FedRAMP Rev 5
Federal Risk and Authorization Management Program Security Baselines
323 controls in the MODERATE baseline. Each control is listed with the FedRAMP baselines that include it (LI-SaaS, LOW, MODERATE, HIGH); control enhancements are listed under their base control.
AC — Access Control (43 controls)
AC-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
AC-2  Account Management  [LI-SaaS, LOW, MODERATE, HIGH]
  AC-2 (01)  Account Management | Automated System Account Management  [MODERATE, HIGH]
  AC-2 (02)  Account Management | Automated Temporary and Emergency Account Management  [MODERATE, HIGH]
  AC-2 (03)  Account Management | Disable Accounts  [MODERATE, HIGH]
  AC-2 (04)  Account Management | Automated Audit Actions  [MODERATE, HIGH]
  AC-2 (05)  Account Management | Inactivity Logout  [MODERATE, HIGH]
  AC-2 (07)  Account Management | Privileged User Accounts  [MODERATE, HIGH]
  AC-2 (09)  Account Management | Restrictions on Use of Shared and Group Accounts  [MODERATE, HIGH]
  AC-2 (12)  Account Management | Account Monitoring for Atypical Usage  [MODERATE, HIGH]
  AC-2 (13)  Account Management | Disable Accounts for High-risk Individuals  [MODERATE, HIGH]
AC-3  Access Enforcement  [LI-SaaS, LOW, MODERATE, HIGH]
AC-4  Information Flow Enforcement  [MODERATE, HIGH]
  AC-4 (21)  Information Flow Enforcement | Physical or Logical Separation of Information Flows  [MODERATE, HIGH]
AC-5  Separation of Duties  [MODERATE, HIGH]
AC-6  Least Privilege  [MODERATE, HIGH]
  AC-6 (01)  Least Privilege | Authorize Access to Security Functions  [MODERATE, HIGH]
  AC-6 (02)  Least Privilege | Non-privileged Access for Nonsecurity Functions  [MODERATE, HIGH]
  AC-6 (05)  Least Privilege | Privileged Accounts  [MODERATE, HIGH]
  AC-6 (07)  Least Privilege | Review of User Privileges  [MODERATE, HIGH]
  AC-6 (09)  Least Privilege | Log Use of Privileged Functions  [MODERATE, HIGH]
  AC-6 (10)  Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions  [MODERATE, HIGH]
AC-7  Unsuccessful Logon Attempts  [LI-SaaS, LOW, MODERATE, HIGH]
AC-8  System Use Notification  [LI-SaaS, LOW, MODERATE, HIGH]
AC-11  Device Lock  [MODERATE, HIGH]
  AC-11 (01)  Device Lock | Pattern-hiding Displays  [MODERATE, HIGH]
AC-12  Session Termination  [MODERATE, HIGH]
AC-14  Permitted Actions Without Identification or Authentication  [LI-SaaS, LOW, MODERATE, HIGH]
AC-17  Remote Access  [LI-SaaS, LOW, MODERATE, HIGH]
  AC-17 (01)  Remote Access | Monitoring and Control  [MODERATE, HIGH]
  AC-17 (02)  Remote Access | Protection of Confidentiality and Integrity Using Encryption  [MODERATE, HIGH]
  AC-17 (03)  Remote Access | Managed Access Control Points  [MODERATE, HIGH]
  AC-17 (04)  Remote Access | Privileged Commands and Access  [MODERATE, HIGH]
AC-18  Wireless Access  [LI-SaaS, LOW, MODERATE, HIGH]
  AC-18 (01)  Wireless Access | Authentication and Encryption  [MODERATE, HIGH]
  AC-18 (03)  Wireless Access | Disable Wireless Networking  [MODERATE, HIGH]
AC-19  Access Control for Mobile Devices  [LI-SaaS, LOW, MODERATE, HIGH]
