Check list of Controls for Cloud.Gov #68

Closed
mzia opened this issue May 27, 2016 · 2 comments
Comments

mzia commented May 27, 2016

FedRAMP Controls Moderate Checklist for cloud.gov

Handles designate the assignment of tasks to complete content for the SSP.

Access Control
  • AC-1 ACCESS CONTROL POLICY AND PROCEDURES P1 AC-1 x @dlapiduz
  • AC-2 ACCOUNT MANAGEMENT P1 AC-2 (1) (2) (3) (4) (5) (7) (9) (10) x @dlapiduz
  • AC-3 ACCESS ENFORCEMENT P1 AC-3 x @dlapiduz
  • AC-4 INFORMATION FLOW ENFORCEMENT P1 AC-4 (21) @dlapiduz
  • AC-5 SEPARATION OF DUTIES P1 AC-5 x @dlapiduz
  • AC-6 LEAST PRIVILEGE P1 AC-6 (1) (2) (5) (9) (10) x @dlapiduz
  • AC-7 UNSUCCESSFUL LOGON ATTEMPTS P2 AC-7 @dlapiduz
  • AC-8 SYSTEM USE NOTIFICATION P1 AC-8 @dlapiduz
  • AC-10 CONCURRENT SESSION CONTROL AC-10
  • AC-11 SESSION LOCK P3 AC-11 (1)
  • AC-12 SESSION TERMINATION P2 AC-12
  • AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION P3 AC-14
  • AC-17 REMOTE ACCESS P1 AC-17 (1) (2) (3) (4) (9) x @dlapiduz
  • AC-18 WIRELESS ACCESS P1 AC-18 (1) n/a @NoahKunin
  • AC-19 ACCESS CONTROL FOR MOBILE DEVICES P1 AC-19 (5) n/a @NoahKunin
  • AC-20 USE OF EXTERNAL INFORMATION SYSTEMS P1 AC-20 (1) (2) x
  • AC-21 INFORMATION SHARING P2 AC-21 x
  • AC-22 PUBLICLY ACCESSIBLE CONTENT P3 AC-22
Awareness and Training
  • AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES P1 AT-1
  • AT-2 SECURITY AWARENESS TRAINING P1 AT-2 (2)
  • AT-3 ROLE-BASED SECURITY TRAINING P1 AT-3 x @NoahKunin
  • AT-4 SECURITY TRAINING RECORDS P3 AT-4 x @NoahKunin
Audit and Accountability
  • AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES P1 AU-1 x @dlapiduz @clovett3
  • AU-2 AUDIT EVENTS P1 AU-2 (3) x @dlapiduz @clovett3
  • AU-3 CONTENT OF AUDIT RECORDS P1 AU-3 (1) x @dlapiduz @clovett3
  • AU-4 AUDIT STORAGE CAPACITY P1 AU-4 x @dlapiduz @clovett3
  • AU-5 RESPONSE TO AUDIT PROCESSING FAILURES P1 AU-5 x @dlapiduz @clovett3
  • AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING P1 AU-6 (1) (3) x @dlapiduz @clovett3
  • AU-7 AUDIT REDUCTION AND REPORT GENERATION P2 AU-7 (1) x @dlapiduz @clovett3
  • AU-8 TIME STAMPS P1 AU-8 (1) x @dlapiduz @clovett3
  • AU-9 PROTECTION OF AUDIT INFORMATION P1 AU-9 (2) (4) x @dlapiduz @clovett3
  • AU-11 AUDIT RECORD RETENTION P3 AU-11 x @dlapiduz @clovett3
  • AU-12 AUDIT GENERATION P1 AU-12 x @dlapiduz @clovett3
Security Assessment and Authorization
  • CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES P1 CA-1 x
  • CA-2 SECURITY ASSESSMENTS P2 CA-2 (1) (2) (3) x @NoahKunin
  • CA-3 SYSTEM INTERCONNECTIONS P1 CA-3 (2) (5) x @NoahKunin
  • CA-5 PLAN OF ACTION AND MILESTONES P3 CA-5 x @NoahKunin
  • CA-6 SECURITY AUTHORIZATION P2 CA-6 x @NoahKunin
  • CA-7 CONTINUOUS MONITORING P2 CA-7 (1) x @NoahKunin
  • CA-8 PENETRATION TESTING P2 CA-8 exception (1) x @NoahKunin
  • CA-9 INTERNAL SYSTEM CONNECTIONS P2 CA-9 x @NoahKunin
Configuration Management
  • CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES P1 CM-1 x @clovett3
  • CM-2 BASELINE CONFIGURATION P1 CM-2 (1) (3) (7) x @clovett3
  • CM-3 CONFIGURATION CHANGE CONTROL P1 CM-3 x @clovett3
  • CM-4 SECURITY IMPACT ANALYSIS P2 CM-4
  • CM-5 ACCESS RESTRICTIONS FOR CHANGE P1 CM-5 (1) (3) (5) x @clovett3
  • CM-6 CONFIGURATION SETTINGS P1 CM-6 (1) x @clovett3
