ATO Pathways
FedRAMP Rev 5 High Baseline
An OSCAL Profile
410 controls organized in 18 groups
AC - Access Control
50 Controls
AC-1 - Policy and Procedures
AC-2 - Account Management
10 Subcontrols
AC-2.1 - Automated System Account Management
AC-2.2 - Automated Temporary and Emergency Account Management
AC-2.3 - Disable Accounts
AC-2.4 - Automated Audit Actions
AC-2.5 - Inactivity Logout
AC-2.7 - Privileged User Accounts
AC-2.9 - Restrictions on Use of Shared and Group Accounts
AC-2.11 - Usage Conditions
AC-2.12 - Account Monitoring for Atypical Usage
AC-2.13 - Disable Accounts for High-risk Individuals
AC-3 - Access Enforcement
AC-4 - Information Flow Enforcement
2 Subcontrols
AC-4.4 - Flow Control of Encrypted Information
AC-4.21 - Physical or Logical Separation of Information Flows
AC-5 - Separation of Duties
AC-6 - Least Privilege
8 Subcontrols
AC-6.1 - Authorize Access to Security Functions
AC-6.2 - Non-privileged Access for Nonsecurity Functions
AC-6.3 - Network Access to Privileged Commands
AC-6.5 - Privileged Accounts
AC-6.7 - Review of User Privileges
AC-6.8 - Privilege Levels for Code Execution
AC-6.9 - Log Use of Privileged Functions
AC-6.10 - Prohibit Non-privileged Users from Executing Privileged Functions
AC-7 - Unsuccessful Logon Attempts
AC-8 - System Use Notification
AC-10 - Concurrent Session Control
AC-11 - Device Lock
1 Subcontrol
AC-11.1 - Pattern-hiding Displays
AC-12 - Session Termination
AC-14 - Permitted Actions Without Identification or Authentication
AC-17 - Remote Access
4 Subcontrols
AC-17.1 - Monitoring and Control
AC-17.2 - Protection of Confidentiality and Integrity Using Encryption
AC-17.3 - Managed Access Control Points
AC-17.4 - Privileged Commands and Access
AC-18 - Wireless Access
4 Subcontrols
AC-18.1 - Authentication and Encryption
AC-18.3 - Disable Wireless Networking
AC-18.4 - Restrict Configurations by Users
AC-18.5 - Antennas and Transmission Power Levels
AC-19 - Access Control for Mobile Devices
1 Subcontrol
AC-19.5 - Full Device or Container-based Encryption
AC-20 - Use of External Systems
2 Subcontrols
AC-20.1 - Limits on Authorized Use
AC-20.2 - Portable Storage Devices — Restricted Use
AC-21 - Information Sharing
AC-22 - Publicly Accessible Content
AT - Awareness and Training
6 Controls
AT-1 - Policy and Procedures
AT-2 - Literacy Training and Awareness
2 Subcontrols
AT-2.2 - Insider Threat
AT-2.3 - Social Engineering and Mining
AT-3 - Role-based Training
AT-4 - Training Records
AU - Audit and Accountability
27 Controls
AU-1 - Policy and Procedures
AU-2 - Event Logging
AU-3 - Content of Audit Records
1 Subcontrol
AU-3.1 - Additional Audit Information
AU-4 - Audit Log Storage Capacity
AU-5 - Response to Audit Logging Process Failures
2 Subcontrols
AU-5.1 - Storage Capacity Warning
AU-5.2 - Real-time Alerts
AU-6 - Audit Record Review, Analysis, and Reporting
6 Subcontrols
AU-6.1 - Automated Process Integration
AU-6.3 - Correlate Audit Record Repositories
AU-6.4 - Central Review and Analysis
AU-6.5 - Integrated Analysis of Audit Records
AU-6.6 - Correlation with Physical Monitoring
AU-6.7 - Permitted Actions
AU-7 - Audit Record Reduction and Report Generation
1 Subcontrol
AU-7.1 - Automatic Processing
AU-8 - Time Stamps
AU-9 - Protection of Audit Information
3 Subcontrols
AU-9.2 - Store on Separate Physical Systems or Components
AU-9.3 - Cryptographic Protection
AU-9.4 - Access by Subset of Privileged Users
AU-10 - Non-repudiation
AU-11 - Audit Record Retention
AU-12 - Audit Record Generation
2 Subcontrols