  AC-19 (05)  Access Control for Mobile Devices | Full Device or Container-based Encryption  [MODERATE, HIGH]
AC-20  Use of External Systems  [LI-SaaS, LOW, MODERATE, HIGH]
  AC-20 (01)  Use of External Systems | Limits on Authorized Use  [MODERATE, HIGH]
  AC-20 (02)  Use of External Systems | Portable Storage Devices -- Restricted Use  [MODERATE, HIGH]
AC-21  Information Sharing  [MODERATE, HIGH]
AC-22  Publicly Accessible Content  [LI-SaaS, LOW, MODERATE, HIGH]
AT — Awareness and Training (6 controls)
AT-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
AT-2  Literacy Training and Awareness  [LI-SaaS, LOW, MODERATE, HIGH]
  AT-2 (02)  Literacy Training and Awareness | Insider Threat  [LOW, MODERATE, HIGH]
  AT-2 (03)  Literacy Training and Awareness | Social Engineering and Mining  [MODERATE, HIGH]
AT-3  Role-based Training  [LI-SaaS, LOW, MODERATE, HIGH]
AT-4  Training Records  [LI-SaaS, LOW, MODERATE, HIGH]
AU — Audit and Accountability (16 controls)
AU-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
AU-2  Event Logging  [LI-SaaS, LOW, MODERATE, HIGH]
AU-3  Content of Audit Records  [LI-SaaS, LOW, MODERATE, HIGH]
  AU-3 (01)  Content of Audit Records | Additional Audit Information  [MODERATE, HIGH]
AU-4  Audit Log Storage Capacity  [LI-SaaS, LOW, MODERATE, HIGH]
AU-5  Response to Audit Logging Process Failures  [LI-SaaS, LOW, MODERATE, HIGH]
AU-6  Audit Record Review, Analysis, and Reporting  [LI-SaaS, LOW, MODERATE, HIGH]
  AU-6 (01)  Audit Record Review, Analysis, and Reporting | Automated Process Integration  [MODERATE, HIGH]
  AU-6 (03)  Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories  [MODERATE, HIGH]
AU-7  Audit Record Reduction and Report Generation  [MODERATE, HIGH]
  AU-7 (01)  Audit Record Reduction and Report Generation | Automatic Processing  [MODERATE, HIGH]
AU-8  Time Stamps  [LI-SaaS, LOW, MODERATE, HIGH]
AU-9  Protection of Audit Information  [LI-SaaS, LOW, MODERATE, HIGH]
  AU-9 (04)  Protection of Audit Information | Access by Subset of Privileged Users  [MODERATE, HIGH]
AU-11  Audit Record Retention  [LI-SaaS, LOW, MODERATE, HIGH]
AU-12  Audit Record Generation  [LI-SaaS, LOW, MODERATE, HIGH]
CA — Assessment, Authorization, and Monitoring (14 controls)
CA-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
CA-2  Control Assessments  [LI-SaaS, LOW, MODERATE, HIGH]
  CA-2 (01)  Control Assessments | Independent Assessors  [LOW, MODERATE, HIGH]
  CA-2 (03)  Control Assessments | Leveraging Results from External Organizations  [MODERATE, HIGH]
CA-3  Information Exchange  [LI-SaaS, LOW, MODERATE, HIGH]
CA-5  Plan of Action and Milestones  [LI-SaaS, LOW, MODERATE, HIGH]
CA-6  Authorization  [LI-SaaS, LOW, MODERATE, HIGH]
CA-7  Continuous Monitoring  [LI-SaaS, LOW, MODERATE, HIGH]
  CA-7 (01)  Continuous Monitoring | Independent Assessment  [MODERATE, HIGH]
  CA-7 (04)  Continuous Monitoring | Risk Monitoring  [LOW, MODERATE, HIGH]
CA-8  Penetration Testing  [LI-SaaS, LOW, MODERATE, HIGH]
  CA-8 (01)  Penetration Testing | Independent Penetration Testing Agent or Team  [MODERATE, HIGH]
  CA-8 (02)  Penetration Testing | Red Team Exercises  [MODERATE, HIGH]
