FedRAMP High

United States

v1.0

1 domains

417 controls

FedRAMP High baseline, based on NIST SP 800-53 Revision 5, includes all 421 security controls with FedRAMP-specific tailoring and implementation guidance.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (1)

Other

417 controls

Controls in the Other domain of FedRAMP High — 417 controls
Code	Title	Description
AC-1	Policy and Procedures	Develop and disseminate access control policy and procedures; review at least annually (FedRAMP parameter); update follo...
AC-10	Concurrent Session Control	Limit concurrent sessions per account to FedRAMP-defined number (3 for privileged, 2 for non-privileged).
AC-11	Device Lock	Prevent further access by initiating device lock after 15 minutes inactivity (FedRAMP) or upon user request.
AC-12	Session Termination	Automatically terminate user session after FedRAMP-defined conditions (idle timeout, trigger events).
AC-14	Permitted Actions Without Identification or Authentication	Identify and document actions allowed without identification or authentication.
AC-17	Remote Access	Establish usage restrictions, configuration requirements, and authorize remote access prior to allowing.
AC-17(1)	Monitoring and Control	Employ automated mechanisms to monitor and control remote access.
AC-17(2)	Protection of Confidentiality and Integrity Using Encryption	Implement cryptographic mechanisms to protect remote access sessions; FIPS-validated.
AC-17(3)	Managed Access Control Points	Route remote accesses through FedRAMP-defined number of managed network access control points.
AC-17(4)	Privileged Commands and Access	Authorize execution of privileged commands and access to security-relevant information via remote access only for define...
AC-17(9)	Disconnect or Disable Access	Provide capability to disconnect or disable remote access within FedRAMP-defined time period (15 minutes).
AC-18	Wireless Access	Establish configuration requirements, usage restrictions, authorize wireless access.
AC-18(1)	Authentication and Encryption	Protect wireless access using authentication and encryption (WPA2/3 Enterprise minimum).
AC-18(3)	Disable Wireless Networking	Disable wireless networking capabilities embedded in devices when not needed.
AC-18(4)	Restrict Configurations by Users	Identify users authorized to independently configure wireless; restrict others.
AC-18(5)	Antennas and Transmission Power Levels	Select antenna and transmission power to reduce signal leakage outside boundary.
AC-19	Access Control for Mobile Devices	Establish configuration requirements and usage restrictions for mobile devices.
AC-19(5)	Full Device or Container-Based Encryption	Employ full device or container-based encryption on mobile devices.
AC-2	Account Management	Manage accounts; review at least monthly for privileged, every six months for non-privileged (FedRAMP); notify within Fe...
AC-2(1)	Automated System Account Management	Support account management via automated mechanisms; required at HIGH baseline.
AC-2(11)	Usage Conditions	Enforce circumstances and usage conditions on account use (time of day, location, etc.).
AC-2(12)	Account Monitoring for Atypical Usage	Monitor accounts for atypical use; report anomalies to defined personnel.
AC-2(13)	Disable Accounts for High-Risk Individuals	Disable accounts of users posing significant risk within FedRAMP-defined timeframe (1 hour).
AC-2(2)	Automated Temporary and Emergency Account Management	Automatically disable temporary and emergency accounts within FedRAMP-defined timeframe (no longer than 24 hours).
AC-2(3)	Disable Accounts	Disable accounts within FedRAMP-defined timeframe when no longer required, terminated, or inactive (35 days inactive).
AC-2(4)	Automated Audit Actions	Automatically audit account creation, modification, enabling, disabling, removal; notify defined personnel.
AC-2(5)	Inactivity Logout	Require users to log out when inactivity exceeds FedRAMP-defined period (15 minutes for non-mobile, 30 for mobile).
AC-2(7)	Privileged User Accounts	Establish and administer privileged accounts per role-based scheme; monitor role assignments; revoke when no longer need...
AC-2(9)	Restrictions on Use of Shared and Group Accounts	Only permit shared/group accounts when meeting FedRAMP-defined conditions; document and approve.
AC-20	Use of External Systems	Establish terms and conditions for use of external systems; prohibit unless authorized.
AC-20(1)	Limits on Authorized Use	Permit use of external systems only after verifying security/privacy controls or approved connection agreement.
AC-20(2)	Portable Storage Devices Restricted Use	Restrict use of organization-controlled portable storage on external systems.
AC-21	Information Sharing	Enable authorized users to determine whether access authorizations match sharing restrictions.
AC-22	Publicly Accessible Content	Designate users authorized to post; train them; review content quarterly for nonpublic information.
AC-3	Access Enforcement	Enforce approved authorizations for logical access in accordance with policy.
AC-4	Information Flow Enforcement	Enforce approved information flow control policies between connected systems and within the system.
AC-4(21)	Physical or Logical Separation of Information Flows	Separate information flows logically or physically using FedRAMP-defined mechanisms.
AC-4(4)	Flow Control of Encrypted Information	Prevent encrypted information from bypassing flow control mechanisms; required at HIGH.
AC-4(8)	Security and Privacy Policy Filters	Enforce information flow control using approved security/privacy policy filters.
AC-5	Separation of Duties	Identify and document duties requiring separation; define access authorizations to support.
AC-6	Least Privilege	Employ least privilege; allow only authorized access necessary to accomplish assigned tasks.
AC-6(1)	Authorize Access to Security Functions	Authorize access for FedRAMP-defined personnel to security functions and security-relevant information.
AC-6(10)	Prohibit Non-Privileged Users from Executing Privileged Functions	Prevent non-privileged users from executing privileged functions.
AC-6(2)	Non-Privileged Access for Nonsecurity Functions	Require privileged users to use non-privileged accounts for nonsecurity functions.
AC-6(3)	Network Access to Privileged Commands	Authorize network access to privileged commands only for FedRAMP-defined needs; document rationale.
AC-6(5)	Privileged Accounts	Restrict privileged accounts to FedRAMP-defined personnel or roles.
AC-6(7)	Review of User Privileges	Review privileges at least quarterly (FedRAMP) and reassign or remove as needed.
AC-6(8)	Privilege Levels for Code Execution	Prevent specified software from executing at higher privilege levels than necessary.
AC-6(9)	Log Use of Privileged Functions	Log execution of privileged functions.
AC-7	Unsuccessful Logon Attempts	Enforce limit of 3 consecutive invalid logon attempts within 15 minutes (FedRAMP); lock for 30 min or until released.
AC-8	System Use Notification	Display approved system use notification/banner before granting access; FedRAMP requires specific language.
AT-1	Policy and Procedures	Develop, disseminate, and review awareness and training policy and procedures at least annually.
AT-2	Literacy Training and Awareness	Provide security awareness training within FedRAMP-defined timeframe of onboarding, on system change, and at least annua...
AT-2(2)	Insider Threat	Include insider threat recognition and reporting in awareness training.
AT-2(3)	Social Engineering and Mining	Include social engineering and social mining recognition in training.
AT-3	Role-Based Training	Provide role-based security training to personnel with significant security responsibilities before authorizing access a...
AT-4	Training Records	Document and monitor security training; retain records for FedRAMP-defined period (5 years).
AU-1	Policy and Procedures	Develop and review audit/accountability policy annually.
AU-10	Non-Repudiation	Provide irrefutable evidence that an entity performed an action; HIGH baseline.
AU-11	Audit Record Retention	Retain audit records for at least one year (FedRAMP minimum) with 90 days immediately accessible online.
AU-12	Audit Record Generation	Provide audit record generation capability on all system components specified in AU-2.
AU-12(1)	System-wide and Time-correlated Audit Trail	Compile audit records into system-wide audit trail that is time-correlated within FedRAMP tolerance.
AU-12(3)	Changes by Authorized Individuals	Permit authorized individuals to change audit logging selectively for FedRAMP-defined events within defined time thresho...
AU-2	Event Logging	Identify event types selected for logging including FedRAMP minimum list; review and update at least annually.
AU-3	Content of Audit Records	Audit records must contain: type, when, where, source, outcome, identity associated.
AU-3(1)	Additional Audit Information	Generate audit records containing FedRAMP-defined additional information (session, host, full text of executed commands)...
AU-4	Audit Log Storage Capacity	Allocate audit log storage capacity to accommodate FedRAMP-defined retention period.
AU-5	Response to Audit Logging Process Failures	Alert defined personnel on audit failure within FedRAMP timeframe; take defined action (overwrite oldest, shutdown, stop...
AU-5(1)	Storage Capacity Warning	Provide warning within FedRAMP-defined time period when storage capacity reaches 75 percent.
AU-5(2)	Real-Time Alerts	Provide alert within real time when FedRAMP-defined audit failure events occur.
AU-6	Audit Record Review, Analysis, and Reporting	Review and analyze audit records at least weekly (FedRAMP); report findings to defined personnel.
AU-6(1)	Automated Process Integration	Integrate audit review with automated mechanisms (SIEM).
AU-6(3)	Correlate Audit Record Repositories	Analyze and correlate audit records across different repositories.
AU-6(4)	Central Review and Analysis	Centralized review and analysis of audit records across system components; required at HIGH.
AU-6(5)	Integrated Analysis of Audit Records	Integrate analysis of audit records with analysis of vulnerability scanning, performance data, network monitoring; HIGH...
AU-6(6)	Correlation with Physical Monitoring	Correlate logical audit records with physical access records.
AU-6(7)	Permitted Actions	Specify permitted actions for users, roles, processes associated with reviewing audit records.
AU-7	Audit Record Reduction and Report Generation	Provide capability for audit record reduction and on-demand report generation.
AU-7(1)	Automatic Processing	Process audit records for events of interest based on defined criteria.
AU-8	Time Stamps	Use internal system clocks; record timestamps with FedRAMP-defined granularity (1 second), UTC or known offset.
AU-9	Protection of Audit Information	Protect audit information and tools from unauthorized access, modification, deletion.
AU-9(2)	Store on Separate Physical Systems or Components	Store audit records on separate physical system/component at least weekly (FedRAMP).
