FedRAMP - Low

FedRAMP stands for Federal Risk and Authorization Management Program. It's a government program that helps federal agencies use cloud services securely.

Controls:

FedRAMP's Access Control (AC) ensures secure user access by enforcing authentication, authorization, least privilege, and session management to protect federal systems from unauthorized access and data breaches.

  • Policy and Procedures

    The AC-1 control under FedRAMP mandates that an organization establishes, documents, and disseminates an access control policy and associated procedures. This control is foundational and provides a framework for managing user access to systems and data, thereby ensuring security and compliance.

  • Account Management

    The AC-2 control within FedRAMP addresses the establishment, implementation, and enforcement of account management practices to support secure access. It requires organizations to identify, manage, and monitor user accounts, including those of employees, contractors, and other authorized entities. AC-2 also covers account authorization, activation, deactivation, and periodic review to prevent unauthorized access.

  • Access Enforcement

    AC-3 requires organizations to enforce access control policies, ensuring that only authorized users, processes, or devices can access systems and resources. It involves implementing measures to enforce the appropriate level of access based on predefined access policies, ensuring that access rights are applied consistently and accurately. Access enforcement mechanisms prevent unauthorized access and misuse of data, and reduce the risk of security breaches by ensuring that the right individuals have the right level of access.

  • Unsuccessful Logon Attempts

    AC-7 mandates that organizations must control and respond to unsuccessful logon attempts to protect systems and data from unauthorized access. This control requires monitoring and limiting the number of consecutive unsuccessful logon attempts by users. The objective is to mitigate the risk of brute force attacks and other attempts to guess user credentials.

    This subcontrol typically involves automatic actions such as locking accounts or triggering alerts after a certain number of failed logon attempts. By enforcing these restrictions, organizations can reduce the likelihood of unauthorized users gaining access to systems through credential guessing, while also maintaining accountability for legitimate users.
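The following is an added illustration of the AC-7 behaviour described above; it is example code written for this page, not FedRAMP or agency code. It counts consecutive failed logons per account inside a time window, applies a temporary lock once the limit is reached, and emits an alert record. The threshold, window and lock duration are constructed placeholder values: FedRAMP leaves the actual numbers to the organization's defined parameters, which this page does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed policy values; the real thresholds come from the organization's
# AC-7 parameters, which this page does not specify.
MAX_FAILURES = 3                          # consecutive failures before lockout
FAILURE_WINDOW = timedelta(minutes=15)    # failures older than this start a fresh count
LOCKOUT_DURATION = timedelta(minutes=30)  # temporary lock, released automatically


@dataclass
class AccountState:
    failures: int = 0
    first_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LogonLimiter:
    """Tracks consecutive unsuccessful logons per account, locks the account
    once the limit is reached, and records an alert for the lockout."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}
        self.alerts: List[str] = []  # stands in for the SIEM / alerting channel

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record_attempt(self, user: str, success: bool, now: datetime) -> str:
        """Apply one authentication outcome; return 'ok', 'rejected' or 'locked'.
        `success` is the verdict of the credential check; this class only
        decides whether that verdict is allowed to take effect."""
        st = self._state(user)
        # An expired lock is released and the counter starts over.
        if st.locked_until is not None and now >= st.locked_until:
            st = self.accounts[user] = AccountState()
        if self.is_locked(user, now):
            return "locked"  # even a correct credential is refused while locked
        if success:
            self.accounts[user] = AccountState()  # success clears the counter
            return "ok"
        # Failures separated by more than the window are not "consecutive".
        if st.first_failure is None or now - st.first_failure > FAILURE_WINDOW:
            st.failures = 0
            st.first_failure = now
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_DURATION
            self.alerts.append(
                f"{now.isoformat()} AC-7 lockout user={user} "
                f"consecutive_failures={st.failures} until={st.locked_until.isoformat()}"
            )
            return "locked"
        return "rejected"


def demo() -> Tuple[List[str], LogonLimiter]:
    """Replay a constructed sequence of attempts and return the verdicts."""
    lim = LogonLimiter()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    script = [
        ("alice", False, 0),        # wrong password
        ("alice", False, 10),       # wrong password, 10 s later
        ("alice", False, 20),       # third consecutive failure -> lock + alert
        ("alice", True, 60),        # right password, but the lock is still active
        ("alice", True, 31 * 60),   # lock expired -> success, counter cleared
        ("bob", False, 0),          # one failure
        ("bob", False, 20 * 60),    # outside the 15-minute window: count restarts at 1
    ]
    verdicts = [lim.record_attempt(u, ok, t0 + timedelta(seconds=s)) for u, ok, s in script]
    return verdicts, lim
```

In a real service the caller checks `is_locked` before running the credential check, so a locked account costs no verification work and the lock applies regardless of the password supplied. The lock is deliberately temporary and always paired with an alert: a permanent lock would let a flood of bad attempts against a legitimate account quietly deny that user service, whereas a timed lock plus an alert keeps the event visible to the security team while the user regains access automatically.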

  • System Use Notification

    AC-8 requires that organizations display a system use notification that informs users of the authorized use of the system and any monitoring or auditing that will occur during their session. This notification must appear at the start of a user session or when users access a system. The notification serves as a reminder that the system is monitored and that any activity may be recorded, ensuring users are aware of the organization's access policies and procedures.

    The objective of this control is to increase transparency and accountability by ensuring users are informed that their actions on the system are subject to monitoring, which helps deter inappropriate or unauthorized use.

  • Permitted Actions Without Identification or Authentication

    AC-14 specifies that an organization must define and control the actions that users or systems can perform without identification or authentication. The goal of this control is to minimize the risk of unauthorized access by ensuring that only appropriate, limited, and non-sensitive actions can be performed without a user being properly identified or authenticated.

    While identification and authentication are crucial to most system interactions, there may be cases where some actions (such as public-facing services or anonymous browsing) do not require identification or authentication. This control ensures that the actions allowed under these conditions do not compromise security or data integrity.

    For example, a user might be able to view publicly available information on a website without authentication, but they should not be able to perform any operations that modify data or access sensitive information.

  • Remote Access

    AC-17 mandates that organizations control remote access to their systems and networks, ensuring that remote access is authorized, monitored, and protected from unauthorized access. This control establishes the requirement to allow remote access only under certain conditions and to implement appropriate safeguards such as encryption, access control mechanisms, and monitoring. The goal is to protect organizational assets, sensitive data, and resources when they are accessed remotely, which is especially important for systems that are accessible from external networks.

    Organizations should ensure that remote access methods, whether through VPNs, remote desktop solutions, or other forms, are properly configured and managed to prevent unauthorized access and maintain the integrity of sensitive data.

  • Wireless Access

    AC-18 mandates the implementation of strict controls to protect wireless access to systems. Wireless networks can present significant security vulnerabilities because they often extend beyond physical premises, making them more susceptible to unauthorized access and eavesdropping. This control requires that all wireless access to information systems is protected against unauthorized access, and that there are strict security measures in place to ensure data confidentiality, integrity, and availability when transmitted over wireless networks.

    Wireless access includes Wi-Fi, Bluetooth, and other forms of wireless communication. Organizations must control and monitor these access points to prevent unauthorized users or devices from connecting to the system. Security measures such as encryption, authentication, and network segmentation should be used to mitigate risks associated with wireless networks.

  • Access Control for Mobile Devices

    AC-19 addresses the need to establish access control mechanisms specifically for mobile devices within an organization’s network and systems. This control ensures that mobile devices—whether personally owned or organization-provided—are properly secured and managed to prevent unauthorized access, data leakage, or potential vulnerabilities. Mobile devices, due to their portability and access to sensitive information, pose an increased risk of exposure if not adequately protected. This control includes mechanisms for ensuring proper authentication, data encryption, and compliance with organization-specific access policies for mobile device usage.

  • Use of External Systems

    AC-20 addresses the security and management of access to external systems. It ensures that any external systems (e.g., third-party services, cloud-based platforms, or devices not under direct control of the organization) are appropriately managed to prevent unauthorized access and ensure that security requirements are enforced. This control establishes requirements for the secure integration, monitoring, and auditing of external systems used within the organization’s environment to ensure that they do not introduce additional vulnerabilities or risks. It also requires organizations to manage the risks associated with using external systems for processing or storing sensitive or critical data.

  • Publicly Accessible Content

    AC-22 addresses the need to manage and control publicly accessible content. It ensures that content made publicly available by an organization is properly identified, classified, and protected from unintentional exposure of sensitive information. The objective is to ensure that publicly accessible content (e.g., website content, publicly available reports, or other documents) is appropriately handled to avoid the risk of disclosing protected, confidential, or sensitive information.

FedRAMP's Awareness and Training (AT) ensures personnel understand security responsibilities through regular training, role-based education, and awareness programs to mitigate risks and strengthen cybersecurity posture.

  • Policy and Procedures

    AT-1 addresses the need for establishing a formal policy and procedures for training individuals on security and privacy practices within the organization. It focuses on ensuring that employees, contractors, and other relevant personnel are properly educated and aware of the risks and responsibilities related to information security. This subcontrol is critical for fostering a security-aware culture and ensuring that personnel understand how to handle sensitive information and respond to potential security threats.

  • Literacy Training and Awareness

    AT-2 requires organizations to provide literacy training and awareness for personnel to ensure they have the foundational knowledge necessary to recognize and respond to security risks. This includes general security awareness and specific training that is relevant to the individual’s role in the organization. Literacy training should include understanding the impact of security vulnerabilities, recognizing potential threats, and ensuring that employees know how to properly handle sensitive information and adhere to organizational security policies.

  • Literacy Training and Awareness | Insider Threat

    AT-2 (2) focuses on training employees to recognize and appropriately respond to potential insider threats. Insider threats involve individuals within an organization who may intentionally or unintentionally cause harm through unauthorized access to data, systems, or resources. The goal of this subcontrol is to ensure that employees are aware of the potential risks posed by insider threats, can identify suspicious behaviors, and understand the steps to report or mitigate these threats.

    This training includes understanding the warning signs of insider threats, the consequences of such threats, and the procedures for reporting any suspicious activities or security breaches. Insider threat literacy is an essential component of a comprehensive security awareness program, particularly in organizations that handle sensitive information or critical infrastructure.

  • Role-based Training

    AT-3 focuses on the requirement for role-based training to ensure employees and personnel are equipped with the appropriate knowledge and skills required to perform their duties securely. This type of training is tailored based on an individual’s specific role within the organization, addressing their unique security responsibilities and risks. By customizing the training to job functions, employees gain relevant security knowledge that directly supports their daily tasks and enhances overall organizational security posture.

  • Training Records

    AT-4 requires organizations to maintain records of security training activities to demonstrate compliance with security awareness and training requirements. These records should include information about the training courses provided, the employees who attended, the completion dates, and the results of any assessments or tests. Training records serve as a key mechanism for tracking employee participation and ensuring that all personnel are adequately trained in security policies, procedures, and potential threats. Additionally, these records help in evaluating the effectiveness of training programs and meeting regulatory compliance requirements.

FedRAMP's Audit and Accountability (AU) requires logging, monitoring, and analyzing system activities to detect security incidents, ensure accountability, and support forensic investigations while maintaining compliance.

  • Policy and Procedures

    AU-1 requires organizations to establish, document, and implement an audit and accountability policy and associated procedures. These policies and procedures should govern the collection, retention, analysis, and protection of audit records. Audit logs help organizations to track user activities, system events, and any changes to systems that might indicate malicious behavior or improper usage. An effective audit and accountability policy ensures that logs are maintained and reviewed regularly to detect and respond to security incidents promptly.

  • Event Logging

    AU-2 mandates the creation, collection, and maintenance of event logs for system and network activities. These logs must capture a variety of security-relevant events to enable security monitoring, analysis, and post-incident investigation. Effective event logging is essential for understanding user activities, identifying security breaches, and supporting accountability. By establishing event logging practices, organizations can document important activities related to system access, data modifications, and potential incidents, ensuring compliance with regulatory and security standards.

  • Content of Audit Records

    AU-3 outlines the requirements for the content of audit records, specifying what data should be captured to ensure effective monitoring, detection, and accountability. The content of audit records is crucial for security event analysis, forensic investigations, and compliance auditing. This control requires organizations to ensure that audit records contain enough detailed information to support the identification, investigation, and response to security incidents. The data captured within these audit records must provide insights into who performed the actions, what was done, when it occurred, and where it happened, along with other relevant details.

  • Audit Log Storage Capacity

    AU-4 requires that organizations maintain sufficient capacity for storing audit logs, ensuring that they are retained for a predefined period, without losing critical data. This subcontrol emphasizes the importance of having enough storage resources to accommodate the volume of audit logs generated by systems and processes. Ensuring that logs are securely stored and readily accessible for analysis is a key element in meeting compliance and enhancing the ability to detect and respond to security incidents.

    Adequate audit log storage is necessary to ensure that logs can be retained for the full retention period required by policies, regulatory requirements, or business needs. This control ensures that the storage systems used for logs are scalable, have appropriate redundancy, and meet both the size and availability requirements.

  • Response to Audit Logging Process Failures

    AU-5 focuses on the organization's ability to respond effectively to audit logging process failures. This subcontrol requires the establishment of procedures for detecting, reporting, and addressing failures in the audit logging process to ensure that audit logs are continuously recorded, stored, and protected. When audit logs are unavailable or compromised, it can hinder an organization's ability to investigate security incidents, track user activity, or meet compliance requirements. Therefore, organizations must have predefined actions and mitigation steps in place to address such failures immediately.

  • Audit Record Review, Analysis, and Reporting

    AU-6 requires organizations to periodically review and analyze audit records to ensure they are being generated, collected, and retained appropriately. This control ensures that logs are systematically examined to identify anomalies, potential security incidents, or noncompliance with policies. It emphasizes the need for ongoing oversight and reporting of audit data to detect early signs of security threats, unauthorized access, or system misuse.

  • Time Stamps

    AU-8 requires the use of accurate and synchronized time stamps in audit records. The time stamps are essential for the integrity and reliability of the audit trail, providing a reliable reference for when specific events occur. These time stamps must be generated by a consistent, accurate time source and must be applied to all events in the audit trail to ensure proper event sequencing and to facilitate effective forensic analysis, investigation, and reporting.

  • Protection of Audit Information

    AU-9 addresses the protection of audit information to ensure that it is not altered or deleted without authorization. This control ensures the confidentiality, integrity, and availability of audit logs and audit records. By securing audit information, organizations can ensure that audit logs can be trusted for investigative, compliance, and forensic purposes. Unauthorized access, modification, or deletion of audit information can undermine the effectiveness of the audit process, leading to loss of critical evidence in the event of a security breach or incident.
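The following added example ties together the three audit controls above: the who / what / when / where / outcome content AU-3 asks for, the timezone-aware UTC time stamps AU-8 asks for, and a tamper-evidence mechanism in the spirit of AU-9. It is example code written for this page, not FedRAMP or agency code. Each record carries an HMAC over its own fields plus the previous record's tag, so that altering, removing or reordering a record breaks the chain at a detectable point. The key, host addresses and events are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed key for the demonstration. In practice the key lives with the
# log collector / integrity service, not on the host that produces the records,
# so a compromised producer cannot re-sign its own history.
CHAIN_KEY = b"constructed-demo-key-do-not-reuse"

# The who / what / on-what / where-from / outcome content AU-3 calls for.
REQUIRED_FIELDS = ("timestamp", "subject", "action", "object", "source", "outcome")


def _canonical(rec: Dict[str, str]) -> bytes:
    """Deterministic encoding of the fields covered by the integrity tag."""
    covered = {k: rec[k] for k in REQUIRED_FIELDS + ("prev",)}
    return json.dumps(covered, sort_keys=True, separators=(",", ":")).encode()


def make_record(subject: str, action: str, obj: str, source: str, outcome: str,
                when: datetime, prev_tag: str = "") -> Dict[str, str]:
    """Build one audit record chained to the previous record's tag."""
    if when.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware (AU-8)")
    rec = {
        "timestamp": when.astimezone(timezone.utc).isoformat(timespec="milliseconds"),
        "subject": subject,   # who
        "action": action,     # what
        "object": obj,        # on what
        "source": source,     # where from
        "outcome": outcome,   # result
        "prev": prev_tag,     # link to the preceding record ("" for the first)
    }
    rec["tag"] = hmac.new(CHAIN_KEY, _canonical(rec), hashlib.sha256).hexdigest()
    return rec


def verify_chain(records: List[Dict[str, str]]) -> int:
    """Return -1 if every record is complete, unmodified and correctly linked;
    otherwise the index of the first record that fails verification."""
    prev = ""
    for i, rec in enumerate(records):
        if any(f not in rec for f in REQUIRED_FIELDS) or "tag" not in rec:
            return i  # incomplete record (AU-3 content missing)
        if rec.get("prev") != prev:
            return i  # a record was removed, reordered or inserted before this one
        expected = hmac.new(CHAIN_KEY, _canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return i  # content changed after the tag was computed
        prev = rec["tag"]
    return -1


def sample_chain() -> List[Dict[str, str]]:
    """Three constructed records, stamped from one synchronized UTC clock."""
    t0 = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    events = [
        ("alice", "logon", "sso-portal", "10.0.0.5", "success"),
        ("alice", "read", "s3://records/2024-q1.csv", "10.0.0.5", "success"),
        ("svc-backup", "modify-config", "sshd_config", "10.0.0.9", "denied"),
    ]
    chain: List[Dict[str, str]] = []
    prev = ""
    for n, (who, what, obj, src, outcome) in enumerate(events):
        rec = make_record(who, what, obj, src, outcome, t0.replace(second=n), prev)
        chain.append(rec)
        prev = rec["tag"]
    return chain
```

The chain does not stop an attacker from deleting the whole log; it makes any edit inside the retained history detectable at review time, which is what supports AU-9's integrity requirement. Protecting availability (forwarding records off-host as they are written, the storage capacity of AU-4) is a separate measure that this example does not cover.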

  • Audit Record Retention

    AU-11 requires that organizations retain audit records for a defined period to support ongoing monitoring, investigations, and legal or compliance needs. The retention of audit records must ensure that they are accessible and usable when needed, while also maintaining their integrity. Organizations are required to keep these logs in a manner that ensures their availability for review by authorized personnel, during security investigations, or audits.

    This subcontrol aims to balance the retention of important audit records with the need to manage data storage and privacy concerns. Retention periods should align with regulatory requirements, organizational policies, and potential incident response needs. Logs should be stored securely and protected from tampering or unauthorized access, and the organization should have defined procedures for securely disposing of audit records once their retention period has expired.

  • Audit Record Generation

    AU-12 specifies the requirement for generating audit records that capture relevant security events and system activities. These records must contain sufficient information to support the monitoring, investigation, and analysis of activities that could impact the system’s security posture. The audit records should be generated automatically and consistently across the system and related infrastructure, ensuring they cover critical actions like user logins, configuration changes, and access to sensitive data.

    This subcontrol emphasizes that audit records should be created for key system activities that are likely to have security implications, such as unauthorized access attempts, privilege escalations, or configuration changes. Organizations must configure systems to ensure that audit logs are generated in real-time and contain enough detail to support later analysis, whether it's for troubleshooting, compliance audits, or security investigations.

FedRAMP's Security Assessment and Authorization (CA) ensures continuous monitoring, independent security assessments, and risk-based authorization to maintain compliance and protect federal systems from threats.

  • Policy and Procedures

    CA-1 requires organizations to develop, implement, and maintain formal policies and procedures that govern the security assessment and authorization (SA&A) process for information systems. These policies and procedures should ensure that systems undergo a comprehensive security evaluation to assess the effectiveness of security controls, manage risks, and confirm that the system is authorized for operation before it is deployed in the operational environment. The security authorization process is essential for ensuring that systems meet the necessary security standards and comply with applicable regulations.

  • Control Assessments

    CA-2 outlines the requirement for organizations to perform assessments of the security controls in place for their information systems to ensure that they are operating effectively and are in compliance with security requirements. This control mandates that organizations conduct regular assessments to verify the performance of security controls, identify vulnerabilities, and confirm that controls are functioning as intended.

    The assessment process includes reviewing technical, administrative, and physical controls within the system and ensures that those controls meet the necessary compliance and security standards. This evaluation is vital for maintaining the confidentiality, integrity, and availability of systems and data by ensuring that vulnerabilities are detected and mitigated.

  • Control Assessments | Independent Assessors

    CA-2 (1) specifies the requirement for organizations to use independent assessors to evaluate the security controls of their systems. This subcontrol ensures that security assessments are unbiased, thorough, and credible by engaging assessors who are independent of the system’s development and operation. The use of independent assessors helps to maintain objectivity, provides external validation of control effectiveness, and ensures that the results of the assessments are trusted by stakeholders.

    Independent assessors are typically external experts who are not directly involved in the day-to-day operations or implementation of the system. This ensures that the findings and recommendations are impartial and based solely on an objective evaluation of the security controls and their effectiveness in mitigating risks.

  • Information Exchange

    CA-3 pertains to ensuring secure and controlled information exchange between the system being assessed and other entities during the security assessment and authorization process. This subcontrol focuses on the protection and proper handling of sensitive information exchanged between internal and external entities, including stakeholders, vendors, third-party auditors, and regulatory bodies.

    The objective is to establish clear, secure methods for exchanging information, such as audit logs, vulnerability assessments, and system security documentation, while ensuring compliance with applicable security requirements. Information exchanged must be protected from unauthorized access and disclosure, and its integrity must be maintained throughout the process. This subcontrol ensures that the system’s security information is managed properly and securely shared with authorized parties only.

  • Plan of Action and Milestones

    CA-5 requires the creation, maintenance, and execution of a Plan of Action and Milestones (POA&M). This plan is a key element of the security assessment and authorization process. It identifies and tracks the remediation of security weaknesses or deficiencies that were discovered during the security assessment or during routine operations. The POA&M should detail the corrective actions, assign responsibilities, set timelines, and outline the resources required to resolve the identified issues.

    This subcontrol ensures that security deficiencies are tracked and addressed in a timely and efficient manner to maintain an acceptable risk posture and ensure that systems continue to operate in compliance with FedRAMP security standards.

  • Authorization

    CA-6 refers to the process of formally authorizing an information system to operate within an organization. This authorization process involves assessing the system's security posture, determining if the system meets the required security controls, and granting approval for the system to operate. The authorization decision is based on a comprehensive evaluation of the system’s compliance with security requirements, as outlined in the System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M).

    The Authorization subcontrol ensures that only systems that meet the necessary security standards are authorized to operate and that the risks associated with their operation are acceptable. This process should involve senior management or designated authorizing officials who review the security documentation, the results of security assessments, and the mitigation of any identified risks before making a decision.

  • Continuous Monitoring

    CA-7 focuses on the ongoing, continuous monitoring of information systems and their security controls. It requires organizations to continuously assess the security posture of their systems after the authorization to operate (ATO) has been granted. The goal is to ensure that the system continues to meet security requirements and that any changes in the system or the environment that could affect security are identified, evaluated, and addressed in a timely manner.

    Continuous monitoring involves the ongoing collection of security data, the assessment of vulnerabilities and threats, and the application of security updates and patches. This process helps detect new security threats, ensure compliance with security requirements, and maintain the authorization status of the system.

  • Continuous Monitoring | Risk Monitoring

    CA-7 (4) focuses on integrating risk monitoring into the continuous monitoring program. This subcontrol emphasizes the need for ongoing identification, assessment, and management of security risks as part of the organization's continuous monitoring efforts. Risk monitoring should provide the necessary data and insights to proactively address vulnerabilities, threats, and potential risks that could impact the system’s security and compliance posture. It requires the organization to have a systematic process for identifying emerging risks and adjusting security measures accordingly.

  • Penetration Testing

    CA-8 requires that penetration testing be conducted as part of the overall security assessment process to identify vulnerabilities and weaknesses in the system. Penetration testing simulates a cyberattack on the system's defenses to identify potential exploitation points that could lead to unauthorized access or data breaches. The goal is to ensure that systems can withstand sophisticated attack techniques and that vulnerabilities are remediated before being exploited in the real world.

    Penetration testing should be conducted periodically or whenever there are significant changes to the system or the threat landscape. The results of the testing should be used to improve the overall security posture and address any discovered vulnerabilities.

  • Internal System Connections

    CA-9 focuses on ensuring that internal system connections are properly managed, assessed, and monitored to maintain security and operational integrity. The control requires that organizations establish, manage, and review internal connections, such as those between network segments, servers, databases, or services that are within the scope of the security authorization. This ensures that these internal connections do not inadvertently introduce security vulnerabilities and that their design and configuration align with the security requirements of the organization.

    In the context of FedRAMP, CA-9 emphasizes the importance of safeguarding connections between systems or components that support the operational functions of the information system, ensuring that they adhere to the security policies and procedures set forth in the security authorization.

FedRAMP's Configuration Management (CM) ensures secure system settings, change control, and continuous monitoring to prevent unauthorized modifications, maintain integrity, and enhance security compliance.

  • Policy and Procedures

    CM-1 focuses on establishing, documenting, and maintaining policies and procedures for configuration management (CM). These policies and procedures ensure that the configuration of information systems is properly managed throughout their lifecycle, from initial design and development to decommissioning. The goal is to establish consistent and secure configuration practices that maintain the security posture of the system, minimize vulnerabilities, and comply with regulatory standards such as FedRAMP. This subcontrol also mandates regular updates and improvements to configuration management practices as part of ongoing system maintenance.

  • Baseline Configuration

    CM-2 requires the establishment, documentation, and maintenance of baseline configurations for information systems. A baseline configuration is a predefined, secure configuration of system components (hardware, software, firmware, and network devices) that serves as a reference point for the security and operational integrity of the system. This baseline must be maintained and updated regularly to ensure that it aligns with current security standards, addresses vulnerabilities, and reflects any changes in the system or its environment.

    The baseline configuration defines the minimum security controls that must be in place to protect the system. By creating and enforcing this baseline, organizations can ensure consistency, reduce security vulnerabilities, and facilitate easier audits and assessments.

  • Impact Analyses

    CM-4 focuses on the systematic analysis of the impact of proposed changes to an information system's configuration. This process helps ensure that changes made to the system, whether related to hardware, software, or configurations, do not unintentionally degrade system security, functionality, or performance. Impact analyses are critical for assessing potential risks, system dependencies, and the broader effects on the organization’s security posture before implementing changes.

  • Access Restrictions for Change

    CM-5 mandates that access to change management processes be restricted to authorized individuals. This subcontrol ensures that only personnel with the necessary permissions are allowed to implement or request changes to system configurations. It reduces the risk of unauthorized changes, which could undermine system security, create vulnerabilities, or compromise compliance with regulatory requirements.

  • Configuration Settings

    CM-6 addresses the necessity of managing configuration settings to ensure that systems and components are securely configured. It mandates that systems must be set to operate in a secure and consistent state, with predefined security and operational settings established and maintained. The goal of this control is to prevent systems from being deployed or used with insecure configurations that could expose the system to vulnerabilities or operational inefficiencies.
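The following added example shows one concrete form of the CM-2 baseline and the CM-6 settings check described above: a baseline expressed as the explicit settings a hardened configuration must carry, a parser for the host's current configuration file, and a comparison that reports drift. It is example code written for this page, not FedRAMP or any vendor's tooling. The baseline values and the sample configuration are constructed for the demonstration and use sshd_config-style keywords; they are this example's choices, not values FedRAMP mandates.

```python
import re
from typing import Dict, List, Tuple

# Constructed baseline (CM-2): the explicit settings the hardened SSH daemon
# configuration must carry. Keys follow sshd_config naming; values are this
# example's choices.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
    "X11Forwarding": "no",
}

# Constructed "current" configuration as it might be read from a host.
# Deviations from the baseline are deliberate so the check has something to find.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
# drift: the baseline requires "no"
PermitRootLogin yes
# '=' as separator is also accepted by sshd
MaxAuthTries=6
# sshd keywords are case-insensitive
loglevel VERBOSE
X11Forwarding no
# PasswordAuthentication is not set at all, so the daemon default applies
"""

_LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' / 'Key=value' lines into a dict keyed by lower-cased
    keyword. Whole-line comments and blank lines are skipped. Like sshd, the
    first occurrence of a keyword wins, so a later duplicate cannot override it."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # not a keyword line; ignored rather than guessed at
        key, value = m.groups()
        settings.setdefault(key.lower(), value)
    return settings


def check_drift(baseline: Dict[str, str],
                current: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Compare a parsed configuration with the baseline.
    Returns (key, expected, actual, status) tuples in baseline order:
    'drift' when the value differs, 'missing' when the baseline setting is not
    explicitly present (an implicit daemon default is not an approved setting)."""
    findings: List[Tuple[str, str, str, str]] = []
    for key, expected in baseline.items():
        actual = current.get(key.lower())
        if actual is None:
            findings.append((key, expected, "", "missing"))
        elif actual.lower() != expected.lower():
            findings.append((key, expected, actual, "drift"))
    return findings


def audit_sample() -> List[Tuple[str, str, str, str]]:
    """Run the check against the constructed sample configuration."""
    return check_drift(BASELINE, parse_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    for key, expected, actual, status in audit_sample():
        print(f"{status:8} {key}: expected={expected!r} actual={actual!r}")
```

Treating an absent setting as a finding rather than silently accepting the daemon default is the design choice that matters here: a baseline is only enforceable if every required value is stated explicitly, so that a default changing between software versions cannot move the system off its approved configuration unnoticed.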

  • Least Functionality

    CM-7 focuses on ensuring that systems are configured to provide only the essential functionalities necessary for their intended operation. This principle, known as least functionality, is designed to minimize the attack surface by reducing the number of services, applications, and features running on a system. By limiting functionality, organizations decrease the potential avenues for unauthorized access, exploitation, or other security breaches.

    This subcontrol is a core component of system hardening efforts and ensures that systems are not unnecessarily exposed to risks due to unused or unneeded services or software.

  • System Component Inventory

    CM-8 requires that organizations maintain an up-to-date and accurate inventory of all system components. This includes all hardware, software, and firmware elements that make up the system, as well as the relationships between them. The inventory should be comprehensive and continually updated to reflect changes in the system’s configuration and infrastructure.

    The purpose of this control is to ensure that all components of the information system are known, traceable, and can be monitored for vulnerabilities, compliance, and performance. By maintaining a complete system component inventory, organizations can improve system management, mitigate risk, and streamline security assessments.

  • Software Usage Restrictions

    CM-10 requires organizations to establish and enforce policies and procedures for restricting the use of unauthorized or unapproved software on system components. This includes ensuring that only approved software is installed, configured, and executed on systems, in alignment with security requirements and operational needs. These restrictions help mitigate risks related to malicious software, software vulnerabilities, and non-compliance with licensing or regulatory requirements. Enforcing software usage restrictions also assists in maintaining the integrity and security of systems and helps to prevent unauthorized changes or security breaches.

  • User-installed Software

    CM-11 addresses the need for organizations to manage software installations performed by users, ensuring that any software installed by end-users is authorized, compliant, and does not introduce security risks. This control ensures that user-installed software does not compromise system integrity, data confidentiality, or security posture. It requires mechanisms to monitor, control, and restrict software installations by non-administrative users, including enforcing policies for the installation of software on systems, and auditing any installations that occur.
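    The three controls above share one practical check: compare what a host actually reports against the approved inventory. As an added example (not text from the FedRAMP baseline or from any project's code), the following Python reconciles a constructed component inventory against a constructed list of installed software and produces the findings CM-8, CM-10 and CM-11 ask for: software not on the approved list, approved software at an unapproved version, software installed by non-administrative users, and baseline entries the host did not report. The package names, versions and the `installed_by` field are assumptions made for the example.

```python
"""Reconcile observed software against an approved component inventory.

Added example: the baseline and the observed list below are constructed
sample data standing in for a CM-8 inventory and a package-manager report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    installed_by: str  # "admin" or "user"; assumed field reported by the collector


# Constructed approved baseline (CM-8): name -> set of approved versions.
APPROVED = {
    "openssh-server": {"9.6p1"},
    "nginx": {"1.24.0", "1.26.1"},
    "python3": {"3.11.9"},
    "auditd": {"3.1.2"},
}

# Constructed observed list, as a collector might report it from one host.
OBSERVED = [
    Component("openssh-server", "9.6p1", "admin"),
    Component("nginx", "1.25.0", "admin"),   # approved package, unapproved version
    Component("python3", "3.11.9", "admin"),
    Component("telnet", "0.17", "user"),     # not approved (CM-10) and user-installed (CM-11)
]


def reconcile(approved, observed):
    """Return a dict of findings keyed by category.

    unapproved     - observed software absent from the baseline (CM-10)
    version_drift  - approved software at a version not in the baseline
    user_installed - software installed by a non-administrative user (CM-11)
    missing        - baseline entries the host did not report (CM-8 accuracy)
    """
    findings = {"unapproved": [], "version_drift": [], "user_installed": [], "missing": []}
    seen = set()
    for comp in observed:
        seen.add(comp.name)
        if comp.name not in approved:
            findings["unapproved"].append(comp)
        elif comp.version not in approved[comp.name]:
            findings["version_drift"].append(comp)
        if comp.installed_by != "admin":
            findings["user_installed"].append(comp)
    findings["missing"] = sorted(set(approved) - seen)
    return findings


def summarize(findings):
    """One line per finding, suitable for a ticket or an audit log entry."""
    lines = []
    for category in ("unapproved", "version_drift", "user_installed"):
        for comp in findings[category]:
            lines.append(f"{category}: {comp.name} {comp.version} (installed_by={comp.installed_by})")
    for name in findings["missing"]:
        lines.append(f"missing: {name} present in baseline but not reported")
    return lines


if __name__ == "__main__":
    for line in summarize(reconcile(APPROVED, OBSERVED)):
        print(line)
```

    In practice the observed list would come from a package manager or endpoint agent and the baseline from the CM-8 inventory of record; the reconciliation logic is the same, and running it on a schedule turns the inventory from a document into a detection.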

FedRAMP's Contingency Planning (CP) ensures systems can recover from disruptions through backups, disaster recovery plans, and regular testing to maintain operational resilience and data integrity.

  • Policy and Procedures

    The CP-1 control requires that an organization establishes, documents, and implements contingency planning policies and procedures to ensure ongoing operations during unexpected disruptions. The purpose of this control is to set the foundation for an effective contingency planning program by defining the responsibilities, procedures, and resources needed to restore system operations and minimize impact on organizational objectives in the event of a crisis.

  • Contingency Plan

    The CP-2 control requires the organization to develop, document, and implement a contingency plan for information systems. This plan provides a roadmap for responding to potential disruptions and outlines actions necessary for restoring system operations. The contingency plan focuses on preparing for incidents, detailing recovery strategies, and minimizing the impact on essential services.

  • Contingency Training

    CP-3 focuses on the establishment and maintenance of contingency training for organizational personnel. The objective is to ensure that all individuals who are part of the contingency planning process are equipped with the necessary knowledge and skills to effectively execute the contingency plan during an emergency or system failure. This includes training on roles and responsibilities, emergency procedures, and the recovery of critical assets.

  • Contingency Plan Testing

    CP-4 mandates the testing of contingency plans to ensure they are effective and can be executed in a real-world scenario. The goal of this control is to verify that the contingency plan meets the organization's recovery and business continuity objectives and that personnel are familiar with their roles and responsibilities in executing the plan. Testing should be done regularly to ensure that the plan is up-to-date, comprehensive, and aligned with the organization's current operational needs and threat landscape.

  • System Backup

    CP-9 focuses on the need for organizations to implement system backups to ensure that data and critical system components can be restored in the event of a disaster, system failure, or other unexpected events. This control mandates that organizations regularly back up essential system configurations, software, and data to maintain the ability to recover from potential disruptions. The backup process must ensure that data remains available and can be restored within a predefined time frame to meet business continuity and disaster recovery objectives.
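    A backup that has never been restored is an untested assumption. As an added example (not the baseline's text or any project's code), the following Python creates an archive of a constructed data directory together with a SHA-256 manifest, restores it to a separate location, verifies every file against the manifest, and reports whether the restore finished within a stated recovery time. It also shows that a manifest which no longer matches the restored data is detected. The file contents, paths and the five-second objective are assumptions for the example.

```python
"""Create a backup with a SHA-256 manifest, then restore and verify it.

Added example: files, paths and the recovery-time value are constructed for
illustration; a real job would target the system's data and an off-system
destination.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, dest_dir):
    """Archive every file under source_dir and write a per-file digest manifest."""
    source_dir, dest_dir = Path(source_dir), Path(dest_dir)
    manifest = {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*")) if p.is_file()
    }
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:                      # archive exactly what the manifest lists
            tar.add(source_dir / rel, arcname=rel)
    (dest_dir / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest


def restore_and_verify(archive, manifest, target_dir):
    """Extract the archive and check every manifested file; return (ok, mismatches, seconds)."""
    target_dir = Path(target_dir)
    start = time.monotonic()
    # The "data" extraction filter (Python 3.12, backported to maintenance releases)
    # refuses archive members that would escape target_dir.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target_dir, **extract_kwargs)
    mismatches = []
    for rel, digest in manifest.items():
        restored = target_dir / rel
        if not restored.is_file() or sha256_file(restored) != digest:
            mismatches.append(rel)
    return not mismatches, mismatches, time.monotonic() - start


def run_backup_drill(recovery_time_objective_s=5.0):
    """Back up a constructed directory, restore it, and report completeness,
    integrity, timing, and whether a tampered manifest is caught."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.conf").write_text("listen=127.0.0.1\n")      # constructed content
        (src / "records.csv").write_text("id,value\n1,alpha\n2,beta\n")      # constructed content
        (work / "backups").mkdir()
        archive, manifest = create_backup(src, work / "backups")
        ok, mismatches, seconds = restore_and_verify(archive, manifest, work / "restore")
        # Simulate a manifest that no longer matches what was restored.
        tampered = dict(manifest)
        tampered["records.csv"] = "0" * 64
        _, tampered_mismatches, _ = restore_and_verify(archive, tampered, work / "restore2")
        return {
            "ok": ok,
            "mismatches": mismatches,
            "files": len(manifest),
            "within_rto": seconds <= recovery_time_objective_s,
            "tamper_detected": tampered_mismatches == ["records.csv"],
        }


if __name__ == "__main__":
    print(run_backup_drill())
```

    The manifest should be stored separately from the archive (and, in a real deployment, signed), so that a corrupted or substituted backup cannot also rewrite the evidence used to verify it.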

  • System Recovery and Reconstitution

    CP-10 focuses on ensuring that the organization has a structured approach to system recovery and reconstitution following a disruption or incident. It involves the processes, policies, and tools needed to restore the system to its operational state, ensuring minimal downtime and a quick return to business as usual. This includes not only technical recovery but also the reconstitution of systems to a functional state after an outage, cyberattack, or disaster, by utilizing backup data, previous configurations, or alternate systems.

FedRAMP's Identification and Authentication (IA) enforces secure user access through identity verification, multi-factor authentication, and credential management to prevent unauthorized access and ensure system integrity.

  • Policy and Procedures

    IA-1 establishes the requirement for developing and maintaining a formal set of policies and procedures that guide the identification and authentication of users, devices, and systems. These policies and procedures are essential to ensure that only authorized individuals, devices, and systems are granted access to organizational assets and services. The purpose is to protect the confidentiality, integrity, and availability of systems and data by preventing unauthorized access.

  • Identification and Authentication (Organizational Users)

    IA-2 requires the implementation of processes and controls to uniquely identify and authenticate users within the organization. This includes ensuring that every organizational user (including employees, contractors, and third-party users) is uniquely identified and authenticated prior to gaining access to any organizational information systems. The goal is to verify the identity of users to prevent unauthorized access, which is crucial for safeguarding sensitive data and resources.

  • Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged Accounts

    IA-2 (1) mandates the implementation of multi-factor authentication (MFA) for privileged accounts in organizational systems. Privileged accounts have elevated access and control over critical systems and sensitive data, making them attractive targets for malicious actors. Multi-factor authentication adds an extra layer of security by requiring users to provide more than one form of verification (something they know, something they have, or something they are) to gain access. This control aims to reduce the likelihood of unauthorized access to privileged accounts by enhancing the authentication process beyond simple passwords.

  • Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privileged Accounts

    IA-2 (2) requires the implementation of multi-factor authentication (MFA) for non-privileged organizational accounts, ensuring that all users, regardless of their privilege level, are authenticated using more than one factor. This control is designed to protect against unauthorized access by adding an additional layer of security to the authentication process. While privileged accounts have direct access to sensitive systems and data, non-privileged accounts may still hold access to critical or personally identifiable information (PII), so enhanced authentication is still needed. MFA for non-privileged accounts reduces the likelihood of successful attacks such as phishing or credential theft.

  • Identification and Authentication (Organizational Users) | Access to Accounts — Replay Resistant

    IA-2 (8) requires that systems and applications implement mechanisms to protect against replay attacks in the authentication process. A replay attack occurs when an attacker intercepts a valid authentication message and reuses it to gain unauthorized access. To prevent this, authentication systems must ensure that credentials, tokens, or other authentication data are resistant to replay. This typically involves using time-sensitive tokens, one-time passwords (OTPs), or cryptographic nonce values that cannot be reused.
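    The mechanism the paragraph describes can be made concrete with a challenge-response exchange. As an added example (not the baseline's text or any project's code), the following Python shows both sides: the server issues a random, single-use, time-limited nonce, the client answers with an HMAC over its user name and the nonce using a pre-shared key, and the server consumes the nonce on first use so that a captured response replayed later is rejected, as is a response to a challenge that has expired. The shared key, user name and 30-second lifetime are assumptions for the example.

```python
"""Replay-resistant challenge-response authentication (added example).

The server issues a random, single-use, time-limited nonce; the client proves
possession of a pre-shared key by returning an HMAC over user||nonce. A
replayed response fails because the nonce is consumed on first use, and a
late response fails because the challenge expires. Key material, user names
and the 30-second lifetime are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_S = 30  # assumed lifetime of an issued challenge


def compute_response(key, user, nonce):
    """Client side: HMAC-SHA256 over user||nonce with the shared key."""
    msg = user.encode() + b"|" + nonce.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReplayResistantVerifier:
    """Server side: track outstanding nonces and accept each one at most once."""

    def __init__(self, shared_keys, clock=time.time):
        self.shared_keys = shared_keys   # user -> key bytes (assumed pre-provisioned)
        self.clock = clock               # injectable so expiry can be tested
        self.pending = {}                # nonce -> (user, issued_at)

    def issue_challenge(self, user):
        nonce = secrets.token_hex(16)    # 128 bits of randomness; reuse is negligible
        self.pending[nonce] = (user, self.clock())
        return nonce

    def verify(self, user, nonce, response):
        # pop() consumes the nonce: a second presentation, valid or not, is rejected.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False                 # unknown, already used, or purged
        owner, issued_at = entry
        if owner != user or self.clock() - issued_at > CHALLENGE_TTL_S:
            return False                 # wrong principal or stale challenge
        key = self.shared_keys.get(user)
        if key is None:
            return False
        expected = compute_response(key, user, nonce)
        return hmac.compare_digest(expected, response)

    def purge_expired(self):
        """Drop stale challenges so the pending table cannot grow without bound."""
        now = self.clock()
        stale = [n for n, (_, t) in self.pending.items() if now - t > CHALLENGE_TTL_S]
        for n in stale:
            del self.pending[n]
        return len(stale)


def simulate():
    """Legitimate login, then a replay of the captured response, then an expired challenge."""
    clock = [1_000.0]
    key = b"example-shared-key"  # constructed; a real key is provisioned per user
    verifier = ReplayResistantVerifier({"alice": key}, clock=lambda: clock[0])
    nonce = verifier.issue_challenge("alice")
    response = compute_response(key, "alice", nonce)
    first = verifier.verify("alice", nonce, response)      # accepted
    replay = verifier.verify("alice", nonce, response)     # rejected: nonce consumed
    nonce2 = verifier.issue_challenge("alice")
    response2 = compute_response(key, "alice", nonce2)
    clock[0] += CHALLENGE_TTL_S + 1
    expired = verifier.verify("alice", nonce2, response2)  # rejected: challenge expired
    return first, replay, expired


if __name__ == "__main__":
    print(simulate())
```

    The same two properties, single use and bounded lifetime, are what make time-based one-time passwords and signed tokens with short validity replay resistant; the server-side record of which values have already been accepted is the part implementations most often omit.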

  • Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials

    IA-2 (12) mandates that federal information systems accept Personal Identity Verification (PIV) credentials as a means of authentication for organizational users. PIV credentials are government-issued identity credentials that incorporate multifactor authentication and are used to verify the identity of users accessing federal systems. The control ensures that federal systems accept PIV credentials for access in a manner that meets NIST standards, particularly the guidelines provided in FIPS 201-2.

  • Identifier Management

    IA-4 pertains to the management of identifiers used for identification and authentication processes within an organization. This control requires organizations to implement procedures to establish, maintain, and retire user identifiers in a secure and consistent manner. The purpose is to ensure that identifiers are managed across their lifecycle—from creation and maintenance to deletion—without compromising security or accountability.

  • Authenticator Management

    IA-5 requires organizations to establish and maintain effective management of authenticators (e.g., passwords, PINs, cryptographic keys, biometrics, smart cards, etc.) used to verify the identity of users accessing organizational systems. The control ensures that authenticators are securely handled, protected, and regularly updated to maintain the integrity of the authentication process.

    Authenticator management includes issuing, revoking, storing, and maintaining authenticators to ensure their security and proper usage in line with the organization's access control policies.

  • Authenticator Management | Password-based Authentication

    IA-5 (1) focuses on managing password-based authentication. This subcontrol ensures that password policies are established and enforced to maintain the security of user authentication, mitigating the risks associated with weak or compromised passwords. The subcontrol requires that passwords meet certain complexity, length, and expiration criteria, and are stored securely. Furthermore, it ensures that passwords are used correctly and that secure mechanisms are in place to reset or recover passwords when necessary.

  • Authentication Feedback

    IA-6 focuses on providing feedback to users during the authentication process to help them understand whether the provided credentials (username, password, etc.) were correct. This control requires that feedback provided by the system should not reveal sensitive information about whether the user ID or the password was incorrect. For example, error messages should not specify which part of the credential (user ID or password) is incorrect. This helps to prevent attackers from using trial and error to guess valid usernames or passwords.
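    IA-5 (1) and IA-6 meet in the login path: the password must be checked against a policy when it is set, stored in a form that resists offline recovery, and a failed login must answer the same way whether the user name or the password was wrong. As an added example (not the baseline's text or any project's code), the following Python enforces a length and character-class policy at enrollment, stores salted PBKDF2-HMAC-SHA256 digests, and returns one generic failure message for both failure modes. It also hashes against a decoy record when the user name is unknown, so the two failures cost the same time; that timing point goes a step beyond the paragraph, which speaks only of the message content. The policy values and iteration count are assumptions for the example.

```python
"""Password policy enforcement (IA-5 (1)) and uniform authentication feedback (IA-6).

Added example. Passwords are stored as salted PBKDF2-HMAC-SHA256 digests; a
login attempt returns the same message whether the user name is unknown or
the password is wrong, and performs the same hashing work in both cases so
timing does not reveal which one failed. Policy values and the iteration
count are assumptions for the example.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 14                # assumed policy minimum
PBKDF2_ITERATIONS = 200_000    # assumed; chosen so the example runs quickly
GENERIC_FAILURE = "Invalid username or password."


def check_password_policy(password):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2; returns (salt, digest). A fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialStore:
    def __init__(self):
        self.users = {}
        # Decoy record used when the user name is unknown, so an unknown user costs
        # the same hashing work as a wrong password (a timing consideration that
        # complements the uniform message IA-6 asks for).
        self._decoy = hash_password("decoy-value-never-a-real-credential")

    def enroll(self, username, password):
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return (success, message); the message never says which field was wrong."""
        salt, stored = self.users.get(username, self._decoy)
        _, candidate = hash_password(password, salt)
        password_ok = hmac.compare_digest(stored, candidate)
        if username in self.users and password_ok:
            return True, "Login successful."
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    store = CredentialStore()
    store.enroll("alice", "Correct-Horse-Battery-9")     # constructed sample credential
    print(store.login("alice", "Correct-Horse-Battery-9"))
    print(store.login("alice", "not-the-password"))
    print(store.login("nobody", "Correct-Horse-Battery-9"))
```

    Detailed reasons for a failure still belong in the server-side audit log, where AC-7 lockout logic and incident monitoring can use them; only the message returned to the client is kept generic.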

  • Cryptographic Module Authentication

    IA-7 addresses the requirement for the authentication of cryptographic modules used to protect sensitive information within an organization's system. The subcontrol mandates that cryptographic modules must be properly authenticated before use to ensure their integrity, security, and that they function as intended. Cryptographic module authentication ensures that systems are not using counterfeit or unauthorized cryptographic algorithms or keys, protecting the system from unauthorized access and misuse of sensitive information.

    This control specifically applies to systems that use cryptographic modules, such as those that use encryption, decryption, key management, digital signatures, or other cryptographic operations to secure data or authenticate users and devices.

  • Identification and Authentication (Non-organizational Users)

    IA-8 focuses on the identification and authentication processes for non-organizational users. Non-organizational users include contractors, vendors, and third-party service providers who may access organizational systems or data but are not directly employed by the organization. This control ensures that proper procedures are in place to verify the identity of non-organizational users before granting access to sensitive information or systems. This is critical for maintaining the security of the system and ensuring that access is limited to authorized individuals only.

    Non-organizational users often access systems remotely or through external interfaces, which increases the need for secure authentication methods to prevent unauthorized access, especially if sensitive data is involved. The control outlines the requirements for authenticating these external users, ensuring that they are properly identified and that their access is appropriately managed.

  • Identification and Authentication (Non-organizational Users) | Acceptance of PIV Credentials from Other Agencies

    IA-8 (1) addresses the requirement for an organization to accept Personal Identity Verification (PIV) credentials issued by other federal agencies for non-organizational users. PIV credentials are used as an authentication mechanism to establish the identity of an individual. This subcontrol ensures that non-organizational users, such as contractors or vendors, from other government agencies can securely access systems by using their PIV credentials. It helps standardize authentication practices across federal agencies, fostering interoperability while ensuring secure access to sensitive resources.

    The acceptance of PIV credentials from other agencies simplifies user management and access control by allowing individuals who already possess valid, government-issued credentials to authenticate and gain access to organizational systems without needing separate, redundant credentialing processes.

  • Identification and Authentication (Non-organizational Users) | Acceptance of External Authenticators

    IA-8 (2) addresses the requirement for organizations to accept external authenticators for non-organizational users when they need to access systems and services. External authenticators are authentication mechanisms provided by trusted third-party organizations or vendors, such as external identity providers (IdPs), authentication services, or single sign-on (SSO) systems. This subcontrol ensures that external users—such as contractors, vendors, or other partners—can securely access organizational systems using external credentials that meet the organization’s security requirements.

    By accepting external authenticators, the organization can facilitate secure and efficient authentication for external parties, reducing the need for maintaining separate, organization-specific authentication systems while adhering to the security standards outlined by FedRAMP.

  • Identification and Authentication (Non-organizational Users) | Use of Defined Profiles

    IA-8 (4) requires organizations to ensure that non-organizational users (e.g., contractors, vendors, partners) who are authenticated for access to organizational resources use defined profiles. These profiles provide a standardized approach to how external users authenticate and interact with organizational systems, ensuring that access is consistent, secure, and aligned with security policies.

    Defined profiles help organizations control and manage non-organizational user identities in a way that supports compliance with security requirements while limiting exposure to risks. This subcontrol ensures that external users are assigned appropriate roles and privileges, preventing excessive access and ensuring that only necessary permissions are granted based on their specific needs.

  • Re-authentication

    IA-11 requires that organizations implement re-authentication mechanisms to ensure that a user continues to have valid authentication for an ongoing session. This control is crucial to mitigate risks from session hijacking or other types of unauthorized access that may occur during long-lived sessions. Re-authentication involves requiring the user to authenticate again at defined intervals or under specific conditions, such as after a period of inactivity or when sensitive operations are performed.

    Re-authentication enhances the overall security posture by ensuring that an authenticated user is still authorized to perform the actions they are attempting to do, especially in environments where sessions may persist over an extended period.
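    The conditions the control names can be expressed as a small decision function on session state. As an added example (not the baseline's text or any project's code), the following Python tracks when a session was last authenticated and last active, and requires re-authentication when the session has exceeded its absolute lifetime, when the user has been inactive too long, or when a sensitive operation is requested and the last authentication is not recent enough. The time limits and the set of sensitive actions are assumptions for the example.

```python
"""Session re-authentication checks (added example).

Three triggers from IA-11 are modelled: absolute session lifetime, inactivity
timeout, and step-up for sensitive operations. The limits and the action
names are assumptions chosen for the example.
"""
from dataclasses import dataclass

MAX_SESSION_AGE_S = 12 * 3600   # assumed absolute lifetime of a session
INACTIVITY_LIMIT_S = 15 * 60    # assumed idle time before re-authentication
STEP_UP_WINDOW_S = 5 * 60       # assumed: sensitive actions need auth within this window
SENSITIVE_ACTIONS = {"change_password", "rotate_api_key", "export_records"}  # assumed


@dataclass
class Session:
    user: str
    authenticated_at: float   # seconds; when the user last proved their identity
    last_activity: float      # seconds; when the session was last used


def reauth_reason(session, action, now):
    """Return None if the action may proceed, otherwise why re-authentication is required.

    Checks are ordered from strongest to weakest so the reported reason is the
    one a user cannot clear by simply continuing to use the session.
    """
    if now - session.authenticated_at > MAX_SESSION_AGE_S:
        return "session lifetime exceeded"
    if now - session.last_activity > INACTIVITY_LIMIT_S:
        return "inactivity timeout"
    if action in SENSITIVE_ACTIONS and now - session.authenticated_at > STEP_UP_WINDOW_S:
        return "sensitive operation requires recent authentication"
    return None


def authorize(session, action, now):
    """Gate an action; on success record the activity so the idle timer restarts."""
    reason = reauth_reason(session, action, now)
    if reason is None:
        session.last_activity = now
        return True, None
    return False, reason


def reauthenticate(session, now):
    """Called after the user has successfully presented credentials again."""
    session.authenticated_at = now
    session.last_activity = now


if __name__ == "__main__":
    s = Session("alice", authenticated_at=0.0, last_activity=0.0)
    print(authorize(s, "view_dashboard", 60.0))      # (True, None)
    print(authorize(s, "rotate_api_key", 400.0))     # step-up required
    reauthenticate(s, 400.0)
    print(authorize(s, "rotate_api_key", 401.0))     # (True, None)
```

    Note that successful ordinary activity refreshes only `last_activity`, never `authenticated_at`; the step-up window and the absolute lifetime can be satisfied only by a fresh authentication, which is what keeps a hijacked long-lived session from performing sensitive operations indefinitely.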

FedRAMP's Incident Response (IR) ensures timely detection, reporting, and mitigation of security incidents through predefined procedures, continuous monitoring, and regular testing to minimize impact and enhance resilience.

  • Policy and Procedures

    IR-1 requires organizations to establish and maintain formal policies and procedures for incident response. This subcontrol ensures that an organization is prepared to manage security incidents effectively and efficiently, minimizing potential damage. These policies and procedures must define the roles, responsibilities, and actions required when an incident occurs and should guide the organization in detecting, reporting, analyzing, and responding to security incidents promptly.

    An incident response policy should cover all phases of incident management, from preparation and identification to containment, eradication, recovery, and lessons learned. Clear, documented processes ensure consistency in response efforts, provide accountability, and promote a structured approach to incident handling. The procedures should be tested regularly to ensure they are effective and align with industry standards and regulatory requirements.

  • Incident Response Training

    IR-2 requires organizations to provide ongoing training to personnel involved in incident response activities. This ensures that all individuals, including incident responders, security analysts, and other relevant personnel, are well-prepared to detect, respond to, and manage security incidents in a coordinated and efficient manner. Training should cover the roles and responsibilities of incident response, response protocols, and the technical skills necessary to mitigate and recover from incidents.

    The training should include awareness of the organization's incident response policy, procedures, tools, and communication protocols. Additionally, employees should be regularly tested through exercises and simulations to ensure they understand their roles and can respond effectively in a real incident.

  • Incident Handling

    IR-4 focuses on ensuring that an organization has defined procedures for handling incidents, including detection, reporting, assessment, response, and recovery activities. These procedures should cover both the technical and operational aspects of incident management. The goal is to provide a structured and effective approach for managing incidents, minimizing impact, and recovering from disruptions as quickly as possible.

    Incident handling includes a clear flow from the initial identification of an incident through to its resolution. Effective incident handling procedures ensure that the appropriate personnel, tools, and resources are in place to manage a variety of potential security incidents. This includes incidents such as unauthorized access attempts, data breaches, malware infections, and system outages.

  • Incident Monitoring

    IR-5 requires the implementation of procedures for continuous monitoring of incidents to ensure early detection and response. Incident monitoring involves the ongoing observation of system activities to identify potential security incidents, ensuring that anomalies or malicious activities are recognized promptly. This includes the use of automated tools to monitor network traffic, system logs, and user behavior, as well as leveraging threat intelligence feeds and other relevant data sources to identify potential threats in real time.

    An effective incident monitoring system ensures that security incidents are detected as soon as they occur, allowing for a quick response to mitigate potential damage. Additionally, continuous monitoring helps organizations to stay ahead of emerging threats by providing insights into attack patterns and trends.

  • Incident Reporting

    IR-6 mandates that organizations establish and maintain a structured process for reporting security incidents. This process should ensure timely and accurate reporting of incidents to internal and external stakeholders, such as senior management, affected individuals, regulatory bodies, and other relevant parties. The goal is to facilitate an organized and effective response to security incidents and to ensure compliance with applicable reporting requirements, including any legal or regulatory obligations.

    The incident reporting process should include clear procedures for documenting the nature, scope, and impact of an incident, as well as the response actions taken. This ensures that stakeholders are properly informed and can take appropriate action if necessary.

  • Incident Response Assistance

    Provides assistance for incident handling.

  • Incident Response Plan

    Ensures a documented plan for handling incidents.

FedRAMP's Maintenance (MA) ensures secure system upkeep through controlled updates, inspections, and repairs while preventing unauthorized access and maintaining operational integrity.

  • Policy and Procedures

    Establishes maintenance policies and procedures.

  • Controlled Maintenance

    Ensures maintenance activities are authorized and tracked.

  • Nonlocal Maintenance

    Controls maintenance performed remotely.

  • Maintenance Personnel

    Controls which personnel are authorized to perform system maintenance.

FedRAMP's Media Protection (MP) ensures secure handling, storage, and disposal of digital and physical media to prevent unauthorized access, data leaks, and information compromise.

  • Policy and Procedures

    Establishes media protection policies.

  • Media Access

    Restricts access to digital and physical media.

  • Media Sanitization

    Ensures proper disposal of sensitive media.

  • Media Use

    Restricts the use of removable media.

FedRAMP's Physical and Environmental Protection (PE) safeguards facilities, hardware, and data through access controls, surveillance, environmental monitoring, and disaster prevention to ensure system availability and security.

  • Policy and Procedures

    Establish, document, and disseminate physical and environmental protection policies.

  • Physical Access Authorizations

    Control access to facilities where information systems reside.

  • Physical Access Control

    Implement mechanisms to restrict physical access to information systems.

  • Monitoring Physical Access

    Implement monitoring mechanisms to detect unauthorized physical access.

  • Visitor Access Records

    Maintain logs of visitor access to secure facilities.

  • Emergency Lighting

    Ensures that emergency lighting is available in the event of power loss.

  • Fire Protection

    Establishes fire protection mechanisms for safeguarding assets.

  • Environmental Controls

    Ensures environmental conditions are monitored and maintained.

  • Water Damage Protection

    Protects systems from water damage.

  • Delivery and Removal

    Controls asset deliveries and removals.

FedRAMP's Planning (PL) ensures the development, documentation, and implementation of security policies, procedures, and system security plans to manage risks and maintain compliance.

  • Policy and Procedures

    Establishes planning policies and procedures.

  • System Security and Privacy Plans

    Develops security and privacy plans.

  • Rules of Behavior

    Defines expected behaviors for system users to prevent unauthorized activities.

  • Rules of Behavior | Social Media and External Site/Application Usage Restrictions

    Specifies limitations on the use of social media and external applications for security purposes.

  • Security and Privacy Architectures

    Establishes the framework for integrating security and privacy into system architecture.

  • Baseline Selection

    Identifies and selects security control baselines based on system impact levels.

  • Baseline Tailoring

    Customizes security control baselines to align with specific system needs.

FedRAMP's Personnel Security (PS) ensures background checks, access controls, and security training to minimize insider threats and protect sensitive information.

  • Policy and Procedures

    Establishes personnel security policies and procedures.

  • Position Risk Designation

    Assigns risk levels to job positions based on security sensitivity.

  • Personnel Screening

    Conducts background checks on employees based on risk levels.

  • Personnel Termination

    Defines procedures for revoking access upon employee termination.

  • Personnel Transfer

    Ensures access rights are updated when employees change roles.

  • Access Agreements

    Requires employees to formally acknowledge security responsibilities.

  • External Personnel Security

    Ensures security measures extend to external personnel (e.g., contractors, vendors).

  • Personnel Sanctions

    Defines disciplinary actions for non-compliance with security policies.

  • Position Descriptions

    Establishes security responsibilities in job descriptions.

FedRAMP's Risk Assessment (RA) ensures continuous identification, analysis, and mitigation of security risks through regular assessments, vulnerability scans, and threat modeling to enhance system resilience and compliance.

  • Policy and Procedures

    Defines the risk assessment policy and procedures.

  • Security Categorization

    Categorizes information and systems based on impact.

  • Risk Assessment

    Conducts regular risk assessments.

  • Risk Assessment | Supply Chain Risk Assessment

    Evaluates supply chain security risks.

  • Vulnerability Monitoring and Scanning

    Implements continuous vulnerability assessment.

  • Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned

    Ensures up-to-date vulnerability scanning.

  • Vulnerability Monitoring and Scanning | Public Disclosure Program

    Implements vulnerability disclosure mechanisms.

  • Risk Response

    Establishes risk response strategies.

FedRAMP's System and Services Acquisition (SA) ensures security is integrated into procurement, development, and maintenance processes by enforcing risk management, secure coding, and supply chain protections.

  • Allocation of Resources

    Ensures that security resources are allocated to acquisition activities.

  • System Development Life Cycle

    Incorporates security into the system development lifecycle (SDLC).

  • Acquisition Process

    Ensures that security is a requirement in system and service acquisitions.

  • System Documentation

    Ensures that security documentation is maintained for acquired systems.

  • Security and Privacy Engineering Principles

    Integrates security engineering principles into system development and acquisition.

  • External System Services

    Ensures security oversight for external services.

FedRAMP's System and Communications Protection (SC) protects system boundaries, communications, and stored information through boundary protection, denial-of-service defenses, cryptographic protection of data in transit and at rest, secure name/address resolution, and process isolation.

  • Policy and Procedures

    Establishes security policies and procedures.

  • Denial-of-service Protection

    Implements protections against DoS attacks.

  • Boundary Protection

    Controls communications across system boundaries.

  • Transmission Confidentiality and Integrity

    Protects data in transit from eavesdropping and tampering.

  • Transmission Confidentiality and Integrity | Cryptographic Protection

    Uses cryptography to secure data transmission.

  • Cryptographic Protection

    Ensures data protection using encryption.

  • Collaborative Computing Devices and Applications

    Implements security controls for collaboration tools.

  • Secure Name/Address Resolution Service (Authoritative Source)

    Ensures authoritative name/address resolution services protect integrity and authenticity.

  • Secure Name/Address Resolution Service (Recursive or Caching Resolver)

    Ensures integrity and authenticity of recursive/caching name/address resolution.

  • Architecture and Provisioning for Name/Address Resolution Service

    Ensures secure design and implementation of name/address resolution services.

  • Protection of Information at Rest

    Protects stored sensitive data from unauthorized access.

  • Protection of Information at Rest | Cryptographic Protection

    Encrypts information at rest using cryptographic methods.

  • Process Isolation

    Ensures isolation of processes to prevent unauthorized access.

FedRAMP's System and Information Integrity (SI) ensures continuous monitoring, vulnerability management, and malware protection to detect, prevent, and respond to security threats, ensuring data accuracy and system reliability.

  • Policy and Procedures

    Establishes system integrity policies and procedures.

  • Flaw Remediation

    Ensures timely detection and remediation of security flaws.

  • Malicious Code Protection

    Protects systems against malware and other malicious code.

  • System Monitoring

    Ensures continuous monitoring of systems for security threats.

  • Security Alerts, Advisories, and Directives

    Implements alerting mechanisms for security threats.

  • Information Management and Retention

    Manages and retains information in accordance with applicable laws, regulations, and records requirements.

FedRAMP's Supply Chain Risk Management (SR) ensures the identification, assessment, and mitigation of risks from external vendors and service providers to protect system integrity, confidentiality, and availability.

  • Policy and Procedures

    Establishes policy and procedures for supply chain risk management (SCRM).

  • Supply Chain Risk Management Plan | Establish SCRM Team

    Develops a supply chain risk management plan and establishes a SCRM team to implement supply chain controls and processes.

  • Acquisition Strategies, Tools, and Methods

    Requires organizations to implement security-focused acquisition strategies.

  • Notification Agreements

    Establishes formal agreements for supply chain risk notifications.

  • Inspection of Systems or Components

    Mandates physical and logical inspections of supply chain components.

  • Component Authenticity

    Requires verification of IT component authenticity.

  • Component Authenticity | Anti-counterfeit Training

    Requires training personnel on detecting counterfeit components.

  • Component Authenticity | Configuration Control for Component Service and Repair

    Ensures security controls for servicing and repairing components.

  • Component Disposal

    Requires secure disposal of IT components.