FedRAMP | Compliance | Fluid Attacks Help

FedRAMP


Summary

FedRAMP is a U.S. Government program designed to standardize how the Federal Information Security Management Act (FISMA) applies to cloud computing services. It provides a standardized approach to the security assessment, authorization, and continuous monitoring of cloud-based services.
FedRAMP defines a set of security control implementations, organized by system security impact level, that are based on the NIST SP 800-53 baseline controls.

Definitions

Definition
    Requirements

AC-2_3. Account management - Disable inactive accounts
    023. Terminate inactive user sessions
    144. Remove inactive accounts periodically
AC-2_5. Account management - Inactivity logout
    028. Allow users to log out
AC-2_7. Account management - Role-based schemes
    095. Define users with privileges
    096. Set user's required privileges
AC-2_12. Account management - Account monitoring, atypical usage
    376. Register severity level
AC-6_1. Least privilege - Authorize access to security functions
    033. Restrict administrative access
    035. Manage privilege modifications
    096. Set user's required privileges
AC-6_2. Least privilege - Non-privileged access for nonsecurity functions
    096. Set user's required privileges
AC-6_3. Least privilege - Network access to privileged commands
    033. Restrict administrative access
AC-6_8. Least privilege - Privilege levels for code execution
    352. Enable trusted execution
AC-7_2. Unsuccessful logon - Purge, wipe mobile device
    210. Delete information from mobile devices
AC-8. System use notification
    227. Display access notification
AC-10. Concurrent session control
    025. Manage concurrent sessions
AC-11. Session lock
    114. Deny access with inactive credentials
AC-22. Publicly accessible content
    045. Remove metadata when sharing files
    261. Avoid exposing sensitive information
    265. Restrict access to critical processes
    325. Protect WSDL files
AU-3_2. Centralized management of planned audit record content
    377. Store logs based on valid regulation
    378. Use of log management system
AU-8. Time stamps
    079. Record exact occurrence time of events
AU-8_1. Synchronization with authoritative time source
    363. Synchronize system clocks
AU-12_3. Audit regeneration - Changes by authorized individuals
    080. Prevent log modification
    322. Avoid excessive logging
    378. Use of log management system
CA-2_2. Security assessment - Specialized assessments
    041. Scan files for malicious code
    115. Filter malicious emails
    155. Application free of malicious code
    340. Use octet stream downloads
    376. Register severity level
CA-2_3. Security assessment - External organizations
    161. Define secure default options
    262. Verify third-party components
    314. Provide processing confirmation
CA-3. System interconnections
    181. Transmit data using secure protocols
    321. Avoid deserializing untrusted data
CA-3_3. Unclassified non-national security system connections
    153. Out of band transactions
    336. Disable insecure TLS versions
CA-6. Security authorization
    095. Define users with privileges
CA-7. Continuous monitoring
    075. Record exceptional events in logs
    078. Disable debugging events
    079. Record exact occurrence time of events
    080. Prevent log modification
    376. Register severity level
    378. Use of log management system
CM-2_1. Baseline configuration - Reviews and updates
    353. Schedule firmware updates
CM-3_6. Baseline configuration - Cryptography management
    147. Use pre-existent mechanisms
    151. Separate keys for encryption and signatures
    224. Use secure cryptographic mechanisms
CM-5_5. Access restrictions for change - Limit production, operational privileges
    035. Manage privilege modifications
    096. Set user's required privileges
    186. Use the principle of least privilege
    265. Restrict access to critical processes
CM-7. Least functionality
    154. Eliminate backdoors
    255. Allow access only to the necessary ports
CM-7_5. Least functionality - Authorized software, whitelisting
    326. Detect rooted devices
    344. Avoid dynamic code execution
    352. Enable trusted execution
IA-2_11. Identification and authentication - Remote access, separate device
    362. Assign MFA mechanisms to a single account
IA-4. Identifier management
    023. Terminate inactive user sessions
    030. Avoid object reutilization
IA-5_1. Authenticator management - Password-based authentication
    130. Limit password lifespan
    131. Deny multiple password changing attempts
    132. Passphrases with at least 4 words
    133. Passwords with at least 20 characters
    138. Define lifespan for temporary passwords
    139. Set minimum OTP length
IA-5_3. Authenticator management - In-person or trusted third-party registration
    137. Change temporary passwords of third parties
IA-5_8. Authenticator management - Multiple information system accounts
    025. Manage concurrent sessions
MP-2. Media access
    176. Restrict system objects
    205. Configure PIN
    229. Request access credentials
    264. Request authentication
    351. Assign unique keys to each device
MP-5. Media transport
    153. Out of band transactions
    181. Transmit data using secure protocols
    335. Define out of band token lifespan
MP-6. Media sanitization
    210. Delete information from mobile devices
    214. Allow data destruction
PE-3. Physical access control
    114. Deny access with inactive credentials
    231. Implement a biometric verification component
    362. Assign MFA mechanisms to a single account
PE-16. Delivery and removal
    160. Encode system outputs
    173. Discard unsafe inputs
PS-3_3. Personnel screening - Information with special protection measures
    095. Define users with privileges
    096. Set user's required privileges
PS-7. Third-party personnel security
    137. Change temporary passwords of third parties
    262. Verify third-party components
    318. Notify third parties of changes
RA-5. Vulnerability scanning
    041. Scan files for malicious code
    062. Define standard configurations
    118. Inspect attachments
    155. Application free of malicious code
RA-5_4. Privileged access
    095. Define users with privileges
SA-1. System and services acquisition policy and procedures
    331. Guarantee legal compliance
SA-9. External information system services
    262. Verify third-party components
SA-10. Developer configuration management
    062. Define standard configurations
SC-1. System and communications protection policy and procedures
    331. Guarantee legal compliance
SC-8. Transmission confidentiality and integrity
    176. Restrict system objects
    181. Transmit data using secure protocols
    321. Avoid deserializing untrusted data
    336. Disable insecure TLS versions
    338. Implement perfect forward secrecy
SC-8_1. Cryptographic or alternate physical protection
    147. Use pre-existent mechanisms
    224. Use secure cryptographic mechanisms
    250. Manage access points
    257. Access based on user credentials
SC-10. Network disconnect
    023. Terminate inactive user sessions
    335. Define out of band token lifespan
SC-12_2. Cryptographic key establishment and management - Symmetric keys
    145. Protect system cryptographic keys
    149. Set minimum size of symmetric encryption
    372. Proper Use of Initialization Vector (IV)
SC-13. Cryptographic protection
    145. Protect system cryptographic keys
    146. Remove cryptographic keys from RAM
    224. Use secure cryptographic mechanisms
    361. Replace cryptographic keys
SC-28. Protection of information at rest
    062. Define standard configurations
    176. Restrict system objects
    329. Keep client-side storage without sensitive data
SI-3. Malicious code protection
    041. Scan files for malicious code
    155. Application free of malicious code
    340. Use octet stream downloads
SI-5. Security alerts, advisories, and directives
    075. Record exceptional events in logs
    173. Discard unsafe inputs
    227. Display access notification
    301. Notify configuration changes
    318. Notify third parties of changes
    358. Notify upcoming expiration dates