├── .gitignore ├── Gemfile ├── Gemfile.lock ├── LICENSE.md ├── README.md ├── _config.yml ├── _data ├── favicons.yml ├── footer.yml ├── header.yml └── navigation.yml ├── _pages ├── cmplan.md ├── fedramp-tailored.md ├── fedramp_moderate.md ├── overview.md └── poam_template.md ├── _site ├── assets │ ├── css │ │ ├── custom.css │ │ └── main.css │ ├── js │ │ └── vendor │ │ │ └── anchor.min.js │ └── uswds │ │ ├── fonts │ │ ├── merriweather-bold-webfont.eot │ │ ├── merriweather-bold-webfont.ttf │ │ ├── merriweather-bold-webfont.woff │ │ ├── merriweather-bold-webfont.woff2 │ │ ├── merriweather-italic-webfont.eot │ │ ├── merriweather-italic-webfont.ttf │ │ ├── merriweather-italic-webfont.woff │ │ ├── merriweather-italic-webfont.woff2 │ │ ├── merriweather-light-webfont.eot │ │ ├── merriweather-light-webfont.ttf │ │ ├── merriweather-light-webfont.woff │ │ ├── merriweather-light-webfont.woff2 │ │ ├── merriweather-regular-webfont.eot │ │ ├── merriweather-regular-webfont.ttf │ │ ├── merriweather-regular-webfont.woff │ │ ├── merriweather-regular-webfont.woff2 │ │ ├── sourcesanspro-bold-webfont.eot │ │ ├── sourcesanspro-bold-webfont.ttf │ │ ├── sourcesanspro-bold-webfont.woff │ │ ├── sourcesanspro-bold-webfont.woff2 │ │ ├── sourcesanspro-italic-webfont.eot │ │ ├── sourcesanspro-italic-webfont.ttf │ │ ├── sourcesanspro-italic-webfont.woff │ │ ├── sourcesanspro-italic-webfont.woff2 │ │ ├── sourcesanspro-light-webfont.eot │ │ ├── sourcesanspro-light-webfont.ttf │ │ ├── sourcesanspro-light-webfont.woff │ │ ├── sourcesanspro-light-webfont.woff2 │ │ ├── sourcesanspro-regular-webfont.eot │ │ ├── sourcesanspro-regular-webfont.ttf │ │ ├── sourcesanspro-regular-webfont.woff │ │ └── sourcesanspro-regular-webfont.woff2 │ │ ├── img │ │ ├── alerts │ │ │ ├── error.png │ │ │ ├── error.svg │ │ │ ├── info.png │ │ │ ├── info.svg │ │ │ ├── success.png │ │ │ ├── success.svg │ │ │ ├── warning.png │ │ │ └── warning.svg │ │ ├── angle-arrow-down-hover.png │ │ ├── angle-arrow-down-hover.svg │ │ ├── 
angle-arrow-down-primary-hover.png │ │ ├── angle-arrow-down-primary-hover.svg │ │ ├── angle-arrow-down-primary.png │ │ ├── angle-arrow-down-primary.svg │ │ ├── angle-arrow-down.png │ │ ├── angle-arrow-down.svg │ │ ├── angle-arrow-up-primary-hover.png │ │ ├── angle-arrow-up-primary-hover.svg │ │ ├── angle-arrow-up-primary.png │ │ ├── angle-arrow-up-primary.svg │ │ ├── arrow-down.png │ │ ├── arrow-down.svg │ │ ├── arrow-right.png │ │ ├── arrow-right.svg │ │ ├── circle-124.png │ │ ├── close.png │ │ ├── close.svg │ │ ├── correct8.png │ │ ├── correct8.svg │ │ ├── correct9.png │ │ ├── correct9.svg │ │ ├── external-link-alt-hover.png │ │ ├── external-link-alt-hover.svg │ │ ├── external-link-alt.png │ │ ├── external-link-alt.svg │ │ ├── external-link-hover.png │ │ ├── external-link-hover.svg │ │ ├── external-link.png │ │ ├── external-link.svg │ │ ├── favicons │ │ │ ├── favicon-114.png │ │ │ ├── favicon-144.png │ │ │ ├── favicon-16.png │ │ │ ├── favicon-192.png │ │ │ ├── favicon-40.png │ │ │ ├── favicon-57.png │ │ │ ├── favicon-72.png │ │ │ ├── favicon.ico │ │ │ └── favicon.png │ │ ├── hero.png │ │ ├── icon-dot-gov.svg │ │ ├── icon-https.svg │ │ ├── logo-img.png │ │ ├── minus-alt.png │ │ ├── minus-alt.svg │ │ ├── minus.png │ │ ├── minus.svg │ │ ├── plus-alt.png │ │ ├── plus-alt.svg │ │ ├── plus.png │ │ ├── plus.svg │ │ ├── search-alt.png │ │ ├── search-alt.svg │ │ ├── search.png │ │ ├── search.svg │ │ ├── social-icons │ │ │ ├── png │ │ │ │ ├── facebook25.png │ │ │ │ ├── rss25.png │ │ │ │ ├── twitter16.png │ │ │ │ └── youtube15.png │ │ │ └── svg │ │ │ │ ├── facebook25.svg │ │ │ │ ├── rss25.svg │ │ │ │ ├── twitter16.svg │ │ │ │ └── youtube15.svg │ │ └── us_flag_small.png │ │ └── js │ │ ├── uswds.js │ │ ├── uswds.min.js │ │ └── uswds.min.js.map ├── fedramp_moderate │ └── index.html └── index.html ├── assets ├── css │ └── custom.scss └── img │ ├── oclogo.png │ └── paper.jpg └── ssp ├── ac.md ├── at.md ├── au.md ├── ca.md ├── cm.md ├── cp.md ├── fedramp_moderate.md ├── ia.md ├── 
ir.md ├── ma.md ├── mp.md ├── pe.md ├── pl.md ├── poam_template.md ├── ps.md ├── ra.md ├── sa.md ├── sc.md └── si.md /.gitignore: -------------------------------------------------------------------------------- 1 | tmp/ 2 | _site/ 3 | .sass-cache/ 4 | .DS_store 5 | .*.swp 6 | .jekyll-metadata 7 | .jekyll-cache 8 | .jekyll-cache/* -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | 3 | gem 'jekyll' 4 | gem 'uswds-jekyll', :git => 'https://github.com/18F/uswds-jekyll.git' 5 | -------------------------------------------------------------------------------- /Gemfile.lock: -------------------------------------------------------------------------------- 1 | GIT 2 | remote: https://github.com/18F/uswds-jekyll.git 3 | revision: 413413405c01ffbbb039ab7bd38767db9ab87484 4 | specs: 5 | uswds-jekyll (4.2.0) 6 | jekyll (>= 3.4, < 5) 7 | 8 | GEM 9 | remote: https://rubygems.org/ 10 | specs: 11 | addressable (2.7.0) 12 | public_suffix (>= 2.0.2, < 5.0) 13 | colorator (1.1.0) 14 | concurrent-ruby (1.1.5) 15 | em-websocket (0.5.1) 16 | eventmachine (>= 0.12.9) 17 | http_parser.rb (~> 0.6.0) 18 | eventmachine (1.2.7) 19 | ffi (1.11.1) 20 | forwardable-extended (2.6.0) 21 | http_parser.rb (0.6.0) 22 | i18n (1.6.0) 23 | concurrent-ruby (~> 1.0) 24 | jekyll (4.0.0) 25 | addressable (~> 2.4) 26 | colorator (~> 1.0) 27 | em-websocket (~> 0.5) 28 | i18n (>= 0.9.5, < 2) 29 | jekyll-sass-converter (~> 2.0) 30 | jekyll-watch (~> 2.0) 31 | kramdown (~> 2.1) 32 | kramdown-parser-gfm (~> 1.0) 33 | liquid (~> 4.0) 34 | mercenary (~> 0.3.3) 35 | pathutil (~> 0.9) 36 | rouge (~> 3.0) 37 | safe_yaml (~> 1.0) 38 | terminal-table (~> 1.8) 39 | jekyll-sass-converter (2.0.1) 40 | sassc (> 2.0.1, < 3.0) 41 | jekyll-watch (2.2.1) 42 | listen (~> 3.0) 43 | kramdown (2.1.0) 44 | kramdown-parser-gfm (1.1.0) 45 | kramdown (~> 2.0) 46 | liquid (4.0.3) 47 
| listen (3.2.0) 48 | rb-fsevent (~> 0.10, >= 0.10.3) 49 | rb-inotify (~> 0.9, >= 0.9.10) 50 | mercenary (0.3.6) 51 | pathutil (0.16.2) 52 | forwardable-extended (~> 2.6) 53 | public_suffix (4.0.1) 54 | rb-fsevent (0.10.3) 55 | rb-inotify (0.10.0) 56 | ffi (~> 1.0) 57 | rouge (3.11.1) 58 | safe_yaml (1.0.5) 59 | sassc (2.2.1) 60 | ffi (~> 1.9) 61 | terminal-table (1.8.0) 62 | unicode-display_width (~> 1.1, >= 1.1.1) 63 | unicode-display_width (1.6.0) 64 | 65 | PLATFORMS 66 | ruby 67 | 68 | DEPENDENCIES 69 | jekyll 70 | uswds-jekyll! 71 | 72 | BUNDLED WITH 73 | 1.17.3 74 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | ## creative commons 2 | 3 | # CC0 1.0 Universal 4 | 5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER. 6 | 7 | ### Statement of Purpose 8 | 9 | The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work"). 
10 | 11 | Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others. 12 | 13 | For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights. 14 | 15 | 1. **Copyright and Related Rights.** A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following: 16 | 17 | i. the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work; 18 | 19 | ii. moral rights retained by the original author(s) and/or performer(s); 20 | 21 | iii. publicity and privacy rights pertaining to a person's image or likeness depicted in a Work; 22 | 23 | iv. rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below; 24 | 25 | v. 
rights protecting the extraction, dissemination, use and reuse of data in a Work; 26 | 27 | vi. database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and 28 | 29 | vii. other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof. 30 | 31 | 2. **Waiver.** To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose. 32 | 33 | 3. **Public License Fallback.** Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. 
