significant change to the system’s security posture in accordance with NIST SP 800-37 R1.1. b.2.S. if/when required.4. The FedRAMP Authorizing Officials (AO) must authorize. the assessment results can be cumulatively applied to the reauthorization.4. then the service provider establishes a continuous monitoring strategy for assessing a subset of the security controls employed within and inherited by the system during the authorization period. If the security control assessments are conducted by qualified assessors with the required degree of independence based on policies. all cloud computing systems before they go into operational service for government interest. This also includes any common controls deployed external to service provider cloud computing systems. Purpose This section defines FedRAMP assessment and authorization process for Cloud Service Providers (CSP). For example. appropriate security standards and guidelines. and continuous monitoring.2. It also provides guidelines and procedures for applying the NIST 800-37 R1 Risk Management Framework to include conducting the activities of security categorization. 3. Detailed Assessment & Authorization Process 3.4. security control selection and implementation.2.

S.4. Figure 6: FedRAMP Assessment and Authorization Process Chapter Three: Potential Assessment & Authorization Approach Page 55 . The following diagrams describe the steps and workflow of the FedRAMP Assessment and Authorization process.2. Government Cloud Computing Continuous Monitoring Plan (CMP) FedRAMP Control Tailoring Workbook Control Implementation Summary Table Results of Penetration Testing Software Code Review Interconnection Agreements/Service Level Agreements/Memorandum of Agreements 3. Assessment and Authorization Process Workflow FedRAMP Assessment and Authorization is an effort composed of many entities/stakeholders working together in concert to enable government-wide risk management of cloud systems.4.Proposed Security Assessment & Authorization for U.

Government Cloud Computing Figure 7: FedRAMP Categorization of Cloud System and Select Security Controls Chapter Three: Potential Assessment & Authorization Approach Page 56 .Proposed Security Assessment & Authorization for U.S.

S.Proposed Security Assessment & Authorization for U. Government Cloud Computing Figure 8: FedRAMP Authorization Request Chapter Three: Potential Assessment & Authorization Approach Page 57 .

Government Cloud Computing Figure 9: Implement Controls Chapter Three: Potential Assessment & Authorization Approach Page 58 .S.Proposed Security Assessment & Authorization for U.

Authorize Cloud System Chapter Three: Potential Assessment & Authorization Approach Page 59 . Government Cloud Computing Figure 10: Assess Controls.Proposed Security Assessment & Authorization for U.S.

Proposed Security Assessment & Authorization for U. Government Cloud Computing Figure 11: Continuous Monitoring Chapter Three: Potential Assessment & Authorization Approach Page 60 .S.

NIST Special Publications 800-30. 800-39. 200.S.Implement Controls: (FedRAMP control tailoring workbook. 800-37 R1 Chapter Three: Potential Assessment & Authorization Approach Page 61 . 800-59. Center for Internet Security (CIS).) Step 2 – Select Security Controls: (FIPS Publications 199. United States Government Configuration Baseline (USGCB). 800-53A R1. FedRAMP security control baseline) Step 3 – Authorization Request: (FedRAMP primary Authorization Request letter. 800-53 R3. FIPS publications. 800-53A R1) Step 7 – Continuous Monitoring: FedRAMP Test Procedures. NIST Special Publications 800-30. FedRAMP templates and other guidelines and documents associated with the seven steps of the FedRAMP process: Step 1 . 800-53A R1) Step 5 – Assess Controls: (FedRAMP Test Procedures: Center for Internet Security (CIS). 800-60. FIPS Publication 200. NIST Special Publication 800-53A R1) Step 6 – Authorize Cloud System: OMB Memorandum 02-01. NIST Special Publications 800-30. United States Government Configuration Baseline (USGCB). OMB Memorandums. 800-53 R3. Government Cloud Computing The following section provides the list of NIST special publications.Proposed Security Assessment & Authorization for U. FedRAMP secondary authorization request letter) Step 4 .Categorize Cloud System: (FIPS 199 / NIST Special Publications 800-30. NIST Special Publications 80030.

