forked from FedRAMP/docs-legacy
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathFRMR.LOW.20x-low-pilot.json
More file actions
2446 lines (2446 loc) · 85.2 KB
/
Copy pathFRMR.LOW.20x-low-pilot.json
File metadata and controls
2446 lines (2446 loc) · 85.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
{
"info": {
"name": "FedRAMP 20x Combined Requirements",
"short_name": "FRMR-LOW",
"current_release": "25.06A",
"types": [
"FRR",
"FRD",
"FRA"
],
"releases": [
{
"id": "25.06A",
"published_date": "2025-06-17",
"description": "Combined FedRAMP 20x Low Requirements"
}
]
},
"FRR": {
"SCN": {
"base": {
"id": "FRR-SCN",
"application": "These requirements apply ALWAYS to ALL _significant changes_ based on current Effective Date(s) and Overall Applicability",
"referenced_fr": [
"FRD-SCN-01"
],
"requirements": [
{
"id": "FRR-SCN-01",
"statement": "Providers MUST notify all necessary parties when Significant Change Notifications are required, including at least FedRAMP and all agency customers. Providers MAY share Significant Change Notifications publicly or with other parties.",
"affects": [
"Providers"
],
"primary_key_word": "MUST"
},
{
"id": "FRR-SCN-02",
"statement": "Providers MUST follow the procedures documented in their security plan to plan, evaluate, test, perform, assess, and document changes.",
"affects": [
"Providers"
],
"primary_key_word": "MUST"
},
{
"id": "FRR-SCN-03",
"statement": "Providers MUST evaluate and type label all _significant changes_, then follow FedRAMP requirements for the type.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRD-SCN-01"
]
},
{
"id": "FRR-SCN-04",
"statement": "Providers MUST maintain auditable records of these activities and make them available to all necessary parties.",
"affects": [
"Providers"
],
"primary_key_word": "MUST"
},
{
"id": "FRR-SCN-05",
"statement": "Providers MUST keep historical Significant Change Notifications available to all necessary parties at least until the service completes its next annual assessment.",
"affects": [
"Providers"
],
"primary_key_word": "MUST"
},
{
"id": "FRR-SCN-06",
"statement": "All parties SHOULD follow FedRAMP's best practices and technical assistance on _significant change_ assessment and notification where applicable.",
"affects": [
"Providers",
"Agencies",
"3PAOs"
],
"primary_key_word": "SHOULD",
"referenced_fr": [
"FRD-SCN-01"
]
},
{
"id": "FRR-SCN-07",
"statement": "Providers MAY notify necessary parties in a variety of ways as long as the mechanism for notification is clearly documented and easily accessible.",
"affects": [
"Providers"
],
"primary_key_word": "MAY",
"is_interim": true
},
{
"id": "FRR-SCN-08",
"statement": "Providers MUST make ALL Significant Change Notifications and related audit records available in similar human-readable and compatible machine-readable formats.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"is_interim": true
},
{
"id": "FRR-SCN-09",
"statement": "Providers MUST include at least the following information in Significant Change Notifications:",
"following_information": [
"Service Offering FedRAMP ID",
"3PAO Name (if applicable)",
"Related POA&M (if applicable)",
"Significant Change type and explanation of categorization",
"Short description of change",
"Reason for change",
"Summary of customer impact, including changes to services and customer configuration responsibilities",
"Plan and timeline for the change, including for the verification, assessment, and/or validation of impacted Key Security Indicators or controls",
"Copy of the business or security impact analysis",
"Name and title of approver"
],
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"is_interim": true
},
{
"id": "FRR-SCN-10",
"statement": "Providers MAY include additional relevant information in Significant Change Notifications.",
"affects": [
"Providers"
],
"primary_key_word": "MAY",
"is_interim": true
}
]
},
"exceptions": {
"application": "These exceptions MAY override some or all of the FedRAMP requirements for this standard.",
"id": "FRR-SCN-EX",
"requirements": [
{
"id": "FRR-SCN-EX-01",
"statement": "Providers MAY be required to delay _significant changes_ beyond the standard Significant Change Notification period and/or submit _significant changes_ for approval in advance as a condition of a formal FedRAMP Corrective Action Plan or other agreement.",
"affects": [
"Providers"
],
"primary_key_word": "MAY",
"referenced_fr": [
"FRD-SCN-01"
]
},
{
"id": "FRR-SCN-EX-02",
"statement": "Providers MAY execute _significant changes_ (including _transformative_ changes) during an emergency or incident without meeting Significant Change Notification requirements in advance ONLY if absolutely necessary. In such emergencies, providers MUST follow all relevant procedures, notify all necessary parties, retroactively provide all Significant Change Notification materials, and complete appropriate assessment after the incident.",