In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose. 34 | 35 | 4. **Limitations and Disclaimers.** 36 | 37 | a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document. 38 | 39 | b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law. 40 | 41 | c. 
Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work. 42 | 43 | d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work. 44 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # fedramp-ssp 2 | Taking FedRAMP templates to Markdown 3 | 4 | #### Build instructions 5 | 6 | ```bash 7 | $ bundle install 8 | $ bundle update 9 | $ jekyll build 10 | $ jekyll serve 11 | ``` 12 | -------------------------------------------------------------------------------- /_config.yml: -------------------------------------------------------------------------------- 1 | title: Modernize The Docs 2 | 3 | theme: uswds-jekyll 4 | 5 | styles: 6 | - assets/css/custom.css 7 | 8 | collections: 9 | pages: 10 | output: true 11 | permalink: /:path/ 12 | 13 | defaults: 14 | - scope: 15 | path: _pages 16 | values: 17 | layout: page 18 | 19 | github_info: 20 | organization: opencontrol 21 | repository: fedramp-ssp 22 | default_branch: master 23 | 24 | google_analytics_ua: UA-141012673-1 25 | -------------------------------------------------------------------------------- /_data/favicons.yml: -------------------------------------------------------------------------------- 1 | - rel: icon 2 | type: image/png 3 | href: https://github.com/opencontrol.png 4 | -------------------------------------------------------------------------------- /_data/footer.yml: -------------------------------------------------------------------------------- 1 | type: slim 2 | edit_page: 3 | text: Edit 
this page 4 | logos: 5 | - src: assets/img/oclogo.png 6 | url: https://open-control.org 7 | alt: OpenControl 8 | - src: https://www.netlify.com/img/global/badges/netlify-dark.svg 9 | url: https://www.netlify.com 10 | alt: Deploys by Netlify 11 | external: true 12 | -------------------------------------------------------------------------------- /_data/header.yml: -------------------------------------------------------------------------------- 1 | type: extended 2 | logo: 3 | src: https://github.com/opencontrol.png 4 | alt: OpenControl 5 | external: true 6 | primary: 7 | links: primary 8 | -------------------------------------------------------------------------------- /_data/navigation.yml: -------------------------------------------------------------------------------- 1 | primary: 2 | - text: Overview 3 | href: overview/#top 4 | links: overview 5 | - text: System Security Plan Moderate Template 6 | href: fedramp_moderate/ 7 | links: fedramp_moderate 8 | - text: FEDRAMP Tailored Template 9 | href: fedramp-tailored/#top 10 | links: fedramp-tailored 11 | - text: Configuration Management Plan Template 12 | href: cmplan/#top 13 | links: cmplan 14 | # - text: POA&M Template 15 | #href: poam_template/#top 16 | #links: poam_template 17 | 18 | overview: 19 | - text: Home 20 | href: index/ 21 | links: index 22 | 23 | fedramp_moderate: 24 | - text: System Security Plan 25 | href: fedramp_moderate/#top 26 | - text: Access Control (AC) 27 | href: fedramp_moderate/#access-control-ac 28 | - text: Awareness and Training (AT) 29 | href: fedramp_moderate/#awareness-and-training-at 30 | - text: Audit and Accountability (AU) 31 | href: fedramp_moderate/#audit-and-accountability-au 32 | - text: Security Assessment and Authorization (CA) 33 | href: fedramp_moderate/#security-assessment-and-authorization-ca 34 | - text: Configuration Management (CM) 35 | href: fedramp_moderate/#configuration-management-cm 36 | - text: Contingency Planning (CP) 37 | href: 
fedramp_moderate/#contingency-planning-cp 38 | - text: Identification and Authentication (IA) 39 | href: fedramp_moderate/#identification-and-authentication-ia 40 | - text: Incident Response (IR) 41 | href: fedramp_moderate/#incident-response-ir 42 | - text: Maintenance (MA) 43 | href: fedramp_moderate/#maintenance-ma 44 | - text: Media Protection (MP) 45 | href: fedramp_moderate/#media-protection-mp 46 | - text: Physical and Environmental Protection (PE) 47 | href: fedramp_moderate/#physical-and-environmental-protection-pe 48 | - text: Planning (PL) 49 | href: fedramp_moderate/#planning-pl 50 | - text: Personnel Security (PS) 51 | href: fedramp_moderate/#personnel-security-ps 52 | - text: Risk Assessment (RA) 53 | href: fedramp_moderate/#risk-assessment-ra 54 | - text: System and Services Acquisition (SA) 55 | href: fedramp_moderate/#system-and-services-acquisition-sa 56 | - text: System and Communications Protection (SC) 57 | href: fedramp_moderate/#system-and-communications-protection-sc 58 | - text: System and Information Integrity (SI) 59 | href: fedramp_moderate/#system-and-information-integrity-si 60 | 61 | cmplan: 62 | - text: Configuration Management Plan 63 | href: cmplan/#top 64 | - text: Background 65 | href: cmplan/#background 66 | - text: Overview of System 67 | href: cmplan/#overview-of-system 68 | - text: Purpose of this Document 69 | href: cmplan/#purpose-of-this-document 70 | - text: Application Policies and Procedures 71 | href: cmplan/#application-policies-and-procedures 72 | - text: SecCM Roles and Responsibilities 73 | href: cmplan/#seccm-roles-and-responsibilities 74 | - text: SecCM Program Administration 75 | href: cmplan/#seccm-program-administration 76 | - text: Configuration Identification 77 | href: cmplan/#configuration-identification 78 | - text: Configuration Baselining 79 | href: cmplan/#configuration-baselining 80 | - text: Configuration Change Control 81 | href: cmplan/#configuration-change-control 82 | - text: SecCM Reporting 83 | 
href: cmplan/#seccm-reporting 84 | - text: Suggested SecCM Plan Appendices 85 | href: cmplan/#suggested-seccm-plan-appendices 86 | 87 | fedramp-tailored: 88 | - text: FEDRAMP Tailored Template 89 | href: fedramp-tailored/#top 90 | - text: 1. Information System Name 91 | href: fedramp-tailored/#1-information-system-name 92 | - text: 2. Information System Categorization 93 | href: fedramp-tailored/#2-information-system-categorization 94 | - text: 2.1. Information Types 95 | href: fedramp-tailored/#21-information-types 96 | - text: 2.2. Security Objectives Categorization (FIPS 199) 97 | href: fedramp-tailored/#22-security-objectives-categorization-fips-199 98 | - text: 3. Information System Owner 99 | href: fedramp-tailored/#3-information-system-owner 100 | - text: 4. Independent Assessor 101 | href: fedramp-tailored/#4-independent-assessor 102 | - text: 5. Authorizing Official 103 | href: fedramp-tailored/#5-authorizing-official 104 | - text: 6. Other Designated Contacts 105 | href: fedramp-tailored/#6-other-designated-contacts 106 | - text: 7. Assignment of Security Responsibility 107 | href: fedramp-tailored/#7-assignment-of-security-responsibility 108 | - text: 8. Information System Operational Status 109 | href: fedramp-tailored/#8-information-system-operational-status 110 | - text: 9. Information System Type 111 | href: fedramp-tailored/#9-information-system-type 112 | - text: 9.1. Cloud Service Models 113 | href: fedramp-tailored/#91-cloud-service-models 114 | - text: 9.2. Cloud Deployment Models 115 | href: fedramp-tailored/#92-cloud-deployment-models 116 | - text: 9.3. Leveraged Authorizations 117 | href: fedramp-tailored/#93-leveraged-authorizations 118 | - text: 10. General System Description 119 | href: fedramp-tailored/#10-general-system-description 120 | - text: 10.1. System Function or Purpose 121 | href: fedramp-tailored/#101-system-function-or-purpose 122 | - text: 10.2. 
Information System Components and Boundaries 123 | href: fedramp-tailored/#102-information-system-components-and-boundaries 124 | - text: 10.3. Types of Users 125 | href: fedramp-tailored/#103-types-of-users 126 | - text: 10.4. Network Architecture 127 | href: fedramp-tailored/#104-network-architecture 128 | - text: 11. System Environment 129 | href: fedramp-tailored/#11-system-environment 130 | - text: 11.1. Hardware Inventory 131 | href: fedramp-tailored/#111-hardware-inventory 132 | - text: 11.2. Software Inventory 133 | href: fedramp-tailored/#112-software-inventory 134 | - text: 11.3. Network Inventory 135 | href: fedramp-tailored/#113-network-inventory 136 | - text: 11.4. Data Flow 137 | href: fedramp-tailored/#114-data-flow 138 | - text: 11.5. Ports, Protocols, and Services 139 | href: fedramp-tailored/#115-ports-protocols-and-services 140 | - text: 12. System Interconnections 141 | href: fedramp-tailored/#12-system-interconnections 142 | - text: 13. FedRAMP Applicable Laws and Regulations 143 | href: fedramp-tailored/#13-fedramp-applicable-laws-and-regulations 144 | - text: 13.1. FedRAMP Tailored LI-SaaS Guidance 145 | href: fedramp-tailored/#131-fedramp-tailored-li-saas-guidance 146 | - text: 13.2. APPLICABLE STANDARDS AND GUIDANCE 147 | href: fedramp-tailored/#132-information-system-name-applicable-standards-and-guidance 148 | 149 | poam_template: 150 | - text: POA&M Template 151 | href: poam_template/#top 152 | -------------------------------------------------------------------------------- /_pages/cmplan.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Configuration Management Plan 3 | sidenav: cmplan 4 | sticky_sidenav: true 5 | --- 6 | 7 | ## SAMPLE OUTLINE FOR A SECURITY CONFIGURATION MANAGEMENT PLAN 8 | _The following is an outline for developing a SecCM Plan for an organization and/or an 9 | information system. 
