ATO Pathways
FedRAMP Rev 5 Moderate Baseline
An OSCAL Profile
323 controls organized in 18 groups
AC - Access Control
43 Controls
AC-1 - Policy and Procedures
AC-2 - Account Management
9 Subcontrols
AC-2.1 - Automated System Account Management
AC-2.2 - Automated Temporary and Emergency Account Management
AC-2.3 - Disable Accounts
AC-2.4 - Automated Audit Actions
AC-2.5 - Inactivity Logout
AC-2.7 - Privileged User Accounts
AC-2.9 - Restrictions on Use of Shared and Group Accounts
AC-2.12 - Account Monitoring for Atypical Usage
AC-2.13 - Disable Accounts for High-risk Individuals
AC-3 - Access Enforcement
AC-4 - Information Flow Enforcement
1 Subcontrol
AC-4.21 - Physical or Logical Separation of Information Flows
AC-5 - Separation of Duties
AC-6 - Least Privilege
6 Subcontrols
AC-6.1 - Authorize Access to Security Functions
AC-6.2 - Non-privileged Access for Nonsecurity Functions
AC-6.5 - Privileged Accounts
AC-6.7 - Review of User Privileges
AC-6.9 - Log Use of Privileged Functions
AC-6.10 - Prohibit Non-privileged Users from Executing Privileged Functions
AC-7 - Unsuccessful Logon Attempts
AC-8 - System Use Notification
AC-11 - Device Lock
1 Subcontrol
AC-11.1 - Pattern-hiding Displays
AC-12 - Session Termination
AC-14 - Permitted Actions Without Identification or Authentication
AC-17 - Remote Access
4 Subcontrols
AC-17.1 - Monitoring and Control
AC-17.2 - Protection of Confidentiality and Integrity Using Encryption
AC-17.3 - Managed Access Control Points
AC-17.4 - Privileged Commands and Access
AC-18 - Wireless Access
2 Subcontrols
AC-18.1 - Authentication and Encryption
AC-18.3 - Disable Wireless Networking
AC-19 - Access Control for Mobile Devices
1 Subcontrol
AC-19.5 - Full Device or Container-based Encryption
AC-20 - Use of External Systems
2 Subcontrols
AC-20.1 - Limits on Authorized Use
AC-20.2 - Portable Storage Devices — Restricted Use
AC-21 - Information Sharing
AC-22 - Publicly Accessible Content
AT - Awareness and Training
6 Controls
AT-1 - Policy and Procedures
AT-2 - Literacy Training and Awareness
2 Subcontrols
AT-2.2 - Insider Threat
AT-2.3 - Social Engineering and Mining
AT-3 - Role-based Training
AT-4 - Training Records
AU - Audit and Accountability
16 Controls
AU-1 - Policy and Procedures
AU-2 - Event Logging
AU-3 - Content of Audit Records
1 Subcontrol
AU-3.1 - Additional Audit Information
AU-4 - Audit Log Storage Capacity
AU-5 - Response to Audit Logging Process Failures
AU-6 - Audit Record Review, Analysis, and Reporting
2 Subcontrols
AU-6.1 - Automated Process Integration
AU-6.3 - Correlate Audit Record Repositories
AU-7 - Audit Record Reduction and Report Generation
1 Subcontrol
AU-7.1 - Automatic Processing
AU-8 - Time Stamps
AU-9 - Protection of Audit Information
1 Subcontrol
AU-9.4 - Access by Subset of Privileged Users
AU-11 - Audit Record Retention
AU-12 - Audit Record Generation
CA - Assessment, Authorization, and Monitoring
14 Controls
CA-1 - Policy and Procedures
CA-2 - Control Assessments
2 Subcontrols
CA-2.1 - Independent Assessors
CA-2.3 - Leveraging Results from External Organizations
CA-3 - Information Exchange
CA-5 - Plan of Action and Milestones
CA-6 - Authorization
CA-7 - Continuous Monitoring
2 Subcontrols
CA-7.1 - Independent Assessment
CA-7.4 - Risk Monitoring
CA-8 - Penetration Testing
2 Subcontrols
CA-8.1 - Independent Penetration Testing Agent or Team
CA-8.2 - Red Team Exercises
CA-9 - Internal System Connections
CM - Configuration Management
27 Controls