AU-9(3)	Cryptographic Protection	Cryptographically protect integrity of audit information; HIGH only.
AU-9(4)	Access by Subset of Privileged Users	Authorize access to audit functionality only to subset of privileged users.
CA-1	Policy and Procedures	Develop and review assessment/authorization policy at least annually.
CA-2	Control Assessments	Assess controls annually (FedRAMP); third-party assessor (3PAO) required; produce SAR.
CA-2(1)	Independent Assessors	Employ independent assessors; FedRAMP-accredited 3PAO required.
CA-2(2)	Specialized Assessments	Conduct specialized assessments (announced/unannounced, in-depth, malicious user, penetration testing) at FedRAMP define...
CA-2(3)	Leveraging Results from External Organizations	Leverage assessments of FedRAMP-defined external organizations when conducted by FedRAMP-accredited bodies.
CA-3	Information Exchange	Approve and manage exchange of information with external systems using ISA, MOU, contract; review annually.
CA-5	Plan of Action and Milestones	Develop POAM; update at least monthly (FedRAMP); track remediation timelines (HIGH 30 days, MOD 90).
CA-6	Authorization	Senior official authorizes system; reauthorize every three years or upon significant change.
CA-7	Continuous Monitoring	Establish continuous monitoring strategy with FedRAMP-defined metrics, monitoring frequencies, ongoing assessments.
CA-7(1)	Independent Assessment	Employ independent assessors for ongoing monitoring; FedRAMP 3PAO annual.
CA-7(3)	Trend Analyses	Employ trend analyses for security/privacy posture; HIGH requirement.
CA-8	Penetration Testing	Conduct penetration testing annually on FedRAMP-defined systems and components.
CA-8(1)	Independent Penetration Agent or Team	Employ independent penetration testing agent or team.
CA-8(2)	Red Team Exercises	Conduct red team exercises per FedRAMP-defined frequency on HIGH systems.
CA-9	Internal System Connections	Authorize internal connections of components to system; document interface characteristics.
CM-1	Policy and Procedures	Develop and review configuration management policy annually.
CM-10	Software Usage Restrictions	Use software in accordance with contracts and copyright laws; track licenses; document peer-to-peer file sharing control...
CM-11	User-Installed Software	Establish policies governing installation of software by users; enforce; monitor compliance.
CM-12	Information Location	Identify and document location of FedRAMP-defined information types and specific system components.
CM-12(1)	Automated Tools to Support Information Location	Use automated tools to identify FedRAMP-defined information by information type on system components.
CM-2	Baseline Configuration	Develop and maintain baseline configurations; review and update annually (FedRAMP) and when required.
CM-2(2)	Automation Support for Accuracy and Currency	Maintain baseline currency via automated mechanisms.
CM-2(3)	Retention of Previous Configurations	Retain FedRAMP-defined number of previous baseline configurations (3) to support rollback.
CM-2(7)	Configure Systems and Components for High-Risk Areas	Issue systems/devices with FedRAMP-defined security safeguards to individuals traveling to high-risk locations.
CM-3	Configuration Change Control	Determine, document, and approve changes; track, review, audit; CAB or equivalent; analyze security impact.
CM-3(1)	Automated Documentation, Notification, and Prohibition	Use automated mechanisms to document, notify approvers, and prohibit changes until approved.
CM-3(2)	Testing, Validation, and Documentation of Changes	Test, validate, and document changes before implementing on operational system.
CM-3(4)	Security and Privacy Representatives	Require security and privacy representatives on change board for FedRAMP-defined configuration changes.
CM-3(6)	Cryptography Management	Ensure cryptographic mechanisms providing FedRAMP-defined safeguards are under configuration management.
CM-4	Impact Analyses	Analyze changes to determine potential security/privacy impacts.
CM-4(1)	Separate Test Environments	Analyze changes in separate test environment before implementation; HIGH baseline.
CM-5	Access Restrictions for Change	Define, document, approve, enforce physical and logical access restrictions for changes.
CM-5(1)	Automated Access Enforcement and Audit Records	Enforce access restrictions and audit enforcement actions; required at HIGH.
CM-5(2)	Review System Changes	Review system changes at FedRAMP-defined frequency to determine whether unauthorized changes occurred; HIGH only.
CM-5(3)	Signed Components	Prevent installation of system components without verifying digital signature.
CM-6	Configuration Settings	Establish/document configuration settings using checklists; CIS/USGCB/DISA STIG when available; HIGH baseline.
CM-6(1)	Automated Management, Application, and Verification	Manage, apply, and verify configuration settings via automated mechanisms; HIGH only.
CM-6(2)	Respond to Unauthorized Changes	Take FedRAMP-defined actions in response to unauthorized changes; HIGH only.
CM-7	Least Functionality	Configure system to provide only essential capabilities; prohibit unnecessary functions, services, ports, protocols.
CM-7(1)	Periodic Review	Review system functions, ports, protocols, services at least monthly (FedRAMP); disable as unnecessary.
CM-7(2)	Prevent Program Execution	Prevent program execution according to FedRAMP-defined policies (rules of behavior).
CM-7(3)	Registration Compliance	Ensure compliance with FedRAMP-defined registration requirements for ports, protocols, services.
CM-7(5)	Authorized Software Allow-by-Exception	Identify and maintain authorized software list; employ allowlist; review at least annually; HIGH requirement.
CM-8	System Component Inventory	Develop and document inventory of system components; review and update at least monthly (FedRAMP).
CM-8(1)	Updates During Installation and Removal	Update inventory as part of component installations, removals, updates.
CM-8(2)	Automated Maintenance	Maintain inventory via automated mechanisms; HIGH baseline.
CM-8(3)	Automated Unauthorized Component Detection	Employ automated mechanisms to detect unauthorized components at FedRAMP-defined frequency; HIGH only continuous.
CM-8(4)	Accountability Information	Include in inventory information about owner, position, role responsible for component; HIGH only.
CM-9	Configuration Management Plan	Develop, document, implement configuration management plan addressing roles, processes, items under CM, identification s...
CP-1	Policy and Procedures	Develop and review contingency planning policy at least annually.
CP-10	System Recovery and Reconstitution	Provide for recovery and reconstitution of system to known state within RTO.
CP-10(2)	Transaction Recovery	Implement transaction recovery for transaction-based systems.
CP-10(4)	Restore Within Time Period	Provide capability to restore system components within FedRAMP-defined time period from configuration-controlled and int...
CP-2	Contingency Plan	Develop contingency plan; review and update annually (FedRAMP); coordinate with related plans.
CP-2(1)	Coordinate with Related Plans	Coordinate contingency plan with related plans (BCP, DRP, COOP, IRP).
CP-2(2)	Capacity Planning	Conduct capacity planning so necessary capacity exists during contingency operations; HIGH baseline.
CP-2(3)	Resume Mission and Business Functions	Plan for resumption of mission/business functions within FedRAMP-defined time period after contingency plan activation.
CP-2(5)	Continue Mission and Business Functions	Plan for continuation of essential mission/business functions with little or no loss of operational continuity; HIGH onl...
CP-2(8)	Identify Critical Assets	Identify critical system assets supporting mission/business functions.
CP-3	Contingency Training	Provide contingency training to users assigned roles; within FedRAMP timeframe of role assignment and at least annually.
CP-3(1)	Simulated Events	Incorporate simulated events into contingency training to facilitate effective response; HIGH only.
CP-4	Contingency Plan Testing	Test contingency plan at least annually (FedRAMP) using FedRAMP-defined tests; review test results.
CP-4(1)	Coordinate with Related Plans	Coordinate contingency plan testing with related plan testing.
CP-4(2)	Alternate Processing Site	Test contingency plan at alternate processing site; HIGH baseline.
CP-6	Alternate Storage Site	Establish alternate storage site with agreements to permit storage and retrieval of system backup information.
CP-6(1)	Separation from Primary Site	Identify alternate storage site separated from primary to reduce same-threat susceptibility.
CP-6(2)	Recovery Time and Recovery Point Objectives	Configure alternate storage site to facilitate recovery operations in accordance with RTO/RPO; HIGH only.
CP-6(3)	Accessibility	Identify potential accessibility problems to alternate storage site in event of area-wide disruption and outline mitigat...
CP-7	Alternate Processing Site	Establish alternate processing site with agreements for resumption of operations within FedRAMP-defined RTO.
CP-7(1)	Separation from Primary Site	Identify alternate processing site separated from primary to reduce same-threat susceptibility.
CP-7(2)	Accessibility	Identify potential accessibility problems to alternate processing site in event of area-wide disruption and outline miti...
CP-7(3)	Priority of Service	Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability...
CP-7(4)	Preparation for Use	Prepare alternate processing site so it is ready to be used as the operational site; HIGH only.
CP-8	Telecommunications Services	Establish alternate telecommunications services with agreements to permit resumption of system operations.
CP-8(1)	Priority of Service Provisions	Develop primary and alternate telecommunications service agreements with priority-of-service provisions.
CP-8(2)	Single Points of Failure	Obtain alternate telecommunications services to reduce likelihood of sharing single point of failure with primary servic...
CP-8(3)	Separation of Primary and Alternate Providers	Obtain alternate telecommunications services from providers separated from primary providers; HIGH only.
CP-8(4)	Provider Contingency Plan	Require primary and alternate telecommunications providers to have contingency plans; review them; HIGH only.
CP-9	System Backup	Conduct backups of user-level, system-level, and security-related documentation; FedRAMP-defined frequency (daily increm...
CP-9(1)	Testing for Reliability and Integrity	Test backup information annually to verify reliability and integrity.
CP-9(2)	Test Restoration Using Sampling	Use sample of backup information to restore selected system functions as part of testing; HIGH only.
CP-9(3)	Separate Storage for Critical Information	Store backup copies of critical software in separate facility or fire-rated container not collocated with operational so...
CP-9(5)	Transfer to Alternate Storage Site	Transfer system backup information to alternate storage site at FedRAMP-defined rate (daily incremental, weekly full); H...