Organizations are encouraged to adapt the outline to make it suitable for their operational environment._ 10 | 11 | ## INTRODUCTION 12 | ### BACKGROUND 13 | _[Overview of SecCM and its purpose]_ 14 | 15 | ### OVERVIEW OF SYSTEM 16 | _[System description; may reference relevant section of System Security Plan]_ 17 | 18 | #### System Mission 19 | #### Data Flow Description 20 | #### System Architecture 21 | #### System Administration and Management Activities 22 | ### PURPOSE OF THIS DOCUMENT 23 | _[Use of this document]_ 24 | 25 | ### SCOPE 26 | _[Applicability of this plan]_ 27 | 28 | ### APPLICABLE POLICIES AND PROCEDURES 29 | _[List of applicable federal and organizational policies, standards, and procedures]_ 30 | 31 | ## SecCM PROGRAM 32 | ### SecCM ROLES AND RESPONSIBILITIES 33 | _[Description of roles/responsibilities for SecCM]_ 34 | 35 | ### SecCM PROGRAM ADMINISTRATION 36 | _[Policies, Procedures, CCB]_ 37 | 38 | #### SecCM Policies and Procedures 39 | _(included herein or by reference)_ 40 | 41 | #### Configuration Control Board Functions 42 | #### Establishment of Change Control Board at the Organization Level 43 | #### Establishment of Change Control Board at the System Level 44 | #### Schedules and Resource Requirements 45 | #### SecCM TOOLS 46 | _[Tools and Archival locations for CCB]_ 47 | 48 | #### SCM Tools 49 | #### SCM Library 50 | #### SecCM RETENTION, ARCHIVING, STORAGE AND DISPOSAL 51 | _[Requirements for managing historical information on CIs, changes, etc.]_ 52 | 53 | ## SecCM ACTIVITIES 54 | ### CONFIGURATION IDENTIFICATION 55 | #### Types of Configuration Items (CI) 56 | _[Description of categories of CIs, such as HW, Documentation, SW and scripts, Web pages]_ 57 | 58 | #### Identification Criteria 59 | _[How to determine which Information System Components will be included with which CIs]_ 60 | 61 | #### Configuration Item Labeling 62 | _[Naming convention for CIs]_ 63 | 64 | ### CONFIGURATION BASELINING 65 | _[Defining the information to 
be included in baseline for each CI]_ 66 | 67 | #### Identification of Applicable Common Secure Configurations 68 | #### Information System Component CI Baselines 69 | #### Non-Component Object CI Baselines 70 | ### CONFIGURATION CHANGE CONTROL 71 | _[Requirements related to Configuration Change Control]_ 72 | 73 | #### Handling of Scheduled, Unscheduled, and Unauthorized Changes 74 | #### Security Impact Analysis 75 | #### Testing 76 | #### Submission of Findings to the Change Control Board 77 | #### Change Control Board Evaluation and Approval Process 78 | #### Recording Requirements 79 | ### SecCM MONITORING 80 | _[Requirements related to monitoring baseline configurations and adherence to SecCM policies]_ 81 | 82 | #### Organization Level Tools 83 | #### System Level Tools 84 | #### Monitoring Requirements and Frequencies 85 | ### SecCM REPORTING 86 | _[Requirements related to reporting SecCM monitoring results and statistics to appropriate organizational staff]_ 87 | 88 | #### Report Recipients 89 | #### Reviewing Reports 90 | 91 | ### Suggested SecCM Plan APPENDICES: 92 | #### CCB Charter 93 | #### Change Request Form Template 94 | #### Security Impact Analysis Report Format 95 | #### References 96 | -------------------------------------------------------------------------------- /_pages/overview.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Home 3 | permalink: / 4 | layout: home 5 | --- 6 | 7 | 8 | 9 | The goal of this exercise is to take the FedRAMP documentation and incorporate into the Markdown standards and format. 10 | 11 | Documented content can have bugs, too, and need the loving care of contributions. 
The active and passive inconsistencies relative to the authoritative sources (i.e., the Word documents) have been corrected:
(2) 2014-06-12: Milestone Description|(2) Update 2014-06-18 : That milestone was delayed due to a Vendor Dependency
(3) New 2014-06-13 : This is the details of this new milestone|8/5/2014| Yes|8/5/2014|Example Firewall|High|Moderate|Yes|No|Pending|Risk Adjustment: The example firewall scanned is just preliminary
Operational Requirement: The port is needed for service example.|Remediation Evidence : filename.doc
Deviation Request : DR-123-Example-1.doc|none|no| 14 | -------------------------------------------------------------------------------- /_site/assets/css/custom.css: -------------------------------------------------------------------------------- 1 | .usa-footer-slim-logo-img{max-width:none;max-height:4rem;margin-right:2rem} 2 | 3 | /*# sourceMappingURL=custom.css.map */ -------------------------------------------------------------------------------- /_site/assets/js/vendor/anchor.min.js: -------------------------------------------------------------------------------- 1 | /** 2 | * AnchorJS - v4.1.0 - 2017-09-20 3 | * https://github.com/bryanbraun/anchorjs 4 | * Copyright (c) 2017 Bryan Braun; Licensed MIT 5 | */ 6 | !function(A,e){"use strict";"function"==typeof define&&define.amd?define([],e):"object"==typeof module&&module.exports?module.exports=e():(A.AnchorJS=e(),A.anchors=new A.AnchorJS)}(this,function(){"use strict";return function(A){function e(A){A.icon=A.hasOwnProperty("icon")?A.icon:"",A.visible=A.hasOwnProperty("visible")?A.visible:"hover",A.placement=A.hasOwnProperty("placement")?A.placement:"right",A.ariaLabel=A.hasOwnProperty("ariaLabel")?A.ariaLabel:"Anchor",A.class=A.hasOwnProperty("class")?A.class:"",A.truncate=A.hasOwnProperty("truncate")?Math.floor(A.truncate):64}function t(A){var e;if("string"==typeof A||A instanceof String)e=[].slice.call(document.querySelectorAll(A));else{if(!(Array.isArray(A)||A instanceof NodeList))throw new Error("The selector provided to AnchorJS was invalid.");e=[].slice.call(A)}return e}function i(){if(null===document.head.querySelector("style.anchorjs")){var A,e=document.createElement("style");e.className="anchorjs",e.appendChild(document.createTextNode("")),void 0===(A=document.head.querySelector('[rel="stylesheet"], style'))?document.head.appendChild(e):document.head.insertBefore(e,A),e.sheet.insertRule(" .anchorjs-link { opacity: 0; text-decoration: none; -webkit-font-smoothing: antialiased; 
-moz-osx-font-smoothing: grayscale; }",e.sheet.cssRules.length),e.sheet.insertRule(" *:hover > .anchorjs-link, .anchorjs-link:focus { opacity: 1; }",e.sheet.cssRules.length),e.sheet.insertRule(" [data-anchorjs-icon]::after { content: attr(data-anchorjs-icon); }",e.sheet.cssRules.length),e.sheet.insertRule(' @font-face { font-family: "anchorjs-icons"; src: url(data:n/a;base64,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) format("truetype"); }',e.sheet.cssRules.length)}}this.options=A||{},this.elements=[],e(this.options),this.isTouchDevice=function(){return!!("ontouchstart"in window||window.DocumentTouch&&document instanceof DocumentTouch)},this.add=function(A){var n,o,s,a,r,c,h,l,u,d,f,p=[];if(e(this.options),"touch"===(f=this.options.visible)&&(f=this.isTouchDevice()?"always":"hover"),A||(A="h2, h3, h4, h5, h6"),0===(n=t(A)).length)return this;for(i(),o=document.querySelectorAll("[id]"),s=[].map.call(o,function(A){return A.id}),r=0;r\]\.\/\(\)\*\\]/g;return this.options.truncate||e(this.options),A.trim().replace(/\'/gi,"").replace(t,"-").replace(/-{2,}/g,"-").substring(0,this.options.truncate).replace(/^-+|-+$/gm,"").toLowerCase()},this.hasAnchorJSLink=function(A){var e=A.firstChild&&(" "+A.firstChild.className+" ").indexOf(" anchorjs-link ")>-1,t=A.lastChild&&(" "+A.lastChild.className+" ").indexOf(" anchorjs-link ")>-1;return e||t||!1}}}); -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-bold-webfont.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-bold-webfont.eot -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-bold-webfont.ttf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-bold-webfont.ttf -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-bold-webfont.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-bold-webfont.woff -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-bold-webfont.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-bold-webfont.woff2 -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-italic-webfont.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-italic-webfont.eot -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-italic-webfont.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-italic-webfont.ttf -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-italic-webfont.woff: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-italic-webfont.woff -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-italic-webfont.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-italic-webfont.woff2 -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-light-webfont.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-light-webfont.eot -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-light-webfont.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-light-webfont.ttf -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-light-webfont.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-light-webfont.woff -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-light-webfont.woff2: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-light-webfont.woff2 -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-regular-webfont.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-regular-webfont.eot -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-regular-webfont.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-regular-webfont.ttf -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-regular-webfont.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-regular-webfont.woff -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/merriweather-regular-webfont.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/merriweather-regular-webfont.woff2 -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-bold-webfont.eot: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-bold-webfont.eot -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-bold-webfont.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-bold-webfont.ttf -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-bold-webfont.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-bold-webfont.woff -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-bold-webfont.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-bold-webfont.woff2 -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-italic-webfont.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-italic-webfont.eot -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-italic-webfont.ttf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-italic-webfont.ttf -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-italic-webfont.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-italic-webfont.woff -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-italic-webfont.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-italic-webfont.woff2 -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-light-webfont.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-light-webfont.eot -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-light-webfont.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-light-webfont.ttf -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-light-webfont.woff: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-light-webfont.woff -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-light-webfont.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-light-webfont.woff2 -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-regular-webfont.eot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-regular-webfont.eot -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-regular-webfont.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-regular-webfont.ttf -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-regular-webfont.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-regular-webfont.woff -------------------------------------------------------------------------------- /_site/assets/uswds/fonts/sourcesanspro-regular-webfont.woff2: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/fonts/sourcesanspro-regular-webfont.woff2 -------------------------------------------------------------------------------- /_site/assets/uswds/img/alerts/error.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/alerts/error.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/alerts/error.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 6 | 17 | 18 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/alerts/info.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/alerts/info.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/alerts/info.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 6 | 18 | 19 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/alerts/success.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/alerts/success.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/alerts/success.svg: -------------------------------------------------------------------------------- 1 | 3 | 12 | 13 | -------------------------------------------------------------------------------- 
/_site/assets/uswds/img/alerts/warning.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/alerts/warning.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/alerts/warning.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 6 | 16 | 17 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/angle-arrow-down-hover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/angle-arrow-down-hover.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/angle-arrow-down-hover.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/angle-arrow-down-primary-hover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/angle-arrow-down-primary-hover.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/angle-arrow-down-primary-hover.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/angle-arrow-down-primary.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/angle-arrow-down-primary.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/angle-arrow-down-primary.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/angle-arrow-down.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/angle-arrow-down.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/angle-arrow-down.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/angle-arrow-up-primary-hover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/angle-arrow-up-primary-hover.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/angle-arrow-up-primary-hover.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/angle-arrow-up-primary.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/angle-arrow-up-primary.png -------------------------------------------------------------------------------- 