Where no deliverable is expected. 1b. The table provides the following information: Process Step – The distinct step in the process and divided into sub-steps identified with a letter appendix such as “1a”. they need to comply with the FedRAMP Moderate impact security control baseline (provided in Chapter 3) Description Primary responsibility Cloud System Owner and Customer Agency Notes/Instructions 1a. the Sponsoring Agency may add any agency specific controls over the FedRAMP baseline. to be supported by the cloud system. Process Step Deliverable (if applicable) 1 Categorize Cloud System Cloud Service Provider (CSP) makes a Authorization business decision of the security request letter impact level (Low or Moderate) they documenting FIPS wish to support or get authorized for 199 impact level their system/cloud offering. the table cell is blank.S. The table is organized by step process families relating to the aforementioned steps. Deliverable – A list of the deliverables associated with the steps if the step has any applicable deliverables. Primary Responsibility – The entity with the primary responsibility of executing/implementing the steps. Notes/Instructions – Specific comments on how the entity with primary responsible implements each step. they need to comply with the FedRAMP Low impact security control baseline (provided in Chapter 3) If the CSP chooses to be authorized at Moderate impact level. Government Cloud Computing A description of the process steps is listed in Table 4: FedRAMP Process Steps. Description – A high level description of the activities occurring with each step. 2 Select Security Controls If the CSP chooses to be authorized at Low impact level. and 1c In this phase.Proposed Security Assessment & Authorization for U. the customer Agency is required to categorize the information/data to be put in the cloud and determine if the impact level offered by the CSP is sufficient and appropriate to host their Agency data. In this phase. 2a and 2b Cloud System Owner Chapter Three: Potential Assessment & Authorization Approach Page 62 .

b. any compensating security controls as required by FedRAMP Control Tailoring Workbook Description Primary responsibility Sponsoring Agency Notes/Instructions Verify multi agency use of the system In order to undergo FedRAMP Authorization. System is a government offered system intended for use by multiple agencies. Contract Once all documents are received. This is required before assessment activities can begin to assure agreement of organizational settings by the JAB All service providers must complete the Control Implementation Summary Table Cloud Service Provider (CSP) Chapter Three: Potential Assessment & Authorization Approach Page 63 . c. System is sponsored by more than one agency Instruction: Complete column G of the workbook and submit to FedRAMP for verification/approval as part of the initial SSP with sections 1 12 and select controls in section 13 completed.Proposed Security Assessment & Authorization for U. and secondary A request package must include Authorization ALL of the following documents: Request Letter (if a. Authorization request applicable) letter from the Copy of Signed requesting agency’’s CIO.S. Government Cloud Computing Process Step 3a and 3b 4a Deliverable (if applicable) 3 Authorization Request Submit a Security Authorization FedRAMP primary request package to FedRAMP. System is an FCCI BPA Awardee. 4 Implement Controls The service provider begins the FedRAMP Control FedRAMP authorization process by Tailoring documenting generic controls Workbook implementation and defining the Control implementation settings for Implementation organization defined parameters and Summary table. the ““security authorization request”” will be officially acknowledged and documented in request log and FedRAMP will begin processing the system for security authorization. a system must qualify as shared use by meeting one of the following criteria: a.

Proposed Security Assessment & Authorization for U. The completed table identifies controls types (common vs. Government Cloud Computing Process Step Description Deliverable (if applicable) Primary responsibility Notes/Instructions (Sample provided in FedRAMP Templates) which is customized for the service provider’’s system and its environment.S. Not Implemented. 4b FedRAMP reviews the Control Tailoring Workbook provided by the vendor for compliance with FedRAMP security requirements and acceptable risk criteria Chapter Three: Potential Assessment & Authorization Approach Page 64 . The service provider completed table must reflect controls based on NIST 800 53 R3 and provide status for both controls and enhancements (as applicable per FIPS 199 impact and FedRAMP required controls). Partially Implemented. The columns can and should be customized to the service providers’’ environment to account for controls and minor apps (as necessary). Not Applicable) across all required controls. hybrid controls vs. app specific controls) with implementation status (Fully Implemented.

