GovRAMP Rev 5
Government Risk and Authorization Management Program - Security Baselines for State and Local Government Cloud Services
Showing 283 controls in MODERATE baseline
AC — Access Control (43 controls)
AC-01 Policy and Procedures
AC-02 Account Management
AC-02(01) Account Management | Automated System Account Management
AC-02(02) Account Management | Automated Temporary and Emergency Account Management
AC-02(03) Account Management | Disable Accounts
AC-02(04) Account Management | Automated Audit Actions
AC-02(05) Account Management | Inactivity Logout
AC-02(07) Account Management | Privileged User Accounts
AC-02(09) Account Management | Restrictions on Use of Shared and Group Accounts
AC-02(12) Account Management | Account Monitoring for Atypical Usage
AC-02(13) Account Management | Disable Accounts for High-risk Individuals
AC-03 Access Enforcement
AC-04 Information Flow Enforcement
AC-04(21) Information Flow Enforcement | Physical or Logical Separation of Information Flows
AC-05 Separation of Duties
AC-06 Least Privilege
AC-06(01) Least Privilege | Authorize Access to Security Functions
AC-06(02) Least Privilege | Non-privileged Access for Nonsecurity Functions
AC-06(05) Least Privilege | Privileged Accounts
AC-06(07) Least Privilege | Review of User Privileges
AC-06(09) Least Privilege | Log Use of Privileged Functions
AC-06(10) Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions
AC-07 Unsuccessful Logon Attempts
AC-08 System Use Notification
AC-11 Device Lock
AC-11(01) Device Lock | Pattern-hiding Displays
AC-12 Session Termination
AC-14 Permitted Actions Without Identification or Authentication
AC-17 Remote Access
AC-17(01) Remote Access | Monitoring and Control
AC-17(02) Remote Access | Protection of Confidentiality and Integrity Using Encryption
AC-17(03) Remote Access | Managed Access Control Points
AC-17(04) Remote Access | Privileged Commands and Access
AC-18 Wireless Access
AC-18(01) Wireless Access | Authentication and Encryption
AC-18(03) Wireless Access | Disable Wireless Networking
AC-19 Access Control for Mobile Devices
AC-19(05) Access Control for Mobile Devices | Full Device or Container-based Encryption
AC-20 Use of External Systems
AC-20(01) Use of External Systems | Limits on Authorized Use
AC-20(02) Use of External Systems | Portable Storage Devices — Restricted Use
AC-21 Information Sharing
AC-22 Publicly Accessible Content
AT — Awareness and Training (5 controls)
AU — Audit and Accountability (16 controls)
AU-01 Policy and Procedures
AU-02 Event Logging
AU-03 Content of Audit Records
AU-03(01) Content of Audit Records | Additional Audit Information
AU-04 Audit Log Storage Capacity
AU-05 Response to Audit Logging Process Failures
AU-06 Audit Record Review, Analysis, and Reporting
AU-06(01) Audit Record Review, Analysis, and Reporting | Automated Process Integration
AU-06(03) Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories
AU-07 Audit Record Reduction and Report Generation
AU-07(01) Audit Record Reduction and Report Generation | Automatic Processing
AU-08 Time Stamps
AU-09 Protection of Audit Information
AU-09(04) Protection of Audit Information | Access by Subset of Privileged Users
AU-11 Audit Record Retention
AU-12 Audit Record Generation
CA — Assessment, Authorization, and Monitoring (12 controls)
CA-01 Policy and Procedures
CA-02 Control Assessments
CA-02(01) Control Assessments | Independent Assessors
CA-02(03) Control Assessments | Leveraging Results from External Organizations
CA-03 Information Exchange
CA-05 Plan of Action and Milestones
CA-06 Authorization
CA-07 Continuous Monitoring
CA-07(01) Continuous Monitoring | Independent Assessment
CA-08 Penetration Testing
CA-08(01) Penetration Testing | Independent Penetration Testing Agent or Team
CA-09 Internal System Connections
CM — Configuration Management (24 controls)
CM-01 Policy and Procedures
CM-02 Baseline Configuration
CM-02(02) Baseline Configuration | Automation Support for Accuracy and Currency
CM-02(03) Baseline Configuration | Retention of Previous Configurations
CM-02(07) Baseline Configuration | Configure Systems and Components for High-risk Areas
CM-03 Configuration Change Control
CM-03(02) Configuration Change Control | Testing, Validation, and Documentation of Changes
CM-03(04) Configuration Change Control | Security and Privacy Representatives
CM-04 Impact Analyses
CM-05 Access Restrictions for Change
CM-05(01) Access Restrictions for Change | Automated Access Enforcement and Audit Records