AU-12.1 - System-wide and Time-correlated Audit Trail
AU-12.3 - Changes by Authorized Individuals
CA - Assessment, Authorization, and Monitoring
16 Controls
CA-1 - Policy and Procedures
CA-2 - Control Assessments
3 Subcontrols
CA-2.1 - Independent Assessors
CA-2.2 - Specialized Assessments
CA-2.3 - Leveraging Results from External Organizations
CA-3 - Information Exchange
1 Subcontrol
CA-3.6 - Transfer Authorizations
CA-5 - Plan of Action and Milestones
CA-6 - Authorization
CA-7 - Continuous Monitoring
2 Subcontrols
CA-7.1 - Independent Assessment
CA-7.4 - Risk Monitoring
CA-8 - Penetration Testing
2 Subcontrols
CA-8.1 - Independent Penetration Testing Agent or Team
CA-8.2 - Red Team Exercises
CA-9 - Internal System Connections
CM - Configuration Management
34 Controls
CM-1 - Policy and Procedures
CM-2 - Baseline Configuration
3 Subcontrols
CM-2.2 - Automation Support for Accuracy and Currency
CM-2.3 - Retention of Previous Configurations
CM-2.7 - Configure Systems and Components for High-risk Areas
CM-3 - Configuration Change Control
4 Subcontrols
CM-3.1 - Automated Documentation, Notification, and Prohibition of Changes
CM-3.2 - Testing, Validation, and Documentation of Changes
CM-3.4 - Security and Privacy Representatives
CM-3.6 - Cryptography Management
CM-4 - Impact Analyses
2 Subcontrols
CM-4.1 - Separate Test Environments
CM-4.2 - Verification of Controls
CM-5 - Access Restrictions for Change
2 Subcontrols
CM-5.1 - Automated Access Enforcement and Audit Records
CM-5.5 - Privilege Limitation for Production and Operation
CM-6 - Configuration Settings
2 Subcontrols
CM-6.1 - Automated Management, Application, and Verification
CM-6.2 - Respond to Unauthorized Changes
CM-7 - Least Functionality
3 Subcontrols
CM-7.1 - Periodic Review
CM-7.2 - Prevent Program Execution
CM-7.5 - Authorized Software — Allow-by-exception
CM-8 - System Component Inventory
4 Subcontrols
CM-8.1 - Updates During Installation and Removal
CM-8.2 - Automated Maintenance
CM-8.3 - Automated Unauthorized Component Detection
CM-8.4 - Accountability Information
CM-9 - Configuration Management Plan
CM-10 - Software Usage Restrictions
CM-11 - User-installed Software
CM-12 - Information Location
1 Subcontrol
CM-12.1 - Automated Tools to Support Information Location
CM-14 - Signed Components
CP - Contingency Planning
35 Controls
CP-1 - Policy and Procedures
CP-2 - Contingency Plan
5 Subcontrols
CP-2.1 - Coordinate with Related Plans
CP-2.2 - Capacity Planning
CP-2.3 - Resume Mission and Business Functions
CP-2.5 - Continue Mission and Business Functions
CP-2.8 - Identify Critical Assets
CP-3 - Contingency Training
1 Subcontrol
CP-3.1 - Simulated Events
CP-4 - Contingency Plan Testing
2 Subcontrols
CP-4.1 - Coordinate with Related Plans
CP-4.2 - Alternate Processing Site
CP-6 - Alternate Storage Site
3 Subcontrols
CP-6.1 - Separation from Primary Site
CP-6.2 - Recovery Time and Recovery Point Objectives
CP-6.3 - Accessibility
CP-7 - Alternate Processing Site
4 Subcontrols
CP-7.1 - Separation from Primary Site
CP-7.2 - Accessibility
CP-7.3 - Priority of Service
CP-7.4 - Preparation for Use
CP-8 - Telecommunications Services
4 Subcontrols
CP-8.1 - Priority of Service Provisions
CP-8.2 - Single Points of Failure
CP-8.3 - Separation of Primary and Alternate Providers
CP-8.4 - Provider Contingency Plan
CP-9 - System Backup
5 Subcontrols
CP-9.1 - Testing for Reliability and Integrity
CP-9.2 - Test Restoration Using Sampling
CP-9.3 - Separate Storage for Critical Information
CP-9.5 - Transfer to Alternate Storage Site