FedRAMP may request a meeting with the Service Provider at this stage to review the documents or give the go ahead to proceed with the authorization process. JAB (consisting of DHS. 4f and 4g 4h 4i Chapter Three: Potential Assessment & Authorization Approach Page 65 . which then asks the service provider to come for FedRAMP Authorization when they meet the FedRAMP requirements.Proposed Security Assessment & Authorization for U. JAB and requesting Agency review the Control Tailoring Workbook for compliance and alternate implementations/compensating controls to determine effectiveness and make a risk based decision. If approved. then see 4d and 4e.S. then FedRAMP notifies the requesting agency. JAB and the Requesting/sponsoring Agency jointly Approve/Reject the Control Tailoring Workbook and the decision to proceed further. Government Cloud Computing Process Step 4c Description FedRAMP determines if the Control Tailoring Workbook is ready for JAB review. Deliverable (if applicable) Primary responsibility Notes/Instructions 4d and 4e Instruction When the FedRAMP Control Tailoring Workbook and Control Summary have been completed and submitted to FedRAMP for review. otherwise FedRAMP sends the workbook back to the service provider to fix it. If yes. FedRAMP notifies the service provider of JAB approval and allow the vendor to proceed with the development of System Security Plan (SSP) and Assessment plan If rejected. DOD and GSA) and the Requesting/Sponsoring Agency receive a CSP/FedRAMP briefing on the generic control implementation.

must be used as the basis for all security assessment and continuous monitoring activities. then service provider proceeds with the development of SSP. System Security Plan and Security Assessment Plan should be submitted to the FedRAMP for review and approval at this time. If satisfactory. it is submitted to the FedRAMP for review. Upon completion of SSP and Assessment plan. Government Cloud Computing Process Step 4j Description If the Control Tailoring Workbook is approved. then see 5a otherwise the SSP and/or Assessment plan are sent back to the service provider to fix the issues identified. Instruction The FedRAMP must accept the System Security Plan and Security Assessment Plan before assessment activities can begin.S. 4k 4l FedRAMP reviews the SSP and Assessment plan.Proposed Security Assessment & Authorization for U. as located in reference materials. Deliverable (if applicable) System Security Plan (SSP) Assessment Plan Primary responsibility Notes/Instructions The FedRAMP security assessment test procedures. Assessment plan and implementation of the controls per SSP. Chapter Three: Potential Assessment & Authorization Approach Page 66 .

Proposed Security Assessment & Authorization for U. Chapter Three: Potential Assessment & Authorization Approach Page 67 . Update the SSP to reflect the actual state of the security controls implemented in the system following completion of security assessment activities. the Assessment service provider should engage third Report (SAR) party independent assessor to assess POA&M the effectiveness of implemented Updated SSP controls using FedRAMP’’s Assessment Procedures. Both SAR and POA&M are submitted to FedRAMP for review. Description Primary responsibility Notes/Instructions Service Provider Owner should update the system security plan based on the results of the risk assessment and any modifications to the security controls in the information system. Government Cloud Computing Process Step 5a 5b Deliverable (if applicable) 5 Assess Controls Upon approval of SSP and Security Assessment plan from FedRAMP. then FedRAMP provides these documents to the JAB including the requesting Agency with a summary of the results in the documents. Any outstanding issues should be documented in the POA&M’’s. FedRAMP repeats this process with the CSP until the documents are acceptable. The independent assessor documents the results of the assessment in the Security Assessment Report (SAR) using FedRAMP’’s template.S. FedRAMP reviews the test results documented in the SAR and any outstanding issues in the POA&M to determine if the documented risk seems acceptable for JAB. Once they are acceptable.