CA-9  Internal System Connections  [LI-SaaS, LOW, MODERATE, HIGH]
CM — Configuration Management (27 controls)
CM-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
CM-2  Baseline Configuration  [LI-SaaS, LOW, MODERATE, HIGH]
  CM-2 (02)  Baseline Configuration | Automation Support for Accuracy and Currency  [MODERATE, HIGH]
  CM-2 (03)  Baseline Configuration | Retention of Previous Configurations  [MODERATE, HIGH]
  CM-2 (07)  Baseline Configuration | Configure Systems and Components for High-risk Areas  [MODERATE, HIGH]
CM-3  Configuration Change Control  [MODERATE, HIGH]
  CM-3 (02)  Configuration Change Control | Testing, Validation, and Documentation of Changes  [MODERATE, HIGH]
  CM-3 (04)  Configuration Change Control | Security and Privacy Representatives  [MODERATE, HIGH]
CM-4  Impact Analyses  [LI-SaaS, LOW, MODERATE, HIGH]
  CM-4 (02)  Impact Analyses | Verification of Controls  [MODERATE, HIGH]
CM-5  Access Restrictions for Change  [LI-SaaS, LOW, MODERATE, HIGH]
  CM-5 (01)  Access Restrictions for Change | Automated Access Enforcement and Audit Records  [MODERATE, HIGH]
  CM-5 (05)  Access Restrictions for Change | Privilege Limitation for Production and Operation  [MODERATE, HIGH]
CM-6  Configuration Settings  [LI-SaaS, LOW, MODERATE, HIGH]
  CM-6 (01)  Configuration Settings | Automated Management, Application, and Verification  [MODERATE, HIGH]
CM-7  Least Functionality  [LI-SaaS, LOW, MODERATE, HIGH]
  CM-7 (01)  Least Functionality | Periodic Review  [MODERATE, HIGH]
  CM-7 (02)  Least Functionality | Prevent Program Execution  [MODERATE, HIGH]
  CM-7 (05)  Least Functionality | Authorized Software -- Allow-by-exception  [MODERATE, HIGH]
CM-8  System Component Inventory  [LI-SaaS, LOW, MODERATE, HIGH]
  CM-8 (01)  System Component Inventory | Updates During Installation and Removal  [MODERATE, HIGH]
  CM-8 (03)  System Component Inventory | Automated Unauthorized Component Detection  [MODERATE, HIGH]
CM-9  Configuration Management Plan  [MODERATE, HIGH]
CM-10  Software Usage Restrictions  [LI-SaaS, LOW, MODERATE, HIGH]
CM-11  User-installed Software  [LI-SaaS, LOW, MODERATE, HIGH]
CM-12  Information Location  [MODERATE, HIGH]
  CM-12 (01)  Information Location | Automated Tools to Support Information Location  [MODERATE, HIGH]
CP — Contingency Planning (23 controls)
CP-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
CP-2  Contingency Plan  [LI-SaaS, LOW, MODERATE, HIGH]
  CP-2 (01)  Contingency Plan | Coordinate with Related Plans  [MODERATE, HIGH]
  CP-2 (03)  Contingency Plan | Resume Mission and Business Functions  [MODERATE, HIGH]
  CP-2 (08)  Contingency Plan | Identify Critical Assets  [MODERATE, HIGH]
CP-3  Contingency Training  [LI-SaaS, LOW, MODERATE, HIGH]
CP-4  Contingency Plan Testing  [LI-SaaS, LOW, MODERATE, HIGH]
  CP-4 (01)  Contingency Plan Testing | Coordinate with Related Plans  [MODERATE, HIGH]
CP-6  Alternate Storage Site  [MODERATE, HIGH]
  CP-6 (01)  Alternate Storage Site | Separation from Primary Site  [MODERATE, HIGH]
  CP-6 (03)  Alternate Storage Site | Accessibility  [MODERATE, HIGH]