CM-1 - Policy and Procedures
CM-2 - Baseline Configuration
3 Subcontrols
CM-2.2 - Automation Support for Accuracy and Currency
CM-2.3 - Retention of Previous Configurations
CM-2.7 - Configure Systems and Components for High-risk Areas
CM-3 - Configuration Change Control
2 Subcontrols
CM-3.2 - Testing, Validation, and Documentation of Changes
CM-3.4 - Security and Privacy Representatives
CM-4 - Impact Analyses
1 Subcontrol
CM-4.2 - Verification of Controls
CM-5 - Access Restrictions for Change
2 Subcontrols
CM-5.1 - Automated Access Enforcement and Audit Records
CM-5.5 - Privilege Limitation for Production and Operation
CM-6 - Configuration Settings
1 Subcontrol
CM-6.1 - Automated Management, Application, and Verification
CM-7 - Least Functionality
3 Subcontrols
CM-7.1 - Periodic Review
CM-7.2 - Prevent Program Execution
CM-7.5 - Authorized Software — Allow-by-exception
CM-8 - System Component Inventory
2 Subcontrols
CM-8.1 - Updates During Installation and Removal
CM-8.3 - Automated Unauthorized Component Detection
CM-9 - Configuration Management Plan
CM-10 - Software Usage Restrictions
CM-11 - User-installed Software
CM-12 - Information Location
1 Subcontrol
CM-12.1 - Automated Tools to Support Information Location
CP - Contingency Planning
23 Controls
CP-1 - Policy and Procedures
CP-2 - Contingency Plan
3 Subcontrols
CP-2.1 - Coordinate with Related Plans
CP-2.3 - Resume Mission and Business Functions
CP-2.8 - Identify Critical Assets
CP-3 - Contingency Training
CP-4 - Contingency Plan Testing
1 Subcontrol
CP-4.1 - Coordinate with Related Plans
CP-6 - Alternate Storage Site
2 Subcontrols
CP-6.1 - Separation from Primary Site
CP-6.3 - Accessibility
CP-7 - Alternate Processing Site
3 Subcontrols
CP-7.1 - Separation from Primary Site
CP-7.2 - Accessibility
CP-7.3 - Priority of Service
CP-8 - Telecommunications Services
2 Subcontrols
CP-8.1 - Priority of Service Provisions
CP-8.2 - Single Points of Failure
CP-9 - System Backup
2 Subcontrols
CP-9.1 - Testing for Reliability and Integrity
CP-9.8 - Cryptographic Protection
CP-10 - System Recovery and Reconstitution
1 Subcontrol
CP-10.2 - Transaction Recovery
IA - Identification and Authentication
27 Controls
IA-1 - Policy and Procedures
IA-2 - Identification and Authentication (Organizational Users)
6 Subcontrols
IA-2.1 - Multi-factor Authentication to Privileged Accounts
IA-2.2 - Multi-factor Authentication to Non-privileged Accounts
IA-2.5 - Individual Authentication with Group Authentication
IA-2.6 - Access to Accounts — Separate Device
IA-2.8 - Access to Accounts — Replay Resistant
IA-2.12 - Acceptance of PIV Credentials
IA-3 - Device Identification and Authentication
IA-4 - Identifier Management
1 Subcontrol
IA-4.4 - Identify User Status
IA-5 - Authenticator Management
4 Subcontrols
IA-5.1 - Password-based Authentication
IA-5.2 - Public Key-based Authentication
IA-5.6 - Protection of Authenticators
IA-5.7 - No Embedded Unencrypted Static Authenticators
IA-6 - Authentication Feedback
IA-7 - Cryptographic Module Authentication
IA-8 - Identification and Authentication (Non-organizational Users)
3 Subcontrols
IA-8.1 - Acceptance of PIV Credentials from Other Agencies
IA-8.2 - Acceptance of External Authenticators
IA-8.4 - Use of Defined Profiles
IA-11 - Re-authentication
IA-12 - Identity Proofing
3 Subcontrols
IA-12.2 - Identity Evidence
IA-12.3 - Identity Evidence Validation and Verification
IA-12.5 - Address Confirmation
IR - Incident Response
17 Controls