CP-9(8)	Cryptographic Protection	Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of backup information.
IA-1	Policy and Procedures	Develop and review identification and authentication policy at least annually.
IA-11	Re-Authentication	Require re-authentication when FedRAMP-defined circumstances occur (role change, privilege change, time period elapsed).
IA-12	Identity Proofing	Identity-proof users in accordance with NIST SP 800-63A IAL2/IAL3; FedRAMP requires IAL2 minimum, IAL3 for HIGH privileg...
IA-12(2)	Identity Evidence	Require evidence of identity that meets IAL2/3 requirements during proofing.
IA-12(3)	Identity Evidence Validation and Verification	Require validation and verification of identity evidence through FedRAMP-defined methods.
IA-12(4)	In-Person Validation and Verification	Require in-person identity verification for IAL3 (HIGH privileged).
IA-12(5)	Address Confirmation	Require notice to confirmed mailing address (postal or registered electronic) as part of identity proofing.
IA-2	Identification and Authentication (Organizational Users)	Uniquely identify and authenticate organizational users and associate identity with processes acting on behalf of users.
IA-2(1)	MFA to Privileged Accounts	Implement MFA for access to privileged accounts; phishing-resistant per FedRAMP.
IA-2(12)	Acceptance of PIV Credentials	Accept and electronically verify Personal Identity Verification credentials.
IA-2(2)	MFA to Non-Privileged Accounts	Implement MFA for non-privileged accounts; phishing-resistant per FedRAMP.
IA-2(5)	Individual Authentication with Group Authentication	Require individual authentication before granting group authentication; HIGH baseline.
IA-2(6)	Access to Accounts via Separate Device	Implement MFA using a separate device that meets FedRAMP strength requirements; HIGH only for privileged.
IA-2(8)	Access to Accounts Replay Resistant	Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts.
IA-3	Device Identification and Authentication	Uniquely identify and authenticate devices before establishing connection.
IA-4	Identifier Management	Manage identifiers; uniquely identify; prevent reuse for FedRAMP-defined period.
IA-4(4)	Identify User Status	Identify user status (contractor, employee, foreign national, etc.) in identifiers.
IA-5	Authenticator Management	Manage authenticators; verify identity prior to issuing; establish initial content; protect.
IA-5(1)	Password-Based Authentication	Enforce password complexity per NIST SP 800-63B; minimum 12 characters (FedRAMP); compare against breach lists.
IA-5(2)	Public Key-Based Authentication	Enforce authorized use of public key-based authentication; validate certificates; map identity to account.
IA-5(6)	Protection of Authenticators	Protect authenticators commensurate with security category of information they protect.
IA-5(7)	No Embedded Unencrypted Static Authenticators	Ensure unencrypted static authenticators are not embedded in applications, scripts, configuration files.
IA-5(8)	Multiple System Accounts	Implement security safeguards to manage risk of compromise due to individuals having accounts on multiple systems; HIGH...
IA-6	Authentication Feedback	Obscure authentication feedback during authentication process.
IA-7	Cryptographic Module Authentication	Implement authentication to cryptographic modules meeting FIPS 140 (FedRAMP requires FIPS-validated).
IA-8	Identification and Authentication (Non-Organizational Users)	Uniquely identify and authenticate non-organizational users (e.g., federal customers).
IA-8(1)	Acceptance of PIV Credentials from Other Agencies	Accept and verify PIV credentials from other federal agencies.
IA-8(2)	Acceptance of External Authenticators	Accept FICAM-approved external authenticators per FedRAMP-approved IAL/AAL levels.
IA-8(4)	Use of Defined Profiles	Conform to FedRAMP-defined identity management profiles in implementation.
IR-1	Event Detection and Triage	Detect, triage and declare cyber events using documented criteria and severity levels.
IR-2	Incident Response and Recovery	Respond to, contain and recover from cyber incidents affecting IT and OT functions.
IR-2(1)	Simulated Events	Incorporate simulated events into IR training; HIGH only.
IR-2(2)	Automated Training Environments	Provide thorough and realistic IR training via automated mechanisms; HIGH only.
IR-3	Continuity of Operations	Plan, exercise and maintain continuity of the function during and after cyber incidents.
IR-3(2)	Coordination with Related Plans	Coordinate IR testing with related plan testing.
IR-4	Incident Handling	Implement IR capability for preparation, detection/analysis, containment, eradication, recovery.
IR-4(1)	Automated Incident Handling Processes	Support incident handling via automated mechanisms.
IR-4(3)	Continuity of Operations	Identify FedRAMP-defined classes of incidents and actions to take to ensure continuation of operations.
IR-4(4)	Information Correlation	Correlate incident information and individual incident responses for organization-wide perspective; HIGH only.
IR-4(6)	Insider Threats	Implement incident handling capability for insider threats.
IR-4(8)	Correlation with External Organizations	Coordinate with FedRAMP-defined external organizations to correlate and share FedRAMP-defined incident information; HIGH...
IR-5	Incident Monitoring	Track and document incidents.
IR-5(1)	Automated Tracking, Data Collection, and Analysis	Track incidents and collect/analyze incident information via automated mechanisms; HIGH only.
IR-6	Incident Reporting	Require personnel to report incidents to organizational authorities within FedRAMP timeframe; report to FedRAMP PMO and...
IR-6(1)	Automated Reporting	Report incidents via automated mechanisms.
IR-6(3)	Supply Chain Coordination	Provide incident information to provider of products/services and other supply chain entities; HIGH only.
IR-7	Incident Response Assistance	Provide IR support resource (help desk, support group) for incident handling assistance.
IR-7(1)	Automation Support for Availability of Information and Support	Increase availability of IR information and support via automated mechanisms.
IR-8	Incident Response Plan	Develop and implement IRP; review and update annually; distribute.
IR-8(1)	Breaches	Include process to determine if notice to individuals or other organizations is needed for breaches involving PII.
IR-9	Information Spillage Response	Respond to information spills by identifying spilled information, alerting personnel, isolating contaminated system.
IR-9(2)	Training	Provide information spillage response training within FedRAMP timeframe and at least annually.
IR-9(3)	Post-Spill Operations	Implement procedures to ensure organizational personnel impacted by spill can continue carrying out assigned tasks.
IR-9(4)	Exposure to Unauthorized Personnel	Employ FedRAMP-defined safeguards for personnel exposed to spilled information.
MA-1	Policy and Procedures	Develop and review maintenance policy at least annually.
MA-2	Controlled Maintenance	Schedule, document, review records of maintenance, repair, replacement of components.
MA-2(2)	Automated Maintenance Activities	Schedule, conduct, document maintenance via automated mechanisms; HIGH only.
MA-3	Maintenance Tools	Approve, control, monitor use of maintenance tools.
MA-3(1)	Inspect Tools	Inspect maintenance tools used by personnel for improper modifications.
MA-3(2)	Inspect Media	Inspect media containing diagnostic and test programs for malicious code before use.
MA-3(3)	Prevent Unauthorized Removal	Prevent unauthorized removal of equipment containing organizational information; HIGH only.
MA-4	Nonlocal Maintenance	Approve and monitor nonlocal maintenance activities; use strong authentication.
MA-4(3)	Comparable Security and Sanitization	Require nonlocal maintenance services be performed from component with comparable security; sanitize before/after; HIGH...
MA-5	Maintenance Personnel	Establish process for authorizing maintenance personnel; maintain list of authorized personnel; supervise unauthorized.
MA-5(1)	Individuals Without Appropriate Access	Implement procedures for use of maintenance personnel that lack needed access authorizations; HIGH only.
MA-6	Timely Maintenance	Obtain maintenance support and spare parts within FedRAMP-defined time period of failure.
MP-1	Policy and Procedures	Develop and review media protection policy at least annually.
MP-2	Media Access	Restrict access to FedRAMP-defined types of digital and non-digital media to authorized personnel.
MP-3	Media Marking	Mark system media indicating distribution limitations, handling caveats, security markings.
MP-4	Media Storage	Physically control and securely store FedRAMP-defined types of media within FedRAMP-defined controlled areas.
MP-5	Media Transport	Protect and control media during transport outside controlled areas; maintain accountability; document activities; restr...
MP-6	Media Sanitization	Sanitize media prior to disposal, release, or reuse using FedRAMP-defined methods (NIST SP 800-88).
MP-6(1)	Review, Approve, Track, Document, Verify	Review, approve, track, document, verify media sanitization and disposal actions.
MP-6(2)	Equipment Testing	Test sanitization equipment and procedures at FedRAMP-defined frequency to ensure intended operation.
MP-6(3)	Nondestructive Techniques	Apply nondestructive sanitization techniques to portable storage devices prior to connecting to system under FedRAMP-def...
MP-7	Media Use	Restrict or prohibit use of FedRAMP-defined types of media on FedRAMP-defined systems using safeguards.
PE-1	Policy and Procedures	Develop and review physical/environmental policy at least annually.
PE-10	Emergency Shutoff	Provide capability for emergency shutoff of power; protect from accidental activation.
PE-11	Emergency Power	Provide short-term uninterruptible power supply for orderly shutdown or transition to long-term alternate power.
PE-11(1)	Alternate Power Supply Minimal Operational Capability	Provide alternate power that is self-contained and not reliant on external sources; HIGH only.
PE-12	Emergency Lighting	Employ and maintain automatic emergency lighting activating on power outage covering emergency exits.
PE-13	Fire Protection	Employ and maintain fire suppression and detection devices independent of energy source.
PE-13(1)	Detection Systems Automatic Activation and Notification	Employ fire detection that activates automatically and notifies FedRAMP-defined personnel and emergency responders.
PE-13(2)	Suppression Systems Automatic Activation and Notification	Employ fire suppression that activates automatically and notifies FedRAMP-defined personnel and emergency responders; HI...
PE-14	Environmental Controls	Maintain temperature and humidity within FedRAMP-defined acceptable levels; monitor at FedRAMP frequency.
PE-15	Water Damage Protection	Protect system from damage from water leakage by providing master shutoff valves accessible to key personnel.