/_site/assets/uswds/img/angle-arrow-up-primary.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/arrow-down.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/arrow-down.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/arrow-down.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/arrow-right.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/arrow-right.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/arrow-right.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/circle-124.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/circle-124.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/close.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/close.png -------------------------------------------------------------------------------- 
/_site/assets/uswds/img/close.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Fill 15 Copy 5 | Created with Sketch. 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/correct8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/correct8.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/correct8.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/correct9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/correct9.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/correct9.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/external-link-alt-hover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/external-link-alt-hover.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/external-link-alt-hover.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/external-link-alt.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/external-link-alt.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/external-link-alt.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/external-link-hover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/external-link-hover.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/external-link-hover.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/external-link.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/external-link.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/external-link.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/favicons/favicon-114.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/favicons/favicon-114.png 
-------------------------------------------------------------------------------- /_site/assets/uswds/img/favicons/favicon-144.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/favicons/favicon-144.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/favicons/favicon-16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/favicons/favicon-16.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/favicons/favicon-192.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/favicons/favicon-192.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/favicons/favicon-40.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/favicons/favicon-40.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/favicons/favicon-57.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/favicons/favicon-57.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/favicons/favicon-72.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/favicons/favicon-72.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/favicons/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/favicons/favicon.ico -------------------------------------------------------------------------------- /_site/assets/uswds/img/favicons/favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/favicons/favicon.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/hero.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/hero.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/icon-dot-gov.svg: -------------------------------------------------------------------------------- 1 | dot gov icon -------------------------------------------------------------------------------- /_site/assets/uswds/img/icon-https.svg: -------------------------------------------------------------------------------- 1 | https icon -------------------------------------------------------------------------------- /_site/assets/uswds/img/logo-img.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/logo-img.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/minus-alt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/minus-alt.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/minus-alt.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/minus.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/minus.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/minus.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/plus-alt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/plus-alt.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/plus-alt.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/plus.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/plus.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/plus.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/search-alt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/search-alt.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/search-alt.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/search.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/search.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/social-icons/png/facebook25.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/social-icons/png/facebook25.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/social-icons/png/rss25.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/social-icons/png/rss25.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/social-icons/png/twitter16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/social-icons/png/twitter16.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/social-icons/png/youtube15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/social-icons/png/youtube15.png -------------------------------------------------------------------------------- /_site/assets/uswds/img/social-icons/svg/facebook25.svg: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/social-icons/svg/rss25.svg: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/social-icons/svg/twitter16.svg: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/social-icons/svg/youtube15.svg: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /_site/assets/uswds/img/us_flag_small.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/_site/assets/uswds/img/us_flag_small.png -------------------------------------------------------------------------------- /_site/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | Home | Modernize The Docs 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 28 | 29 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | Skip to main content 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 561 |

The goal of this exercise is to take the FedRAMP documentation and incorporate it into the Markdown standards and format.


Documented content can have bugs, too, and needs the loving care of contributions.


The active and passive inconsistencies with the authoritative sources (i.e., the Word docs) have been corrected:


Note that this is not an official government site. This website and its code exist to demonstrate automating Risk Management Framework documentation.

606 | 607 | 608 | 609 | 610 | 611 | 612 | 613 | 660 | 661 | 662 | 663 | 664 | 665 | 666 | 667 | 668 | 669 | 670 | 671 | 672 | 673 | 674 | 675 | 676 | 677 | 678 | 679 | 680 | 681 | -------------------------------------------------------------------------------- /assets/css/custom.scss: -------------------------------------------------------------------------------- 1 | --- 2 | --- 3 | 4 | .usa-footer-slim-logo-img { 5 | max-width: none; 6 | max-height: 4rem; 7 | margin-right: 2rem; 8 | } 9 | -------------------------------------------------------------------------------- /assets/img/oclogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/assets/img/oclogo.png -------------------------------------------------------------------------------- /assets/img/paper.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trevorbryant/fedramp-ssp/a897aa116a853cb6f4f892569aba03165a1238a8/assets/img/paper.jpg -------------------------------------------------------------------------------- /ssp/at.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Awareness and Training (AT) 3 | --- 4 | 5 | ## Awareness and Training (AT) 6 | ### AT-1 Security Awareness and Training Policy and Procedures (L) (M) 7 | The organization: 8 |
  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
  2. Reviews and updates the current:
     1. Security awareness and training policy [FedRAMP Assignment: at least every 3 years]; and
     2. Security awareness and training procedures [FedRAMP Assignment: at least annually].
21 | 22 | |AT-1|Control Summary Information| 23 | |---|---| 24 | |Responsible Role: 25 | |Parameter AT-1(a): 26 | |Parameter AT-1(b)(1): 27 | |Parameter AT-1(b)(2): 28 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 29 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific) 30 | 31 | |AT-1 What is the solution and how is it implemented?| 32 | |--- 33 | |Part a: 34 | |Part b1: 35 | |Part b2: 36 | 37 | ### AT-2 Security Awareness (L) (M) (H) 38 | The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): 39 |
  1. As part of initial training for new users;
  2. When required by information system changes; and
  3. [FedRAMP Assignment: at least annually] thereafter.
44 | 45 | |AT-2|Control Summary Information| 46 | |---|---| 47 | |Responsible Role: 48 | |Parameter AT-2(c): 49 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 50 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 51 | 52 | |AT-2 What is the solution and how is it implemented?| 53 | |--- 54 | |Part a: 55 | |Part b1: 56 | |Part b2: 57 | 58 | ### AT-2 (2) Control Enhancement (M) (H) 59 | The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. 60 | 61 | |AT-2 (2)|Control Summary Information| 62 | |---|---| 63 | |Responsible Role: 64 | |Parameter AT-2(c): 65 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 66 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 67 | 68 | |AT-2 (2) What is the solution and how is it implemented?| 69 | |--- 70 | |Part a: 71 | 72 | ### AT-3 Role-Based Security Training (L) (M) (H) 73 | The organization provides role-based security training to personnel with assigned security roles and responsibilities: 74 |
  1. Before authorizing access to the information system or performing assigned duties;
  2. When required by information system changes; and
  3. [FedRAMP Assignment: at least annually] thereafter.
79 | 80 | |AT-3|Control Summary Information| 81 | |---|---| 82 | |Responsible Role: 83 | |Parameter AT-3(c): 84 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 85 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 86 | 87 | |AT-3 What is the solution and how is it implemented?| 88 | |--- 89 | |Part a: 90 | |Part b: 91 | |Part c: 92 | 93 | ### AT-4 Security Training Records (L) (M) 94 | The organization: 95 |
  1. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
  2. Retains individual training records for [FedRAMP Assignment: at least one year].
99 | 100 | |AT-4(b)|Control Summary Information| 101 | |---|---| 102 | |Responsible Role: 103 | |Parameter AT-4(b)(c): 104 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 105 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 106 | 107 | |AT-4 What is the solution and how is it implemented?| 108 | |--- 109 | |Part a: 110 | |Part b: 111 | -------------------------------------------------------------------------------- /ssp/ir.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Incident Response (IR) 3 | --- 4 | 5 | ## Incident Response (IR) 6 | ### IR-1 Incident Response Policy and Procedures (L) (M) 7 | The organization: 8 |
  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
  2. Reviews and updates the current:
     1. Incident response policy [FedRAMP Assignment: at least every three (3) years]; and
     2. Incident response procedures [FedRAMP Assignment: at least annually].
20 | 21 | |IR-1|Control Summary Information| 22 | |---|---| 23 | |Responsible Role: 24 | |Parameter IR-1(a): 25 | |Parameter IR-1(b)(1): 26 | |Parameter IR-1(b)(2): 27 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 28 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific) 29 | 30 | |IR-1 What is the solution and how is it implemented?| 31 | |---| 32 | |Part a| 33 | |Part b| 34 | 35 | ### IR-2 Incident Response Training (L) (M) 36 | The organization provides incident response training to information system users consistent with assigned roles and responsibilities in accordance with NIST SP 800-53 Rev 4: 37 |
  1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
  2. When required by information system changes; and
  3. [FedRAMP Assignment: at least annually] thereafter.
42 | 43 | |IR-2|Control Summary Information| 44 | |---|---| 45 | |Responsible Role: 46 | |Parameter IR-2(a): 47 | |Parameter IR-2(c): 48 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 49 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 50 | 51 | |IR-2 What is the solution and how is it implemented?| 52 | |---| 53 | |Part a| 54 | |Part b| 55 | |Part c| 56 | 57 | ### IR-3 Incident Response Testing (M) 58 | The organization tests the incident response capability for the information system [FedRAMP Assignment: at least annually] using [FedRAMP Assignment: see additional FedRAMP Requirements and Guidance] to determine the incident response effectiveness and documents the results.