"affects": [
"Providers"
],
"primary_key_word": "MAY",
"referenced_fr": [
"FRD-SCN-01"
]
}
]
},
"routine_recurring": {
"application": "These requirements apply ONLY to _significant changes_ of type _routine recurring_.",
"id": "FRR-SCN-RR",
"referenced_fr": [
"FRD-SCN-01",
"FRD-SCN-02"
],
"requirements": [
{
"id": "FRR-SCN-RR-01",
"statement": "Providers SHOULD NOT make formal Significant Change Notifications for _routine recurring_ changes; this type of change is exempted from the notification requirements of this standard.",
"affects": [
"Providers"
],
"primary_key_word": "SHOULD NOT",
"referenced_fr": [
"FRD-SCN-02"
]
}
]
},
"adaptive": {
"application": "These requirements apply ONLY to _significant changes_ of type _adaptive_.",
"id": "FRR-SCN-AD",
"referenced_fr": [
"FRD-SCN-01",
"FRD-SCN-03"
],
"requirements": [
{
"id": "FRR-SCN-AD-01",
"statement": "Providers MUST notify all necessary parties within ten business days after finishing _adaptive_ changes, also including the following information:",
"following_information": [
"Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)"
],
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRD-SCN-03"
]
}
]
},
"transformative": {
"application": "These requirements apply ONLY to _significant changes_ of type _transformative_.",
"id": "FRR-SCN-TF",
"referenced_fr": [
"FRD-SCN-01",
"FRD-SCN-04"
],
"requirements": [
{
"id": "FRR-SCN-TF-01",
"statement": "Providers SHOULD engage a third-party assessor to review the scope and impact of the planned change before starting _transformative_ changes if human validation is necessary. This review SHOULD be limited to security decisions that require human validation. Providers MUST document this decision and justification.",
"affects": [
"Providers"
],
"primary_key_word": "SHOULD",
"is_interim": true,
"referenced_fr": [
"FRD-SCN-04"
]
},
{
"id": "FRR-SCN-TF-02",
"statement": "Providers MUST notify all necessary parties of initial plans for _transformative_ changes at least 30 business days before starting _transformative_ changes.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRD-SCN-04"
]
},
{
"id": "FRR-SCN-TF-03",
"statement": "Providers MUST notify all necessary parties of final plans for _transformative_ changes at least 10 business days before starting _transformative_ changes.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRD-SCN-04"
]
},
{
"id": "FRR-SCN-TF-04",
"statement": "Providers MUST notify all necessary parties within 5 business days after finishing _transformative_ changes, also including the following information:",
"following_information": [
"Updates to all previously sent information"
],
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRD-SCN-04"
]
},
{
"id": "FRR-SCN-TF-05",
"statement": "Providers MUST notify all necessary parties within 5 business days after completing the verification, assessment, and/or validation of _transformative_ changes, also including the following information:",
"following_information": [
"Updates to all previously sent information",
"Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)",
"Copy of the security assessment report (if applicable)"
],
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRD-SCN-04"
]
},
{
"id": "FRR-SCN-TF-06",
"statement": "Providers MUST publish updated service documentation and other materials to reflect _transformative_ changes within 30 business days after finishing _transformative_ changes.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRD-SCN-04"
]
},
{
"id": "FRR-SCN-TF-07",
"statement": "Providers MUST allow agency customers to OPT OUT of _transformative_ changes whenever feasible.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRD-SCN-04"
]
}
]
},
"impact": {
"application": "These requirements apply ONLY to _significant changes_ of type _impact categorization_.",
"id": "FRR-SCN-IM",
"referenced_fr": [
"FRD-SCN-01",
"FRD-SCN-05"
],
"requirements": [
{
"id": "FRR-SCN-IM-01",
"statement": "Providers MUST follow the legacy Significant Change Request process or full re-authorization for _impact categorization_ changes, with advance approval from an identified lead agency, until further notice.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"is_interim": true,
"referenced_fr": [
"FRD-SCN-05"
]
}
]
}
},
"MAS": {
"base": {
"application": "These requirements apply ALWAYS to ALL FedRAMP authorizations based on the Effective Date(s) and Overall Applicability.",
"id": "FRR-MAS",
"requirements": [
{
"id": "FRR-MAS-01",