CP-9.8 - Cryptographic Protection
CP-10 - System Recovery and Reconstitution
2 Subcontrols
CP-10.2 - Transaction Recovery
CP-10.4 - Restore Within Time Period
IA - Identification and Authentication
30 Controls
IA-1 - Policy and Procedures
IA-2 - Identification and Authentication (Organizational Users)
6 Subcontrols
IA-2.1 - Multi-factor Authentication to Privileged Accounts
IA-2.2 - Multi-factor Authentication to Non-privileged Accounts
IA-2.5 - Individual Authentication with Group Authentication
IA-2.6 - Access to Accounts — Separate Device
IA-2.8 - Access to Accounts — Replay Resistant
IA-2.12 - Acceptance of PIV Credentials
IA-3 - Device Identification and Authentication
IA-4 - Identifier Management
1 Subcontrol
IA-4.4 - Identify User Status
IA-5 - Authenticator Management
6 Subcontrols
IA-5.1 - Password-based Authentication
IA-5.2 - Public Key-based Authentication
IA-5.6 - Protection of Authenticators
IA-5.7 - No Embedded Unencrypted Static Authenticators
IA-5.8 - Multiple System Accounts
IA-5.13 - Expiration of Cached Authenticators
IA-6 - Authentication Feedback
IA-7 - Cryptographic Module Authentication
IA-8 - Identification and Authentication (Non-organizational Users)
3 Subcontrols
IA-8.1 - Acceptance of PIV Credentials from Other Agencies
IA-8.2 - Acceptance of External Authenticators
IA-8.4 - Use of Defined Profiles
IA-11 - Re-authentication
IA-12 - Identity Proofing
4 Subcontrols
IA-12.2 - Identity Evidence
IA-12.3 - Identity Evidence Validation and Verification
IA-12.4 - In-person Validation and Verification
IA-12.5 - Address Confirmation
IR - Incident Response
24 Controls
IR-1 - Policy and Procedures
IR-2 - Incident Response Training
2 Subcontrols
IR-2.1 - Simulated Events
IR-2.2 - Automated Training Environments
IR-3 - Incident Response Testing
1 Subcontrol
IR-3.2 - Coordination with Related Plans
IR-4 - Incident Handling
5 Subcontrols
IR-4.1 - Automated Incident Handling Processes
IR-4.2 - Dynamic Reconfiguration
IR-4.4 - Information Correlation
IR-4.6 - Insider Threats
IR-4.11 - Integrated Incident Response Team
IR-5 - Incident Monitoring
1 Subcontrol
IR-5.1 - Automated Tracking, Data Collection, and Analysis
IR-6 - Incident Reporting
2 Subcontrols
IR-6.1 - Automated Reporting
IR-6.3 - Supply Chain Coordination
IR-7 - Incident Response Assistance
1 Subcontrol
IR-7.1 - Automation Support for Availability of Information and Support
IR-8 - Incident Response Plan
IR-9 - Information Spillage Response
3 Subcontrols
IR-9.2 - Training
IR-9.3 - Post-spill Operations
IR-9.4 - Exposure to Unauthorized Personnel
MA - Maintenance
12 Controls
MA-1 - Policy and Procedures
MA-2 - Controlled Maintenance
1 Subcontrol
MA-2.2 - Automated Maintenance Activities
MA-3 - Maintenance Tools
3 Subcontrols
MA-3.1 - Inspect Tools
MA-3.2 - Inspect Media
MA-3.3 - Prevent Unauthorized Removal
MA-4 - Nonlocal Maintenance
1 Subcontrol
MA-4.3 - Comparable Security and Sanitization
MA-5 - Maintenance Personnel
1 Subcontrol
MA-5.1 - Individuals Without Appropriate Access
MA-6 - Timely Maintenance
MP - Media Protection
10 Controls
MP-1 - Policy and Procedures
MP-2 - Media Access
MP-3 - Media Marking
MP-4 - Media Storage
MP-5 - Media Transport
MP-6 - Media Sanitization
3 Subcontrols
MP-6.1 - Review, Approve, Track, Document, and Verify
MP-6.2 - Equipment Testing
MP-6.3 - Nondestructive Techniques
MP-7 - Media Use
PE - Physical and Environmental Protection
26 Controls
PE-1 - Policy and Procedures
PE-2 - Physical Access Authorizations
PE-3 - Physical Access Control
