This response must address all control sub-statement requirements.
Determine if the organization defines information system account types to be identified and selected to support organizational missions/business functions.
Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records.
Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities.
Organizational processes for account management on the information system; automated mechanisms for implementing account management.
NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.
FED - This is related to agency data and agency policy solution.
NSO - All access to Cloud SaaS is via web services and/or API. The device accessed from, and whether access is via a wired or wireless connection, is out of scope. Regardless of the device accessed from, access must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).
NSO - All access to Cloud SaaS is via web services and/or API. The device accessed from is out of scope. Regardless of the device accessed from, access must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).
NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.
NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.
Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.
Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.
Required - Specifically include details of least functionality.
NSO - Not directly related to protection of the data.
NSO - Boundary is specific to the SaaS environment; all access is via web services; users' machines and internal networks are not contemplated. External services (SA-9), internal connections (CA-9), remote access (AC-17), secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.
NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.
NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.
Determine if the information system:
Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.
Attestation - Specifically attest to US-CERT compliance.
Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.
Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.
Condition: If availability is a requirement, define protections in place as per control requirement.
Condition: If implementing, detail how the control is met or not met.
NSO - Not directly related to the security of the SaaS.
Attestation - Specifically related to US-CERT and FedRAMP communications procedures.
This response must address all control sub-statement requirements.
Provide description
Describe the risk
This is a statement about the identified risk as provided by the tool.
This field must be present, but may be blank (or state 'No Risk Statement' if no statement is provided by the tool).
Explain why risk was adjusted.
Provide description
An example set of infrastructure scan findings.
Briefly describe the system. This will appear in the SAR.
Only include this resource if no OSCAL-based SSP is available.
Delete it otherwise.
One or more parties
If the "responsible-party" contains multiple "party-uuid", FedRAMP assumes the "ia-validated" and "csp-validated" prop values apply to each referenced party.
A known subnet, which is not defined in the SSP inventory.
Use any needed prop/annotation allowed in an SSP inventory-item.
Description of the manual test
Describe test step #1
Describe test step #2
Describe test step #3
We will login as a customer and try to see if we can gain access to the Network Administrator and Database Administrator privileges and authorizations by navigating to different views and manually forcing the browser to various URLs
We will test the CAPTCHA function on the web form manually
We will manually test to see if OCSP is validating certificates.
Describe this web application test.
Describe this role based test.
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. Security assessments are an integral part of the FedRAMP security authorization process.
Cloud services must be assessed by an IA. The use of an IA reduces the potential for conflicts of interest that could occur in verifying the implementation status and effectiveness of the security controls. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39, Managing Information Security Risk states:
Assessor independence is an important factor in: (i) preserving the impartial and unbiased nature of the assessment process; (ii) determining the credibility of the security assessment results; and (iii) ensuring that the authorizing official receives the most objective information possible in order to make an informed, risk-based, authorization decision.
This SAP has been developed by [IA Name] and is for [an initial assessment/an annual assessment/an annual assessment and significant change assessment/a significant change assessment] of the [CSP Name], [CSO Name]. The SAP provides the goals for the assessment and details how the assessment will be conducted.
The FedRAMP-applicable laws, regulations, standards, and guidance are included in the [CSO Name] SSP section – System Security Plan Approvals. Additionally, in Appendix L of the SSP, the [CSP Name] has included laws, regulations, standards, and guidance that apply specifically to this system.
This plan is for an initial assessment of [CSO Name], a [One: High/Moderate/Low] baseline system. 100% of the FedRAMP security controls in the system baseline are assessed. The security controls that will be assessed are listed in Appendix A.
This plan is for an annual assessment of [CSO Name], a [One: High/Moderate/Low] baseline system. After the initial security assessment, FedRAMP requires that the system is assessed annually thereafter (12 months from an agency ATO / JAB P-ATO date). While the entire set of security controls is assessed during the initial assessment, a subset is assessed during the annual assessment. The control selection is in accordance with the criteria outlined in the FedRAMP Annual Assessment Guidance and includes:
The detailed control list, including the rationale for each control’s selection, is included in SAP Appendix A, FedRAMP [CSO Name] Security Controls Selection Worksheet.
This document [is for/also includes] the assessment plan for [a significant change/several significant changes]. Appendix D includes the significant change request documentation submitted by [CSP Name] to the [AO/JAB].
Appendix A includes the associated control selections. [IA Name] will evaluate (review and/or test), as necessary, [all items related to continuous monitoring activities/all items related to continuous monitoring activities as well as those that are applicable to the significant change assessment/continuous monitoring activities that are only applicable to the significant change assessment]. [IA Name] will also evaluate all open POA&M items (including VDs) and POA&M closures (to confirm adequate closure), and will validate and confirm the continued relevance and applicability of DRs (false positives (FPs), risk adjustments (RAs), and operational requirements (ORs)) [(if significant change(s) are included): including those applicable to the significant change assessment/applicable only to the significant change assessment].
[CSO Name] leverages the FedRAMP Authorized CSOs listed in Table 3-2. [CSP Name], as a customer of these CSOs, must meet customer requirements documented by the leveraged CSOs in the customer responsibility matrix (CRM). Therefore, [IA Name] will validate to the best of their ability that [CSO Name] is in compliance with customer requirements documented in the CRMs of the leveraged CSOs.
The physical locations of all the different components that will be tested are described in Table 3-3.