  • CM-7 LEAST FUNCTIONALITY P1 CM-7 (1) (2) (5) x @clovett3
  • CM-8 INFORMATION SYSTEM COMPONENT INVENTORY P1 CM-8 (1) (3) (5) x @clovett3
  • CM-9 CONFIGURATION MANAGEMENT PLAN P1 CM-9 @clovett3
  • CM-10 SOFTWARE USAGE RESTRICTIONS P2 CM-10 (1) x @clovett3
  • CM-11 USER-INSTALLED SOFTWARE P1 CM-11 x @clovett3
Contingency Planning
  • CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES P1 CP-1 x @NoahKunin @clovett3
  • CP-2 CONTINGENCY PLAN P1 CP-2 (1) (2) (3) (8) x @NoahKunin @clovett3
  • CP-3 CONTINGENCY TRAINING P2 CP-3 x @NoahKunin @clovett3
  • CP-4 CONTINGENCY PLAN TESTING P2 CP-4 (1) x @NoahKunin @clovett3
  • CP-6 ALTERNATE STORAGE SITE P1 CP-6 (1) (3) x @NoahKunin @clovett3
  • CP-7 ALTERNATE PROCESSING SITE P1 CP-7 (1) (2) (3) x @NoahKunin @clovett3
  • CP-8 TELECOMMUNICATIONS SERVICES P1 CP-8 (1) x @NoahKunin @clovett3
  • CP-9 INFORMATION SYSTEM BACKUP P1 CP-9 (1) (3) x @NoahKunin @clovett3
  • CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION P1 CP-10 (2) x @NoahKunin @clovett3
Identification and Authentication
  • IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES P1 IA-1 x @dlapiduz
  • IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) P1 IA-2 (1) (2) (3) (5) (8) (11) (12) x @dlapiduz
  • IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION P1 IA-3 @dlapiduz
  • IA-4 IDENTIFIER MANAGEMENT P1 IA-4 x @dlapiduz
  • IA-5 AUTHENTICATOR MANAGEMENT P1 IA-5 (1) (2) (3) (4) (6) (7) (11) x @dlapiduz
  • IA-6 AUTHENTICATOR FEEDBACK P2 IA-6 x @dlapiduz
  • IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION P1 IA-7 x @dlapiduz
  • IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) P1 IA-8 (1) (2) (3) (4) @dlapiduz
Incident Response
  • IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES P1 IR-1 x
  • IR-2 INCIDENT RESPONSE TRAINING P2 IR-2 x @jacobian
  • IR-3 INCIDENT RESPONSE TESTING P2 IR-3 (2) x @jacobian
  • IR-4 INCIDENT HANDLING P1 IR-4 (1) x @jacobian
  • IR-5 INCIDENT MONITORING P1 IR-5 x @jacobian
  • IR-6 INCIDENT REPORTING P1 IR-6 (1) x
  • IR-7 INCIDENT RESPONSE ASSISTANCE P2 IR-7 (1) x @jacobian
  • IR-8 INCIDENT RESPONSE PLAN P1 IR-8 x
  • IR-9 INFORMATION SPILLAGE RESPONSE P0 IR-9 (1) (2) (3) (4) @jacobian
Maintenance
  • MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES P1 MA-1 x
  • MA-2 CONTROLLED MAINTENANCE P2 MA-2 x
  • MA-3 MAINTENANCE TOOLS P3 MA-3 (1) (2) (3) x
  • MA-4 NONLOCAL MAINTENANCE P2 MA-4 (2) x
  • MA-5 MAINTENANCE PERSONNEL P2 MA-5 (1) x
  • MA-6 TIMELY MAINTENANCE P2 MA-6 x
Media Protection
Physical and Environmental Protection
  • PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES P1 PE-1
  • PE-2 PHYSICAL ACCESS AUTHORIZATIONS P1 PE-2
  • PE-3 PHYSICAL ACCESS CONTROL P1 PE-3
  • PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM P1 PE-4
  • PE-5 ACCESS CONTROL FOR OUTPUT DEVICES P2 PE-5
  • PE-6 MONITORING PHYSICAL ACCESS P1 PE-6 (1)
  • PE-8 VISITOR ACCESS RECORDS P3 PE-8
  • PE-9 POWER EQUIPMENT AND CABLING P1 PE-9
  • PE-10 EMERGENCY SHUTOFF P1 PE-10
  • PE-11 EMERGENCY POWER P1 PE-11
  • PE-12 EMERGENCY LIGHTING P1 PE-12
  • PE-13 FIRE PROTECTION P1 PE-13 (2) (3)
  • PE-14 TEMPERATURE AND HUMIDITY CONTROLS P1 PE-14
  • PE-15 WATER DAMAGE PROTECTION P1 PE-15
  • PE-16 DELIVERY AND REMOVAL P2 PE-16
  • PE-17 ALTERNATE WORK SITE P2 PE-17
Planning
