NIST 800-53 Reference
#####################

The Road to ATO
---------------

This is a little idealized, but it should build familiarity with the sequence of artifacts and decisions on the way to an Authority to Operate (ATO).

.. graphviz::

   digraph roadtoato {
       rankdir = "LR";
       node [shape = "box", color=blue];
       Dev [ label="Software\nProvider" ]
       Documentation [ shape=component, label="Supporting\nDocumentation" ]
       ISSO -> POAM -> SSP -> ATD -> ATT -> Interim_ATO -> ATO [ color=blue ]
       Dev -> Documentation -> SSP [ color=orange ]
       Dev -> Interim_ATO [ dir=back, color=red, label="Liens remaining" ]
       Dev -> Resolution -> ATO [ color=red, label="Liens resolved" ]
   }

Controls by family
------------------

See the NIST `SP 800-53`_ site. The tables below list each control, its priority, and the control enhancements (in parentheses) selected for the Low, Moderate and High baselines; an empty cell means the control is not in that baseline.

AC - Access Control
+++++++++++++++++++

+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| No.    | Control                                                     | Priority | Low                             | Moderate                        | High                                    |
+========+=============================================================+==========+=================================+=================================+=========================================+
| AC-1   | ACCESS CONTROL POLICY AND PROCEDURES                        | P1       | AC-1                            | AC-1                            | AC-1                                    |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-2   | ACCOUNT MANAGEMENT                                          | P1       | AC-2                            | AC-2 (1) (2) (3) (4)            | AC-2 (1) (2) (3) (4) (5) (11) (12) (13) |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-3   | ACCESS ENFORCEMENT                                          | P1       | AC-3                            | AC-3                            | AC-3                                    |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-4   | INFORMATION FLOW ENFORCEMENT                                | P1       |                                 | AC-4                            | AC-4                                    |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-5   | SEPARATION OF DUTIES                                        | P1       |                                 | AC-5                            | AC-5                                    |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-6   | LEAST PRIVILEGE                                             | P1       |                                 | AC-6 (1) (2) (5) (9) (10)       | AC-6 (1) (2) (3) (5) (9) (10)           |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-7   | UNSUCCESSFUL LOGON ATTEMPTS                                 | P2       | AC-7                            | AC-7                            | AC-7                                    |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-8   | SYSTEM USE NOTIFICATION                                     | P1       | AC-8                            | AC-8                            | AC-8                                    |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-9   | PREVIOUS LOGON (ACCESS) NOTIFICATION                        | P0       |                                 |                                 |                                         |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-10  | CONCURRENT SESSION CONTROL                                  | P3       |                                 |                                 | AC-10                                   |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-11  | SESSION LOCK                                                | P3       |                                 | AC-11 (1)                       | AC-11 (1)                               |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-12  | SESSION TERMINATION                                         | P2       |                                 | AC-12                           | AC-12                                   |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-13  | SUPERVISION AND REVIEW - ACCESS CONTROL                     | ?        |                                 |                                 |                                         |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-14  | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION  | P3       | AC-14                           | AC-14                           | AC-14                                   |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-15  | AUTOMATED MARKING                                           | ?        |                                 |                                 |                                         |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-16  | SECURITY ATTRIBUTES                                         | P0       |                                 |                                 |                                         |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-17  | REMOTE ACCESS                                               | P1       | AC-17                           | AC-17 (1) (2) (3) (4)           | AC-17 (1) (2) (3) (4)                   |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-18  | WIRELESS ACCESS                                             | P1       | AC-18                           | AC-18 (1)                       | AC-18 (1) (4) (5)                       |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-19  | ACCESS CONTROL FOR MOBILE DEVICES                           | P1       | AC-19                           | AC-19 (5)                       | AC-19 (5)                               |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-20  | USE OF EXTERNAL INFORMATION SYSTEMS                         | P1       | AC-20                           | AC-20 (1) (2)                   | AC-20 (1) (2)                           |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-21  | INFORMATION SHARING                                         | P2       |                                 | AC-21                           | AC-21                                   |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-22  | PUBLICLY ACCESSIBLE CONTENT                                 | P3       | AC-22                           | AC-22                           | AC-22                                   |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-23  | DATA MINING PROTECTION                                      | P0       |                                 |                                 |                                         |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-24  | ACCESS CONTROL DECISIONS                                    | P0       |                                 |                                 |                                         |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+
| AC-25  | REFERENCE MONITOR                                           | P0       |                                 |                                 |                                         |
+--------+-------------------------------------------------------------+----------+---------------------------------+---------------------------------+-----------------------------------------+

AU - Audit and Accountability
+++++++++++++++++++++++++++++

+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| No.   | Control                                         | Priority   | Low    | Moderate     | High                 |
+=======+=================================================+============+========+==============+======================+
| AU-1  | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES  | P1         | AU-1   | AU-1         | AU-1                 |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-2  | AUDIT EVENTS                                    | P1         | AU-2   | AU-2 (3)     | AU-2 (3)             |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-3  | CONTENT OF AUDIT RECORDS                        | P1         | AU-3   | AU-3 (1)     | AU-3 (1) (2)         |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-4  | AUDIT STORAGE CAPACITY                          | P1         | AU-4   | AU-4         | AU-4                 |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-5  | RESPONSE TO AUDIT PROCESSING FAILURES           | P1         | AU-5   | AU-5         | AU-5 (1) (2)         |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-6  | AUDIT REVIEW, ANALYSIS, AND REPORTING           | P1         | AU-6   | AU-6 (1) (3) | AU-6 (1) (3) (5) (6) |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-7  | AUDIT REDUCTION AND REPORT GENERATION           | P2         |        | AU-7 (1)     | AU-7 (1)             |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-8  | TIME STAMPS                                     | P1         | AU-8   | AU-8 (1)     | AU-8 (1)             |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-9  | PROTECTION OF AUDIT INFORMATION                 | P1         | AU-9   | AU-9 (4)     | AU-9 (2) (3) (4)     |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-10 | NON-REPUDIATION                                 | P2         |        |              | AU-10                |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-11 | AUDIT RECORD RETENTION                          | P3         | AU-11  | AU-11        | AU-11                |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-12 | AUDIT GENERATION                                | P1         | AU-12  | AU-12        | AU-12 (1) (3)        |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-13 | MONITORING FOR INFORMATION DISCLOSURE           | P0         |        |              |                      |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-14 | SESSION AUDIT                                   | P0         |        |              |                      |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-15 | ALTERNATE AUDIT CAPABILITY                      | P0         |        |              |                      |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+
| AU-16 | CROSS-ORGANIZATIONAL AUDITING                   | P0         |        |              |                      |
+-------+-------------------------------------------------+------------+--------+--------------+----------------------+

AT - Awareness and Training
+++++++++++++++++++++++++++

CM - Configuration Management
+++++++++++++++++++++++++++++

CP - Contingency Planning
+++++++++++++++++++++++++

IA - Identification and Authentication
++++++++++++++++++++++++++++++++++++++

IR - Incident Response
++++++++++++++++++++++

MA - Maintenance
++++++++++++++++

MP - Media Protection
+++++++++++++++++++++

PS - Personnel Security
+++++++++++++++++++++++

PE - Physical and Environmental Protection
++++++++++++++++++++++++++++++++++++++++++

PL - Planning
+++++++++++++

PM - Program Management
+++++++++++++++++++++++

RA - Risk Assessment
++++++++++++++++++++

CA - Security Assessment and Authorization
++++++++++++++++++++++++++++++++++++++++++

SC - System and Communications Protection
+++++++++++++++++++++++++++++++++++++++++

SI - System and Information Integrity
+++++++++++++++++++++++++++++++++++++

SA - System and Services Acquisition
++++++++++++++++++++++++++++++++++++

FedRAMP POAM
------------

Federal Risk and Authorization Management Program (FedRAMP) Plan of Action and Milestones (`POAM`_)

* When the government decides to move our cloud service through the A&A process, they will use a POAM to make this manageable and give it a goalpost to reach.
* This will come in the form of a spreadsheet with the following standard columns, customizable by the approver:

  * Column A: POA&M ID
  * Column B: Controls
  * Column C: Weakness Name
  * Column D: Weakness Description
  * Column E: Weakness Detector Source
  * Column F: Weakness Source Identifier
  * Column G: Asset Identifier
  * Column H: Point of Contact
  * Column I: Resources Required
  * Column J: Overall Remediation Plan
  * Column K: Original Detection Date
  * Column L: Scheduled Completion Date
  * Column M: Planned Milestones
  * Column N: Milestone Changes
  * Column O: Status Date
  * Column P: Vendor Dependency
  * Column Q: Last Vendor Check-in Date
  * Column R: Vendor Dependent Product Name
  * Column S: Original Risk Rating
  * Column T: Adjusted Risk Rating
  * Column U: Risk Adjustment
  * Column V: False Positive
  * Column W: Operational Requirement
  * Column X: Deviation Rationale
  * Column Y: Supporting Documents
  * Column Z: Comments
  * Column AA: Auto-Approve

.. _`POAM`: https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf
.. _`SP 800-53`: https://nvd.nist.gov/800-53/Rev4
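As an added example (not part of this reference, nor FedRAMP's own tooling), the script below reads a POA&M exported to CSV with the column headers listed above and flags the kinds of inconsistencies an ISSO looks for before the sheet goes to the approver: items past their Scheduled Completion Date, risk ratings that changed without the Risk Adjustment flag or a Deviation Rationale, False Positive claims with no Supporting Documents, and vendor-dependent items without a recent vendor check-in. The MM/DD/YYYY date format, the 30-day check-in window and the evidence rules are assumptions chosen for the example, not requirements stated on this page; the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Header names exactly as listed in the POA&M column list above (columns A..AA).
REQUIRED_COLUMNS = [
    "POA&M ID", "Controls", "Weakness Name", "Weakness Description",
    "Weakness Detector Source", "Weakness Source Identifier", "Asset Identifier",
    "Point of Contact", "Resources Required", "Overall Remediation Plan",
    "Original Detection Date", "Scheduled Completion Date", "Planned Milestones",
    "Milestone Changes", "Status Date", "Vendor Dependency",
    "Last Vendor Check-in Date", "Vendor Dependent Product Name",
    "Original Risk Rating", "Adjusted Risk Rating", "Risk Adjustment",
    "False Positive", "Operational Requirement", "Deviation Rationale",
    "Supporting Documents", "Comments", "Auto-Approve",
]

# Assumed maximum age of a vendor check-in for a vendor-dependent item (not from this page).
VENDOR_CHECKIN_MAX_AGE = timedelta(days=30)


def parse_date(text):
    """Parse a template date cell, assumed to be MM/DD/YYYY; empty cells give None."""
    text = text.strip()
    return datetime.strptime(text, "%m/%d/%Y").date() if text else None


def load_poam(csv_text):
    """Parse the CSV export and refuse it if any standard column is missing."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in reader.fieldnames]
    if missing:
        raise ValueError(f"POA&M is missing columns: {missing}")
    return list(reader)


def review_row(row, today):
    """Return finding strings for one open POA&M row, judged as of `today`."""
    findings = []
    poam_id = row["POA&M ID"]
    due = parse_date(row["Scheduled Completion Date"])
    if due is not None and due < today:
        findings.append(f"{poam_id}: overdue, scheduled completion {due} has passed")
    adjusted = row["Adjusted Risk Rating"].strip()
    if adjusted and adjusted != row["Original Risk Rating"].strip():
        # A changed rating is a deviation: it needs the flag and a written rationale.
        if row["Risk Adjustment"].strip().lower() != "yes":
            findings.append(f"{poam_id}: risk rating changed without Risk Adjustment = Yes")
        if not row["Deviation Rationale"].strip():
            findings.append(f"{poam_id}: risk adjustment lacks a Deviation Rationale")
    if row["False Positive"].strip().lower() == "yes" and not row["Supporting Documents"].strip():
        findings.append(f"{poam_id}: false positive claim has no Supporting Documents")
    if row["Vendor Dependency"].strip().lower() == "yes":
        checkin = parse_date(row["Last Vendor Check-in Date"])
        if checkin is None or today - checkin > VENDOR_CHECKIN_MAX_AGE:
            findings.append(f"{poam_id}: vendor-dependent item has no vendor check-in within 30 days")
    return findings


def review_poam(csv_text, today):
    """Review every row; `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [f for row in load_poam(csv_text) for f in review_row(row, today)]


def _sample_row(**cells):
    row = {c: "" for c in REQUIRED_COLUMNS}
    row.update(cells)
    return row


# Constructed sample data for the example; not taken from any real POA&M.
SAMPLE_ROWS = [
    _sample_row(**{"POA&M ID": "V-1", "Controls": "AC-2", "Weakness Name": "Stale accounts",
                   "Original Detection Date": "01/10/2023", "Scheduled Completion Date": "03/01/2023",
                   "Original Risk Rating": "Moderate", "Adjusted Risk Rating": "Moderate"}),
    _sample_row(**{"POA&M ID": "V-2", "Controls": "AU-6", "Weakness Name": "Audit review gaps",
                   "Scheduled Completion Date": "06/30/2023", "Original Risk Rating": "High",
                   "Adjusted Risk Rating": "Low", "Risk Adjustment": "No"}),
    _sample_row(**{"POA&M ID": "V-3", "Controls": "SI-2", "Weakness Name": "Vendor patch pending",
                   "Scheduled Completion Date": "06/30/2023", "Vendor Dependency": "Yes",
                   "Last Vendor Check-in Date": "01/05/2023", "Original Risk Rating": "Moderate"}),
]


def sample_csv():
    """Serialise the constructed rows the way a spreadsheet CSV export would."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REQUIRED_COLUMNS)
    writer.writeheader()
    writer.writerows(SAMPLE_ROWS)
    return buf.getvalue()


def sample_findings(today="2023-04-01"):
    return review_poam(sample_csv(), today)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run as of 2023-04-01 the sample yields four findings: V-1 is overdue, V-2 lowered its rating from High to Low with neither the Risk Adjustment flag nor a rationale, and V-3's vendor check-in is older than 30 days. The checks are deliberately independent of the spreadsheet's column order, so a sheet the approver has customised still reviews correctly as long as the standard headers are present.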