"statement": "Providers MUST identify a set of _information resources_ to assess for FedRAMP authorization that includes all _information resources_ that are likely to _handle_ _federal information_ or _likely_ to impact the confidentiality, integrity, or availability of _federal information_ _handled_ by the _cloud service offering_.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRD-MAS-01",
"FRD-MAS-02",
"FRD-MAS-03",
"FRD-MAS-04"
]
},
{
"id": "FRR-MAS-02",
"statement": "Providers MUST include the configuration and usage of _third-party information resources_, ONLY IF _FRR-MAS-01_ APPLIES.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRR-MAS-01",
"FRD-MAS-05"
]
},
{
"id": "FRR-MAS-03",
"statement": "Providers MUST clearly identify and document the justification, mitigation measures, compensating controls, and potential impact to _federal information_ from the configuration and usage of non-FedRAMP authorized _third-party information resources_, ONLY IF _FRR-MAS-01_ APPLIES.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRR-MAS-01",
"FRD-MAS-01",
"FRD-MAS-05"
]
},
{
"id": "FRR-MAS-04",
"statement": "Providers MUST include metadata (including metadata about _federal information_), ONLY IF _FRR-MAS-01_ APPLIES.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRR-MAS-01",
"FRD-MAS-01"
]
},
{
"id": "FRR-MAS-05",
"statement": "Providers MUST clearly identify, document, and explain information flows and impact levels for ALL _information resources_, ONLY IF _FRR-MAS-01_ APPLIES.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRR-MAS-01",
"FRD-MAS-02"
]
}
]
},
"exceptions": {
"application": "These exceptions MAY override some or all of the FedRAMP requirements for this standard.",
"id": "FRR-MAS-EX",
"requirements": [
{
"id": "FRR-MAS-EX-01",
"statement": "Providers MAY include documentation of _information resources_ beyond the _cloud service offering, or even entirely outside the scope of FedRAMP, in a FedRAMP assessment and authorization package supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the _cloud service offering_.",
"affects": [
"Providers"
],
"primary_key_word": "MAY",
"referenced_fr": [
"FRD-MAS-02"
]
}
]
},
"application": {
"application": "These rules provide general guidance on the application of this standard.",
"id": "FRR-MAS-AY",
"requirements": [
{
"id": "FRR-MAS-AY-01",
"statement": "Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the _cloud service offering_ for FedRAMP. For more, see fedramp.gov/scope.",
"affects": [
"All"
],
"primary_key_word": "MUST",
"reference": "Overall Scope of FedRAMP",
"reference_url": "http://fedramp.gov/scope"
},
{
"id": "FRR-MAS-AY-02",
"statement": "Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore not included in the _cloud service offering_ for FedRAMP. For more, see fedramp.gov/scope.",
"affects": [
"All"
],
"primary_key_word": "MUST",
"reference": "Overall Scope of FedRAMP",
"reference_url": "http://fedramp.gov/scope"
},
{
"id": "FRR-MAS-AY-03",
"statement": "_Information resources_ (including _third-party information resources_) that do not meet the conditions in FRR-MAS-01 are not included in the _cloud service offering_ for FedRAMP(_FRR-MAS-02_).",
"affects": [
"All"
],
"primary_key_word": "MUST",
"referenced_fr": [
"FRR-MAS-01",
"FRR-MAS-02",
"FRD-MAS-02",
"FRD-MAS-05"
]
},
{
"id": "FRR-MAS-AY-04",
"statement": "_Information resources_ (including _third-party information resources_+_) MAY vary by impact level as appropriate to the level of information _handled_ or impacted by the information resource (_FRR-MAS-05_).",
"affects": [
"All"
],
"primary_key_word": "MAY",
"referenced_fr": [
"FRR-MAS-05",
"FRD-MAS-02",
"FRD-MAS-03",
"FRD-MAS-05"
]
},
{
"id": "FRR-MAS-AY-05",
"statement": "All parties SHOULD review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Standard as needed.",
"affects": [
"All"
],
"primary_key_word": "SHOULD"
},
{
"id": "FRR-MAS-AY-06",
"statement": "All aspects of the _cloud service offering_ are determined and maintained by the cloud service provider in accordance with related FedRAMP authorization requirements and documented by the cloud service provider in their assessment and authorization materials.",
"affects": [
"Providers"
],
"primary_key_word": "MUST"
}
]
}
},
"KSI": {
"base": {
"application": "These requirements apply ALWAYS to ALL FedRAMP 20x authorizations based on the Effective Date(s) and Overall Applicability.",
"id": "FRR-KSI",
"requirements": [
{
"id": "FRR-KSI-01",
"statement": "Cloud service providers MUST apply ALL Key Security Indicators to ALL aspects of their cloud service offering that are within the FedRAMP Minimum Assessment Scope.",
"affects": [
"Providers"
],