CP-7  Alternate Processing Site  [MODERATE, HIGH]
  CP-7 (01)  Alternate Processing Site | Separation from Primary Site  [MODERATE, HIGH]
  CP-7 (02)  Alternate Processing Site | Accessibility  [MODERATE, HIGH]
  CP-7 (03)  Alternate Processing Site | Priority of Service  [MODERATE, HIGH]
CP-8  Telecommunications Services  [MODERATE, HIGH]
  CP-8 (01)  Telecommunications Services | Priority of Service Provisions  [MODERATE, HIGH]
  CP-8 (02)  Telecommunications Services | Single Points of Failure  [MODERATE, HIGH]
CP-9  System Backup  [LI-SaaS, LOW, MODERATE, HIGH]
  CP-9 (01)  System Backup | Testing for Reliability and Integrity  [MODERATE, HIGH]
  CP-9 (08)  System Backup | Cryptographic Protection  [MODERATE, HIGH]
CP-10  System Recovery and Reconstitution  [LI-SaaS, LOW, MODERATE, HIGH]
  CP-10 (02)  System Recovery and Reconstitution | Transaction Recovery  [MODERATE, HIGH]
IA — Identification and Authentication (27 controls)
IA-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
IA-2  Identification and Authentication (Organizational Users)  [LI-SaaS, LOW, MODERATE, HIGH]
  IA-2 (01)  Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged Accounts  [LOW, MODERATE, HIGH]
  IA-2 (02)  Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privileged Accounts  [LOW, MODERATE, HIGH]
  IA-2 (05)  Identification and Authentication (Organizational Users) | Individual Authentication with Group Authentication  [MODERATE, HIGH]
  IA-2 (06)  Identification and Authentication (Organizational Users) | Access to Accounts -- Separate Device  [MODERATE, HIGH]
  IA-2 (08)  Identification and Authentication (Organizational Users) | Access to Accounts -- Replay Resistant  [LOW, MODERATE, HIGH]
  IA-2 (12)  Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials  [LI-SaaS, LOW, MODERATE, HIGH]
IA-3  Device Identification and Authentication  [MODERATE, HIGH]
IA-4  Identifier Management  [LI-SaaS, LOW, MODERATE, HIGH]
  IA-4 (04)  Identifier Management | Identify User Status  [MODERATE, HIGH]
IA-5  Authenticator Management  [LI-SaaS, LOW, MODERATE, HIGH]
  IA-5 (01)  Authenticator Management | Password-based Authentication  [LOW, MODERATE, HIGH]
  IA-5 (02)  Authenticator Management | Public Key-based Authentication  [MODERATE, HIGH]
  IA-5 (06)  Authenticator Management | Protection of Authenticators  [MODERATE, HIGH]
  IA-5 (07)  Authenticator Management | No Embedded Unencrypted Static Authenticators  [MODERATE, HIGH]
IA-6  Authentication Feedback  [LI-SaaS, LOW, MODERATE, HIGH]
IA-7  Cryptographic Module Authentication  [LI-SaaS, LOW, MODERATE, HIGH]
IA-8  Identification and Authentication (Non-organizational Users)  [LI-SaaS, LOW, MODERATE, HIGH]
  IA-8 (01)  Identification and Authentication (Non-organizational Users) | Acceptance of PIV Credentials from Other Agencies  [LOW, MODERATE, HIGH]
  IA-8 (02)  Identification and Authentication (Non-organizational Users) | Acceptance of External Authenticators  [LOW, MODERATE, HIGH]
  IA-8 (04)  Identification and Authentication (Non-organizational Users) | Use of Defined Profiles  [LOW, MODERATE, HIGH]