1 Subcontrol
PE-3.1 - System Access
PE-4 - Access Control for Transmission
PE-5 - Access Control for Output Devices
PE-6 - Monitoring Physical Access
2 Subcontrols
PE-6.1 - Intrusion Alarms and Surveillance Equipment
PE-6.4 - Monitoring Physical Access to Systems
PE-8 - Visitor Access Records
1 Subcontrol
PE-8.1 - Automated Records Maintenance and Review
PE-9 - Power Equipment and Cabling
PE-10 - Emergency Shutoff
PE-11 - Emergency Power
1 Subcontrol
PE-11.1 - Alternate Power Supply — Minimal Operational Capability
PE-12 - Emergency Lighting
PE-13 - Fire Protection
2 Subcontrols
PE-13.1 - Detection Systems — Automatic Activation and Notification
PE-13.2 - Suppression Systems — Automatic Activation and Notification
PE-14 - Environmental Controls
1 Subcontrol
PE-14.2 - Monitoring with Alarms and Notifications
PE-15 - Water Damage Protection
1 Subcontrol
PE-15.1 - Automation Support
PE-16 - Delivery and Removal
PE-17 - Alternate Work Site
PE-18 - Location of System Components
PL - Planning
7 Controls
PL-1 - Policy and Procedures
PL-2 - System Security and Privacy Plans
PL-4 - Rules of Behavior
1 Subcontrol
PL-4.1 - Social Media and External Site/Application Usage Restrictions
PL-8 - Security and Privacy Architectures
PL-10 - Baseline Selection
PL-11 - Baseline Tailoring
PS - Personnel Security
11 Controls
PS-1 - Policy and Procedures
PS-2 - Position Risk Designation
PS-3 - Personnel Screening
1 Subcontrol
PS-3.3 - Information Requiring Special Protective Measures
PS-4 - Personnel Termination
1 Subcontrol
PS-4.2 - Automated Actions
PS-5 - Personnel Transfer
PS-6 - Access Agreements
PS-7 - External Personnel Security
PS-8 - Personnel Sanctions
PS-9 - Position Descriptions
RA - Risk Assessment
13 Controls
RA-1 - Policy and Procedures
RA-2 - Security Categorization
RA-3 - Risk Assessment
1 Subcontrol
RA-3.1 - Supply Chain Risk Assessment
RA-5 - Vulnerability Monitoring and Scanning
6 Subcontrols
RA-5.2 - Update Vulnerabilities to Be Scanned
RA-5.3 - Breadth and Depth of Coverage
RA-5.4 - Discoverable Information
RA-5.5 - Privileged Access
RA-5.8 - Review Historic Audit Logs
RA-5.11 - Public Disclosure Program
RA-7 - Risk Response
RA-9 - Criticality Analysis
SA - System and Services Acquisition
25 Controls
SA-1 - Policy and Procedures
SA-2 - Allocation of Resources
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
5 Subcontrols
SA-4.1 - Functional Properties of Controls
SA-4.2 - Design and Implementation Information for Controls
SA-4.5 - System, Component, and Service Configurations
SA-4.9 - Functions, Ports, Protocols, and Services in Use
SA-4.10 - Use of Approved PIV Products
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-9 - External System Services
3 Subcontrols
SA-9.1 - Risk Assessments and Organizational Approvals
SA-9.2 - Identification of Functions, Ports, Protocols, and Services
SA-9.5 - Processing, Storage, and Service Location
SA-10 - Developer Configuration Management
SA-11 - Developer Testing and Evaluation
2 Subcontrols
SA-11.1 - Static Code Analysis
SA-11.2 - Threat Modeling and Vulnerability Analyses
SA-15 - Development Process, Standards, and Tools
1 Subcontrol
SA-15.3 - Criticality Analysis
SA-16 - Developer-provided Training
SA-17 - Developer Security and Privacy Architecture and Design
SA-21 - Developer Screening
SA-22 - Unsupported System Components
SC - System and Communications Protection
35 Controls
SC-1 - Policy and Procedures
SC-2 - Separation of System and User Functionality
SC-3 - Security Function Isolation