PE-15(1)	Automation Support	Detect leaks and alert FedRAMP-defined personnel via automated mechanisms; HIGH only.
PE-16	Delivery and Removal	Authorize and control system components entering/exiting facility; maintain records.
PE-17	Alternate Work Site	Determine alternate work sites; employ FedRAMP-defined controls at alternate sites; assess effectiveness.
PE-18	Location of System Components	Position system components to minimize damage from physical/environmental hazards and unauthorized access; HIGH only.
PE-2	Physical Access Authorizations	Develop, approve, maintain list of individuals with authorized facility access; review at least quarterly (FedRAMP).
PE-3	Physical Access Control	Enforce physical access at entry/exit points; verify authorizations; control ingress/egress; maintain audit logs.
PE-3(1)	System Access	Enforce physical access authorizations to system in addition to physical access controls for facility; HIGH only.
PE-4	Access Control for Transmission	Control physical access to system distribution and transmission lines.
PE-5	Access Control for Output Devices	Control physical access to output from system devices to prevent unauthorized individuals from obtaining output.
PE-6	Monitoring Physical Access	Monitor physical access to facility; review access logs at least weekly (FedRAMP); coordinate review with IR.
PE-6(1)	Intrusion Alarms and Surveillance Equipment	Monitor physical access via intrusion alarms and surveillance equipment.
PE-6(4)	Monitoring Physical Access to Systems	Monitor physical access to system in addition to facility access at FedRAMP-defined components; HIGH only.
PE-8	Visitor Access Records	Maintain visitor access records for FedRAMP-defined period (1 year); review records monthly (FedRAMP).
PE-8(1)	Automated Records Maintenance and Review	Maintain and review visitor access records via automated mechanisms; HIGH only.
PE-9	Power Equipment and Cabling	Protect power equipment and cabling from damage and destruction.
PL-1	Policy and Procedures	Develop and review planning policy at least annually.
PL-10	Baseline Selection	Select FedRAMP High baseline; tailor in accordance with risk assessment.
PL-11	Baseline Tailoring	Tailor selected control baseline; document tailoring actions; review and update annually.
PL-2	System Security and Privacy Plans	Develop SSP that aligns with FedRAMP template; review and update annually.
PL-4	Rules of Behavior	Establish and provide rules describing user responsibilities; receive signed acknowledgement.
PL-4(1)	Social Media and External Site/Application Usage Restrictions	Include in rules of behavior explicit restrictions on use of social media and external sites/applications.
PL-8	Security and Privacy Architectures	Develop, document, maintain security/privacy architectures; review annually.
PS-1	Policy and Procedures	Develop and review personnel security policy at least annually.
PS-2	Position Risk Designation	Assign risk designation to positions; review and update at least every three years.
PS-3	Personnel Screening	Screen individuals prior to authorizing access; rescreen at FedRAMP frequency per position risk; US citizenship may appl...
PS-3(3)	Information Requiring Special Protective Measures	Ensure individuals accessing information requiring special protective measures meet additional access requirements; HIGH...
PS-4	Personnel Termination	Disable access and revoke authenticators within FedRAMP-defined time (same day); conduct exit interview; retrieve proper...
PS-4(2)	Automated Actions	Use automated mechanisms to notify defined personnel upon termination and disable access; HIGH only.
PS-5	Personnel Transfer	Review/confirm ongoing operational need for access when personnel transfer; modify access; notify within FedRAMP timefra...
PS-6	Access Agreements	Develop access agreements; review and update annually; require signature before access.
PS-7	External Personnel Security	Establish personnel security requirements for external providers; require providers to notify within FedRAMP timeframe o...
PS-8	Personnel Sanctions	Employ formal sanctions for personnel failing to comply with security/privacy policies; notify defined personnel within...
PS-9	Position Descriptions	Incorporate security/privacy roles and responsibilities into position descriptions.
RA-1	Policy and Procedures	Develop and review risk assessment policy at least annually.
RA-2	Security Categorization	Categorize system per FIPS 199; document; review and update annually.
RA-3	Risk Assessment	Conduct risk assessment annually (FedRAMP); document; review and update.
RA-3(1)	Supply Chain Risk Assessment	Assess supply chain risks per FedRAMP guidance; document; update annually.
RA-5	Vulnerability Monitoring and Scanning	Scan for vulnerabilities monthly (FedRAMP); OS/network weekly, web app monthly, database monthly; remediate within FedRA...
RA-5(11)	Public Disclosure Program	Establish public reporting channel for receiving vulnerability information; FedRAMP requires VDP.
RA-5(2)	Update Vulnerabilities to be Scanned	Update vulnerability list prior to scan, when new vulnerabilities identified, or at FedRAMP frequency.
RA-5(4)	Discoverable Information	Determine what information about system is discoverable and take corrective actions; HIGH only.
RA-5(5)	Privileged Access	Implement privileged access authorization to FedRAMP-defined components for vulnerability scanning.
RA-7	Identifies and Analyzes Risk	The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis f...
RA-9	Identifies and Analyzes Significant Change	The organization identifies and assesses changes that could significantly impact the system of internal control.
SA-1	Logging and Monitoring	Collect, retain and monitor logs from IT and OT assets to detect anomalous activity.
SA-10	Developer Configuration Management	Require developer to perform CM during development, implementation, operation; document/track changes; implement only ap...
SA-10(1)	Software and Firmware Integrity Verification	Require developer to enable integrity verification of software/firmware via FedRAMP-defined mechanisms.
SA-11	Developer Testing and Evaluation	Require developer to test at FedRAMP-defined depth and coverage; document; correct flaws.
SA-11(1)	Static Code Analysis	Require developer to employ static code analysis tools to identify common flaws.
SA-11(2)	Threat Modeling and Vulnerability Analyses	Require developer to perform threat modeling and vulnerability analyses.
SA-11(8)	Dynamic Code Analysis	Require developer to employ dynamic code analysis tools to identify common flaws; HIGH only.
SA-15	Development Process, Standards, and Tools	Require developer to follow documented development process addressing security/privacy requirements.
SA-16	Developer-Provided Training	Require developer to provide training on correct use and operation of security/privacy functions; HIGH only.
SA-17	Developer Security and Privacy Architecture and Design	Require developer to produce design specification and security architecture; HIGH only.
SA-2	Common Operating Picture	Establish a common operating picture across IT, OT and physical security functions for cyber events.
SA-21	Developer Screening	Require developer of FedRAMP-defined components to have personnel access authorizations and screening; HIGH only.
SA-22	Unsupported System Components	Replace unsupported components or provide justification with risk acceptance and alternative protections.
SA-3	System Development Life Cycle	Manage system using SDLC incorporating security/privacy considerations.
SA-4	Acquisition Process	Include security/privacy requirements in contracts; FedRAMP-defined assurance requirements.
SA-4(1)	Functional Properties of Controls	Require developer to provide description of functional properties of security controls.
SA-4(10)	Use of Approved PIV Products	Employ only information technology products on FIPS 201-approved products list for PIV capability.
SA-4(2)	Design and Implementation Information for Controls	Require developer to provide design and implementation information for security/privacy controls.
SA-4(5)	System, Component, and Service Configurations	Require developer to deliver system with security configurations preconfigured.
SA-4(8)	Continuous Monitoring Plan for Controls	Require developer to produce plan for continuous monitoring of control effectiveness.
SA-4(9)	Functions, Ports, Protocols, and Services in Use	Require developer to identify functions, ports, protocols, services intended for organizational use.
SA-5	System Documentation	Obtain administrator and user documentation; protect; distribute to FedRAMP-defined personnel.
SA-8	Security and Privacy Engineering Principles	Apply FedRAMP-defined systems security and privacy engineering principles in development.
SA-9	External System Services	Require providers of external system services to comply with security/privacy requirements; document oversight roles.
SA-9(1)	Risk Assessments and Organizational Approvals	Conduct risk assessment prior to acquisition of dedicated information security services; HIGH only.
SA-9(2)	Identification of Functions, Ports, Protocols, and Services	Require providers to identify functions, ports, protocols, services required for external services.
SA-9(4)	Consistent Interests of Consumers and Providers	Employ FedRAMP-defined safeguards to ensure provider interests are consistent with consumer interests; HIGH only.
SA-9(5)	Processing, Storage, and Service Location	Restrict location of processing, storage, services to FedRAMP-defined locations; data sovereignty (US-only).
SC-1	Policy and Procedures	Develop and review system/comms protection policy at least annually.
SC-10	Network Disconnect	Terminate network connection at end of session or after FedRAMP-defined inactivity period (no longer than 30 minutes).
SC-12	Cryptographic Key Establishment and Management	Establish and manage cryptographic keys per FedRAMP requirements (FIPS-validated, key escrow/recovery as appropriate).
SC-12(1)	Availability	Maintain availability of information in event of loss of cryptographic keys via key escrow or recovery; HIGH only.
SC-12(2)	Symmetric Keys	Produce, control, distribute symmetric keys using NIST FIPS-compliant or NSA-approved key management technology.
SC-12(3)	Asymmetric Keys	Produce, control, distribute asymmetric keys via FedRAMP-approved PKI or approved hardware.
SC-13	Cryptographic Protection	Implement FedRAMP-defined cryptographic uses and approved cryptography (FIPS 140 validated).
SC-15	Collaborative Computing Devices and Applications	Prohibit remote activation of collaborative computing devices (cameras, mics) without explicit user indication; provide...
SC-17	Public Key Infrastructure Certificates	Issue public key certificates under FedRAMP-defined policy or obtain from approved service providers.
SC-18	Mobile Code	Define acceptable and unacceptable mobile code; authorize use; monitor.
SC-2	Separation of System and User Functionality	Separate user functionality from system management functionality.