IA-11  Re-authentication  [LI-SaaS, LOW, MODERATE, HIGH]
IA-12  Identity Proofing  [MODERATE, HIGH]
  IA-12 (02)  Identity Proofing | Identity Evidence  [MODERATE, HIGH]
  IA-12 (03)  Identity Proofing | Identity Evidence Validation and Verification  [MODERATE, HIGH]
  IA-12 (05)  Identity Proofing | Address Confirmation  [MODERATE, HIGH]
IR — Incident Response (17 controls)
IR-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
IR-2  Incident Response Training  [LI-SaaS, LOW, MODERATE, HIGH]
IR-3  Incident Response Testing  [MODERATE, HIGH]
  IR-3 (02)  Incident Response Testing | Coordination with Related Plans  [MODERATE, HIGH]
IR-4  Incident Handling  [LI-SaaS, LOW, MODERATE, HIGH]
  IR-4 (01)  Incident Handling | Automated Incident Handling Processes  [MODERATE, HIGH]
IR-5  Incident Monitoring  [LI-SaaS, LOW, MODERATE, HIGH]
IR-6  Incident Reporting  [LI-SaaS, LOW, MODERATE, HIGH]
  IR-6 (01)  Incident Reporting | Automated Reporting  [MODERATE, HIGH]
  IR-6 (03)  Incident Reporting | Supply Chain Coordination  [MODERATE, HIGH]
IR-7  Incident Response Assistance  [LI-SaaS, LOW, MODERATE, HIGH]
  IR-7 (01)  Incident Response Assistance | Automation Support for Availability of Information and Support  [MODERATE, HIGH]
IR-8  Incident Response Plan  [LI-SaaS, LOW, MODERATE, HIGH]
IR-9  Information Spillage Response  [MODERATE, HIGH]
  IR-9 (02)  Information Spillage Response | Training  [MODERATE, HIGH]
  IR-9 (03)  Information Spillage Response | Post-spill Operations  [MODERATE, HIGH]
  IR-9 (04)  Information Spillage Response | Exposure to Unauthorized Personnel  [MODERATE, HIGH]
MA — Maintenance (10 controls)
MA-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
MA-2  Controlled Maintenance  [LI-SaaS, LOW, MODERATE, HIGH]
MA-3  Maintenance Tools  [MODERATE, HIGH]
  MA-3 (01)  Maintenance Tools | Inspect Tools  [MODERATE, HIGH]
  MA-3 (02)  Maintenance Tools | Inspect Media  [MODERATE, HIGH]
  MA-3 (03)  Maintenance Tools | Prevent Unauthorized Removal  [MODERATE, HIGH]
MA-4  Nonlocal Maintenance  [LI-SaaS, LOW, MODERATE, HIGH]
MA-5  Maintenance Personnel  [LI-SaaS, LOW, MODERATE, HIGH]
  MA-5 (01)  Maintenance Personnel | Individuals Without Appropriate Access  [MODERATE, HIGH]
MA-6  Timely Maintenance  [MODERATE, HIGH]
MP — Media Protection (7 controls)
PE — Physical and Environmental Protection (19 controls)
PE-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
PE-2  Physical Access Authorizations  [LI-SaaS, LOW, MODERATE, HIGH]
PE-3  Physical Access Control  [LI-SaaS, LOW, MODERATE, HIGH]
PE-4  Access Control for Transmission  [MODERATE, HIGH]
PE-5  Access Control for Output Devices  [MODERATE, HIGH]
PE-6  Monitoring Physical Access  [LI-SaaS, LOW, MODERATE, HIGH]
  PE-6 (01)  Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment  [MODERATE, HIGH]
PE-8  Visitor Access Records  [LI-SaaS, LOW, MODERATE, HIGH]
PE-9  Power Equipment and Cabling  [MODERATE, HIGH]
PE-10  Emergency Shutoff  [MODERATE, HIGH]
PE-11  Emergency Power  [MODERATE, HIGH]
PE-12  Emergency Lighting  [LI-SaaS, LOW, MODERATE, HIGH]