SC-4 - Information in Shared System Resources
SC-5 - Denial-of-service Protection
SC-7 - Boundary Protection
10 Subcontrols
SC-7.3 - Access Points
SC-7.4 - External Telecommunications Services
SC-7.5 - Deny by Default — Allow by Exception
SC-7.7 - Split Tunneling for Remote Devices
SC-7.8 - Route Traffic to Authenticated Proxy Servers
SC-7.10 - Prevent Exfiltration
SC-7.12 - Host-based Protection
SC-7.18 - Fail Secure
SC-7.20 - Dynamic Isolation and Segregation
SC-7.21 - Isolation of System Components
SC-8 - Transmission Confidentiality and Integrity
1 Subcontrol
SC-8.1 - Cryptographic Protection
SC-10 - Network Disconnect
SC-12 - Cryptographic Key Establishment and Management
1 Subcontrol
SC-12.1 - Availability
SC-13 - Cryptographic Protection
SC-15 - Collaborative Computing Devices and Applications
SC-17 - Public Key Infrastructure Certificates
SC-18 - Mobile Code
SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
SC-21 - Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 - Architecture and Provisioning for Name/Address Resolution Service
SC-23 - Session Authenticity
SC-24 - Fail in Known State
SC-28 - Protection of Information at Rest
1 Subcontrol
SC-28.1 - Cryptographic Protection
SC-39 - Process Isolation
SC-45 - System Time Synchronization
1 Subcontrol
SC-45.1 - Synchronization with Authoritative Time Source
SI - System and Information Integrity
35 Controls
SI-1 - Policy and Procedures
SI-2 - Flaw Remediation
2 Subcontrols
SI-2.2 - Automated Flaw Remediation Status
SI-2.3 - Time to Remediate Flaws and Benchmarks for Corrective Actions
SI-3 - Malicious Code Protection
SI-4 - System Monitoring
14 Subcontrols
SI-4.1 - System-wide Intrusion Detection System
SI-4.2 - Automated Tools and Mechanisms for Real-time Analysis
SI-4.4 - Inbound and Outbound Communications Traffic
SI-4.5 - System-generated Alerts
SI-4.10 - Visibility of Encrypted Communications
SI-4.11 - Analyze Communications Traffic Anomalies
SI-4.12 - Automated Organization-generated Alerts
SI-4.14 - Wireless Intrusion Detection
SI-4.16 - Correlate Monitoring Information
SI-4.18 - Analyze Traffic and Covert Exfiltration
SI-4.19 - Risk for Individuals
SI-4.20 - Privileged Users
SI-4.22 - Unauthorized Network Services
SI-4.23 - Host-based Devices
SI-5 - Security Alerts, Advisories, and Directives
1 Subcontrol
SI-5.1 - Automated Alerts and Advisories
SI-6 - Security and Privacy Function Verification
SI-7 - Software, Firmware, and Information Integrity
5 Subcontrols
SI-7.1 - Integrity Checks
SI-7.2 - Automated Notifications of Integrity Violations
SI-7.5 - Automated Response to Integrity Violations
SI-7.7 - Integration of Detection and Response
SI-7.15 - Code Authentication
SI-8 - Spam Protection
1 Subcontrol
SI-8.2 - Automatic Updates
SI-10 - Information Input Validation
SI-11 - Error Handling
SI-12 - Information Management and Retention
SI-16 - Memory Protection
SR - Supply Chain Risk Management
14 Controls
SR-1 - Policy and Procedures
SR-2 - Supply Chain Risk Management Plan
1 Subcontrol
SR-2.1 - Establish SCRM Team
SR-3 - Supply Chain Controls and Processes
SR-5 - Acquisition Strategies, Tools, and Methods
SR-6 - Supplier Assessments and Reviews
SR-8 - Notification Agreements
SR-9 - Tamper Resistance and Detection
1 Subcontrol
SR-9.1 - Multiple Stages of System Development Life Cycle
SR-10 - Inspection of Systems or Components
SR-11 - Component Authenticity
2 Subcontrols
SR-11.1 - Anti-counterfeit Training
SR-11.2 - Configuration Control for Component Service and Repair
SR-12 - Component Disposal