59 | IR-3 Additional FedRAMP Requirements and Guidance:
60 | Requirements: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to the test commencing. 61 | 62 | |IR-3|Control Summary Information| 63 | |---|---| 64 | |Responsible Role: 65 | |Parameter IR-3-1: 66 | |Parameter IR-3-2: 67 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 68 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 69 | 70 | |IR-3 What is the solution and how is it implemented?| 71 | |---| 72 | || 73 | 74 | ### IR-3 (2) Control Enhancement (M) (H) 75 | The organization coordinates incident response testing with organizational elements responsible for related plans. 76 | 77 | |IR-3 (2)|Control Summary Information| 78 | |---|---| 79 | |Responsible Role: 80 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 81 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 82 | 83 | |IR-3 (2) What is the solution and how is it implemented?| 84 | |---| 85 | || 86 | 87 | ### IR-4 Incident Handling (L) (M) (H) 88 | The organization: 89 |
  1. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
  2. Coordinates incident handling activities with contingency planning activities; and
  3. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.

IR-4 Additional FedRAMP Requirements and Guidance:
Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
96 | 97 | |IR-4|Control Summary Information| 98 | |---|---| 99 | |Responsible Role: 100 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 101 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 102 | 103 | |IR-4 What is the solution and how is it implemented?| 104 | |---| 105 | |Part a 106 | |Part b 107 | |Part c 108 | 109 | ### IR-4 (1) Control Enhancement (M) (H) 110 | The organization employs automated mechanisms to support the incident handling process. 111 | 112 | |IR-4 (1)|Control Summary Information| 113 | |---|---| 114 | |Responsible Role: 115 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 116 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 117 | 118 | |IR-4 (1) What is the solution and how is it implemented?| 119 | |---| 120 | || 121 | 122 | ### IR-5 Incident Monitoring (L) (M) (H) 123 | The organization tracks and documents information system security incidents. 124 | 125 | ### IR-4 (1) Control Enhancement (M) (H) 126 | The organization employs automated mechanisms to support the incident handling process. 127 | 128 | |IR-5|Control Summary Information| 129 | |---|---| 130 | |Responsible Role: 131 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 132 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 133 | 134 | |IR-5 What is the solution and how is it implemented?| 135 | |---| 136 | || 137 | 138 | ### IR-6 Incident Reporting (L) (M) (H) 139 | The organization: 140 |
  1. Requires personnel to report suspected security incidents to the organizational incident response capability within [FedRAMP Assignment: US-CERT incident reporting timelines as specified in NIST SP800-61 (as amended)]; and
  2. Reports security incident information to [Assignment: organization-defined authorities].

IR-6 Additional FedRAMP Requirements and Guidance:
Requirement: Report security incident information according to FedRAMP Incident Communications Procedure.
146 | 147 | |IR-6|Control Summary Information| 148 | |---|---| 149 | |Responsible Role: 150 | |Parameter IR-6(a): 151 | |Parameter IR-6(b): 152 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 153 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 154 | 155 | |IR-6 What is the solution and how is it implemented?| 156 | |---| 157 | |Part a 158 | |Part b 159 | 160 | ### IR-6 (1) Control Enhancement (M) (H) 161 | The organization employs automated mechanisms to assist in the reporting of security incidents. 162 | 163 | |IR-6 (1) |Control Summary Information| 164 | |---|---| 165 | |Responsible Role: 166 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 167 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 168 | 169 | |IR-6 (1) What is the solution and how is it implemented?| 170 | |---| 171 | || 172 | 173 | ### IR-7 Incident Response Assistance (L) (M) (H) 174 | The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. 175 | 176 | |IR-7 |Control Summary Information| 177 | |---|---| 178 | |Responsible Role: 179 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 180 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 181 | 182 | |IR-7 What is the solution and how is it implemented?| 183 | |---| 184 | || 185 | 186 | ### IR-7 (1) Control Enhancement (M) (H) 187 | The organization employs automated mechanisms to increase the availability of incident response related information and support. 188 | 189 | |IR-7 (1)|Control Summary Information| 190 | |---|---| 191 | |Responsible Role: 192 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 193 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 194 | 195 | |IR-7 (1) What is the solution and how is it implemented?| 196 | |---| 197 | || 198 | 199 | ### IR-7 (2) Control Enhancement (M) (H) 200 | The organization: 201 |
  1. Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
  2. Identifies organizational incident response team members to the external providers.
205 | 206 | |IR-7 (2)|Control Summary Information| 207 | |---|---| 208 | |Responsible Role: 209 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 210 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 211 | 212 | |IR-7 (2) What is the solution and how is it implemented?| 213 | |---| 214 | |Part a 215 | |Part b 216 | 217 | ### IR-8 Incident Response Plan (L) (M) (H) 218 | The organization: 219 |
  1. Develops an incident response plan that:
     1. Provides the organization with a roadmap for implementing its incident response capability;
     2. Describes the structure and organization of the incident response capability;
     3. Provides a high-level approach for how the incident response capability fits into the overall organization;
     4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
     5. Defines reportable incidents;
     6. Provides metrics for measuring the incident response capability within the organization;
     7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
     8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
  2. Distributes copies of the incident response plan to [FedRAMP Assignment: see additional FedRAMP Requirements and Guidance].

     IR-8(b) Additional FedRAMP Requirements and Guidance:
     Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

  3. Reviews the incident response plan [FedRAMP Assignment: at least annually];
  4. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
  5. Communicates incident response plan changes to [FedRAMP Assignment: see additional FedRAMP Requirements and Guidance]; and

     IR-8(e) Additional FedRAMP Requirements and Guidance:
     Requirement: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.

  6. Protects the incident response plan from unauthorized disclosure and modification.
241 | 242 | |IR-8|Control Summary Information| 243 | |---|---| 244 | |Responsible Role: 245 | |Parameter IR-8(a)(8): 246 | |Parameter IR-8(b): 247 | |Parameter IR-8(c): 248 | |Parameter IR-8(e): 249 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 250 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 251 | 252 | |IR-8 What is the solution and how is it implemented?| 253 | |---| 254 | |Part a 255 | |Part b 256 | |Part c 257 | |Part d 258 | |Part e 259 | |Part f 260 | 261 | ### IR-9 Information Spillage Response (M) (H) 262 | The organization responds to information spills by: 263 |
  1. Identifying the specific information involved in the information system contamination;
  2. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
  3. Isolating the contaminated information system or system component;
  4. Eradicating the information from the contaminated information system or component;
  5. Identifying other information systems or system components that may have been subsequently contaminated; and
  6. Performing other [Assignment: organization-defined actions].
271 | 272 | 273 | |IR-9|Control Summary Information| 274 | |---|---| 275 | |Responsible Role: 276 | |Parameter IR-9(b): 277 | |Parameter IR-9(f): 278 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 279 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 280 | 281 | |IR-9 What is the solution and how is it implemented?| 282 | |---| 283 | |Part a 284 | |Part b 285 | |Part c 286 | |Part d 287 | |Part e 288 | |Part f 289 | 290 | ### IR-9 (1) Control Enhancement (M) (H) 291 | The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills. 292 | 293 | |IR-9 (1)|Control Summary Information| 294 | |---|---| 295 | |Responsible Role: 296 | |Parameter IR-9(1): 297 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 298 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 299 | 300 | |IR-9 (1) What is the solution and how is it implemented?| 301 | |---| 302 | || 303 | 304 | ### IR-9 (2) Control Enhancement (M) 305 | The organization provides information spillage response training [Assignment: organization-defined frequency]. 306 | 307 | |IR-9 (2)|Control Summary Information| 308 | |---|---| 309 | |Responsible Role: 310 | |Parameter IR-9(2): 311 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 312 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 313 | 314 | |IR-9 (2) What is the solution and how is it implemented?| 315 | |---| 316 | || 317 | 318 | ### IR-9 (3) Control Enhancement (M) (H) 319 | The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. 320 | 321 | |IR-9 (3)|Control Summary Information| 322 | |---|---| 323 | |Responsible Role: 324 | |Parameter IR-9(3): 325 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 326 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 327 | 328 | |IR-9 (3) What is the solution and how is it implemented?| 329 | |---| 330 | || 331 | 332 | ### IR-9 (4) Control Enhancement (M) (H) 333 | The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations. 334 | 335 | |IR-9 (4)|Control Summary Information| 336 | |---|---| 337 | |Responsible Role: 338 | |Parameter IR-9(4): 339 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 340 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 341 | 342 | |IR-9 (4) What is the solution and how is it implemented?| 343 | |---| 344 | || 345 | -------------------------------------------------------------------------------- /ssp/ma.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Maintenance (MA) 3 | --- 4 | 5 | ## Maintenance (MA) 6 | ### MA-1 System Maintenance Policy and Procedures (L) (M) 7 | The organization: 8 |
    9 |
  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
  2. 10 |
      11 |
    1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. 12 |
    3. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
    4. 13 |
    14 |
  3. Reviews and updates the current:
  4. 15 |
      16 |
    1. System maintenance policy [FedRAMP Assignment: at least every three (3) years]; and
    2. 17 |
    3. System maintenance procedures [FedRAMP Assignment: at least annually].
    4. 18 |
    19 |
20 | 21 | |MA-1|Control Summary Information| 22 | |---|---| 23 | |Responsible Role: 24 | |Parameter MA-1(a): 25 | |Parameter MA-1(b)(1): 26 | |Parameter MA-1(b)(2): 27 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 28 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific) 29 | 30 | |MA-1 What is the solution and how is it implemented?| 31 | |---| 32 | |Part a 33 | |Part b 34 | 35 | ### MA-2 Controlled Maintenance (L) (M) (H) 36 | The organization: 37 |
    38 |
  1. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
  2. 39 |
  3. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
  4. 40 |
  5. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
  6. 41 |
  7. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
  8. 42 |
  9. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
  10. 43 |
  11. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
  12. 44 |
45 | 46 | |MA-2|Control Summary Information| 47 | |---|---| 48 | |Responsible Role: 49 | |Parameter MA-2(c): 50 | |Parameter MA-2(f): 51 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 52 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 53 | 54 | |MA-2 What is the solution and how is it implemented?| 55 | |---| 56 | |Part a 57 | |Part b 58 | |Part c 59 | |Part d 60 | |Part e 61 | |Part f 62 | 63 | ### MA-3 Maintenance Tools (M) (H) 64 | The organization approves, controls, and monitors information system maintenance tools. 65 | 66 | |MA-3|Control Summary Information| 67 | |---|---| 68 | |Responsible Role: 69 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 70 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 71 | 72 | |MA-3 What is the solution and how is it implemented?| 73 | |---| 74 | || 75 | 76 | ### MA-3 (1) Control Enhancement (M) (H) 77 | The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. 78 | 79 | |MA-3 (1)|Control Summary Information| 80 | |---|---| 81 | |Responsible Role: 82 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 83 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 84 | 85 | |MA-3 (1) What is the solution and how is it implemented?| 86 | |---| 87 | || 88 | 89 | ### MA-3 (2) Control Enhancement (M) (H) 90 | The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. 91 | 92 | |MA-3 (2)|Control Summary Information| 93 | |---|---| 94 | |Responsible Role: 95 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 96 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 97 | 98 | |MA-3 (2) What is the solution and how is it implemented?| 99 | |---| 100 | || 101 | 102 | ### MA-3 (3) Control Enhancement (M) (H) 103 | The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: 104 |
    105 |
  1. Verifying that there is no organizational information contained on the equipment;
  2. 106 |
  3. Sanitizing or destroying the equipment;
  4. 107 |
  5. Retaining the equipment within the facility; or
  6. 108 |
  7. Obtaining an exemption from [FedRAMP Assignment: the information owner explicitly authorizes removal of the equipment from the facility].