PE-13  Fire Protection  [LI-SaaS, LOW, MODERATE, HIGH]
  PE-13 (01)  Fire Protection | Detection Systems -- Automatic Activation and Notification  [MODERATE, HIGH]
  PE-13 (02)  Fire Protection | Suppression Systems -- Automatic Activation and Notification  [MODERATE, HIGH]
PE-14  Environmental Controls  [LI-SaaS, LOW, MODERATE, HIGH]
PE-15  Water Damage Protection  [LI-SaaS, LOW, MODERATE, HIGH]
PE-16  Delivery and Removal  [LI-SaaS, LOW, MODERATE, HIGH]
PE-17  Alternate Work Site  [MODERATE, HIGH]
PL — Planning (7 controls)
PL-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
PL-2  System Security and Privacy Plans  [LI-SaaS, LOW, MODERATE, HIGH]
PL-4  Rules of Behavior  [LI-SaaS, LOW, MODERATE, HIGH]
  PL-4 (01)  Rules of Behavior | Social Media and External Site/Application Usage Restrictions  [LOW, MODERATE, HIGH]
PL-8  Security and Privacy Architectures  [LI-SaaS, LOW, MODERATE, HIGH]
PL-10  Baseline Selection  [LI-SaaS, LOW, MODERATE, HIGH]
PL-11  Baseline Tailoring  [LI-SaaS, LOW, MODERATE, HIGH]
PS — Personnel Security (10 controls)
PS-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
PS-2  Position Risk Designation  [LI-SaaS, LOW, MODERATE, HIGH]
PS-3  Personnel Screening  [LI-SaaS, LOW, MODERATE, HIGH]
  PS-3 (03)  Personnel Screening | Information Requiring Special Protective Measures  [MODERATE, HIGH]
PS-4  Personnel Termination  [LI-SaaS, LOW, MODERATE, HIGH]
PS-5  Personnel Transfer  [LI-SaaS, LOW, MODERATE, HIGH]
PS-6  Access Agreements  [LI-SaaS, LOW, MODERATE, HIGH]
PS-7  External Personnel Security  [LI-SaaS, LOW, MODERATE, HIGH]
PS-8  Personnel Sanctions  [LI-SaaS, LOW, MODERATE, HIGH]
PS-9  Position Descriptions  [LI-SaaS, LOW, MODERATE, HIGH]
RA — Risk Assessment (11 controls)
RA-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
RA-2  Security Categorization  [LI-SaaS, LOW, MODERATE, HIGH]
RA-3  Risk Assessment  [LI-SaaS, LOW, MODERATE, HIGH]
  RA-3 (01)  Risk Assessment | Supply Chain Risk Assessment  [LOW, MODERATE, HIGH]
RA-5  Vulnerability Monitoring and Scanning  [LI-SaaS, LOW, MODERATE, HIGH]
  RA-5 (02)  Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned  [LOW, MODERATE, HIGH]
  RA-5 (03)  Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage  [MODERATE, HIGH]
  RA-5 (05)  Vulnerability Monitoring and Scanning | Privileged Access  [MODERATE, HIGH]
  RA-5 (11)  Vulnerability Monitoring and Scanning | Public Disclosure Program  [LI-SaaS, LOW, MODERATE, HIGH]
RA-7  Risk Response  [LI-SaaS, LOW, MODERATE, HIGH]
RA-9  Criticality Analysis  [MODERATE, HIGH]
SA — System and Services Acquisition (21 controls)
SA-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
SA-2  Allocation of Resources  [LI-SaaS, LOW, MODERATE, HIGH]
SA-3  System Development Life Cycle  [LI-SaaS, LOW, MODERATE, HIGH]
SA-4  Acquisition Process  [LI-SaaS, LOW, MODERATE, HIGH]
  SA-4 (01)  Acquisition Process | Functional Properties of Controls  [MODERATE, HIGH]
  SA-4 (02)  Acquisition Process | Design and Implementation Information for Controls  [MODERATE, HIGH]
  SA-4 (09)  Acquisition Process | Functions, Ports, Protocols, and Services in Use  [MODERATE, HIGH]
