GovRAMP Rev 5
Government Risk and Authorization Management Program - Security Baselines for State and Local Government Cloud Services
Showing 144 controls in LOW baseline
AC — Access Control (11 controls)
AC-01Policy and Procedures
AC-02Account Management
AC-03Access Enforcement
AC-07Unsuccessful Logon Attempts
AC-08System Use Notification
AC-14Permitted Actions Without Identification or Authentication
AC-17Remote Access
AC-18Wireless Access
AC-19Access Control for Mobile Devices
AC-20Use of External Systems
AC-22Publicly Accessible Content
AT — Awareness and Training (5 controls)
AU — Audit and Accountability (10 controls)
AU-01Policy and Procedures
AU-02Event Logging
AU-03Content of Audit Records
AU-04Audit Log Storage Capacity
AU-05Response to Audit Logging Process Failures
AU-06Audit Record Review, Analysis, and Reporting
AU-08Time Stamps
AU-09Protection of Audit Information
AU-11Audit Record Retention
AU-12Audit Record Generation
CA — Assessment, Authorization, and Monitoring (9 controls)
CM — Configuration Management (9 controls)
CP — Contingency Planning (6 controls)
IA — Identification and Authentication (13 controls)
IA-01Policy and Procedures
IA-02Identification and Authentication (organizational Users)
IA-02(01)Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts
IA-02(02)Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts
IA-02(08)Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant
IA-04Identifier Management
IA-05Authenticator Management
IA-05(01)Authenticator Management | Password-based Authentication
IA-06Authentication Feedback
IA-07Cryptographic Module Authentication
IA-08Identification and Authentication (non-organizational Users)
IA-08(02)Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators
IA-08(04)Identification and Authentication (non-organizational Users) | Use of Defined Profiles
IR — Incident Response (7 controls)
MA — Maintenance (4 controls)
MP — Media Protection (4 controls)
PE — Physical and Environmental Protection (10 controls)
PL — Planning (5 controls)
PS — Personnel Security (8 controls)
RA — Risk Assessment (5 controls)
SA — System and Services Acquisition (7 controls)
SC — System and Communications Protection (14 controls)
SC-01Policy and Procedures
SC-05Denial-of-service Protection
SC-07Boundary Protection
SC-08Transmission Confidentiality and Integrity
SC-08(01)Transmission Confidentiality and Integrity | Cryptographic Protection
SC-12Cryptographic Key Establishment and Management
SC-13Cryptographic Protection
SC-15Collaborative Computing Devices and Applications
SC-20Secure Name/address Resolution Service (authoritative Source)
SC-21Secure Name/address Resolution Service (recursive or Caching Resolver)
SC-22Architecture and Provisioning for Name/address Resolution Service
SC-28Protection of Information at Rest
SC-28(01)Protection of Information at Rest | Cryptographic Protection
SC-39Process Isolation
SI — System and Information Integrity (6 controls)
SR — Supply Chain Risk Management (11 controls)
SR-01Policy and Procedures
SR-02Supply Chain Risk Management Plan
SR-02(01)Supply Chain Risk Management Plan | Establish SCRM Team
SR-03Supply Chain Controls and Processes
SR-05Acquisition Strategies, Tools, and Methods
SR-08Notification Agreements
SR-10Inspection of Systems or Components
SR-11Component Authenticity
SR-11(01)Component Authenticity | Anti-counterfeit Training
SR-11(02)Component Authenticity | Configuration Control for Component Service and Repair
SR-12Component Disposal