Under active development — Content is continuously updated and improved

Home / Frameworks / GovRAMP / LOW Baseline

GovRAMP Rev 5

Government Risk and Authorization Management Program - Security Baselines for State and Local Government Cloud Services

419 All 133 Low 283 Moderate

Showing 133 controls in LOW baseline

AC — Access Control (11 controls)

AC-01Policy and Procedures

AC-02Account Management

AC-03Access Enforcement

AC-07Unsuccessful Logon Attempts

AC-08System Use Notification

AC-14Permitted Actions Without Identification or Authentication

AC-17Remote Access

AC-18Wireless Access

AC-19Access Control for Mobile Devices

AC-20Use of External Systems

AC-22Publicly Accessible Content

AT — Awareness and Training (5 controls)

AT-01Policy and Procedures

AT-02Literacy Training and Awareness

AT-02(02)Literacy Training and Awareness | Insider Threat

AT-03Role-based Training

AT-04Training Records

AU — Audit and Accountability (10 controls)

AU-01Policy and Procedures

AU-02Event Logging

AU-03Content of Audit Records

AU-04Audit Log Storage Capacity

AU-05Response to Audit Logging Process Failures

AU-06Audit Record Review, Analysis, and Reporting

AU-08Time Stamps

AU-09Protection of Audit Information

AU-11Audit Record Retention

AU-12Audit Record Generation

CA — Assessment, Authorization, and Monitoring (9 controls)

CA-01Policy and Procedures

CA-02Control Assessments

CA-02(01)Control Assessments | Independent Assessors

CA-03Information Exchange

CA-05Plan of Action and Milestones

CA-06Authorization

CA-07Continuous Monitoring

CA-08Penetration Testing

CA-09Internal System Connections

CM — Configuration Management (9 controls)

CM-01Policy and Procedures

CM-02Baseline Configuration

CM-04Impact Analyses

CM-05Access Restrictions for Change

CM-06Configuration Settings

CM-07Least Functionality

CM-08System Component Inventory

CM-10Software Usage Restrictions

CM-11User-installed Software

CP — Contingency Planning (6 controls)

CP-01Policy and Procedures

CP-02Contingency Plan

CP-03Contingency Training

CP-04Contingency Plan Testing

CP-09System Backup

CP-10System Recovery and Reconstitution

IA — Identification and Authentication (13 controls)

IA-01Policy and Procedures

IA-02Identification and Authentication (organizational Users)

IA-02(01)Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts

IA-02(02)Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts

IA-02(08)Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant

IA-04Identifier Management

IA-05Authenticator Management

IA-05(01)Authenticator Management | Password-based Authentication

IA-06Authentication Feedback

IA-07Cryptographic Module Authentication

IA-08Identification and Authentication (non-organizational Users)

IA-08(02)Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators

IA-08(04)Identification and Authentication (non-organizational Users) | Use of Defined Profiles

IR — Incident Response (7 controls)

IR-01Policy and Procedures

IR-02Incident Response Training

IR-04Incident Handling

IR-05Incident Monitoring

IR-06Incident Reporting

IR-07Incident Response Assistance

IR-08Incident Response Plan

MA — Maintenance (4 controls)

MA-01Policy and Procedures

MA-02Controlled Maintenance

MA-04Nonlocal Maintenance

MA-05Maintenance Personnel

MP — Media Protection (4 controls)

MP-01Policy and Procedures

MP-02Media Access

MP-06Media Sanitization

PE — Physical and Environmental Protection (10 controls)

PE-01Policy and Procedures

PE-02Physical Access Authorizations

PE-03Physical Access Control

PE-06Monitoring Physical Access

PE-08Visitor Access Records

PE-12Emergency Lighting

PE-13Fire Protection

PE-14Environmental Controls

PE-15Water Damage Protection

PE-16Delivery and Removal

PL — Planning (5 controls)

PL-01Policy and Procedures

PL-02System Security and Privacy Plans

PL-04Rules of Behavior

PL-04(01)Rules of Behavior | Social Media and External Site/application Usage Restrictions

PL-08Security and Privacy Architectures

PS — Personnel Security (8 controls)

PS-01Policy and Procedures

PS-02Position Risk Designation

PS-03Personnel Screening

PS-04Personnel Termination

PS-05Personnel Transfer

PS-06Access Agreements

PS-07External Personnel Security

PS-08Personnel Sanctions

RA — Risk Assessment (5 controls)

RA-01Policy and Procedures

RA-02Security Categorization

RA-03Risk Assessment

RA-05Vulnerability Monitoring and Scanning

RA-05(02)Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned

SA — System and Services Acquisition (7 controls)

SA-01Policy and Procedures

SA-02Allocation of Resources

SA-03System Development Life Cycle

SA-04Acquisition Process

SA-05System Documentation

SA-08Security and Privacy Engineering Principles

SA-09External System Services

SC — System and Communications Protection (14 controls)

SC-01Policy and Procedures

SC-05Denial-of-service Protection

SC-07Boundary Protection

SC-08Transmission Confidentiality and Integrity

SC-08(01)Transmission Confidentiality and Integrity | Cryptographic Protection

SC-12Cryptographic Key Establishment and Management

SC-13Cryptographic Protection

SC-15Collaborative Computing Devices and Applications

SC-20Secure Name/address Resolution Service (authoritative Source)

SC-21Secure Name/address Resolution Service (recursive or Caching Resolver)

SC-22Architecture and Provisioning for Name/address Resolution Service

SC-28Protection of Information at Rest

SC-28(01)Protection of Information at Rest | Cryptographic Protection

SC-39Process Isolation

SI — System and Information Integrity (6 controls)

SI-01Policy and Procedures

SI-02Flaw Remediation

SI-03Malicious Code Protection

SI-04System Monitoring

SI-05Security Alerts, Advisories, and Directives

SI-12Information Management and Retention