Government Cloud Computing Process Step 5c and 5d Description Deliverable (if applicable) Primary responsibility Notes/Instructions 5e 6a 6b and 6c 6d JAB and the requesting agency review the test results and POA&M’’s. JAB may have questions/concerns associated with the test results or outstanding issues. then the JAB notifies FedRAMP of their approval and the process moves to Step 6a. make a determination on the acceptance or rejection of the residual risk. If the test results demonstrate that the security controls are effectively implemented and if the outstanding issues in the POA&M are acceptable. FedRAMP and CSP Chapter Three: Potential Assessment & Authorization Approach Page 68 .S. FedRAMP communicates these with the CSP in this step. However. 6 Authorize Cloud System FedRAMP assembles the Complete CSP authorization package based on the authorization updated deliverables received from package the CSP to this point and makes a recommendation of acceptance or rejection of the package to the JAB JAB including the requesting/sponsoring Agency performs a final review of the CSP authorization package Based on the review in steps 6b and c.Proposed Security Assessment & Authorization for U.

Proposed Security Assessment & Authorization for U.S. then the JAB including the requesting/sponsoring Agency issues the Authority To Operate the cloud system 6h FedRAMP authorized systems are added to a repository of authorized systems that can be leveraged by other Federal Agencies 6i The cloud system is operational with Federal data processed on the system 7 Continuous Monitoring More details about the FedRAMP Continuous Monitoring phase can be found in Chapter 2: Continuous Monitoring. Government Cloud Computing Process Step 6e Description Deliverable (if applicable) Primary responsibility Notes/Instructions If rejected. Table 4: FedRAMP Process Steps Chapter Three: Potential Assessment & Authorization Approach Page 69 . then FedRAMP works with the CSP to refine the package until the residual risk in the cloud system is acceptable to the JAB 6f and 6g If accepted.

without justification Does not support 2-factor authentication from customer agency to cloud for moderate impact system.S. Windows to Linux.4. System Name and scope of authorization (examples of scope include IaaS.Proposed Security Assessment & Authorization for U. Does not support FIPS 140-2 from customer agency to the cloud. Threat Changes. FedRAMP will begin overseeing continuous monitoring of the system and advise the JAB of any changes to risk posture. Change in physical location. Change in SW (i. Privacy Act security posture change. False Positive claims are not supported by evidence files. entire or partial suite of products offered by CSP) FIPS 199 impact level supported by the cloud system Expiration date for Authorization Version of FedRAMP requirements and templates used to authorize the system Chapter Three: Potential Assessment & Authorization Approach Page 70 . several events take place. the system is added to the FedRAMP online repository of authorized systems.5. Next. OS Change (2K to 2K3.5. 3. Oracle to SQL). Lastly.e. The web based resource will maintain the following information for each currently authorized system. FedRAMP audit shows configuration. Change in Security Impact Level. Change in ISA/MOU. Hot fix patches not implemented. Government Cloud Computing 3. First. Table 5: FedRAMP Risk Acceptability Criteria Requires JAB Prior Approval Change in inter-connections. PaaS or SaaS. Risk Acceptability Criteria The following table lists the FedRAMP JAB acceptable risk criteria. which differs from presented documentation. In particular the table lists the “Not Acceptable” risk criteria and the ones requiring JAB prior approval. Authorization Maintenance Process Once a system has received a FedRAMP authorization. etc).2. OS out of lifecycle Support (Windows XP and before). FedRAMP will maintain an online repository of cloud system authorizations in two categories: Authorizations granted by the JAB Authorizations granted by individual Agencies This web based resource will be publicly accessible and will be the authoritative source of FedRAMP system authorization status. More than 5% of total security controls are reflected within the POA&M. Not Acceptable Vulnerability Scanner output has HIGH vulnerabilities not remediated. FedRAMP will begin facilitating agency access to the approved authorization package to enable agency review of the material.