  SA-4 (10)  Acquisition Process | Use of Approved PIV Products  [LI-SaaS, LOW, MODERATE, HIGH]
SA-5  System Documentation  [LI-SaaS, LOW, MODERATE, HIGH]
SA-8  Security and Privacy Engineering Principles  [LI-SaaS, LOW, MODERATE, HIGH]
SA-9  External System Services  [LI-SaaS, LOW, MODERATE, HIGH]
  SA-9 (01)  External System Services | Risk Assessments and Organizational Approvals  [MODERATE, HIGH]
  SA-9 (02)  External System Services | Identification of Functions, Ports, Protocols, and Services  [MODERATE, HIGH]
  SA-9 (05)  External System Services | Processing, Storage, and Service Location  [MODERATE, HIGH]
SA-10  Developer Configuration Management  [MODERATE, HIGH]
SA-11  Developer Testing and Evaluation  [MODERATE, HIGH]
  SA-11 (01)  Developer Testing and Evaluation | Static Code Analysis  [MODERATE, HIGH]
  SA-11 (02)  Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses  [MODERATE, HIGH]
SA-15  Development Process, Standards, and Tools  [MODERATE, HIGH]
  SA-15 (03)  Development Process, Standards, and Tools | Criticality Analysis  [MODERATE, HIGH]
SA-22  Unsupported System Components  [LI-SaaS, LOW, MODERATE, HIGH]
SC — System and Communications Protection (29 controls)
SC-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
SC-2  Separation of System and User Functionality  [MODERATE, HIGH]
SC-4  Information in Shared System Resources  [MODERATE, HIGH]
SC-5  Denial-of-Service Protection  [LI-SaaS, LOW, MODERATE, HIGH]
SC-7  Boundary Protection  [LI-SaaS, LOW, MODERATE, HIGH]
  SC-7 (03)  Boundary Protection | Access Points  [MODERATE, HIGH]
  SC-7 (04)  Boundary Protection | External Telecommunications Services  [MODERATE, HIGH]
  SC-7 (05)  Boundary Protection | Deny by Default -- Allow by Exception  [MODERATE, HIGH]
  SC-7 (07)  Boundary Protection | Split Tunneling for Remote Devices  [MODERATE, HIGH]
  SC-7 (08)  Boundary Protection | Route Traffic to Authenticated Proxy Servers  [MODERATE, HIGH]
  SC-7 (12)  Boundary Protection | Host-based Protection  [MODERATE, HIGH]
  SC-7 (18)  Boundary Protection | Fail Secure  [MODERATE, HIGH]
SC-8  Transmission Confidentiality and Integrity  [LI-SaaS, LOW, MODERATE, HIGH]
  SC-8 (01)  Transmission Confidentiality and Integrity | Cryptographic Protection  [LOW, MODERATE, HIGH]
SC-10  Network Disconnect  [MODERATE, HIGH]
SC-12  Cryptographic Key Establishment and Management  [LI-SaaS, LOW, MODERATE, HIGH]
SC-13  Cryptographic Protection  [LI-SaaS, LOW, MODERATE, HIGH]
SC-15  Collaborative Computing Devices and Applications  [LI-SaaS, LOW, MODERATE, HIGH]
SC-17  Public Key Infrastructure Certificates  [MODERATE, HIGH]
SC-18  Mobile Code  [MODERATE, HIGH]
SC-20  Secure Name/Address Resolution Service (Authoritative Source)  [LI-SaaS, LOW, MODERATE, HIGH]
SC-21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)  [LI-SaaS, LOW, MODERATE, HIGH]
SC-22  Architecture and Provisioning for Name/Address Resolution Service  [LI-SaaS, LOW, MODERATE, HIGH]
SC-23  Session Authenticity  [MODERATE, HIGH]
SC-28  Protection of Information at Rest  [LI-SaaS, LOW, MODERATE, HIGH]
