cloud.gov · XLS file · FedRAMP Controls, Moderate baseline: Control Implementation Summary (CIS) and Customer Responsibilities
FedRAMP Controls, Moderate baseline

Columns: Control ID | Implementation Status: Implemented, Partially Implemented, Planned, Alternative Implementation

Control ID (an x after the ID is the status mark in the adjacent cell):

AC-1 x; AC-2 x; AC-2 (1) x; AC-2 (2); AC-2 (3) x; AC-2 (4) x; AC-2 (5) x; AC-2 (7) x; AC-2 (9) x; AC-2 (10) x; AC-2 (12) x; AC-3 x; AC-4 x; AC-4 (21) x; AC-5 x; AC-6 x; AC-6 (1) x; AC-6 (2) x; AC-6 (5) x; AC-6 (9) x; AC-6 (10) x; AC-7 x; AC-8 x; AC-10 x; AC-11 x; AC-11 (1) x; AC-12 x; AC-14 x; AC-17 x; AC-17 (1) x; AC-17 (2) x; AC-17 (3) x; AC-17 (4) x; AC-17 (9) x; AC-18; AC-18 (1); AC-19; AC-19 (5) x; AC-20 x; AC-20 (1) x; AC-20 (2) x; AC-21 x; AC-22 x
AT-1 x; AT-2 x; AT-2 (2) x; AT-3 x
AT-4 x
AU-1 x; AU-2 x; AU-2 (3) x; AU-3 x; AU-3 (1) x; AU-4 x; AU-5 x; AU-6 x; AU-6 (1) x; AU-6 (3) x; AU-7 x; AU-7 (1) x; AU-8 x; AU-8 (1) x; AU-9 x; AU-9 (2) x; AU-9 (4) x; AU-11 x; AU-12 x
CA-1 x; CA-2 x; CA-2 (1) x; CA-2 (2) x; CA-2 (3) x; CA-3; CA-3 (3) x; CA-3 (5); CA-5 x; CA-6 x; CA-7 x; CA-7 (1) x; CA-8 x; CA-8 (1) x; CA-9 x
CM-1 x; CM-2 x; CM-2 (1) x; CM-2 (2) x; CM-2 (3) x; CM-2 (7) x; CM-3 x; CM-4 x; CM-5 x; CM-5 (1) x; CM-5 (3) x; CM-5 (5) x; CM-6 x; CM-6 (1) x; CM-7 x; CM-7 (1) x; CM-7 (2) x; CM-7 (5) x; CM-8 x; CM-8 (1) x; CM-8 (3) x; CM-8 (5) x
CM-9 x; CM-10 x; CM-10 (1) x; CM-11 x
CP-1 x; CP-2 x; CP-2 (1) x; CP-2 (2) x; CP-2 (3) x; CP-2 (8) x; CP-3 x; CP-4 x; CP-4 (1) x; CP-6 x; CP-6 (1) x; CP-6 (3) x; CP-7 x; CP-7 (1) x; CP-7 (2) x; CP-7 (3) x; CP-8 x; CP-8 (1) x; CP-8 (2) x; CP-9 x; CP-9 (1) x; CP-9 (3) x; CP-10 x; CP-10 (2) x
IA-1 x; IA-2 x; IA-2 (1) x; IA-2 (2) x; IA-2 (3); IA-2 (5); IA-2 (8) x; IA-2 (11) x; IA-2 (12) x; IA-3 x; IA-4 x; IA-4 (4) x; IA-5 x; IA-5 (1) x; IA-5 (2) x; IA-5 (3) x; IA-5 (4) x; IA-5 (6) x; IA-5 (7) x; IA-5 (11) x; IA-6 x; IA-7 x; IA-8 x; IA-8 (1) x; IA-8 (2) x; IA-8 (3); IA-8 (4) x
IR-1 x; IR-2 x
IR-3 x; IR-3 (2) x; IR-4 x; IR-4 (1) x; IR-5 x; IR-6 x; IR-6 (1) x; IR-7 x; IR-7 (1) x; IR-7 (2) x; IR-8 x; IR-9 x; IR-9 (1) x; IR-9 (2) x; IR-9 (3) x; IR-9 (4) x
MA-1 x; MA-2 x; MA-3 x; MA-3 (1) x; MA-3 (2) x; MA-3 (3) x; MA-4 x; MA-4 (2) x; MA-5 x; MA-5 (1) x; MA-6 x
MP-1 x; MP-2 x; MP-3 x; MP-4 x; MP-5 x; MP-5 (4) x; MP-6 x; MP-6 (2) x; MP-7 x; MP-7 (1) x
PE-1 x; PE-2 x; PE-3 x; PE-4 x; PE-5 x; PE-6 x; PE-6 (1) x; PE-8 x; PE-9 x; PE-10 x; PE-11 x; PE-12 x; PE-13 x; PE-13 (2) x; PE-13 (3) x; PE-14 x; PE-14 (2) x; PE-15 x; PE-16 x; PE-17 x
PL-1 x; PL-2 x; PL-2 (3) x; PL-4 x; PL-4 (1) x; PL-8 x
PS-1 x; PS-2 x; PS-3 x; PS-3 (3); PS-4 x; PS-5 x; PS-6 x; PS-7 x; PS-8 x
RA-1 x; RA-2 x; RA-3 x; RA-5 x; RA-5 (1) x; RA-5 (2) x; RA-5 (3) x; RA-5 (5) x; RA-5 (6) x; RA-5 (8) x
SA-1 x; SA-2 x; SA-3 x; SA-4 x; SA-4 (1) x; SA-4 (2) x; SA-4 (8) x; SA-4 (9) x; SA-4 (10); SA-5 x; SA-8 x; SA-9 x; SA-9 (1) x; SA-9 (2) x; SA-9 (4) x; SA-9 (5) x; SA-10 x; SA-10 (1) x; SA-11 x; SA-11 (1) x; SA-11 (2) x; SA-11 (8) x
SC-1 x; SC-2 x; SC-4 x; SC-5 x; SC-6 x; SC-7 x; SC-7 (3) x; SC-7 (4) x; SC-7 (5) x; SC-7 (7)
SC-7 (8); SC-7 (12) x; SC-7 (13) x; SC-7 (18) x; SC-8 x; SC-8 (1) x; SC-10 x x; SC-12 x; SC-12 (2) x x; SC-12 (3); SC-13 x; SC-15; SC-17 x; SC-18 x; SC-19; SC-20 x x; SC-21 x; SC-22 x; SC-23 x; SC-28 x; SC-28 (1) x; SC-39 x
SI-1 x; SI-2 x; SI-2 (2) x; SI-2 (3) x; SI-3 x; SI-3 (1) x; SI-3 (2) x; SI-3 (7) x; SI-4 x; SI-4 (1) x; SI-4 (2) x; SI-4 (4) x; SI-4 (5) x; SI-4 (14); SI-4 (16) x; SI-4 (23) x; SI-5 x; SI-6 x; SI-7 x; SI-7 (1) x; SI-7 (7) x; SI-8; SI-8 (1); SI-8 (2); SI-10 x; SI-11 x; SI-12 x; SI-16 x
Implementation Status: Not applicable
Control Origination:
Service Provider Corporate (GSA/18F)
Service Provider System Specific (cloud.gov)
Service Provider Hybrid (Service Provider Corporate and Service Provider System Specific)
Configured by Customer (Customer System Specific)
Control Origination
Provided by Customer (Customer System Specific)
Shared (Service Provider and Customer Responsibility)
Inherited from Pre-Existing Provisional Authorization (AWS GovCloud)
Ref #: 1 through 13