or the Nation. Bureaus. The leveraging organization reviews the FedRAMP authorization package as the basis for determining risk to the leveraging organization. Leveraging organizations generate an authorization decision document and reference. or establishing constraints on the use of the information system or services provided by the system these items will be facilitated by FedRAMP. All of the FedRAMP authorizations do not consider the actual information placed in the system. The leveraged authorization approach provides opportunities for significant cost savings and avoids a potentially costly and time-consuming authorization process by the leveraging organization. as well as the overall risk tolerance of the leveraging organization. A FedRAMP joint authorization is not a “Federal Authority to Operate” exempting Federal Agencies. If the leveraging organization determines that there is insufficient information in the authorization package or inadequate security measures in place for establishing an acceptable level of risk. the results of continuous monitoring. When reviewing the authorization package. A FedRAMP Authorization provides a baseline Authorization for Federal Agencies.Proposed Security Assessment & Authorization for U. individuals. and Divisions to review and potentially leverage. As is consistent with the traditional authorization process.S. In almost all cases the FedRAMP authorization does not consider the actual provisioning of users and their proper security training. the leveraging organization considers risk factors such as the time elapsed since the authorization results were produced. In all cases additional security measures will need to be documented. and Divisions from individually granting Authorities to Operate. or transmitted. the leveraging organization needs to communicate that to FedRAMP.6. Government Cloud Computing Points of Contact for the cloud system FedRAMP will also maintain a secure website (separate from the public website) accessible only to Federal officials to access CSP authorization packages and communicate cloud system specific updates on the risk posture. information in the authorization package from FedRAMP. Authorization Leveraging Process The purpose of all of the FedRAMP authorizations is to facilitate the leveraging of these authorizations for use by multiple federal agencies (“Approve once. stored. Leveraging such authorizations is employed when a federal agency chooses to accept all of the information in an existing authorization package via FedRAMP. an authorizing official in the leveraging organization is both responsible and accountable for accepting the security risks that may impact the leveraging organization’s operations and assets. but consider any other additional security controls for implementation and inclusion in the baseline FedRAMP security controls. the criticality/sensitivity of the information to be processed. It is the leveraging agencies responsibility to do proper information categorization and determination if privacy information will be properly protected and if a complete Privacy Impact Assessment is in place. FedRAMP will provide leveraging agencies with access to the authorization packages to assist in their risk management decision. If additional information is needed or additional security measures are needed such as increasing specific security controls. Bureaus. The goal is to keep unique requirements to a minimum. implementing other compensating controls. The leveraging organization documents those measures Chapter Three: Potential Assessment & Authorization Approach Page 71 . as appropriate. conducting additional assessments. 3. Use often”). other organizations.

Proposed Security Assessment & Authorization for U. FedRAMP will report the base system for FISMA purposes and the leveraging agency will need to report their authorization via their organizational FISMA process. as appropriate. updates to the security plan (for the controls that is customer Agency’s implementation responsibility). This requires the sharing of information resulting from continuous monitoring activities conducted by FedRAMP and will be provided to agencies that notify FedRAMP that they are leveraging a particular package. To enhance the security of all parties. individuals. in addition to this online web portal. Additional emails. a single organizational official in a senior leadership position in the leveraging organization is both responsible and accountable for accepting the information system-related security risks that may impact the leveraging organization’s operations and assets. other organizations. 3. Consistent with the traditional authorization process. Government Cloud Computing by creating an addendum to the original authorization package of FedRAMP or a limited version of a complete package that references the FedRAMP authorization. and security status reports. The leveraged authorization remains in effect as long as the leveraging organization accepts the information system-related security risks and the authorization meets the requirements established by federal and/or organizational policies. security assessment report. Leveraging Agencies. the Chapter Three: Potential Assessment & Authorization Approach Page 72 . At a minimum. To streamline the workflow. The updates will include such items as updates to the security plan.S. proactive communication is required to ensure the success of each individual cloud system authorization. security assessment report. and the Cloud Service Providers. the communication plan may be updated to respond to required changes to the communication process. a secure website is under development to facilitate updates on status. FedRAMP and Sponsoring and Leveraging Agencies will communicate regularly to ensure that information is disseminated effectively. Sponsoring Agencies. However. conference calls and in-person meetings to facilitate the process as the team deems necessary may augment the communication plan. or the Nation. This addendum may include. provide secure posting of artifacts and provide baseline information. and/or leveraging organization’s plan of action and milestones.7. As changes are integrated into the requirement process. Unacceptable) Missing Artifact List Incident Report The communication plan in Table 6: Communications Plan identifies the touch points and how communication will be delivered between FedRAMP. plan of action and milestones. the results from any RMF-related activities it conducts to supplement the authorization results produced by the owning organization. It is expected that the Cloud Service Providers. the leveraging organization can also share with the owning organization. The following communication templates will be employed: Sponsorship Letter Status Report Confirmation Receipts (Complete Package. Communications Process FedRAMP interacts with multiple stakeholders during the security lifecycle of a system. Incomplete Package) Review Recommendation (Acceptable.