SC-20	Secure Name/Address Resolution Service (Authoritative)	Provide artifacts for additional data origin authentication and integrity verification (DNSSEC) for child zones; FedRAMP...
SC-21	Secure Name/Address Resolution Service (Recursive or Caching Resolver)	Request and perform data origin authentication and data integrity verification on name/address resolution responses; DNS...
SC-22	Architecture and Provisioning for Name/Address Resolution Service	Ensure DNS systems are fault-tolerant and implement role separation.
SC-23	Session Authenticity	Protect authenticity of communications sessions.
SC-23(1)	Invalidate Session Identifiers at Logout	Invalidate session identifiers upon user logout or other session termination.
SC-24	Fail in Known State	Fail to FedRAMP-defined known secure state for FedRAMP-defined failures; preserve FedRAMP-defined information in failure...
SC-28	Protection of Information at Rest	Protect confidentiality and integrity of FedRAMP-defined information at rest.
SC-28(1)	Cryptographic Protection	Implement cryptographic mechanisms to prevent unauthorized disclosure/modification of FedRAMP-defined information on Fed...
SC-3	Security Function Isolation	Isolate security functions from non-security functions; HIGH only.
SC-39	Process Isolation	Maintain separate execution domain for each executing system process.
SC-4	Information in Shared System Resources	Prevent unauthorized and unintended information transfer via shared system resources.
SC-45	System Time Synchronization	Synchronize system clocks within and between systems.
SC-45(1)	Synchronization with Authoritative Time Source	Compare internal system clocks at FedRAMP-defined frequency with FedRAMP-defined authoritative time source; synchronize...
SC-5	Denial-of-Service Protection	Protect against or limit effects of DoS attacks using FedRAMP-defined safeguards.
SC-5(1)	Restrict Ability to Attack Other Systems	Restrict ability of individuals to launch DoS attacks against other systems; HIGH only.
SC-5(2)	Capacity, Bandwidth, and Redundancy	Manage capacity, bandwidth, redundancy to limit effects of bandwidth-consuming attacks; HIGH only.
SC-5(3)	Detection and Monitoring	Employ FedRAMP-defined monitoring tools to detect indicators of DoS attacks; monitor system resources; HIGH only.
SC-6	Resource Availability	Protect availability of resources by allocating FedRAMP-defined resources by priority, quota, or other safeguards.
SC-7	Boundary Protection	Monitor/control communications at external boundary and key internal boundaries; implement subnetworks for publicly acce...
SC-7(10)	Prevent Exfiltration	Prevent exfiltration of information; conduct exfiltration tests at FedRAMP-defined frequency; HIGH only.
SC-7(12)	Host-Based Protection	Implement host-based boundary protection mechanisms at FedRAMP-defined components.
SC-7(13)	Isolation of Security Tools, Mechanisms, and Support Components	Isolate FedRAMP-defined security tools, mechanisms, and support components from other internal components; HIGH only.
SC-7(18)	Fail Secure	Prevent systems from entering unsecure state in event of operational failure of boundary protection device; HIGH only.
SC-7(20)	Dynamic Isolation and Segregation	Provide capability to dynamically isolate FedRAMP-defined system components.
SC-7(21)	Isolation of System Components	Employ boundary protection mechanisms to separate FedRAMP-defined components supporting FedRAMP-defined missions; HIGH o...
SC-7(3)	Access Points	Limit number of external network connections to system; TIC-aligned.
SC-7(4)	External Telecommunications Services	Implement managed interface for each external telecommunications service; establish traffic flow policy; protect confide...
SC-7(5)	Deny by Default Allow by Exception	Deny network communications by default; allow by exception.
SC-7(7)	Split Tunneling for Remote Devices	Prevent split tunneling for remote devices unless securely provisioned.
SC-7(8)	Route Traffic to Authenticated Proxy Servers	Route internal traffic to FedRAMP-defined external networks through authenticated proxies.
SC-8	Transmission Confidentiality and Integrity	Protect confidentiality and integrity of transmitted information using cryptographic mechanisms.
SC-8(1)	Cryptographic Protection	Implement FIPS-validated cryptographic mechanisms to prevent unauthorized disclosure and detect changes during transmiss...
SI-1	Policy and Procedures	Develop and review system/information integrity policy at least annually.
SI-10	Information Input Validation	Check validity of FedRAMP-defined information inputs.
SI-11	Error Handling	Generate error messages providing necessary info without revealing sensitive info; reveal only to authorized.
SI-12	Information Management and Retention	Manage and retain information consistent with applicable laws, regulations, policies, standards.
SI-16	Memory Protection	Implement FedRAMP-defined safeguards to protect memory from unauthorized code execution (DEP, ASLR).
SI-17	Fail-Safe Procedures	Implement FedRAMP-defined fail-safe procedures when FedRAMP-defined failures occur; HIGH only.
SI-2	Flaw Remediation	Identify, report, and correct system flaws; remediate within FedRAMP-defined timeframes (HIGH critical 15d, high 30d).
SI-2(1)	Central Management	Centrally manage flaw remediation process; HIGH only.
SI-2(2)	Automated Flaw Remediation Status	Determine status of flaw remediation via automated mechanisms at FedRAMP-defined frequency (at least monthly).
SI-2(3)	Time to Remediate Flaws and Benchmarks for Corrective Actions	Measure time between flaw identification and remediation; establish benchmarks; HIGH only.
SI-3	Malicious Code Protection	Implement signature-based and non-signature-based malicious code protection; configure to scan endpoints and entry/exit...
SI-4	System Monitoring	Monitor system to detect attacks; identify unauthorized use; deploy monitoring devices at boundaries and key internal po...
SI-4(1)	System-Wide Intrusion Detection System	Connect/configure individual intrusion detection tools into system-wide IDS.
SI-4(10)	Visibility of Encrypted Communications	Provide capability to render visible information in encrypted communications traffic to FedRAMP-defined system monitorin...
SI-4(11)	Analyze Communications Traffic Anomalies	Analyze outbound traffic for anomalies indicating exfiltration or compromise.
SI-4(12)	Automated Organization-Generated Alerts	Alert FedRAMP-defined personnel using automated mechanisms when FedRAMP-defined events occur; HIGH only.
SI-4(14)	Wireless Intrusion Detection	Employ wireless intrusion detection to identify rogue wireless devices and detect attack attempts; HIGH only.
SI-4(16)	Correlate Monitoring Information	Correlate information from monitoring tools to achieve organization-wide situational awareness.
SI-4(18)	Analyze Traffic and Covert Exfiltration	Analyze outbound communications traffic at external boundary and FedRAMP-defined interior points for covert exfiltration...
SI-4(19)	Risk for Individuals	Implement FedRAMP-defined additional monitoring of individuals identified as posing increased risk; HIGH only.
SI-4(2)	Automated Tools and Mechanisms for Real-Time Analysis	Employ automated tools to support near-real-time analysis of events.
SI-4(20)	Privileged Users	Implement FedRAMP-defined additional monitoring of privileged users; HIGH only.
SI-4(22)	Unauthorized Network Services	Detect network services not authorized; audit or alert FedRAMP-defined personnel.
SI-4(23)	Host-Based Devices	Implement FedRAMP-defined host-based monitoring mechanisms at FedRAMP-defined components; HIGH only.
SI-4(4)	Inbound and Outbound Communications Traffic	Determine criteria for unusual or unauthorized activity; monitor inbound/outbound communications.
SI-4(5)	System-Generated Alerts	Alert FedRAMP-defined personnel when indications of compromise/potential compromise occur.
SI-5	Security Alerts, Advisories, and Directives	Receive alerts/advisories/directives from FedRAMP-defined external organizations (US-CERT, CISA); generate internal; dis...
SI-5(1)	Automated Alerts and Advisories	Broadcast security alerts and advisories throughout organization via automated mechanisms; HIGH only.
SI-6	Security and Privacy Function Verification	Verify correct operation of security/privacy functions; perform at FedRAMP-defined frequency; notify on failure; HIGH on...
SI-7	Software, Firmware, and Information Integrity	Employ integrity verification tools to detect unauthorized changes to software, firmware, information; HIGH only.
SI-7(1)	Integrity Checks	Perform integrity checks of software, firmware, information at FedRAMP-defined frequency or trigger events.
SI-7(14)	Binary or Machine-Executable Code	Prohibit binary or machine-executable code from sources with limited or no warranty without source code; HIGH only.
SI-7(2)	Automated Notifications of Integrity Violations	Employ automated tools to provide notification of integrity violations to FedRAMP-defined personnel; HIGH only.
SI-7(5)	Automated Response to Integrity Violations	Automatically shut down, restart, or implement FedRAMP-defined safeguards when integrity violations discovered; HIGH onl...
SI-7(7)	Integration of Detection and Response	Incorporate detection of FedRAMP-defined unauthorized changes into IR capability.
SI-8	Spam Protection	Employ spam protection at entry/exit points; update spam protection mechanisms when new releases available.
SI-8(2)	Automatic Updates	Automatically update spam protection mechanisms.
SR-1	Policy and Procedures (SR-1)	Develop, document, disseminate, and review supply chain risk management policy and procedures at defined frequency.
SR-10	Inspection of Systems or Components (SR-10)	Inspect systems or components at defined frequency or upon indications of tampering to detect compromise.
SR-11	Component Authenticity (SR-11)	Implement anti-counterfeit policy and procedures to detect and prevent counterfeit components.
SR-11(1)	Anti-counterfeit Training (SR-11(1))	Train personnel to detect counterfeit system components.
SR-11(2)	Configuration Control for Component Service and Repair (SR-11(2))	Maintain configuration control over components awaiting service or repair, and after return.
SR-12	Component Disposal (SR-12)	Dispose of data, documentation, tools, or system components using defined techniques and methods.
SR-2	Supply Chain Risk Management Plan (SR-2)	Develop a C-SCRM plan for managing supply chain risks for systems, components, and services; review and update at define...
SR-3	Supply Chain Controls and Processes (SR-3)	Establish processes to identify, protect, detect, respond, and recover across the supply chain lifecycle.
SR-5	Acquisition Strategies, Tools, and Methods (SR-5)	Employ acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply...
SR-6	Supplier Assessments and Reviews (SR-6)	Assess and review the supply chain risk posture of suppliers at defined frequency and after significant events.
SR-8	Notification Agreements (SR-8)	Establish agreements with suppliers for notification of supply chain compromises and relevant changes.