"primary_key_word": "MUST",
"referenced_rules": [
"FRR-MAS-01"
]
},
{
"id": "FRR-KSI-02",
"statement": "All parties SHOULD follow FedRAMP's best practices and technical assistance on assessing Key Security Indicators where applicable.",
"affects": [
"Providers",
"Agencies",
"3PAOs"
],
"primary_key_word": "SHOULD"
},
{
"id": "FRR-KSI-03",
"statement": "All parties SHOULD continuously monitor and review materials in the FedRAMP 20x Phase One (20xP1) pilot requirements and the 20x Community Working Group. Additional details, interim best practices and technical assistance, answers to common questions, and more will be provided asynchronously during 20xP1.",
"affects": [
"Providers",
"Agencies",
"3PAOs"
],
"primary_key_word": "SHOULD",
"is_interim": true
}
]
}
}
},
"FRD": {
"SCN": [
{
"id": "FRD-SCN-01",
"term": "Significant change",
"definition": "Has the meaning given in NIST SP 800-37 Rev. 2 which is \"a change that is _likely_ to substantively affect the security or privacy posture of a system.\"",
"reference": "NIST SP 800-37 Rev. 2",
"reference_url": "https://csrc.nist.gov/pubs/sp/800/37/r2/final",
"referenced_fr": [
"FRD-MAS-04"
]
},
{
"id": "FRD-SCN-02",
"term": "Routine Recurring",
"definition": "The type of _significant change_ that _regularly_ and routinely recurs as part of ongoing operations, vulnerability mitigation, or vulnerability remediation.",
"referenced_fr": [
"FRD-SCN-01",
"FRD-KSI-01"
]
},
{
"id": "FRD-SCN-03",
"term": "Adaptive",
"definition": "The type of _significant change_ that does not routinely recur but does not introduce substantive potential security risks that need to be assessed in depth.",
"note": "Adaptive changes typically require careful planning that focuses on engineering execution instead of customer adoption, can be verified with minor changes to existing automated validation procedures, and do not require large changes to operational procedures, deployment plans, or documentation.",
"referenced_fr": [
"FRD-SCN-01"
]
},
{
"id": "FRD-SCN-04",
"term": "Transformative",
"definition": "The type of _significant change_ that introduces substantive potential security risks that are _likely_ to affect existing risk determinations and must be assessed in depth.",
"note": "Transformative changes typically introduce major features or capabilities that may change how a customer uses the service (in whole or in part) and require extensive updates to security assessments, operational procedures, deployment plans, and documentation.",
"referenced_fr": [
"FRD-SCN-01",
"FRD-MAS-04"
]
},
{
"id": "FRD-SCN-05",
"term": "Impact Categorization",
"definition": "The type of _significant change_ that is _likely_ to increase or decrease the impact level categorization for the entire cloud service offering (e.g. from low to moderate or from high to moderate).",
"referenced_fr": [
"FRD-SCN-01",
"FRD-MAS-04"
]
},
{
"id": "FRD-SCN-06",
"term": "Interim Requirement",
"definition": "A temporary requirement included as part of a FedRAMP Pilot or Beta Test that will _likely_ be replaced, updated, or removed prior to the formal wide release of the requirement.",
"referenced_fr": [
"FRD-MAS-04"
]
}
],
"MAS": [
{
"id": "FRD-MAS-01",
"term": "Federal Information",
"definition": "Has the meaning from OMB Circular A-130 and any successor documents. As of Apr 2025, this means \"information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the federal government, in any medium or form.\"",
"note": "This typically does not include information that a cloud service provider produces outside of a government contract or agreement. Review FedRAMP's Technical Assistance and consult qualified legal experts for additional assistance identifying federal information.",
"reference": "OMB Circular A-130",
"reference_url": "https://whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf"
},
{
"id": "FRD-MAS-02",
"term": "Information Resource",
"definition": "Has the meaning from 44 USC § 3502 (6): \"information and related resources, such as personnel, equipment, funds, and information technology.\"",
"note": "This applies to any aspect of the cloud service offering, both technical and managerial, including everything that makes up the business of the offering from organizational policies and procedures to hardware, software, and code.",
"reference": "44 USC § 3502 (6)",
"reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502"
},
{
"id": "FRD-MAS-03",
"term": "Handle",
"definition": "Has the plain language meaning inclusive of any possible action taken with information, such as access, collect, control, create, display, disclose, disseminate, dispose, maintain, manipulate, process, receive, review, store, transmit, use... etc."
