Control Parameters

FedRAMP-specific parameter values and guidance applied on top of NIST SP 800-53 controls. These set the organization-defined parameters (ODPs) and clarify how the baseline controls apply.

AC Family (4 controls)

| Parameter | Value |
|---|---|
| ac-06.01_odp.02 | all functions not publicly accessible |
| ac-06.01_odp.05 | all security-relevant information not publicly available |

| Parameter | Value |
|---|---|
| ac-06.02_odp | all security functions |

| Parameter | Value |
|---|---|
| ac-06.08_odp | any software except software explicitly documented |

Guidance
- The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:
  - AC-20 describes system access to and from external systems.
  - CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.
  - SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

AU Family (4 controls)

Guidance
- This activity is considered vulnerability detection and is subject to the Vulnerability Detection and Response rules.

| Parameter | Value |
|---|---|
| au-10_odp | at least actions including the addition, modification, deletion, approval, sending, or receiving of data |

| Parameter | Value |
|---|---|
| au-12_odp.01 | at least all information system and network components where audit capability is deployed/available |

CA Family (4 controls)

| Parameter | Value |
|---|---|
| ca-02_odp.02 | individuals or roles to include FedRAMP and agency customers |

| Parameter | Value |
|---|---|
| ca-02.03_odp.01 | any FedRAMP Recognized independent assessment service |

Guidance
- Follow the FedRAMP Continuous Collaborative Monitoring, Significant Change Notification, Vulnerability Detection and Response, and Vulnerability Evaluation and Reporting rules.
Guidance
- Penetration testing is part of vulnerability detection and is subject to the Vulnerability Detection and Response rules.

CM Family (6 controls)

Guidance
- Follow the Significant Change Notification rules.
Guidance
- Follow the FedRAMP Continuous Collaborative Monitoring, Significant Change Notification, Vulnerability Detection and Response, and Vulnerability Evaluation and Reporting rules.

| Parameter | Value |
|---|---|
| cm-11_odp.03 | Continuously (via CM-7 (5)) |

Guidance
- Follow the FedRAMP Minimum Assessment Scope rules.
Guidance
- If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.

CP Family (3 controls)

| Parameter | Value |
|---|---|
| cp-02.03_odp.02 | time period defined in service provider and organization Service Level Agreements |

Guidance
- The service provider may determine what is considered a sufficient degree of separation between the primary and alternate processing sites, based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites will be less relevant.

| Parameter | Value |
|---|---|
| cp-10.04_odp | time period consistent with the restoration time-periods defined in the service provider and organization Service Level Agreements |

IA Family (7 controls)

Guidance
- Multi-factor authentication must be phishing-resistant, in accordance with current CISA guidance. Current CISA guidance can be found here: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

| Parameter | Value |
|---|---|
| ia-02.06_odp.01 | local, network and remote |
| ia-02.06_odp.02 | privileged accounts; non-privileged accounts |

| Parameter | Value |
|---|---|
| ia-02.08_odp | privileged accounts; non-privileged accounts |

| Parameter | Value |
|---|---|
| ia-04.04_odp | contractors; foreign nationals |

Varies by class

B
- Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 1. Link: https://pages.nist.gov/800-63-3
- IA-5 Guidance: SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

C
- Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 2. Link: https://pages.nist.gov/800-63-3
- IA-5 Guidance: SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

D
- Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link: https://pages.nist.gov/800-63-3
- IA-5 Guidance: SP 800-63C Section 6.2.3 Encrypted Assertion requires that authentication assertions be encrypted when passed through third parties, such as a browser. For example, a SAML assertion can be encrypted using XML-Encryption, or an OpenID Connect ID Token can be encrypted using JSON Web Encryption (JWE).

IR Family (24 controls)

Guidance (all 24 controls in this family)
- Follow the FedRAMP Incident Evaluation and Reporting rules.

MA Family (2 controls)

PS Family (1 control)

Guidance
- CSPs MUST clearly document any nationality requirements for any account type within their platform. If none exist, this must also be explicitly stated.

RA Family (8 controls)

Guidance (all 8 controls in this family)
- Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.

SA Family (3 controls)

Guidance
- Follow the FedRAMP Secure Configuration Guide rules.

| Parameter | Value |
|---|---|
| sa-09.02_odp | all external systems where federal customer data is processed or stored |

Varies by class

C
- sa-09.05_odp.01: information processing, information or data, AND system services
- sa-09.05_odp.03: all federal customer data

D
- sa-09.05_odp.01: information processing, information or data, AND system services
- sa-09.05_odp.02: U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction
- sa-09.05_odp.03: all federal customer data

SC Family (2 controls)

Guidance
- SC-7 (b) may be met by using any technical capability or complement of capabilities that ensures logical separation between publicly accessible components and internal networks by preventing traversal without inspection and authorization; traffic may not flow unrestricted from publicly accessible components to internal networks.

Guidance
- Follow the FedRAMP Cryptographic Module Use rules.

SI Family (9 controls)

Guidance
- Follow the FedRAMP Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules.

Guidance
- Follow all applicable rules within the Vulnerability and Detection Response and Incident Communication Procedure guidance.

Guidance
- Follow the FedRAMP Addressing FedRAMP Communication rules.

Guidance
- When the CSO sends email on behalf of the government as part of the business offering, the control description should include implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC) on the sending domain for outgoing messages, as described in DHS Binding Operational Directive (BOD) 18-01: https://www.cisa.gov/news-events/directives
- SI-8 Guidance: CSPs should confirm DMARC configuration (where appropriate) to ensure that policy=reject and the rua parameter includes reports@dmarc.cyber.dhs.gov. DMARC compliance should be documented in the SI-08 control implementation solution description, and list the FROM: domain(s) when emails are sent on behalf of the government.
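The SI-8 check above (policy=reject and a rua entry for reports@dmarc.cyber.dhs.gov) can be verified mechanically against a domain's DMARC TXT record. The following is an added example, not part of this page or of any FedRAMP tooling; the record strings are constructed samples, and the pct check goes beyond the two conditions the guidance names.

```python
"""Check a DMARC TXT record against the SI-8 guidance on this page:
policy must be p=reject and rua must include reports@dmarc.cyber.dhs.gov.
Added example; sample records below are constructed, not real domains."""
from typing import Dict, List

DHS_RUA = "reports@dmarc.cyber.dhs.gov"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict. Tag names are folded to
    lower case (they are case-insensitive per RFC 7489); values keep
    their case. Items without '=' are ignored rather than raising."""
    tags: Dict[str, str] = {}
    for item in record.split(";"):
        if "=" not in item:
            continue
        tag, _, value = item.partition("=")
        tags[tag.strip().lower()] = value.strip()
    return tags


def rua_addresses(tags: Dict[str, str]) -> List[str]:
    """Return bare addresses from the rua tag: comma-separated mailto: URIs,
    each optionally carrying a '!size' report-size suffix."""
    out: List[str] = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            uri = uri[len("mailto:"):]
        if uri:
            out.append(uri.split("!")[0].lower())
    return out


def check_dmarc(record: str) -> List[str]:
    """Return findings for the record; an empty list means it meets the guidance."""
    findings: List[str] = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    if tags.get("p", "").lower() != "reject":
        findings.append(f"policy is p={tags.get('p', '<absent>')}, expected p=reject")
    if DHS_RUA not in rua_addresses(tags):
        findings.append(f"rua does not include {DHS_RUA}")
    # Added check beyond the page: pct below 100 exempts a share of mail from the policy.
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail flow")
    return findings


# Constructed sample records (example.gov is a placeholder, not a real sending domain)
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.gov"
GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov,mailto:reports@dmarc.cyber.dhs.gov"
```

In practice the record comes from a TXT lookup of `_dmarc.<sending-domain>`; the parser accepts the string exactly as returned.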
SR