IR-1 - Policy and Procedures
IR-2 - Incident Response Training
IR-3 - Incident Response Testing
1 Subcontrol
IR-3.2 - Coordination with Related Plans
IR-4 - Incident Handling
1 Subcontrol
IR-4.1 - Automated Incident Handling Processes
IR-5 - Incident Monitoring
IR-6 - Incident Reporting
2 Subcontrols
IR-6.1 - Automated Reporting
IR-6.3 - Supply Chain Coordination
IR-7 - Incident Response Assistance
1 Subcontrol
IR-7.1 - Automation Support for Availability of Information and Support
IR-8 - Incident Response Plan
IR-9 - Information Spillage Response
3 Subcontrols
IR-9.2 - Training
IR-9.3 - Post-spill Operations
IR-9.4 - Exposure to Unauthorized Personnel
MA - Maintenance
10 Controls
MA-1 - Policy and Procedures
MA-2 - Controlled Maintenance
MA-3 - Maintenance Tools
3 Subcontrols
MA-3.1 - Inspect Tools
MA-3.2 - Inspect Media
MA-3.3 - Prevent Unauthorized Removal
MA-4 - Nonlocal Maintenance
MA-5 - Maintenance Personnel
1 Subcontrol
MA-5.1 - Individuals Without Appropriate Access
MA-6 - Timely Maintenance
MP - Media Protection
7 Controls
MP-1 - Policy and Procedures
MP-2 - Media Access
MP-3 - Media Marking
MP-4 - Media Storage
MP-5 - Media Transport
MP-6 - Media Sanitization
MP-7 - Media Use
PE - Physical and Environmental Protection
19 Controls
PE-1 - Policy and Procedures
PE-2 - Physical Access Authorizations
PE-3 - Physical Access Control
PE-4 - Access Control for Transmission
PE-5 - Access Control for Output Devices
PE-6 - Monitoring Physical Access
1 Subcontrol
PE-6.1 - Intrusion Alarms and Surveillance Equipment
PE-8 - Visitor Access Records
PE-9 - Power Equipment and Cabling
PE-10 - Emergency Shutoff
PE-11 - Emergency Power
PE-12 - Emergency Lighting
PE-13 - Fire Protection
2 Subcontrols
PE-13.1 - Detection Systems — Automatic Activation and Notification
PE-13.2 - Suppression Systems — Automatic Activation and Notification
PE-14 - Environmental Controls
PE-15 - Water Damage Protection
PE-16 - Delivery and Removal
PE-17 - Alternate Work Site
PL - Planning
7 Controls
PL-1 - Policy and Procedures
PL-2 - System Security and Privacy Plans
PL-4 - Rules of Behavior
1 Subcontrol
PL-4.1 - Social Media and External Site/Application Usage Restrictions
PL-8 - Security and Privacy Architectures
PL-10 - Baseline Selection
PL-11 - Baseline Tailoring
PS - Personnel Security
10 Controls
PS-1 - Policy and Procedures
PS-2 - Position Risk Designation
PS-3 - Personnel Screening
1 Subcontrol
PS-3.3 - Information Requiring Special Protective Measures
PS-4 - Personnel Termination
PS-5 - Personnel Transfer
PS-6 - Access Agreements
PS-7 - External Personnel Security
PS-8 - Personnel Sanctions
PS-9 - Position Descriptions
RA - Risk Assessment
11 Controls
RA-1 - Policy and Procedures
RA-2 - Security Categorization
RA-3 - Risk Assessment
1 Subcontrol
RA-3.1 - Supply Chain Risk Assessment
RA-5 - Vulnerability Monitoring and Scanning
4 Subcontrols
RA-5.2 - Update Vulnerabilities to Be Scanned
RA-5.3 - Breadth and Depth of Coverage
RA-5.5 - Privileged Access
RA-5.11 - Public Disclosure Program
RA-7 - Risk Response
RA-9 - Criticality Analysis
SA - System and Services Acquisition
21 Controls
SA-1 - Policy and Procedures
SA-2 - Allocation of Resources
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
4 Subcontrols
SA-4.1 - Functional Properties of Controls
SA-4.2 - Design and Implementation Information for Controls
SA-4.9 - Functions, Ports, Protocols, and Services in Use
SA-4.10 - Use of Approved PIV Products