  8. 109 |
110 | 111 | |MA-3 (3)|Control Summary Information| 112 | |---|---| 113 | |Responsible Role: 114 | |Parameter MA-3(3)(d): 115 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 116 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 117 | 118 | |MA-3 (3) What is the solution and how is it implemented?| 119 | |---| 120 | |Part a 121 | |Part b 122 | |Part c 123 | |Part d 124 | 125 | ### MA-4 Remote Maintenance (L) (M) (H) 126 | The organization: 127 |
    128 |
  1. Approves and monitors nonlocal maintenance and diagnostic activities;
  2. 129 |
  3. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
  4. 130 |
  5. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
  6. 131 |
  7. Maintains records for nonlocal maintenance and diagnostic activities; and
  8. 132 |
  9. Terminates session and network connections when nonlocal maintenance is completed.
  10. 133 |
134 | 135 | |MA-4|Control Summary Information| 136 | |---|---| 137 | |Responsible Role: 138 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 139 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 140 | 141 | |MA-4 What is the solution and how is it implemented?| 142 | |---| 143 | |Part a 144 | |Part b 145 | |Part c 146 | |Part d 147 | |Part e 148 | 149 | ### MA-4 (2) Control Enhancement (M) (H) 150 | The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. 151 | 152 | |MA-4 (2)|Control Summary Information| 153 | |---|---| 154 | |Responsible Role: 155 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 156 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 157 | 158 | |MA-4 (2) What is the solution and how is it implemented?| 159 | |---| 160 | || 161 | 162 | ### MA-5 Maintenance Personnel (L) (M) (H) 163 | The organization: 164 |
    165 |
  1. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
  2. 166 |
  3. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
  4. 167 |
  5. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
  6. 168 |
169 | 170 | |MA-5|Control Summary Information| 171 | |---|---| 172 | |Responsible Role: 173 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 174 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 175 | 176 | |MA-5 What is the solution and how is it implemented?| 177 | |---| 178 | |Part a 179 | |Part b 180 | |Part c 181 | 182 | ### MA-5 (1) Control Enhancement (L) (M) 183 | The organization: 184 |
    185 |
  1. Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
  2. 186 |
      187 |
    1. Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
    2. 188 |
    3. Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
    4. 189 |
    190 |
  3. Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
  4. 191 | MA-5 (1) Additional FedRAMP Requirements and Guidance:
    192 | Requirement: Only MA-5 (1) (a) (1) is required by FedRAMP 193 |
194 | 195 | |MA-5 (1)|Control Summary Information| 196 | |---|---| 197 | |Responsible Role: 198 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 199 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 200 | 201 | |MA-5 (1) What is the solution and how is it implemented?| 202 | |---| 203 | |Part a 204 | |Part b 205 | 206 | ### MA-6 Timely Maintenance (M) (H) 207 | The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure. 208 | 209 | |MA-6|Control Summary Information| 210 | |---|---| 211 | |Responsible Role: 212 | |Parameter MA-6(1): 213 | |Parameter MA-6(2): 214 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 215 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 216 | 217 | |MA-6 What is the solution and how is it implemented?| 218 | |---| 219 | |Part a 220 | |Part b 221 | -------------------------------------------------------------------------------- /ssp/mp.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Media Protection (MP) 3 | --- 4 | 5 | ## Media Protection (MP) 6 | ### MP-1 Media Protection Policy and Procedures (L) (M) 7 | The organization: 8 |
    9 |
  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
  2. 10 |
      11 |
    1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. 12 |
    3. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
    4. 13 |
    14 |
  3. Reviews and updates the current:
  4. 15 |
      16 |
    1. Media protection policy [FedRAMP Assignment: at least every three (3) years]; and
    2. 17 |
    3. Media protection procedures [FedRAMP Assignment: at least annually].
    4. 18 |
    19 |
20 | 21 | |MP-1|Control Summary Information| 22 | |---|---| 23 | |Responsible Role: 24 | |Parameter MP-1(a): 25 | |Parameter MP-1(b)(1): 26 | |Parameter MP-1(b)(2): 27 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 28 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific) 29 | 30 | |MP-1 What is the solution and how is it implemented?| 31 | |---| 32 | |Part a| 33 | |Part b| 34 | 35 | ### MP-2 Media Access (L) (M) 36 | The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. 37 | 38 | |MP-2|Control Summary Information| 39 | |---|---| 40 | |Responsible Role: 41 | |Parameter MP-2-1: 42 | |Parameter MP-2-2: 43 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 44 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 45 | 46 | |MP-2 What is the solution and how is it implemented?| 47 | |---| 48 | || 49 | 50 | ### MP-3 Media Labeling (M) (H) 51 | The organization: 52 |
    53 |
  1. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
  2. 54 |
  3. Exempts [FedRAMP Assignment: no removable media types] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
  4. 55 | MP-3(b) Additional FedRAMP Requirements and Guidance:
    56 | Guidance: Second parameter in MP-3(b)-2 is not applicable. 57 |
58 | 59 | |MP-3|Control Summary Information| 60 | |---|---| 61 | |Responsible Role: 62 | |Parameter MP-3(b)-1: 63 | |Parameter MP-3(b)-2:| Not applicable 64 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 65 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 66 | 67 | |MP-3 What is the solution and how is it implemented?| 68 | |---| 69 | |Part a 70 | |Part b 71 | 72 | ### MP-4 Media Storage (M) (H) 73 | The organization: 74 |
    75 |
  1. Physically controls and securely stores [FedRAMP Assignment: [all types of digital and non-digital media with sensitive information]] within [FedRAMP Assignment: see additional FedRAMP requirements and guidance]; and
  2. 76 | MP-4a Additional FedRAMP Requirements and Guidance:
    77 | Requirement: The service provider defines controlled areas within facilities where the information and information system reside. 78 |
  3. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
  4. 79 |
80 | 81 | |MP-4|Control Summary Information| 82 | |---|---| 83 | |Responsible Role: 84 | |Parameter MP-4(a)-1: 85 | |Parameter MP-4(a)-2: 86 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 87 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 88 | 89 | |MP-4 What is the solution and how is it implemented?| 90 | |---| 91 | |Part a 92 | |Part b 93 | 94 | ### MP-5 Media Transport (M) (H) 95 | The organization: 96 |
    97 |
  1. Protects and controls [FedRAMP Assignment: all media with sensitive information] during transport outside of controlled areas using [FedRAMP Assignment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container];
  2. 98 | MP-5a Additional FedRAMP Requirements and Guidance:
    99 | Requirement: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO. 100 |
  3. Maintains accountability for information system media during transport outside of controlled areas;
  4. 101 |
  5. Documents activities associated with the transport of information system media; and
  6. 102 |
  7. Restricts the activities associated with transport of information system media to authorized personnel.
  8. 103 |
104 | 105 | |MP-5|Control Summary Information| 106 | |---|---| 107 | |Responsible Role: 108 | |Parameter MP-5(a)-1: 109 | |Parameter MP-5(a)-2: 110 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 111 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 112 | 113 | |MP-5 What is the solution and how is it implemented?| 114 | |---| 115 | |Part a 116 | |Part b 117 | |Part c 118 | |Part d 119 | 120 | ### MP-5 (4) Control Enhancement (M) (H) 121 | The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. 122 | 123 | |MP-5 (4)|Control Summary Information| 124 | |---|---| 125 | |Responsible Role: 126 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 127 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 128 | 129 | |MP-5 (4) What is the solution and how is it implemented?| 130 | |---| 131 | || 132 | 133 | ### MP-6 Media Sanitization and Disposal (L) (M) 134 | The organization: 135 |
    136 |
  1. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
  2. 137 |
  3. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
  4. 138 |
139 | 140 | |MP-6|Control Summary Information| 141 | |---|---| 142 | |Responsible Role: 143 | |Parameter MP-6(a)-1: 144 | |Parameter MP-6(a)-2: 145 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 146 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 147 | 148 | |MP-6 What is the solution and how is it implemented?| 149 | |---| 150 | |Part a 151 | |Part b 152 | 153 | ### MP-6 (2) Control Enhancement (M) 154 | The organization tests sanitization equipment and procedures [FedRAMP Assignment: at least annually] to verify that the intended sanitization is being achieved. 155 | MP-6 (2) Additional FedRAMP Requirements and Guidance:
156 | Guidance: Equipment and procedures may be tested or evaluated for effectiveness. 157 | 158 | |MP-6 (2)|Control Summary Information| 159 | |---|---| 160 | |Responsible Role: 161 | |Parameter MP-6(2): 162 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 163 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 164 | 165 | |MP-6 (2) What is the solution and how is it implemented?| 166 | |---| 167 | || 168 | 169 | ### MP-7 Media Use (L) (M) (H) 170 | The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. 171 | 172 | |MP-7|Control Summary Information| 173 | |---|---| 174 | |Responsible Role: 175 | |Parameter MP-7-1: 176 | |Parameter MP-7-2: 177 | |Parameter MP-7-3: 178 | |Parameter MP-7-4: 179 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 180 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 181 | 182 | |MP-7 What is the solution and how is it implemented?| 183 | |---| 184 | || 185 | 186 | ### MP-7 (1) Control Enhancement (M) (H) 187 | The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. 188 | 189 | |MP-7 (1)|Control Summary Information| 190 | |---|---| 191 | |Responsible Role: 192 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 193 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 194 | 195 | |MP-7 (1) What is the solution and how is it implemented?| 196 | |---| 197 | || 198 | -------------------------------------------------------------------------------- /ssp/pl.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Planning (PL) 3 | --- 4 | 5 | ## Planning (PL) 6 | ### PL-1 Security Planning Policy and Procedures (L) (M) 7 | The organization: 8 |