},
{
"id": "FRD-MAS-04",
"term": "Likely",
"definition": "A reasonable degree of probability based on context."
},
{
"id": "FRD-MAS-05",
"term": "Third-party Information Resource",
"definition": "Any _information resource_ that is not entirely included in the assessment for the _cloud service offering_ seeking authorization.",
"referenced_fr": [
"FRD-SCN-02"
]
},
{
"id": "FRD-MAS-06",
"term": "Cloud Service Offering",
"definition": "A specific, packaged cloud computing product or service provided by a cloud service provider that can be used by a customer. FedRAMP assessment and authorization of the cloud computing product or service is based on the Minimum Assessment Standard."
}
],
"KSI": [
{
"id": "FRD-KSI-01",
"term": "Regularly",
"definition": "Performing the activity on a consistent, predictable, and repeated basis, at set intervals, automatically if possible, following a documented plan. These intervals may vary as appropriate between different requirements."
}
]
},
"FRA": {
"SCN": {
"id": "FRA-SCN",
"disclaimer": "Every cloud service provider is different, every architecture is different, and every environment is different. Best practices and technical assistance MUST NOT be used as a checklist. All examples are for discussion purposes ONLY.",
"purpose": "This Technical Assistance helps stakeholders evaluate and label _significant changes_ by type as required by _FRR-SCN-03_. This assistance is designed for the 20x Phase One Pilot and Rev5 Closed Beta Balance Improvement Test. The Significant Change Notification Requirements will be tested, evaluated, and improved in partnership with stakeholders based on real-world experience.",
"requirements": [
{
"id": "FRA-SCN-03",
"applies_to": "FRR-SCN-03",
"statement": "Once a change has been identified as a _significant change_ in general, FedRAMP recommends next determining if a change is of the type _routine recurring_. If it is not, work down from the highest impact to lowest to identify the type of change.\n\n1. Is it a _significant change_?\n2. If it is, is it a _routine recurring_ change?\n3. If it is not, is it an _impact categorization_ change?\n4. If it is not, is it a _transformative_ change?\n5. If it is not, then it is an _adaptive_ change."