SSP Appendix M, FedRAMP Integrated Inventory Workbook, captures the inventory items for the entire system and includes all the following required to be tested for the authorization of this system:
The methodology section of this document describes the approach to the assessment of the inventory.
Additional roles that are being introduced as part of significant changes will be tested and are noted in Appendix D. Role testing will be performed to test the authorization restrictions for each role. [IA Name] will access the system while logged in as different user types and attempt to perform restricted functions for that user.
The following assumptions were agreed upon between [CSP Name] and [IA Name] when developing this SAP:
[IA Name] will perform an assessment of the [CSO Name] security controls using the methodology described in NIST SP 800-53A, incorporating the methodology required by FedRAMP as noted below, and any other methods of testing that may be required to thoroughly test this system authorization boundary. [IA Name] will use the FedRAMP Security Requirements Traceability Matrix (SRTM) Workbook to evaluate the security controls. These test procedures, contained in Excel worksheets, specify the test objectives and associated test cases used to determine whether a control is effectively implemented and operating as intended. The results of the testing shall be recorded in the SRTM workbook for the appropriate High, Moderate, or Low baseline (provided on the FedRAMP Documents and Resources page under Templates) along with information that notes whether the control (or control enhancement) is satisfied or not.
[IA Name] will ensure that all [CSO Name] security controls that have an alternative implementation are included in the final SRTM workbook with test procedures that capture the intent of the control. [CSP Name] is advised that testing alternative control implementations involves additional IA rigor since it is much more difficult to prove the intent of the control is being met. The alternative control implementations that are tested for this assessment are:
Deviations from the SAP-defined methodology are described below.
[IA Name] data gathering activities will consist of the following:
The sampling methodology for evidence/artifact gathering, related to controls assessment, is described in Appendix B.
[IA Name] [will/will not] use sampling when performing vulnerability scanning.
[IA Name] [will/will not] use sampling when testing the following controls:
[IA Name] validates that all security controls required to be tested have appropriate sample sizes for items such as account requests, account terminations, account transfers, and change control processes as captured in the [CSO Name] SSP, [Version X.X], [MM/DD/YYYY]. The controls sampling methodology is described in Appendix B.
The Penetration Test Plan and Methodology is attached in Appendix C.
The [IA Name] security assessment team, [CSP Name] points of contact, testing schedule, and testing tools that will be used are described in the sections that follow.
The [IA Name] security assessment team consists of the individuals listed in Table 6-1. [CSP Name] is urged to check the capabilities of the named individuals to ensure that each is qualified to hold the position, per A2LA’s personnel requirements specified in the A2LA R311 - Specific Requirements: Federal Risk and Authorization Management Program (FedRAMP).
Note that this document is signed in Section 8, by the [IA Name] and [CSP Name]. [CSP Name] has a right and a responsibility to ensure that competent assessors are providing the assessment services. The document should not be signed until [CSP Name] has validated the IA team.
The [CSP Name] POCs are found in Table 6-2. [IA Name] has internal processes to contact the CSP should the need arise.
The security assessment schedule can be found in Table 6-5. Any deviations from this accepted schedule are recorded in the SAR as Deviations.
This describes an activity that was not defined in the SAP, but was performed during the assessment. The justification must be included.
Describe test step #1
Describe test step #2
Describe test step #3
A Windows laptop, which is not defined in the SSP inventory.
Describe assessment laptop.
Ideally, this assessment laptop would have been defined in the SAP, and not repeated here.
[IA Name] recommends this system for authorization.
[IA Name] does not recommend this system for authorization.
[IA Name] recommends this system for continued authorization.
[IA Name] does not recommend this system for continued authorization.
[IA Name] recommends the following [significant change/significant changes] for authorization:
[IA Name] does not recommend the following [significant change/significant changes] for authorization:
Infrastructure Scan Percentage.
Database Scan Percentage.
Web Scan Percentage.
EXAMPLE - Next Gen Web Application Firewall is blocking requests from scanner.
This is a statement about the identified risk as provided by the tool.
This field must be present, but may be blank (or state 'No Risk Statement' if no statement is provided by the tool).
This is a statement about the risk identified by penetration testing.
Signed SAR
Initial publication.
Minor prop updates.
Lastly, provide any supporting notes on FIPS status (e.g. historical) or lack of FIPS compliance (e.g., Module in Process).
For example, any supporting notes on FIPS status (e.g., historical) or lack of FIPS compliance (e.g., Module in Process).
If the leveraged system owner provides a UUID for their system (such as in an OSCAL-based CRM), it should be reflected in the inherited-uuid property.
Must include all leveraged services and features from the leveraged authorization here.
Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.).
If "other", remarks are required. Optional otherwise.
FUNCTION: Describe typical component function.
None
Briefly describe the interconnection.
If "other", remarks are required. Optional otherwise.
If no, explain why. If yes, omit remarks field.
If no, explain why. If yes, omit remarks field.
FedRAMP does not require any specific information here.
Describe the plan to complete the implementation.
Describe any customer-configured requirements for satisfying this control.
Describe the plan to complete the implementation.
SSP Signature
FedRAMP Logo
Separation of Duties Matrix
This is a test checking that profile validation fails if more than one response point is specified for a given (control) part.
This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.
Secure connection to an external API for data enrichment.
Implementation of controls for the Enhanced Example System
Access Control Policy and Procedures (AC-1) is fully implemented in our system.
Information System Component Inventory (CM-8) is partially implemented.
Detailed access control policy document
Authorization Boundary Diagram
Network Architecture Diagram
Data Flow Diagram