FedRAMP Requirements

The Federal Risk and Authorization Management Program, known as FedRAMP, is a standardized, government-wide program for security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. It is mandatory for federal agency cloud deployments and service models categorized at the Low, Moderate, and High impact levels.

FedRAMP uses NIST SP 800-53 as its catalog of security controls and NIST SP 800-37 (the Risk Management Framework) for the authorization process, and a FedRAMP assessment formally evaluates up to 17 control families.


The 17 control families and the controls shown for each (NIST SP 800-53 control identifiers and titles):

Access Control (AC): AC-1 Access Control Policy & Procedures; AC-2 Account Management; AC-3 Access Enforcement; AC-4 Information Flow Enforcement; AC-5 Separation of Duties; AC-6 Least Privilege; AC-7 Unsuccessful Logon Attempts; AC-8 System Use Notification; AC-11 Session Lock; AC-12 Session Termination; AC-14 Permitted Actions without Identification or Authentication; AC-17 Remote Access; AC-18 Wireless Access; AC-19 Access Control for Mobile Devices; AC-20 Use of External Information Systems; AC-21 Information Sharing; AC-22 Publicly Accessible Content.

Security Awareness & Training (AT): AT-1 Security Awareness & Training Policy & Procedures; AT-2 Security Awareness Training; AT-3 Role-Based Security Training; AT-4 Security Training Records.

Audit & Accountability (AU): AU-1 Audit & Accountability Policy & Procedures; AU-2 Audit Events; AU-3 Content of Audit Records; AU-4 Audit Storage Capacity; AU-5 Response to Audit Processing Failures; AU-6 Audit Review, Analysis & Reporting; AU-7 Audit Reduction & Report Generation; AU-8 Time Stamps; AU-9 Protection of Audit Information; AU-11 Audit Record Retention; AU-12 Audit Generation.

Security Assessment & Authorization (CA): CA-1 Security Assessment & Authorization Policy & Procedures; CA-2 Security Assessments; CA-3 System Interconnections; CA-5 Plan of Action & Milestones; CA-6 Security Authorization; CA-7 Continuous Monitoring; CA-9 Internal System Connections.

Configuration Management (CM): CM-1 Configuration Management Policy & Procedures; CM-2 Baseline Configuration; CM-3 Configuration Change Control; CM-4 Security Impact Analysis; CM-5 Access Restrictions for Change; CM-6 Configuration Settings; CM-7 Least Functionality; CM-8 Information System Component Inventory; CM-9 Configuration Management Plan; CM-10 Software Usage Restrictions; CM-11 User-Installed Software.

Contingency Planning (CP): CP-1 Contingency Planning Policy & Procedures; CP-2 Contingency Plan; CP-3 Contingency Training; CP-4 Contingency Plan Testing; CP-6 Alternate Storage Site; CP-7 Alternate Processing Site; CP-8 Telecommunications Services; CP-9 Information System Backup; CP-10 Information System Recovery & Reconstitution.

Identification & Authentication (IA): IA-1 Identification & Authentication Policy & Procedures; IA-2 Identification & Authentication (Organizational Users); IA-3 Device Identification & Authentication; IA-4 Identifier Management; IA-5 Authenticator Management; IA-6 Authenticator Feedback; IA-7 Cryptographic Module Authentication; IA-8 Identification & Authentication (Non-Organizational Users).

Incident Response (IR): IR-1 Incident Response Policy & Procedures; IR-2 Incident Response Training; IR-3 Incident Response Testing; IR-4 Incident Handling; IR-5 Incident Monitoring; IR-6 Incident Reporting; IR-7 Incident Response Assistance; IR-8 Incident Response Plan.

Maintenance (MA): MA-1 System Maintenance Policy & Procedures; MA-2 Controlled Maintenance; MA-3 Maintenance Tools; MA-4 Nonlocal Maintenance; MA-5 Maintenance Personnel; MA-6 Timely Maintenance.