  SC-28 (01)  Protection of Information at Rest | Cryptographic Protection  [LOW, MODERATE, HIGH]
SC-39  Process Isolation  [LI-SaaS, LOW, MODERATE, HIGH]
SC-45  System Time Synchronization  [MODERATE, HIGH]
  SC-45 (01)  System Time Synchronization | Synchronization with Authoritative Time Source  [MODERATE, HIGH]
SI — System and Information Integrity (24 controls)
SI-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
SI-2  Flaw Remediation  [LI-SaaS, LOW, MODERATE, HIGH]
  SI-2 (02)  Flaw Remediation | Automated Flaw Remediation Status  [MODERATE, HIGH]
  SI-2 (03)  Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions  [MODERATE, HIGH]
SI-3  Malicious Code Protection  [LI-SaaS, LOW, MODERATE, HIGH]
SI-4  System Monitoring  [LI-SaaS, LOW, MODERATE, HIGH]
  SI-4 (01)  System Monitoring | System-wide Intrusion Detection System  [MODERATE, HIGH]
  SI-4 (02)  System Monitoring | Automated Tools and Mechanisms for Real-time Analysis  [MODERATE, HIGH]
  SI-4 (04)  System Monitoring | Inbound and Outbound Communications Traffic  [MODERATE, HIGH]
  SI-4 (05)  System Monitoring | System-generated Alerts  [MODERATE, HIGH]
  SI-4 (16)  System Monitoring | Correlate Monitoring Information  [MODERATE, HIGH]
  SI-4 (18)  System Monitoring | Analyze Traffic and Covert Exfiltration  [MODERATE, HIGH]
  SI-4 (23)  System Monitoring | Host-based Devices  [MODERATE, HIGH]
SI-5  Security Alerts, Advisories, and Directives  [LI-SaaS, LOW, MODERATE, HIGH]
SI-6  Security and Privacy Function Verification  [MODERATE, HIGH]
SI-7  Software, Firmware, and Information Integrity  [MODERATE, HIGH]
  SI-7 (01)  Software, Firmware, and Information Integrity | Integrity Checks  [MODERATE, HIGH]
  SI-7 (07)  Software, Firmware, and Information Integrity | Integration of Detection and Response  [MODERATE, HIGH]
SI-8  Spam Protection  [MODERATE, HIGH]
  SI-8 (02)  Spam Protection | Automatic Updates  [MODERATE, HIGH]
SI-10  Information Input Validation  [MODERATE, HIGH]
SI-11  Error Handling  [MODERATE, HIGH]
SI-12  Information Management and Retention  [LI-SaaS, LOW, MODERATE, HIGH]
SI-16  Memory Protection  [MODERATE, HIGH]
SR — Supply Chain Risk Management (12 controls)
SR-1  Policy and Procedures  [LI-SaaS, LOW, MODERATE, HIGH]
SR-2  Supply Chain Risk Management Plan  [LI-SaaS, LOW, MODERATE, HIGH]
  SR-2 (01)  Supply Chain Risk Management Plan | Establish SCRM Team  [LOW, MODERATE, HIGH]
SR-3  Supply Chain Controls and Processes  [LI-SaaS, LOW, MODERATE, HIGH]
SR-5  Acquisition Strategies, Tools, and Methods  [LI-SaaS, LOW, MODERATE, HIGH]
SR-6  Supplier Assessments and Reviews  [MODERATE, HIGH]
SR-8  Notification Agreements  [LI-SaaS, LOW, MODERATE, HIGH]
SR-10  Inspection of Systems or Components  [LI-SaaS, LOW, MODERATE, HIGH]
SR-11  Component Authenticity  [LI-SaaS, LOW, MODERATE, HIGH]
  SR-11 (01)  Component Authenticity | Anti-counterfeit Training  [LOW, MODERATE, HIGH]
  SR-11 (02)  Component Authenticity | Configuration Control for Component Service and Repair  [LOW, MODERATE, HIGH]
SR-12  Component Disposal  [LI-SaaS, LOW, MODERATE, HIGH]