CM-05(05) Access Restrictions for Change | Privilege Limitation for Production and Operation
CM-06 Configuration Settings
CM-06(01) Configuration Settings | Automated Management, Application, and Verification
CM-07 Least Functionality
CM-07(01) Least Functionality | Periodic Review
CM-07(02) Least Functionality | Prevent Program Execution
CM-07(05) Least Functionality | Authorized Software — Allow-by-exception
CM-08 System Component Inventory
CM-08(01) System Component Inventory | Updates During Installation and Removal
CM-08(03) System Component Inventory | Automated Unauthorized Component Detection
CM-09 Configuration Management Plan
CM-10 Software Usage Restrictions
CM-11 User-installed Software
CP — Contingency Planning (22 controls)
CP-01 Policy and Procedures
CP-02 Contingency Plan
CP-02(01) Contingency Plan | Coordinate with Related Plans
CP-02(03) Contingency Plan | Resume Mission and Business Functions
CP-02(08) Contingency Plan | Identify Critical Assets
CP-03 Contingency Training
CP-04 Contingency Plan Testing
CP-04(01) Contingency Plan Testing | Coordinate with Related Plans
CP-06 Alternate Storage Site
CP-06(01) Alternate Storage Site | Separation from Primary Site
CP-06(03) Alternate Storage Site | Accessibility
CP-07 Alternate Processing Site
CP-07(01) Alternate Processing Site | Separation from Primary Site
CP-07(02) Alternate Processing Site | Accessibility
CP-07(03) Alternate Processing Site | Priority of Service
CP-08 Telecommunications Services
CP-08(01) Telecommunications Services | Priority of Service Provisions
CP-08(02) Telecommunications Services | Single Points of Failure
CP-09 System Backup
CP-09(01) System Backup | Testing for Reliability and Integrity
CP-10 System Recovery and Reconstitution
CP-10(02) System Recovery and Reconstitution | Transaction Recovery
IA — Identification and Authentication (19 controls)
IA-01 Policy and Procedures
IA-02 Identification and Authentication (Organizational Users)
IA-02(01) Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged Accounts
IA-02(02) Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privileged Accounts
IA-02(05) Identification and Authentication (Organizational Users) | Individual Authentication with Group Authentication
IA-02(08) Identification and Authentication (Organizational Users) | Access to Accounts — Replay Resistant
IA-03 Device Identification and Authentication
IA-04 Identifier Management
IA-04(04) Identifier Management | Identify User Status
IA-05 Authenticator Management
IA-05(01) Authenticator Management | Password-based Authentication
IA-05(02) Authenticator Management | Public Key-based Authentication
IA-05(06) Authenticator Management | Protection of Authenticators
IA-05(07) Authenticator Management | No Embedded Unencrypted Static Authenticators
IA-06 Authentication Feedback
IA-07 Cryptographic Module Authentication
IA-08 Identification and Authentication (Non-organizational Users)
IA-08(02) Identification and Authentication (Non-organizational Users) | Acceptance of External Authenticators
IA-08(04) Identification and Authentication (Non-organizational Users) | Use of Defined Profiles
IR — Incident Response (16 controls)
IR-01 Policy and Procedures
IR-02 Incident Response Training
IR-03 Incident Response Testing
IR-03(02) Incident Response Testing | Coordination with Related Plans
IR-04 Incident Handling
IR-04(01) Incident Handling | Automated Incident Handling Processes
IR-05 Incident Monitoring
IR-06 Incident Reporting
IR-06(01) Incident Reporting | Automated Reporting
IR-07 Incident Response Assistance
IR-07(01) Incident Response Assistance | Automation Support for Availability of Information and Support
IR-08 Incident Response Plan
IR-09 Information Spillage Response
IR-09(02) Information Spillage Response | Training
IR-09(03) Information Spillage Response | Post-spill Operations
IR-09(04) Information Spillage Response | Exposure to Unauthorized Personnel
MA — Maintenance (10 controls)
MA-01 Policy and Procedures
MA-02 Controlled Maintenance
MA-03 Maintenance Tools
MA-03(01) Maintenance Tools | Inspect Tools
MA-03(02) Maintenance Tools | Inspect Media
MA-03(03) Maintenance Tools | Prevent Unauthorized Removal
MA-04 Nonlocal Maintenance
MA-05 Maintenance Personnel
MA-05(01) Maintenance Personnel | Individuals Without Appropriate Access
MA-06 Timely Maintenance
MP — Media Protection (7 controls)
PE — Physical and Environmental Protection (19 controls)
PE-01 Policy and Procedures
PE-02 Physical Access Authorizations
PE-03 Physical Access Control
PE-04 Access Control for Transmission