},
{
"id": "FRA-SCN-RR",
"applies_to": "FRR-SCN-RR",
"statement": "Activities that match the _routine recurring_ _significant change_ type are performed _regularly_ and routinely by cloud service providers to address flaws or vulnerabilities, address incidents, and generally perform the typical maintenance and service delivery changes expected during day-to-day operations.\n\nThese changes leverage mature processes and capabilities to identify, mitigate, and remediate risks as part of the change. They are often entirely automated and may occur without human intervention, even though they have an impact on security of the service.\n\nIf the activity does not occur _regularly_ and routinely then it cannot be a _significant change_ of this type (e.g., replacing all physical firewalls to remediate a vulnerability is obviously not regular or routine).",
"examples": [
{
"id": "Ongoing operations",
"key_tests": [
"Routine care and feeding by staff during normal duties",
"No major impact to service availability",
"Does not require executive approval"
],
"examples": [
"Provisioning or deprovisioning capacity to support service elasticity",
"Changing or tuning performance configurations for instances or services",
"Updating and maintaining operational handling of information flows and protection across physical and logical networks (e.g., updating firewall rules)",
"Generating or refreshing API or access tokens"
]
},
{
"id": "Vulnerability Management",
"key_tests": [
"Minor, incremental patching or updates",
"Significant refactoring or migration process NOT required",
"No breaking changes"
],
"examples": [
"Updating security service or endpoint signatures",
"Routine patching of devices, operating systems, software or libraries",
"Updating and deploying code that applies normal fixes and improvements as part of a regular development cycle",
"Vulnerability remediation activity that simply replaces a known-bad component(s) with a better version of the exact same thing, running in the exact same way with no changes to processes"
]
}
]
},
{
"id": "FRA-SCN-TF",
"applies_to": "FRR-SCN-TF",
"statement": "Activities that match the _transformative_ _significant change_ type are rare for a cloud service offering, adjusted for the size, scale, and complexity of the service. Small cloud service offerings may go years without _transformative_ changes, while hyperscale providers may release multiple _transformative_ changes per year.",
"examples": [
{
"id": "Transformative changes",
"key_tests": [
"Alters the service risk profile or require new or significantly different actions to address customer responsibilities",
"Requires significant new design, development and testing with discrete associated project planning, budget, marketing, etc.",
"Requires extensive updates to security assessments, documentation, and how a large number of security requirements are met and validated"
],
"examples": [
"The addition, removal, or replacement of a critical third party service that handles a significant portion of information (e.g., IaaS change)",
"Increasing the security categorization of a service within the offering that actively handles federal information (does NOT include impact change of entire offering - see impact categorization change)",
"Replacement of underlying management planes or paradigm shift in workload orchestration (e.g., bare-metal servers or virtual machines to containers, migration to kubernetes)",
"Datacenter migration where large amounts of federal information is moved across boundaries different from normal day-to-day operations",
"Adding a new AI-based capability that impacts federal information in a different way than existing services or capabilities (such as integrating a new third-party service or training on federal information)"
]
}
]
},
{
"id": "FRA-SCN-AD",
"applies_to": "FRR-SCN-AD",
"statement": "Activities that match the _adaptive_ _significant change_ type are a frequent and normal part of iteratively improving a service by deploying new functionality or modifying existing functionality in a way that is typically transparent to customers and does not introduce significant new security risks.\n\nIn general, most changes that do not happen _regularly_ will be _adaptive_ changes. This change type deliberately covers a wide range of activities in a way that requires assessment and consideration.",
"examples": [
{
"id": "Service adjustments",
"key_tests": [
"Requires minimal changes to security plans or procedures",
"Requires some careful planning and project management to implement, but does not rise to the level of planning required for transformative changes",
"Requires verification of existing functionality and secure configuration after implementation"
],
"examples": [
"Updates to operating systems, containers, virtual machines, software or libraries with known breaking changes, complex steps, or service disruption",
"Deploying larger than normal incremental feature improvements in code or libraries that are the work of multiple weeks of development efforts but are not considered a major new service",
"Changing cryptographic modules where the new module meets the same standards and characteristics of the former",
