PLEASE NOTE: This is an HTML preview only and some elements such as links or page numbers may be incorrect.
Download the book in PDF, ePub for a complete version.
Table 8 provides a listing of the FedRAMP and FedRAMP+ controls / control enhancements that require values. Both DoD RMF and FedRAMP values are provided along with the FedRAMP Additional Requirements and Guidance. These are provided in the format used by the originator. The purpose is to provide a comparison between the DoD and FedRAMP values and to provide the FedRAMP Additional Requirements and Guidance for use by DoD assessors and CSPs. All CSPs are to be assessed IAW the same set of C/CEs and values. Unless otherwise specified, for all Commercial CSPs, the DoD RMF value takes precedence unless the FedRAMP value is more stringent. The full control / control enhancement text is included to provide full context for the value being addressed.
NOTE: For parameter values tagged as "Not appropriate for DoD to define for all CSP's infrastructure or service offerings." The CSP must provide details on how this control / control enhancement is met to include its values in the SSP for the DoD AO to approve.
Table 8 - Control / Enhancement Parameter Values
Control/Enhancement text
Value
AC-1; ACCESS CONTROL; Access Control Policy And Procedures:
The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
References: NIST Special Publications 800-12, 800-100.
AC-1 a. all personnel b. Annually
Source: DoD RMF TAG -------------------
AC-1.b.1 [at least every 3 years] AC-1.b.2 [at least annually]
Source: FedRAMP v2 -------------------
AC-2; ACCESS CONTROL; Account Management:
The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of, information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
References: None.
AC-2 a. Not appropriate for DoD to define for all CSP's infrastructure or service offerings
e. ISSM or ISSO
f. Not appropriate for DoD to define for all CSP's infrastructure or service offerings
The information system automatically [Selection: - removes; - disables ] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
References: None.
AC-2 (2) For temporary user accounts: 72 hours
For emergency admin accounts: never (see supplemental recommendation)
Source: DoD RMF TAG -------------------
[No more than 30 days for temporary and emergency account types]
The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
References: None.
AC-2 (3) 35 days
Source: DoD RMF TAG -------------------
[90 days for user accounts]
Source: FedRAMP v2 -------------------
FedRAMP Additional Requirements and Guidance: Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the Authorizing Official.
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].
References: None.
AC-2 (5) At the end of the users standard work period unless otherwise defined in formal organizational policy.
The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) Monitors privileged role assignments; and (c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
References: None.
AC-2 (7) c. Disables (or revokes) privileged user account
Source: DoD RMF TAG -------------------
AC-2 (9); ACCESS CONTROL; Account Management - Enhancement: Restrictions On Use Of Shared Groups / Accounts
The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts].
References: None.
AC-2 (9) Not appropriate for DoD to define for all CSP's infrastructure or service offerings
Source: DoD RMF TAG -------------------
FedRAMP Additional Requirements and Guidance: Required if shared/group accounts are deployed
The organization: (a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and (b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].
References: None.
AC-2 (12) a. Not appropriate for DoD to define for all CSP's infrastructure or service offerings
b. at a minimum, the ISSO
Source: DoD RMF TAG -------------------
FedRAMP Additional Requirements and Guidance: AC-2 (12)(a) and AC-2 (12)(b) Additional FedRAMP Requirements and Guidance: Required for privileged accounts.
The information system enforces [Assignment: organization-defined discretionary access control policies] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the information system, or the information system's components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control.
References: None.
AC-3 (4) Not appropriate for DoD to define for all CSP's infrastructure or service offerings
Source: DoD RMF TAG -------------------
AC-4; ACCESS CONTROL; Information Flow Enforcement:
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
References: Web: ucdmo.gov
AC-4 Not appropriate for DoD to define for all CSP's infrastructure or service offerings
Source: DoD RMF TAG -------------------
AC-4 (21); ACCESS CONTROL; Information Flow Enforcement - Enhancement: Physical / Logical Separation Of Information Flows
The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
References: None.
AC-4 (21) Not appropriate for DoD to define for all CSP's infrastructure or service offerings
Not appropriate for DoD to define for all CSP's infrastructure or service offerings
Source: DoD RMF TAG -------------------
AC-5; ACCESS CONTROL; Separation Of Duties:
The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties.
References: None.
AC-5 a. Not appropriate for DoD to define for all CSP's infrastructure or service offerings
Source: DoD RMF TAG -------------------
AC-6 (1); ACCESS CONTROL; Least Privilege - Enhancement: Authorize Access To Security Functions
The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
References: None.
AC-6 (1) all functions not publicly accessible and all security-relevant information not publicly available
Source: DoD RMF TAG -------------------
AC-6 (2); ACCESS CONTROL; Least Privilege - Enhancement: Non-Privileged Access For Nonsecurity Functions
The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts, or roles, when accessing nonsecurity functions.
References: None.
AC-6 (2) any privileged security functions or security-relevant information
Source: DoD RMF TAG -------------------
[all security functions]
Source: FedRAMP v2 -------------------
FedRAMP Additional Requirements and Guidance: AC-6 (2). Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.
AC-6 (5); ACCESS CONTROL; Least Privilege - Enhancement: Privileged Accounts
The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].
References: None.
AC-6 (5) Not appropriate for DoD to define for all CSP's infrastructure or service offerings
Source: DoD RMF TAG -------------------
AC-6 (7); ACCESS CONTROL; Least Privilege - Enhancement: Review Of User Privileges
The organization: (a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
References: None.
AC-6 (7) a. at a minimum, annually
a. all users
Source: DoD RMF TAG -------------------
AC-6 (8); ACCESS CONTROL; Least Privilege - Enhancement: Privilege Levels For Code Execution
The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software.
References: None.
AC-6 (8) any software except software explicitly documented
The information system: a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection: - locks the account/node for an [Assignment: organization-defined time period]; - locks the account/node until released by an administrator; - delays next login prompt according to [Assignment: organization-defined delay algorithm] ] when the maximum number of unsuccessful attempts is exceeded.
References: None.
AC-7 a(1). Three a(2). 15 minutes b(1). locks the account/node b(2). Until released by an administrator b(3). Minimum of 5 seconds
Source: DoD RMF TAG -------------------
AC-7a [not more than three] [fifteen minutes]
AC-7b [locks the account/node for thirty minutes]
Source: FedRAMP v2 -------------------
AC-8; ACCESS CONTROL; System Use Notification:
The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
References: None.
AC-8 a. The content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013
c. The content of DTM 08-060, "Policy on Use of Department of Defense (DoD) Information Systems – Standard Consent Banner and User Agreement," March 2013
Source: DoD RMF TAG -------------------
Parameter: See Additional Requirements and Guidance.
Source: FedRAMP v2 -------------------
FedRAMP Additional Requirements and Guidance: Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the Authorizing Official (AO). Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the AO. Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the AO.
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
References: None.
AC-10 all account types and/or accounts
Not appropriate for DoD to define for all CSP's infrastructure or service offerings
Source: DoD RMF TAG -------------------
[three (3) sessions for privileged access and two (2) sessions for non-privileged access]
Source: FedRAMP v2 -------------------
AC-11; ACCESS CONTROL; Session Lock:
The information system: a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.