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-9 - External System Services
3 Subcontrols
SA-9.1 - Risk Assessments and Organizational Approvals
SA-9.2 - Identification of Functions, Ports, Protocols, and Services
SA-9.5 - Processing, Storage, and Service Location
SA-10 - Developer Configuration Management
SA-11 - Developer Testing and Evaluation
2 Subcontrols
SA-11.1 - Static Code Analysis
SA-11.2 - Threat Modeling and Vulnerability Analyses
SA-15 - Development Process, Standards, and Tools
1 Subcontrol
SA-15.3 - Criticality Analysis
SA-22 - Unsupported System Components
SC - System and Communications Protection
29 Controls
SC-1 - Policy and Procedures
SC-2 - Separation of System and User Functionality
SC-4 - Information in Shared System Resources
SC-5 - Denial-of-service Protection
SC-7 - Boundary Protection
7 Subcontrols
SC-7.3 - Access Points
SC-7.4 - External Telecommunications Services
SC-7.5 - Deny by Default — Allow by Exception
SC-7.7 - Split Tunneling for Remote Devices
SC-7.8 - Route Traffic to Authenticated Proxy Servers
SC-7.12 - Host-based Protection
SC-7.18 - Fail Secure
SC-8 - Transmission Confidentiality and Integrity
1 Subcontrol
SC-8.1 - Cryptographic Protection
SC-10 - Network Disconnect
SC-12 - Cryptographic Key Establishment and Management
SC-13 - Cryptographic Protection
SC-15 - Collaborative Computing Devices and Applications
SC-17 - Public Key Infrastructure Certificates
SC-18 - Mobile Code
SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
SC-21 - Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 - Architecture and Provisioning for Name/Address Resolution Service
SC-23 - Session Authenticity
SC-28 - Protection of Information at Rest
1 Subcontrol
SC-28.1 - Cryptographic Protection
SC-39 - Process Isolation
SC-45 - System Time Synchronization
1 Subcontrol
SC-45.1 - Synchronization with Authoritative Time Source
SI - System and Information Integrity
24 Controls
SI-1 - Policy and Procedures
SI-2 - Flaw Remediation
2 Subcontrols
SI-2.2 - Automated Flaw Remediation Status
SI-2.3 - Time to Remediate Flaws and Benchmarks for Corrective Actions
SI-3 - Malicious Code Protection
SI-4 - System Monitoring
7 Subcontrols
SI-4.1 - System-wide Intrusion Detection System
SI-4.2 - Automated Tools and Mechanisms for Real-time Analysis
SI-4.4 - Inbound and Outbound Communications Traffic
SI-4.5 - System-generated Alerts
SI-4.16 - Correlate Monitoring Information
SI-4.18 - Analyze Traffic and Covert Exfiltration
SI-4.23 - Host-based Devices
SI-5 - Security Alerts, Advisories, and Directives
SI-6 - Security and Privacy Function Verification
SI-7 - Software, Firmware, and Information Integrity
2 Subcontrols
SI-7.1 - Integrity Checks
SI-7.7 - Integration of Detection and Response
SI-8 - Spam Protection
1 Subcontrol
SI-8.2 - Automatic Updates
SI-10 - Information Input Validation
SI-11 - Error Handling
SI-12 - Information Management and Retention
SI-16 - Memory Protection
SR - Supply Chain Risk Management
12 Controls
SR-1 - Policy and Procedures
SR-2 - Supply Chain Risk Management Plan
1 Subcontrol
SR-2.1 - Establish SCRM Team
SR-3 - Supply Chain Controls and Processes
SR-5 - Acquisition Strategies, Tools, and Methods
SR-6 - Supplier Assessments and Reviews
SR-8 - Notification Agreements
SR-10 - Inspection of Systems or Components
SR-11 - Component Authenticity
2 Subcontrols
SR-11.1 - Anti-counterfeit Training
SR-11.2 - Configuration Control for Component Service and Repair
SR-12 - Component Disposal