Your Compliance Coverage

If you comply with FedRAMP High, you already cover:

AWS Well-Architected Security Pillar

6 controls mapped

Compare →

Azure Security Benchmark

6 controls mapped

Compare →

ISO 27701:2019

5 controls mapped

Compare →

+ 247 more: NIST SP 800-190 (1%), ISO 27017 (1%)

See all 250 mapped frameworks ↓

Maps to 250 other frameworks

417 total controls

AWS Well-Architected Security Pillar

6 source controls mapped|4 target controls covered

Azure Security Benchmark

6 source controls mapped|4 target controls covered

ISO 27701:2019

5 source controls mapped|3 target controls covered

NIST SP 800-190

5 source controls mapped|4 target controls covered

ISO 27017

5 source controls mapped|4 target controls covered

NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements

5 source controls mapped|5 target controls covered

ISO 27018

5 source controls mapped|4 target controls covered

API 1164

4 source controls mapped|3 target controls covered

BSI IT-Grundschutz

4 source controls mapped|3 target controls covered

NIST AI Risk Management Framework (AI RMF 1.0)

4 source controls mapped|6 target controls covered

NIST Cybersecurity Framework 2.0

4 source controls mapped|5 target controls covered

IEC 62443

4 source controls mapped|3 target controls covered

NIST SP 800-146

4 source controls mapped|2 target controls covered

NIST SP 800-145

4 source controls mapped|3 target controls covered

NIST SP 800-144

4 source controls mapped|2 target controls covered

MTCS (Singapore)

4 source controls mapped|3 target controls covered

ISMAP (Japan)

4 source controls mapped|2 target controls covered

Florida Digital Bill of Rights (FDBR)

4 source controls mapped|3 target controls covered

ISO/IEC 42001:2023

3 source controls mapped|3 target controls covered

ISO/IEC 23894:2023

3 source controls mapped|7 target controls covered

TSA Pipeline Cybersecurity Directives

3 source controls mapped|2 target controls covered

Bahrain PDPL

3 source controls mapped|2 target controls covered

ASIS SPC.1-2009 - Organizational Resilience Standard

3 source controls mapped|2 target controls covered

ISO/IEC 29147:2018

3 source controls mapped|4 target controls covered

NIST SP 1800-32

3 source controls mapped|3 target controls covered

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

3 source controls mapped|2 target controls covered

NIST SP 800-53 Rev 5

3 source controls mapped|4 target controls covered

ISO 27019

3 source controls mapped|3 target controls covered

ISO/IEC 27031:2011

3 source controls mapped|2 target controls covered

ISO/IEC 29134:2023

3 source controls mapped|5 target controls covered

ISO/IEC 27014:2020

3 source controls mapped|4 target controls covered

Barbados Data Protection Act 2019

3 source controls mapped|2 target controls covered

ISO/IEC 27557:2022 - Organisational Privacy Risk Management

3 source controls mapped|6 target controls covered

Annex 11 to EU GMP - Computerised Systems

3 source controls mapped|4 target controls covered

NIST SP 800-82 Revision 3: Guide to Industrial Control Systems (ICS) Security

3 source controls mapped|3 target controls covered

New Zealand Information Security Manual (NZISM)

3 source controls mapped|2 target controls covered

IAEA Nuclear Security Series - Computer Security at Nuclear Facilities (NSS-17-T Rev 1)

3 source controls mapped|4 target controls covered

IAIS Insurance Core Principles (ICPs)

3 source controls mapped|2 target controls covered

Austria Data Protection Act (Datenschutzgesetz, DSG, amended 2018)

3 source controls mapped|3 target controls covered

ISO/IEC 27006:2024

3 source controls mapped|4 target controls covered

ISO/IEC 27400:2022

3 source controls mapped|4 target controls covered

ISO 28001:2007 Supply Chain Security Management

3 source controls mapped|2 target controls covered

OWASP DevSecOps Maturity Model (DSOMM)