Media Protection (MP): MP-1 Media Protection Policy & Procedures; MP-2 Media Access; MP-3 Media Marking; MP-4 Media Storage; MP-5 Media Transport; MP-6 Media Sanitization; MP-7 Media Use.

Physical & Environmental Protection (PE): PE-1 Physical & Environmental Protection Policy & Procedures; PE-2 Physical Access Authorizations; PE-3 Physical Access Control; PE-4 Access Control for Transmission Medium; PE-5 Access Control for Output Devices; PE-6 Monitoring Physical Access; PE-8 Visitor Access Records; PE-9 Power Equipment & Cabling; PE-10 Emergency Shutoff; PE-11 Emergency Power; PE-12 Emergency Lighting; PE-13 Fire Protection; PE-14 Temperature & Humidity Controls; PE-15 Water Damage Protection; PE-16 Delivery & Removal; PE-17 Alternate Work Site.

Planning (PL): PL-1 Security Planning Policy & Procedures; PL-2 System Security Plan; PL-4 Rules of Behavior; PL-8 Information Security Architecture.

Personnel Security (PS): PS-1 Personnel Security Policy & Procedures; PS-2 Position Risk Designation; PS-3 Personnel Screening; PS-4 Personnel Termination; PS-5 Personnel Transfer; PS-6 Access Agreements; PS-7 Third-Party Personnel Security; PS-8 Personnel Sanctions.

Risk Assessment (RA): RA-1 Risk Assessment Policy & Procedures; RA-2 Security Categorization; RA-3 Risk Assessment; RA-5 Vulnerability Scanning.

System & Services Acquisition (SA): SA-1 System & Services Acquisition Policy & Procedures; SA-2 Allocation of Resources; SA-3 System Development Life Cycle; SA-4 Acquisition Process; SA-5 Information System Documentation; SA-8 Security Engineering Principles; SA-9 External Information System Services; SA-10 Developer Configuration Management; SA-11 Developer Security Testing & Evaluation.

System & Communications Protection (SC): SC-1 System & Communications Protection Policy & Procedures; SC-2 Application Partitioning; SC-4 Information in Shared Resources; SC-5 Denial of Service Protection; SC-7 Boundary Protection; SC-8 Transmission Confidentiality & Integrity; SC-10 Network Disconnect; SC-12 Cryptographic Key Establishment & Management; SC-13 Cryptographic Protection; SC-15 Collaborative Computing Devices; SC-17 Public Key Infrastructure Certificates; SC-18 Mobile Code; SC-19 Voice over Internet Protocol; SC-20 Secure Address Resolution (Authoritative Source); SC-21 Secure Address Resolution (Recursive Resolver); SC-22 Architecture & Provisioning for Address Resolution Service; SC-23 Session Authenticity; SC-28 Protection of Information at Rest; SC-39 Process Isolation.

System & Information Integrity (SI): SI-1 System & Information Integrity Policy & Procedures; SI-2 Flaw Remediation; SI-3 Malicious Code Protection; SI-4 Information System Monitoring; SI-5 Security Alerts, Advisories & Directives; SI-7 Software, Firmware & Information Integrity; SI-8 Spam Protection; SI-10 Information Input Validation; SI-11 Error Handling; SI-12 Information Handling & Retention; SI-16 Memory Protection.

Continuous Compliance Solution with RiskForesight

Caveonix RiskForesight implements continuous compliance monitoring for the controls that FedRAMP assessment and reporting depend on, across infrastructure and applications. RiskForesight performs thousands of checks mapped to FedRAMP control requirements and to more than 20 other security and privacy frameworks, including the NIST Cybersecurity Framework, PCI DSS, and NIST SP 800-53. It tracks and reports your adherence to FedRAMP requirements at the Low, Moderate, and High impact levels, and determines the effect of vulnerabilities and configuration changes on your compliance baseline. RiskForesight detects compliance drift, analyzes the resulting risk, and provides recommendations to bring your applications back into compliance.

Additionally, RiskForesight measures configurations against global configuration benchmarks and generates audit and compliance packages with detailed audit artifacts attesting to your compliance.