    9 |
  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
  2. 10 |
      11 |
    1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. 12 |
    3. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
    4. 13 |
    14 |
  3. Reviews and updates the current:
  4. 15 |
      16 |
    1. Security planning policy [FedRAMP Assignment: at least every three (3) years]; and
    2. 17 |
    3. Security planning procedures [FedRAMP Assignment: at least annually].
    4. 18 |
    19 |
20 | 21 | |PL-1|Control Summary Information| 22 | |---|---| 23 | |Responsible Role: 24 | |Parameter PL-1(a): 25 | |Parameter PL-1(b)(1): 26 | |Parameter PL-1(b)(2): 27 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 28 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific) 29 | 30 | |PL-1 What is the solution and how is it implemented?| 31 | |---| 32 | |Part a| 33 | |Part b| 34 | 35 | ### PL-2 System Security Plan (L) (M) (H) 36 | The organization: 37 |
    38 |
  1. Develops a security plan for the information system that:
  2. 39 |
      40 |
    1. Is consistent with the organization’s enterprise architecture;
    2. 41 |
    3. Explicitly defines the authorization boundary for the system;
    4. 42 |
    5. Describes the operational context of the information system in terms of missions and business processes;
    6. 43 |
    7. Provides the security categorization of the information system including supporting rationale;
    8. 44 |
    9. Describes the operational environment for the information system and relationships with or connections to other information systems;
    10. 45 |
    11. Provides an overview of the security requirements for the system;
    12. 46 |
    13. Identifies any relevant overlays, if applicable;
    14. 47 |
    15. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
    16. 48 |
    17. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
    18. 49 |
    50 |
  3. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
  4. 51 |
  5. Reviews the security plan for the information system [FedRAMP Assignment: at least annually];
  6. 52 |
  7. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
  8. 53 |
  9. Protects the security plan from unauthorized disclosure and modification.
  10. 54 |
55 | 56 | 57 | |PL-2|Control Summary Information| 58 | |---|---| 59 | |Responsible Role: 60 | |Parameter PL-2(b): 61 | |Parameter PL-2(c): 62 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 63 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 64 | 65 | |PL-2 What is the solution and how is it implemented?| 66 | |---| 67 | |Part a| 68 | |Part b| 69 | |Part c| 70 | |Part d| 71 | |Part e| 72 | 73 | ### PL-2 (3) Control Enhancement (M) (H) 74 | The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. 75 | 76 | |PL-2 (3)|Control Summary Information| 77 | |---|---| 78 | |Responsible Role: 79 | |Parameter PL-2(3): 80 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 81 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 82 | 83 | |PL-2 (3) What is the solution and how is it implemented?| 84 | |---| 85 | || 86 | 87 | ### PL-4 Rules of Behavior (L) (M) 88 | The organization: 89 |
  1. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
  2. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
  3. Reviews and updates the rules of behavior [FedRAMP Assignment: at least every three (3) years]; and
  4. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
95 | 96 | |PL-4|Control Summary Information| 97 | |---|---| 98 | |Responsible Role: 99 | |Parameter PL-4(c): 100 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 101 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 102 | 103 | |PL-4 What is the solution and how is it implemented?| 104 | |---| 105 | |Part a 106 | |Part b 107 | |Part c 108 | |Part d 109 | 110 | ### PL-4 (1) Control Enhancement (M) (H) 111 | The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites. 112 | 113 | |PL-4 (1)|Control Summary Information| 114 | |---|---| 115 | |Responsible Role: 116 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 117 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 118 | 119 | |PL-4 (1) What is the solution and how is it implemented?| 120 | |---| 121 | || 122 | 123 | ### PL-8 Information Security Architecture (M) (H) 124 | The organization: 125 |
  1. Develops an information security architecture for the information system that:
     1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
     2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
     3. Describes any information security assumptions about, and dependencies on, external services;
  2. Reviews and updates the information security architecture [FedRAMP Assignment: at least annually or when a significant change occurs] to reflect updates in the enterprise architecture; and  
     PL-8 (b) Additional FedRAMP Requirements and Guidance:  
     Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, on Page F-8.
  3. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
137 | 138 | |PL-8|Control Summary Information| 139 | |---|---| 140 | |Responsible Role: 141 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 142 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 143 | 144 | |PL-8 What is the solution and how is it implemented?| 145 | |---| 146 | |Part a 147 | |Part b 148 | |Part c 149 | -------------------------------------------------------------------------------- /ssp/poam_template.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: POAM Template 3 | --- 4 | 5 | # Plan of Action and Milestones 6 | 7 | |CSP|System Name|Impact Level|POAM Date| 8 | |--|--|--|--| 9 | |Text|Text|Low/Moderate/High|Date| 10 | 11 | |POAM ID|Controls|Weakness Name|Weakness Description|Weakness Detector Source|Weakness Source Identifier|Asset Identifier|Point of Contact|Resources Required|Overall Remediation Plan|Original Detection Date|Scheduled Completion Date|Planned Milestones|Milestone Changes|Status Date|Vendor Dependence|Last Vendor Check-in Date|Vendor Dependent Product Name|Original Risk Rating|Adjusted Risk Rating|Risk Adjustment|False Positive|Operational Requirement|Deviation Rationale|Supporting Documents|Comments|Auto-Approve| 12 | |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| 13 | |V-1Example|AC-1|Open port on Example Firewall|Unprovisioned port left open on example firewall|Nessus| 12345|192.0.2.3 (80/TCP) http://vuln.gov/queries 192.0.2.17 (80/tcp)|John Doe - Example CSP|| Implement a technical solution to the problem.|5/5/2014|8/3/2014|(1) 2014/05/23: Milestone Description
(2) 2014-06-12: Milestone Description|(2) Update 2014-06-18 : That milestone was delayed due to a Vendor Dependency
(3) New 2014-06-13 : This is the details of this new milestone|8/5/2014| Yes|8/5/2014|Example Firewall|High|Moderate|Yes|No|Pending|Risk Adjustment: The example firewall scanned is just preliminary
Operational Requirement: The port is needed for service example.|Remediation Evidence : filename.doc
Deviation Request : DR-123-Example-1.doc|none|no| 14 | -------------------------------------------------------------------------------- /ssp/ps.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Personnel Security (PS) 3 | --- 4 | 5 | ## Personnel Security (PS) 6 | ### PS-1 Personnel Security Policy and Procedures (L) (M) 7 | The organization: 8 |
  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
  2. Reviews and updates the current:
     1. Personnel security policy [FedRAMP Assignment: at least every three (3) years]; and
     2. Personnel security procedures [FedRAMP Assignment: at least annually].
20 | 21 | |PS-1|Control Summary Information| 22 | |---|---| 23 | |Responsible Role: 24 | |Parameter PS-1(a): 25 | |Parameter PS-1(b)(1): 26 | |Parameter PS-1(b)(2): 27 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 28 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific) 29 | 30 | |PS-1 What is the solution and how is it implemented?| 31 | |---| 32 | |Part a 33 | |Part b 34 | 35 | ### PS-2 Position Categorization (L) (M) 36 | The organization: 37 |
  1. Assigns a risk designation to all positions;
  2. Establishes screening criteria for individuals filling those positions; and
  3. Reviews and revises position risk designations [FedRAMP Assignment: at least every three (3) years].
42 | 43 | |PS-2|Control Summary Information| 44 | |---|---| 45 | |Responsible Role: 46 | |Parameter PS-2(c): 47 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 48 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 49 | 50 | |PS-2 What is the solution and how is it implemented?| 51 | |--- 52 | |Part a 53 | |Part b 54 | |Part c 55 | 56 | ### PS-3 Personnel Screening (L) (M) (H) 57 | The organization: 58 |
  1. Screens individuals prior to authorizing access to the information system; and
  2. Rescreens individuals according to [FedRAMP Assignment: For national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions].
62 | 63 | |PS-3|Control Summary Information| 64 | |---|---| 65 | |Responsible Role: 66 | |Parameter PS-3(b): 67 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 68 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 69 | 70 | |PS-3 What is the solution and how is it implemented?| 71 | |---| 72 | |Part a 73 | |Part b 74 | 75 | ### PS-3 (3) Control Enhancement (M) (H) 76 | The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: 77 |
  1. Have valid access authorizations that are demonstrated by assigned official government duties; and
  2. Satisfy [FedRAMP Assignment: personnel screening criteria – as required by specific information].
81 | 82 | |PS-3 (3)|Control Summary Information| 83 | |---|---| 84 | |Responsible Role: 85 | |Parameter PS-3 (3)(b): 86 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 87 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 88 | 89 | |PS-3 (3) What is the solution and how is it implemented?| 90 | |--- 91 | |Part a 92 | |Part b 93 | 94 | ### PS-4 Personnel Termination (L) (M) 95 | The organization, upon termination of individual employment: 96 |
  1. Disables information system access within [FedRAMP Assignment: same day];
  2. Terminates/revokes any authenticators/credentials associated with the individual;
  3. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
  4. Retrieves all security-related organizational information system-related property;
  5. Retains access to organizational information and information systems formerly controlled by the terminated individual; and
  6. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
104 | 105 | |PS-4|Control Summary Information| 106 | |---|---| 107 | |Responsible Role: 108 | |Parameter PS-4(a): 109 | |Parameter PS-4(c): 110 | |Parameter PS-4(f)-1: 111 | |Parameter PS-4(f)-2: 112 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 113 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 114 | 115 | |PS-4 What is the solution and how is it implemented?| 116 | |---| 117 | |Part a 118 | |Part b 119 | |Part c 120 | |Part d 121 | |Part e 122 | |Part f 123 | 124 | ### PS-5 Personnel Transfer (L) (M) 125 | The organization: 126 |
  1. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
  2. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
  3. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
  4. Notifies [Assignment: organization-defined personnel or roles] within [FedRAMP Assignment: within five days of the formal transfer action (DoD 24 hours)].