Government Cloud Computing communication plan will be reviewed annually.Proposed Security Assessment & Authorization for U. Chapter Three: Potential Assessment & Authorization Approach Page 73 . Target Audience – Receivers of the deliverable in the communication process.S. the communication flow in the following areas: The table is organized by phases and depicts Trigger Event – Identifies the event that will start the require communication during the different operational processes of FedRAMP Deliverable –Artifact used to communicate the results/output of the trigger event to FedRAMP stakeholders Initiator – The entity responsible for starting the communication process. Delivery Method – How the artifacts will be communicated to the target audience.

FedRAMP will respond to email questions within two business days. Uploaded to Secure Web Portal. Securely uploaded through FedRAMP Website. Assessment and Authorization Phases 1 2 Initiation of FedRAMP A&A Process Receipt of Sponsorship Letter Sponsorship Letter. Cloud Service Provider FedRAMP Cloud Service Provider FedRAMP Cloud Service Provider 4 5 Questions about requirements Received Questions Email Inquiry Email Clarification Cloud Service Provider FedRAMP 6 7 Package Submission Completed Package Submission Completed Artifact(s) Cloud Service Provider Confirmation FedRAMP Receipt – Completed Package Chapter Three: Potential Assessment & Authorization Approach Page 74 .Proposed Security Assessment & Authorization for U. Government Cloud Computing # Trigger Event Deliverable Initiator Authorization Request. this first meeting will allow the participants an opportunity to understand the process and establish milestone dates. the status report is updated weekly advising of current status and future target dates. Contract Kickoff Meeting Sponsoring Agency FedRAMP Target Audience FedRAMP Sponsoring Agency. Cloud Service Provider may email questions to FedRAMP. Emailed acknowledgement receipt by FedRAMP Review Team identifies the received artifacts and target date for completed review. 3 Weekly Status Report Status Report FedRAMP Sponsoring Agency. Cloud Service Provider Delivery Method Upload through FedRAMP Website Scheduled with the participants identified through the sponsorship letter.S.

Proposed Security Assessment & Authorization for U. Emailed recommendation explains the Cloud Service Provider’s compliance with the required risk management controls. improvements recommended Findings Review Meeting FedRAMP Sponsoring Agency. Emailed Review Recommendation includes individual areas of focus required by the Cloud Service Provider to be compliant with FedRAMP requirements. Cloud Service Provider 10 FedRAMP completes artifact review. Cloud Service Provider Authorization Maintenance Phase Chapter Three: Potential Assessment & Authorization Approach Page 75 . 9 FedRAMP completes artifact review. Scheduled by FedRAMP.S. Sponsoring Agency. recommends ATO Review Recommendation FedRAMP JAB. Government Cloud Computing # 8 Trigger Event Incomplete Package Submission Deliverable Confirmation Receipt – Incomplete Package Initiator FedRAMP Target Audience Cloud Service Provider Delivery Method Emailed acknowledgement receipt by FedRAMP Review Team identifies which artifacts have been received and which are still missing. this meeting allows the Cloud Service Provider and the Sponsoring Agency an opportunity to discuss and understand any deficiencies identified by the FedRAMP review team. recommends improvements Review Recommendation FedRAMP Cloud Service Provider 11 Completed review.