3 source controls mapped|4 target controls covered

GLI-33 - Gaming Laboratories International Event Wagering Systems

3 source controls mapped|3 target controls covered

ISO 27018:2019

2 source controls mapped|2 target controls covered

ISO 31000:2018

2 source controls mapped|2 target controls covered

Illinois Biometric Information Privacy Act (BIPA)

2 source controls mapped|5 target controls covered

ISO 20400:2017 - Sustainable Procurement

2 source controls mapped|3 target controls covered

Virginia CDPA

2 source controls mapped|2 target controls covered

Uruguay DPL

2 source controls mapped|1 target controls covered

UNICEF Policy Guidance on AI for Children (2021)

2 source controls mapped|1 target controls covered

UK GDPR (UK General Data Protection Regulation)

2 source controls mapped|2 target controls covered

UK AI Regulation Framework

2 source controls mapped|2 target controls covered

Texas Data Privacy Act

2 source controls mapped|1 target controls covered

Taiwan PDPA

2 source controls mapped|2 target controls covered

French Sapin II Law (Law No. 2016-1691)

2 source controls mapped|3 target controls covered

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)

2 source controls mapped|2 target controls covered

AS9100D - Aerospace Quality Management System

2 source controls mapped|3 target controls covered

ISO/IEC 27003:2017

2 source controls mapped|3 target controls covered

FBI CJIS Security Policy

2 source controls mapped|1 target controls covered

APPI

2 source controls mapped|1 target controls covered

AICPA Privacy Management Framework (PMF)

2 source controls mapped|3 target controls covered

ISO 41001:2018 - Facility Management Systems

2 source controls mapped|4 target controls covered

ISO 39001:2012 - Road Traffic Safety Management

2 source controls mapped|4 target controls covered

ISO 22313:2020 - Guidance on Business Continuity Management Systems

2 source controls mapped|4 target controls covered

APRA CPS 230 Operational Risk Management

2 source controls mapped|1 target controls covered

AML/CTF Act 2006 (Australia)

2 source controls mapped|1 target controls covered

ISO 45001

2 source controls mapped|2 target controls covered

ISO 22000

2 source controls mapped|2 target controls covered

GDPR

2 source controls mapped|1 target controls covered

SANS Incident Handler's Handbook and PICERL Methodology

2 source controls mapped|2 target controls covered

ISO 26262:2018 - Functional Safety for Road Vehicles

2 source controls mapped|2 target controls covered

SSAE 18 - Attestation Standards (SOC Reporting)

2 source controls mapped|5 target controls covered

ISO 27002:2022

2 source controls mapped|2 target controls covered

Oman National Cybersecurity Framework

2 source controls mapped|1 target controls covered

NIS2 Directive

2 source controls mapped|1 target controls covered

NERC CIP

2 source controls mapped|1 target controls covered

Japan FSA Cybersecurity Guidelines for Financial Institutions

2 source controls mapped|1 target controls covered

NIST SP 800-53 Revision 5.1 HIGH

2 source controls mapped|2 target controls covered

FedRAMP Moderate

2 source controls mapped|2 target controls covered

ASD Strategies to Mitigate Cyber Security Incidents

2 source controls mapped|2 target controls covered

FFIEC Cybersecurity Assessment Tool (CAT)

2 source controls mapped|1 target controls covered

NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI)

2 source controls mapped|1 target controls covered

Regulation on the European Health Data Space (EHDS)

2 source controls mapped|2 target controls covered

NIST Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems

2 source controls mapped|2 target controls covered

Nigeria Data Protection Act 2023 (NDPA)

2 source controls mapped|4 target controls covered

Nebraska Data Privacy Act

2 source controls mapped|4 target controls covered

South Korea PIPA

2 source controls mapped|2 target controls covered

IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2)

2 source controls mapped|2 target controls covered

HKMA Cyber Resilience Assessment Framework (C-RAF)

2 source controls mapped|2 target controls covered

FTC GLBA Safeguards Rule (16 CFR Part 314)

2 source controls mapped|2 target controls covered

FedRAMP Rev 5

2 source controls mapped|2 target controls covered

ISO 27017:2015

1 source controls mapped|1 target controls covered

ISO 22301:2019

1 source controls mapped|2 target controls covered

ISO 26000:2010

1 source controls mapped|3 target controls covered

ICAO Annex 17 - Aviation Security (AVSEC)

1 source controls mapped|2 target controls covered

UNESCO Recommendation on the Ethics of AI

1 source controls mapped|1 target controls covered

UK FCA/PRA Operational Resilience Framework

1 source controls mapped|1 target controls covered

SEC Climate Disclosure Rule

1 source controls mapped|1 target controls covered

ISO 27799

1 source controls mapped|1 target controls covered

EASA Part-IS - Information Security in Aviation

1 source controls mapped|2 target controls covered

ISO 31000

1 source controls mapped|3 target controls covered

ISO 27005

1 source controls mapped|3 target controls covered

AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence

1 source controls mapped|1 target controls covered

NFPA 1600 - Standard on Continuity, Emergency, and Crisis Management

1 source controls mapped|1 target controls covered

Authorised Economic Operator (AEO) Programmes - Global Standards

1 source controls mapped|1 target controls covered

ISO 13485

1 source controls mapped|1 target controls covered

APRA SPS 220 Risk Management (Superannuation)

1 source controls mapped|1 target controls covered

ISO/IEC 38500:2024

1 source controls mapped|2 target controls covered

ISO/IEC 30111:2019

1 source controls mapped|3 target controls covered

WCAG 2.2

1 source controls mapped|1 target controls covered

W3C Verifiable Credentials (VC) Data Model 2.0

1 source controls mapped|1 target controls covered

UK Gambling Commission - Cyber Resilience Requirements

1 source controls mapped|2 target controls covered

Regional Comprehensive Economic Partnership (RCEP) - E-Commerce Chapter

1 source controls mapped|1 target controls covered

UK Bribery Act 2010

1 source controls mapped|1 target controls covered

Trinidad and Tobago Data Protection Act 2011

1 source controls mapped|3 target controls covered

Tanzania Personal Data Protection Act (Draft)

1 source controls mapped|2 target controls covered

SLSA

1 source controls mapped|1 target controls covered

SIG (Shared Assessments)

1 source controls mapped|1 target controls covered

Protective Security Policy Framework (PSPF) Release 2024

1 source controls mapped|1 target controls covered

PSD2 SCA

1 source controls mapped|1 target controls covered

PTES

1 source controls mapped|1 target controls covered

PIC/S Guide to Good Manufacturing Practice for Medicinal Products

1 source controls mapped|3 target controls covered

Philippines Cybercrime Prevention Act (RA 10175)

1 source controls mapped|1 target controls covered

Pakistan Personal Data Protection Bill 2023

1 source controls mapped|2 target controls covered

OWASP Top 10:2025

1 source controls mapped|1 target controls covered

OWASP SAMM

1 source controls mapped|1 target controls covered

OWASP MASVS

1 source controls mapped|1 target controls covered

OSFI B-13

1 source controls mapped|1 target controls covered

OpenSSF Scorecard

1 source controls mapped|1 target controls covered

Open Banking Security

1 source controls mapped|1 target controls covered

OCC Heightened Standards (12 CFR Part 30, Appendix D)

1 source controls mapped|1 target controls covered

O-RAN WG11 Security Specification

1 source controls mapped|3 target controls covered

NRC 10 CFR 73.54 - Nuclear Facility Cybersecurity

1 source controls mapped|2 target controls covered

Notifiable Data Breaches Scheme (Australia)

1 source controls mapped|1 target controls covered

NIST SP 800-92

1 source controls mapped|1 target controls covered

NIST SP 800-88

1 source controls mapped|1 target controls covered

NIST SP 800-63-4

1 source controls mapped|1 target controls covered

NIST SP 800-61

1 source controls mapped|1 target controls covered

NIST SP 800-137

1 source controls mapped|1 target controls covered

NIST SP 800-123

1 source controls mapped|1 target controls covered

NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)

1 source controls mapped|1 target controls covered

NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)

1 source controls mapped|1 target controls covered

NATO STANAG 4774 (Confidentiality Metadata Labels) and STANAG 4778 (Metadata Binding)

1 source controls mapped|2 target controls covered

Monetary Authority of Singapore Technology Risk Management Guidelines

1 source controls mapped|1 target controls covered

MITRE D3FEND

1 source controls mapped|1 target controls covered

MITRE ATT&CK

1 source controls mapped|1 target controls covered

ITU Radio Regulations and Space Security Standards

1 source controls mapped|1 target controls covered

ITAR - International Traffic in Arms Regulations

1 source controls mapped|1 target controls covered

Israel Protection of Privacy Law (5741-1981)