  • PL-1 SECURITY PLANNING POLICY AND PROCEDURES P1 PL-1
  • PL-2 SYSTEM SECURITY PLAN P1 PL-2 (3)
  • PL-4 RULES OF BEHAVIOR P2 PL-4 (1) x
  • PL-8 INFORMATION SECURITY ARCHITECTURE P1 PL-8
Personnel Security
  • PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES P1 PS-1
  • PS-2 POSITION RISK DESIGNATION P1 PS-2
  • PS-3 PERSONNEL SCREENING P1 PS-3 (3)
  • PS-4 PERSONNEL TERMINATION P1 PS-4
  • PS-5 PERSONNEL TRANSFER P2 PS-5
  • PS-6 ACCESS AGREEMENTS P3 PS-6
  • PS-7 THIRD-PARTY PERSONNEL SECURITY P1 PS-7
  • PS-8 PERSONNEL SANCTIONS P3 PS-8
Risk Assessment
  • RA-1 RISK ASSESSMENT POLICY AND PROCEDURES P1 RA-1
  • RA-2 SECURITY CATEGORIZATION P1 RA-2
  • RA-3 RISK ASSESSMENT P1 RA-3
  • RA-5 VULNERABILITY SCANNING P1 RA-5 (1) (2) (3) (5) (6) (8) x
System and Services Acquisition
  • SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES P1 SA-1
  • SA-2 ALLOCATION OF RESOURCES P1 SA-2
  • SA-3 SYSTEM DEVELOPMENT LIFE CYCLE P1 SA-3
  • SA-4 ACQUISITION PROCESS P1 SA-4 (1) (2) (8) (9) (10)
  • SA-5 INFORMATION SYSTEM DOCUMENTATION P2 SA-5
  • SA-8 SECURITY ENGINEERING PRINCIPLES P1 SA-8
  • SA-9 EXTERNAL INFORMATION SYSTEM SERVICES P1 SA-9 (1) (2) (4) (5)
  • SA-10 DEVELOPER CONFIGURATION MANAGEMENT P1 SA-10 (1)
  • SA-11 DEVELOPER SECURITY TESTING AND EVALUATION P1 SA-11 (1) (2) (8)
System and Communications Protection
  • SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES P1 SC-1 x
  • SC-2 APPLICATION PARTITIONING P1 SC-2 x
  • SC-4 INFORMATION IN SHARED RESOURCES P1 SC-4 x
  • SC-5 DENIAL OF SERVICE PROTECTION P1 SC-5 x
  • SC-6 RESOURCE AVAILABILITY P0 SC-6 x
  • SC-7 BOUNDARY PROTECTION P1 SC-7 (3) (4) (5) (7) (8) (12) (13) (18) x
  • SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY P1 SC-8 (1) x
  • SC-10 NETWORK DISCONNECT P2 SC-10 x
  • SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT P1 SC-12 (2) (3) x
  • SC-13 CRYPTOGRAPHIC PROTECTION P1 SC-13 x
  • SC-15 COLLABORATIVE COMPUTING DEVICES P1 SC-15 x
  • SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES P1 SC-17
  • SC-18 MOBILE CODE P2 SC-18
  • SC-19 VOICE OVER INTERNET PROTOCOL P1 SC-19
  • SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) P1 SC-20
  • SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) P1 SC-21
  • SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE P1 SC-22
  • SC-23 SESSION AUTHENTICITY P1 SC-23 x
  • SC-28 PROTECTION OF INFORMATION AT REST P1 SC-28 (1) x
  • SC-39 PROCESS ISOLATION P1 SC-39 x
System and Information Integrity
  • SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES P1 SI-1 x
  • SI-2 FLAW REMEDIATION P1 SI-2 (2) (3) x
  • SI-3 MALICIOUS CODE PROTECTION P1 SI-3 (1) (2) (7) x
  • SI-4 INFORMATION SYSTEM MONITORING P1 SI-4 (2) (4) (5) (14) (16) (23) x
  • SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES P1 SI-5 x
  • SI-6 SECURITY FUNCTION VERIFICATION P1 SI-6 x
  • SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY P1 SI-7 (1) (7) x
  • SI-8 SPAM PROTECTION P2 SI-8 (1) (2)
  • SI-10 INFORMATION INPUT VALIDATION P1 SI-10 x
  • SI-11 ERROR HANDLING P2 SI-11 x
  • SI-12 INFORMATION HANDLING AND RETENTION P2 SI-12 x
  • SI-16 MEMORY PROTECTION P1 SI-16 x

dlapiduz commented Jun 1, 2016

Moving to individual issues...


afeld commented Jun 1, 2016

See the FedRAMP SSP v1 milestone.