FedRAMP Target Audience Cloud Service Provider.Proposed Security Assessment & Authorization for U. Leveraging Agency Delivery Method Post the following information on a public FedRAMP website about the authorized system: System Name FIPS 199 impact level the system is authorized at Version of FedRAMP security controls and other templates used Authorization Expiration Date Privacy Questionnaire Maintain the authorization package including but not limited to SSP. Incident reporting plan. Sponsoring Agency. Contingency Plan. Government Cloud Computing # 12 Trigger Event FedRAMP authorizes system Deliverable Joint Authorization Letter Initiator JAB. SAR. POA&M’s on a secure website accessible by Government officials only 13 Granting authorization package access to leveraging Agencies CSP Authorization Package FedRAMP Leveraging Agency Provide secure access (login) to Government-only website for accessing CSP authorization package Continuous Monitoring Phase Chapter Three: Potential Assessment & Authorization Approach Page 76 .S.

Email acknowledgement receipt of uploaded artifacts. SSP.g. Email Notification of what issues the Cloud Service Provider is required to remediate to remain within compliance. Cloud Service Provider 17 Unacceptable Artifacts FedRAMP 18 Updated Artifacts not received with 1 week of due date Updated Artifacts not received with 2 weeks of due date Incident Missing Artifact List FedRAMP Cloud Service Provider Leveraging Agencies. Email Notification to the Cloud Service Provider that their artifacts have not been received and their ATO is at risk. POA&M’s) Receipt of Updated Artifacts Accepted Artifacts Deliverable Updated Artifacts Initiator Cloud Service Provider Target Audience FedRAMP Delivery Method Uploaded to Secure Web Portal. the Cloud Service Provider will post all regular recurring artifacts for FedRAMP team review. Update on secure website that Cloud Service Providers updated artifacts meet compliance requirements. Cloud Service Provider Leveraging Agencies.S. FedRAMP 17 Missing Artifact List FedRAMP 18 Incident Reporting/Notificati on Cloud Service Provider Table 6: Communications Plan Chapter Three: Potential Assessment & Authorization Approach Page 77 . Government Cloud Computing # 14 Trigger Event Creation of updated artifacts (e. Update on Secure Web Site identifying outstanding issues.Proposed Security Assessment & Authorization for U. 15 16 Confirmation Receipt Review Recommendation – Acceptable Review Recommendation Unacceptable FedRAMP FedRAMP Cloud Service Provider Leveraging Agencies. Cloud Service Provider Leveraging Agencies. Email Notification to the Cloud Service Provider that their artifacts have not been received.

PaaS. academic collaborations. FedRAMP and the JAB will rely on both ISIMC and NIST to recommend changes to security controls over time. these will be considered for updates to FedRAMP security requirements and evaluation criteria/test procedures. FedRAMP JAB will meet regularly to discuss any required updates and possible inclusion of these additional security measures to FedRAMP security controls baseline and assessment procedures/evaluation criteria. As the cloud computing market matures.8. The following sections define the FedRAMP change management process. There are multiple industry groups. Update to NIST special publications and FIPS publications: FedRAMP templates and requirements are based on the NIST special publications and FIPS publications. Government Cloud Computing 3.S. Agency-Specific requirements beyond the FedRAMP baseline: Federal Agencies leveraging FedRAMP authorizations for use within their own Agencies may add specific additional security controls. Factors for change The following internal and external factors will drive the change to FedRAMP security requirements.8. FedRAMP will maintain a list of these additions and may consider updating either the FedRAMP baseline for all cloud systems or just that specific Chapter Three: Potential Assessment & Authorization Approach Page 78 . are adopted. which is currently under active investigation. The leveraging agencies should notify FedRAMP of these additional requirements. As these cloud computing best practices evolve. conduct additional assessments.1. If the NIST SP 800-53 r3 is updated with new security controls and enhancements for low and moderate impact level. If different leveraging Agencies have added different requirements and additional security measures for the same cloud system. or require implementation of other compensating controls. While these bodies will not have the authority to implement the changes. SaaS). It should be noted that security requirements can only be approved for change by the JAB. FedRAMP security requirements. FedRAMP security controls will need to be updated.Proposed Security Assessment & Authorization for U. processes and templates. processes and templates will also under go an evolution. their expertise and reputation lend themselves to providing invaluable assistance to FedRAMP. As the solutions for various cloud service models (IaaS. if NIST publishes new guidance associated with cloud computing best practices. Also. engineering teams. Credential and Access Management (ICAM) will drive updates to FedRAMP requirements for wider adoption of cloud computing systems and services across the Government. Requirements from other Federal security initiatives: Government-wide security initiatives and mandates such as Trusted Internet Connections (TIC) and Identity. policy firms and assorted cadre of experts striving to maximize the potential of cloud computing in a secure environment. best practices associated with the implementation and testing of security controls will evolve. Change Management Process The technology changes within the dynamic and scalable cloud computing environment are expected to be quite swift. they will be disseminated by FedRAMP. It is therefore obvious that FedRAMP will maintain resources to keep abreast of the technological and security enhancements in near real time. 3.