1 source controls mapped|2 target controls covered

ICH Q10 - Pharmaceutical Quality System

1 source controls mapped|2 target controls covered

ICH E6(R3) - Good Clinical Practice

1 source controls mapped|1 target controls covered

IATF 16949:2016 - Quality Management System for Automotive Production

1 source controls mapped|2 target controls covered

IATA Operational Safety Audit (IOSA) Standards Manual

1 source controls mapped|1 target controls covered

HKMA SPM

1 source controls mapped|1 target controls covered

GLBA

1 source controls mapped|1 target controls covered

GAMP 5 - Good Automated Manufacturing Practice

1 source controls mapped|2 target controls covered

FDA Quality Management System Regulation (QMSR)

1 source controls mapped|1 target controls covered

FATF Recommendation 16 - Virtual Asset Travel Rule

1 source controls mapped|1 target controls covered

ISO/IEC 27011:2024

1 source controls mapped|3 target controls covered

ISO 19011

1 source controls mapped|2 target controls covered

ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence

1 source controls mapped|5 target controls covered

21 CFR Part 58 - Good Laboratory Practice (GLP)

1 source controls mapped|2 target controls covered

BRCGS Global Standard for Food Safety Issue 9

1 source controls mapped|3 target controls covered

IEC 62351 - Power Systems Communication Security

1 source controls mapped|1 target controls covered

ISO/IEC 23837 - Security Requirements for Quantum Key Distribution

1 source controls mapped|3 target controls covered

ISO/IEC 29115:2023 - Entity Authentication Assurance Framework

1 source controls mapped|1 target controls covered

IEC 60601-1 - Medical Electrical Equipment Safety

1 source controls mapped|2 target controls covered

ISO/IEC 27007:2020

1 source controls mapped|1 target controls covered

ISO/IEC 29100:2024

1 source controls mapped|3 target controls covered

Azerbaijan Law on Personal Data (2010)

1 source controls mapped|1 target controls covered

ISO/IEC 27004:2016

1 source controls mapped|3 target controls covered

Albania Law on Protection of Personal Data (Law No. 9887, 2008, amended 2014)

1 source controls mapped|2 target controls covered

ISO/IEC 27050 - Electronic Discovery (Parts 1-4)

1 source controls mapped|1 target controls covered

ISO/IEC 38500:2024 - Governance of IT

1 source controls mapped|3 target controls covered

ISO 37000:2021 - Governance of Organizations

1 source controls mapped|3 target controls covered

NIST SP 800-124 Revision 2 - Guidelines for Managing the Security of Mobile Devices

1 source controls mapped|3 target controls covered

ISO 8000 - Data Quality

1 source controls mapped|2 target controls covered

SOC 2

1 source controls mapped|2 target controls covered

PCI PIN Security

1 source controls mapped|1 target controls covered

ISO 56002

1 source controls mapped|4 target controls covered

ISO 37002:2021 - Whistleblowing Management Systems

1 source controls mapped|3 target controls covered

ISO 22739:2024 - Blockchain and Distributed Ledger Technologies Vocabulary

1 source controls mapped|3 target controls covered

ISO/SAE 21434

1 source controls mapped|1 target controls covered

IEC 62304:2015 Medical Device Software Lifecycle Processes

1 source controls mapped|3 target controls covered

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

1 source controls mapped|1 target controls covered

21 CFR Part 211 - Current Good Manufacturing Practice

1 source controls mapped|1 target controls covered

ISO/IEC 17025:2017 - General Requirements for Testing and Calibration Laboratories

1 source controls mapped|3 target controls covered

DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)

1 source controls mapped|3 target controls covered

ISO/IEC 25012:2008 - Data Quality Model

1 source controls mapped|2 target controls covered

ISO 22320:2018

1 source controls mapped|3 target controls covered

ISO 19650 - Organisation and Digitisation of Information about Buildings and Civil Engineering Works (BIM)

1 source controls mapped|3 target controls covered

Automotive SPICE (ASPICE) v4.0 - Process Assessment Model

1 source controls mapped|2 target controls covered

FFIEC IT Examination Handbook

1 source controls mapped|1 target controls covered

ISO 14064 - Greenhouse Gas Accounting and Verification (Parts 1-3)

1 source controls mapped|1 target controls covered

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

1 source controls mapped|1 target controls covered

APRA CPS 234

1 source controls mapped|1 target controls covered

ISO 27043

1 source controls mapped|1 target controls covered

COBIT 2019

1 source controls mapped|1 target controls covered

PCI P2PE

1 source controls mapped|1 target controls covered

PCI SSF

1 source controls mapped|1 target controls covered

IEEE 1686

1 source controls mapped|1 target controls covered

Ghana Cybersecurity Act

1 source controls mapped|1 target controls covered

FISMA

1 source controls mapped|1 target controls covered

NIST SP 800-53 Rev 5 MODERATE

1 source controls mapped|1 target controls covered

NIST SP 800-53 Rev 5 LOW

1 source controls mapped|1 target controls covered

Vietnam PDPD

1 source controls mapped|1 target controls covered

Turkey KVKK

1 source controls mapped|1 target controls covered

TCFD Recommendations

1 source controls mapped|1 target controls covered

SASB Standards

1 source controls mapped|1 target controls covered

Qatar DPL

1 source controls mapped|1 target controls covered

Privacy Act 2020

1 source controls mapped|1 target controls covered

Privacy Act 1988 (Australia)

1 source controls mapped|1 target controls covered

POPIA

1 source controls mapped|1 target controls covered

Personal Data Act (personopplysningsloven)

1 source controls mapped|1 target controls covered

PDPA Thailand

1 source controls mapped|1 target controls covered

PDPA Singapore

1 source controls mapped|1 target controls covered

Oregon Consumer Privacy Act

1 source controls mapped|1 target controls covered

OECD AI Principles

1 source controls mapped|1 target controls covered

NRF Cybersecurity and Data Privacy Framework (National Retail Federation)

1 source controls mapped|1 target controls covered

NIST SP 800-122

1 source controls mapped|1 target controls covered

NIST Privacy Framework

1 source controls mapped|1 target controls covered

Nigeria Data Protection Regulation (NDPR)

1 source controls mapped|1 target controls covered

New Jersey Data Privacy Act

1 source controls mapped|1 target controls covered

New Hampshire Data Privacy Act

1 source controls mapped|1 target controls covered

Montana Consumer Data Privacy Act

1 source controls mapped|1 target controls covered

Minnesota Consumer Data Privacy Act

1 source controls mapped|1 target controls covered

Mexico LFPDPPP

1 source controls mapped|1 target controls covered

Mauritius DPA

1 source controls mapped|1 target controls covered

Maryland Online Data Privacy Act of 2024

1 source controls mapped|1 target controls covered

Malaysia PDPA 2010

1 source controls mapped|1 target controls covered

Liechtenstein DPA

1 source controls mapped|1 target controls covered

LGPD

1 source controls mapped|1 target controls covered

Ley Orgánica de Protección de Datos Personales (LOPDP)

1 source controls mapped|1 target controls covered

Law No. 172-13 on the Protection of Personal Data

1 source controls mapped|1 target controls covered

Kentucky Consumer Data Protection Act

1 source controls mapped|1 target controls covered

Japan AI Guidelines

1 source controls mapped|1 target controls covered

Jamaica Data Protection Act 2020

1 source controls mapped|1 target controls covered

ISSB Standards

1 source controls mapped|1 target controls covered

Iowa Consumer Data Protection Act

1 source controls mapped|1 target controls covered

Indonesia PDP Law

1 source controls mapped|1 target controls covered

Indiana Consumer Data Protection Act

1 source controls mapped|1 target controls covered

India DPDP Act

1 source controls mapped|1 target controls covered

IEEE 7000

1 source controls mapped|1 target controls covered

Iceland Data Protection and Processing of Personal Data Act (Act No. 90/2018)

1 source controls mapped|1 target controls covered

GRI Standards

1 source controls mapped|1 target controls covered

Global Cross-Border Privacy Rules (Global CBPR) Forum

1 source controls mapped|1 target controls covered

Family Educational Rights and Privacy Act (FERPA)

1 source controls mapped|1 target controls covered

ISO 14001

1 source controls mapped|1 target controls covered

US Children's Online Privacy Protection Act (COPPA) and COPPA 2.0 Proposed Updates

1 source controls mapped|1 target controls covered

Compare FedRAMP High with AWS Well-Architected Security Pillar

Frequently Asked Questions

What is FedRAMP High?

FedRAMP High is a compliance framework from United States with 1 domains and 417 controls. FedRAMP High baseline, based on NIST SP 800-53 Revision 5, includes all 421 security controls with FedRAMP-specific tailoring and implementation guidance. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does FedRAMP High have?

FedRAMP High has 417 controls organised across 1 domains. The largest domains are Other (417 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does FedRAMP High map to?

FedRAMP High maps to 250 other compliance frameworks. The top mapping partners are AWS Well-Architected Security Pillar (1% coverage), Azure Security Benchmark (1% coverage), ISO 27701:2019 (1% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with FedRAMP High compliance?

Start your FedRAMP High compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FedRAMP High requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 417 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required