GUIDANCE: For the controls and enhancements identified in the Control Implementation Summary (CIS) as being Shared (Column L), please explain what the Customer responsibility is in the "Customer Responsibility" column below and note the corresponding controls and enhancements in the "Controls Reference" column.
Customer Responsibility
Customers are responsible for identifying and authorizing the software programs within their application spaces.
Customers are responsible for scanning for vulnerabilities in their applications.
Customers are responsible for managing access to their customer application data.
Customers are responsible for managing the "External" roles listed in Table 9-1 User Roles and Privileges (including Application System Owner, Org Manager, Org Auditor, Space Manager, Space Developer, and Space Auditor), which are the roles available for customer Orgs, Spaces, and Applications. Customer responsibility includes assigning personnel to those roles (using the principle of least privilege), removing them from roles, and identifying non-organizational users with access.
cloud.gov delegates authentication to customer enterprise single-sign-on identity systems. Customers are responsible for configuring, monitoring, and managing their authentication systems. This includes:
* Monitoring (and handling or restricting) inactive accounts, inactive authentication sessions, shared/group access, and invalid login attempts.
* Implementing multi-factor authentication (MFA) for all accounts.
* Handling identity verification, management, and authorization.
* Managing authenticators.
* Conforming to FICAM-issued profiles, if applicable.
Customers are responsible for ensuring that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
Customers are responsible for ensuring that their application's activities are monitored and captured within audit logs, and for reviewing and analyzing their application logs. They may use cloud.gov's built-in logging features to help them fulfill this requirement.
Customers are responsible for ensuring that their applications comply with the cloud.gov Rules of Behavior ("Use your account responsibly" on https://cloud.gov/docs/getting-started/accounts/) and all applicable federal and agency laws and policies.
Customers are responsible for identifying and handling information spills related to their applications, including identifying the specific information involved, alerting appropriate personnel, implementing procedures, and training personnel. Customers may request assistance from cloud.gov for handling information spills.
Customer agencies and cloud.gov have a shared responsibility to create, review, and approve inter-agency agreements (IAAs) that allow customer agencies to access and use cloud.gov.
cloud.gov requires that customer applications use HTTPS. HSTS is enabled by default. Customers are responsible for enabling stricter HSTS settings if they need to. Customers are responsible for selecting a name resolution service that fulfills this requirement and for obtaining certificates for custom domains.
cloud.gov EBS volumes, RDS, and S3 buckets are encrypted at rest. Customers are responsible for further encrypting any sensitive information in their customer applications, and for auditing the permissions their users have for managing their applications.
Customers are responsible for fulfilling information handling and storage requirements in their applications in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Controls Reference
AC-2, AC-2 (7), AC-5, AC-6, IA-8
IA-5 (7)
AU-2, AU-6, AU-6 (3), AU-7 (1)
CM-7 (2)
CM-7 (5)
IR-9, IR-9 (1), IR-9 (2), IR-9 (3), IR-9 (4)
PS-6
RA-5
SC-4
AC-2 (3), AC-2 (5), AC-2 (9), AC-2 (10), AC-7, IA-2 (1), IA-2 (2), IA-4, IA-4 (4), IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (4), IA-5 (6), IA-8 (4)
SC-8, SC-20
SC-28, SC-28 (1)
SI-12