8. All compensating controls must receive authorization from the JAB. the CSP may request a waiver. CSP’s have 30 days to develop and submit an implementation plan.S. As cloud computing market matures and as industry develops new tools and technologies for automated and near real time monitoring of controls and automated mechanisms for exposing audit data to comply with regulatory requirements become available. Chapter Three: Potential Assessment & Authorization Approach Page 79 . and resource allocations documenting the future implementation due to the nature of the control itself. Requirements for Cloud Service Provider Change Control Process Once a requirement is approved. These also serve to provide a more uniform content collection method that aids the CSP and agencies with achieving authorization status for the cloud service offering. portability and security. FedRAMP is to be notified and the security control baseline will be adjusted and documented. updated templates will be posted to the FedRAMP website with instructions related to use. depending on the particular infrastructure related to the security control. The implementation plan needs to define the actions that the CSP must perform in order to comply with the new requirement. additional requirements and assessments might be necessary to ensure that robust security posture of the system is maintained. 3. However. Government Cloud Computing cloud system. Over time. When situations arise where the new requirement cannot be implemented on a system due to the legacy nature of the infrastructure. However.3. In most cases the implementation of the new control will be implemented within the 30 day window. methodologies evolve. FedRAMP processes will also be updated accordingly. Changes to cloud service provider offering: As new features and components are added to the cloud service provider offering. with milestones. CSP’s are responsible for implementing the plans. it accomplishes the goal in a different manner. This control will accomplish the same goal as the new requirement. Furthermore. It should be noted that FedRAMP security document templates are designed to assist the user with proper documentation related to their authorization package. there may be instances where the implementation of the controls will require the CSP to add the control to the POAM sheet. though rare. As changes are made. target date.Proposed Security Assessment & Authorization for U. must be presented to the JAB for approval. or new technologies and threats present themselves.8. Security Documents/Templates Change Control All security document templates are to be considered “living documents”. 3. In both cases. Industry best practices.2. FedRAMP is solely responsible for implementing these changes. FedRAMP will assess these additional controls/measures during the continuous monitoring phase. or in cases where the control itself will have a severely negative impact on the mission of the system. it is understood that. Waivers. these documents will undergo some degree of modification. as requirements change. Once the control change is implemented. that it might be necessary for the CSP to implement a compensating control. development of standards or use of new tools/technology: FedRAMP requirements may be updated to adopt new standards as they are created for cloud computing interoperability.

Chapter Three: Potential Assessment & Authorization Approach Page 80 . Responsibilities related to the cloud computing service offering should be limited to the interconnection between the agency and the CSP. Sponsoring Agency CCP Sponsoring federal agencies maintain their responsibility for establishing and maintaining their own internal change control process.Proposed Security Assessment & Authorization for U. and the input to any change requests.8.S. Government Cloud Computing 3.4.

Proposed Security Assessment & Authorization for U.S.S. Government Cloud 11/02/2010 Computing Version Author 0.96 Federal Cloud Computing Initiative Chapter Three: Potential Assessment & Authorization Approach Page 81 . Government Cloud Computing Document Revision History Date Description Proposed Security Assessment & Authorization for U.