"Replacing a like-for-like component where some security plan or procedure adjustments are required (e.g., scanning tool or managed database swap)",
"Adding models to existing approved AI services without exposing federal information to new services"
]
}
]
}
]
}
},
"KSI": {
"CED": {
"id": "KSI-CED",
"name": "Cybersecurity Education",
"indicator": "A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly to ensure their knowledge is satisfactory.",
"requirements": [
{
"id": "KSI-CED-01",
"statement": "Ensure all employees receive security awareness training",
"applied_impact_levels": [
"Low"
],
"controls": [
{
"control_id": "at-2",
"title": "Literacy Training and Awareness"
},
{
"control_id": "at-2.2",
"title": "Insider Threat"
},
{
"control_id": "at-2.3",
"title": "Social Engineering and Mining"
},
{
"control_id": "at-4",
"title": "Training Records"
}
]
},
{
"id": "KSI-CED-02",
"statement": "Require role-specific training for high risk roles, including at least roles with privileged access",
"applied_impact_levels": [
"Low"
],
"controls": [
{
"control_id": "at-2",
"title": "Literacy Training and Awareness"
},
{
"control_id": "at-3",
"title": "Role-based Training"
},
{
"control_id": "sr-11.1",
"title": "Anti-counterfeit Training"
}
]
}
]
},
"CMT": {
"id": "KSI-CMT",
"name": "Change Management",
"indicator": "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly.",
"requirements": [
{
"id": "KSI-CMT-01",
"statement": "Log and monitor system modifications",
"applied_impact_levels": [
"Low"
],
"controls": [
{
"control_id": "au-2",
"title": "Event Logging"
},
{
"control_id": "cm-3",
"title": "Configuration Change Control"
},
{
"control_id": "cm-4.2",
"title": "Verification of Controls"
},
{
"control_id": "cm-6",
"title": "Configuration Settings"
},
{
"control_id": "ma-2",
"title": "Controlled Maintenance"
}
]
},
{
"id": "KSI-CMT-02",
"statement": "Execute changes though redeployment of version controlled immutable resources rather than direct modification wherever possible",
"applied_impact_levels": [
"Low"
],
"controls": [
{
"control_id": "cm-2",
"title": "Baseline Configuration"
},
{
"control_id": "cm-3",
"title": "Configuration Change Control"
},
{
"control_id": "cm-5",
"title": "Access Restrictions for Change"
},
{
"control_id": "cm-6",
"title": "Configuration Settings"
},
{
"control_id": "cm-7",
"title": "Least Functionality"
},
{
"control_id": "cm-8.1",
"title": "Updates During Installation and Removal"
},
{
"control_id": "si-3",
"title": "Malicious Code Protection"
}
]
},
{
"id": "KSI-CMT-03",
"statement": "Implement automated testing and validation of changes prior to deployment",
"applied_impact_levels": [
"Low"
],
"controls": [
{
"control_id": "cm-3",
"title": "Configuration Change Control"
},
{
"control_id": "cm-3.2",
"title": "Testing, Validation, and Documentation of Changes"
},
{
"control_id": "si-2",
"title": "Flaw Remediation"
}
]
},
{
"id": "KSI-CMT-04",
"statement": "Have a documented change management procedure",
"applied_impact_levels": [
"Low"
],
"controls": [
{
"control_id": "cm-3",
"title": "Configuration Change Control"
},
{
"control_id": "cm-3.4",
"title": "Security and Privacy Representatives"
},
{
"control_id": "cm-5",
"title": "Access Restrictions for Change"
},
{
"control_id": "cm-7.1",
"title": "Periodic Review"
},
{
"control_id": "cm-9",
"title": "Configuration Management Plan"
}
]
},
{
"id": "KSI-CMT-05",
"statement": "Evaluate the risk and potential impact of any change",
"applied_impact_levels": [
"Low"
],
"controls": [
{
"control_id": "ca-7.4",
"title": "Risk Monitoring"
},
{
"control_id": "cm-3.4",
"title": "Security and Privacy Representatives"
},
{
"control_id": "cm-4",
"title": "Impact Analyses"
},
{
"control_id": "si-2",
"title": "Flaw Remediation"
}
]
}
]
},
"CNA": {
"id": "KSI-CNA",
"name": "Cloud Native Architecture",
"indicator": "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system.",
"requirements": [
{
"id": "KSI-CNA-01",
"statement": "Configure ALL information resources to limit inbound and outbound traffic",
"applied_impact_levels": [
"Low"
],
"controls": [
{
"control_id": "ac-17.3",
"title": "Managed Access Control Points"
},
{
"control_id": "ca-9",
"title": "Internal System Connections"
}
]
},
{
"id": "KSI-CNA-02",
"statement": "Design systems to minimize the attack surface and minimize lateral movement if compromised",
"applied_impact_levels": [
"Low"
],
"controls": [
{
"control_id": "ac-17.3",
"title": "Managed Access Control Points"
},
{
"control_id": "ca-9",
"title": "Internal System Connections"
}
]
},
{
"id": "KSI-CNA-03",
"statement": "Use logical networking and related capabilities to enforce traffic flow controls",
"applied_impact_levels": [
"Low"
],
"controls": [
{
"control_id": "ac-17.3",
"title": "Managed Access Control Points"
},
{
"control_id": "ca-9",
"title": "Internal System Connections"
},
{
"control_id": "sc-7",
"title": "Boundary Protection"
}
]
},
{
"id": "KSI-CNA-04",
"statement": "Use immutable infrastructure with strictly defined functionality and privileges by default",
"applied_impact_levels": [
"Low"
],
"controls": [
{
"control_id": "cm-2",
"title": "Baseline Configuration"
},
{
"control_id": "si-3",
"title": "Malicious Code Protection"