132 | 133 | |PS-5|Control Summary Information| 134 | |---|---| 135 | |Responsible Role: 136 | |Parameter PS-5(b)-1: 137 | |Parameter PS-5(b)-2: 138 | |Parameter PS-5(d)-1: 139 | |Parameter PS-5(d)-2: 140 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 141 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 142 | 143 | |PS-5 What is the solution and how is it implemented?| 144 | |---| 145 | |Part a 146 | |Part b 147 | |Part c 148 | |Part d 149 | 150 | ### PS-6 Access Agreements (L) (M) 151 | The organization: 152 |
  1. Develops and documents access agreements for organizational information systems;
  2. Reviews and updates the access agreements [FedRAMP Assignment: at least annually]; and
  3. Ensures that individuals requiring access to organizational information and information systems:
     1. Sign appropriate access agreements prior to being granted access; and
     2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [FedRAMP Assignment: at least annually].
161 | 162 | |PS-6|Control Summary Information| 163 | |---|---| 164 | |Responsible Role: 165 | |Parameter PS-6(b): 166 | |Parameter PS-6(c)(2): 167 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 168 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 169 | 170 | |PS-6 What is the solution and how is it implemented?| 171 | |---| 172 | |Part a 173 | |Part b 174 | |Part c 175 | 176 | ### PS-7 Third-Party Personnel Security (L) (M) 177 | The organization: 178 |
  1. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
  2. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
  3. Documents personnel security requirements;
  4. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [FedRAMP Assignment: same day]; and
  5. Monitors provider compliance.
185 | 186 | |PS-7|Control Summary Information| 187 | |---|---| 188 | |Responsible Role: 189 | |Parameter PS-7(d)-1: 190 | |Parameter PS-7(d)-2: 191 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 192 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 193 | 194 | |PS-7 What is the solution and how is it implemented?| 195 | |---| 196 | |Part a 197 | |Part b 198 | |Part c 199 | |Part d 200 | |Part e 201 | 202 | ### PS-8 Personnel Sanctions (L) (M) 203 | The organization: 204 |
  1. Employs a formal sanctions process for personnel failing to comply with established information security policies and procedures; and
  2. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
208 | 209 | |PS-8|Control Summary Information| 210 | |---|---| 211 | |Responsible Role: 212 | |Parameter PS-8(b)-1: 213 | |Parameter PS-8(b)-2: 214 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 215 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 216 | 217 | |PS-8 What is the solution and how is it implemented?| 218 | |---| 219 | |Part a 220 | |Part b 221 | -------------------------------------------------------------------------------- /ssp/ra.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Risk Assessment (RA) 3 | --- 4 | 5 | ## Risk Assessment (RA) 6 | ### RA-1 Risk Assessment Policy and Procedures (L) (M) 7 | The organization: 8 |
  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
  2. Reviews and updates the current:
     1. Risk assessment policy [FedRAMP Assignment: at least every three (3) years]; and
     2. Risk assessment procedures [FedRAMP Assignment: at least annually].
20 | 21 | |RA-1|Control Summary Information| 22 | |---|---| 23 | |Responsible Role: 24 | |Parameter RA-1(a): 25 | |Parameter RA-1(b)(1): 26 | |Parameter RA-1(b)(2): 27 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 28 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific) 29 | 30 | |RA-1 What is the solution and how is it implemented?| 31 | |---| 32 | |Part a 33 | |Part b 34 | 35 | ### RA-2 Security Categorization (L) (M) (H) 36 | The organization: 37 |
  1. Categorizes information and the information system in accordance with applicable Federal Laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  2. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
  3. Ensures the security categorization decision is reviewed and approved by the AO or authorizing official designated representative.
42 | 43 | |RA-2|Control Summary Information| 44 | |---|---| 45 | |Responsible Role: 46 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 47 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 48 | 49 | |RA-2 What is the solution and how is it implemented?| 50 | |---| 51 | |Part a 52 | |Part b 53 | |Part c 54 | 55 | ### RA-3 Risk Assessment (L) (M) 56 | The organization: 57 |
  1. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
  2. Documents risk assessment results in [Selection: security plan; risk assessment report; [FedRAMP Assignment: security assessment report]];
  3. Reviews risk assessment results [FedRAMP Assignment: in accordance with OMB A-130 requirements or when a significant change occurs];
  4. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
  5. Updates the risk assessment [FedRAMP Assignment: in accordance with OMB A-130 requirements or when a significant change occurs] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

RA-3 Additional FedRAMP Requirements and Guidance:  
Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.  
RA-3 (d) Requirement: Include all Authorizing Officials; for JAB authorizations to include FedRAMP.
67 | 68 | |RA-3|Control Summary Information| 69 | |---|---| 70 | |Responsible Role: 71 | |Parameter RA-3(b): 72 | |Parameter RA-3(c): 73 | |Parameter RA-3(d): 74 | |Parameter RA-3(e): 75 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 76 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 77 | 78 | |RA-3 What is the solution and how is it implemented?| 79 | |---| 80 | |Part a 81 | |Part b 82 | |Part c 83 | |Part d 84 | |Part e 85 | 86 | ### RA-5 Vulnerability Scanning (L) (M) (H) 87 | The organization: 88 |
  1. Scans for vulnerabilities in the information system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications and databases] and when new vulnerabilities potentially affecting the system/applications are identified and reported;  
     RA-5 (a) Additional FedRAMP Requirements and Guidance:  
     Requirement: An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
  2. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
     1. Enumerating platforms, software flaws, and improper configurations;
     2. Formatting and making transparent, checklists and test procedures; and
     3. Measuring vulnerability impact;
  3. Analyzes vulnerability scan reports and results from security control assessments;
  4. Remediates legitimate vulnerabilities [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery], in accordance with an organizational assessment of risk; and
  5. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).  
     RA-5 (e) Additional FedRAMP Requirements and Guidance:  
     Requirement: To include all Authorizing Officials; for JAB authorizations to include FedRAMP.

RA-5 Additional FedRAMP Requirements and Guidance:  
Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents, Vulnerability Scanning Requirements: https://www.FedRAMP.gov/documents/
107 | 108 | |RA-5|Control Summary Information| 109 | |---|---| 110 | |Responsible Role: 111 | |Parameter RA-5(a): 112 | |Parameter RA-5(d): 113 | |Parameter RA-5(e): 114 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 115 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 116 | 117 | |RA-5 What is the solution and how is it implemented?| 118 | |---| 119 | |Part a 120 | |Part b 121 | |Part c 122 | |Part d 123 | |Part e 124 | 125 | ### RA-5 (1) Control Enhancement (M) (H) 126 | The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities to be scanned. 127 | 128 | |RA-5 (1)|Control Summary Information| 129 | |---|---| 130 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 131 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 132 | 133 | |RA-5 (1) What is the solution and how is it implemented?| 134 | |---| 135 | || 136 | 137 | ### RA-5 (2) Control Enhancement (M) (H) 138 | The organization updates the information system vulnerabilities scanned [Selection (one or more): [FedRAMP Assignment: prior to a new scan]]. 139 | 140 | |RA-5 (2)|Control Summary Information| 141 | |---|---| 142 | |Responsible Role: 143 | |Parameter RA-5(2): 144 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 145 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 146 | 147 | |RA-5 (2) What is the solution and how is it implemented?| 148 | |---| 149 | || 150 | 151 | ### RA-5 (3) Control Enhancement (M) (H) 152 | The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked). 153 | 154 | |RA-5 (3)|Control Summary Information| 155 | |---|---| 156 | |Responsible Role: 157 | |Parameter RA-5(3): 158 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 159 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 160 | 161 | |RA-5 (3) What is the solution and how is it implemented?| 162 | |---| 163 | || 164 | 165 | ### RA-5 (5) Control Enhancement (M) (H) 166 | The organization includes privileged access authorization to [FedRAMP Assignment: operating systems, databases, web applications] for selected [FedRAMP Assignment: all scans]. 167 | 168 | |RA-5 (5)|Control Summary Information| 169 | |---|---| 170 | |Responsible Role: 171 | |Parameter RA-5(5)-1: 172 | |Parameter RA-5(5)-2: 173 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 174 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 175 | 176 | |RA-5 (5) What is the solution and how is it implemented?| 177 | |---| 178 | || 179 | 180 | ### RA-5 (6) Control Enhancement (M) (H) 181 | The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. 182 | 183 | |RA-5 (6)|Control Summary Information| 184 | |---|---| 185 | |Responsible Role: 186 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 187 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 188 | 189 | |RA-5 (6) What is the solution and how is it implemented?| 190 | |---| 191 | || 192 | 193 | 194 | ### RA-5 (8) Control Enhancement (L) (M) (H) 195 | The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. 196 | RA-5 (8) Additional FedRAMP Requirements and Guidance:
197 | Requirement: This enhancement is required for all high vulnerability scan findings. 198 | Guidance: While scanning tools may label findings as high or critical, the intent of the control is based on NIST's definition of a high vulnerability. 199 | 200 | 201 | |RA-5 (8)|Control Summary Information| 202 | |---|---| 203 | |Responsible Role: 204 | |Implementation Status (check all that apply):|☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable 205 | |Control Origination (check all that apply):|☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for _insert text here_. 206 | 207 | |RA-5 (8) What is the solution and how is it implemented?| 208 | |---| 209 | || 210 | --------------------------------------------------------------------------------