PE-05 Access Control for Output Devices
PE-06 Monitoring Physical Access
PE-06(01) Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
PE-08 Visitor Access Records
PE-09 Power Equipment and Cabling
PE-10 Emergency Shutoff
PE-11 Emergency Power
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-13(01) Fire Protection | Detection Systems — Automatic Activation and Notification
PE-13(02) Fire Protection | Suppression Systems — Automatic Activation and Notification
PE-14 Environmental Controls
PE-15 Water Damage Protection
PE-16 Delivery and Removal
PE-17 Alternate Work Site
PL — Planning (5 controls)
PS — Personnel Security (9 controls)
RA — Risk Assessment (7 controls)
RA-01 Policy and Procedures
RA-02 Security Categorization
RA-03 Risk Assessment
RA-05 Vulnerability Monitoring and Scanning
RA-05(02) Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
RA-05(03) Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage
RA-05(05) Vulnerability Monitoring and Scanning | Privileged Access
SA — System and Services Acquisition (18 controls)
SA-01 Policy and Procedures
SA-02 Allocation of Resources
SA-03 System Development Life Cycle
SA-04 Acquisition Process
SA-04(01) Acquisition Process | Functional Properties of Controls
SA-04(02) Acquisition Process | Design and Implementation Information for Controls
SA-04(09) Acquisition Process | Functions, Ports, Protocols, and Services in Use
SA-05 System Documentation
SA-08 Security and Privacy Engineering Principles
SA-09 External System Services
SA-09(01) External System Services | Risk Assessments and Organizational Approvals
SA-09(02) External System Services | Identification of Functions, Ports, Protocols, and Services
SA-09(05) External System Services | Processing, Storage, and Service Location
SA-10 Developer Configuration Management
SA-11 Developer Testing and Evaluation
SA-11(01) Developer Testing and Evaluation | Static Code Analysis
SA-11(02) Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
SA-15 Development Process, Standards, and Tools
SC — System and Communications Protection (27 controls)
SC-01 Policy and Procedures
SC-02 Separation of System and User Functionality
SC-04 Information in Shared System Resources
SC-05 Denial-of-service Protection
SC-07 Boundary Protection
SC-07(03) Boundary Protection | Access Points
SC-07(04) Boundary Protection | External Telecommunications Services
SC-07(05) Boundary Protection | Deny by Default — Allow by Exception
SC-07(07) Boundary Protection | Split Tunneling for Remote Devices
SC-07(08) Boundary Protection | Route Traffic to Authenticated Proxy Servers
SC-07(12) Boundary Protection | Host-based Protection
SC-07(18) Boundary Protection | Fail Secure
SC-08 Transmission Confidentiality and Integrity
SC-08(01) Transmission Confidentiality and Integrity | Cryptographic Protection
SC-10 Network Disconnect
SC-12 Cryptographic Key Establishment and Management
SC-13 Cryptographic Protection
SC-15 Collaborative Computing Devices and Applications
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 Architecture and Provisioning for Name/Address Resolution Service
SC-23 Session Authenticity
SC-28 Protection of Information at Rest
SC-28(01) Protection of Information at Rest | Cryptographic Protection
SC-39 Process Isolation
SI — System and Information Integrity (24 controls)
SI-01 Policy and Procedures
SI-02 Flaw Remediation
SI-02(02) Flaw Remediation | Automated Flaw Remediation Status
SI-02(03) Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions
SI-03 Malicious Code Protection
SI-04 System Monitoring
SI-04(01) System Monitoring | System-wide Intrusion Detection System
SI-04(02) System Monitoring | Automated Tools and Mechanisms for Real-time Analysis
SI-04(04) System Monitoring | Inbound and Outbound Communications Traffic
SI-04(05) System Monitoring | System-generated Alerts
SI-04(16) System Monitoring | Correlate Monitoring Information
SI-04(18) System Monitoring | Analyze Traffic and Covert Exfiltration
SI-04(23) System Monitoring | Host-based Devices
SI-05 Security Alerts, Advisories, and Directives
SI-06 Security and Privacy Function Verification
SI-07 Software, Firmware, and Information Integrity
SI-07(01) Software, Firmware, and Information Integrity | Integrity Checks
SI-07(07) Software, Firmware, and Information Integrity | Integration of Detection and Response
SI-08 Spam Protection
SI-08(02) Spam Protection | Automatic Updates
SI-10 Information Input Validation
SI-11 Error Handling
SI-12 Information Management and Retention
SI-16 Memory Protection