# NIST 800-53 Reference

## The Road to ATO

This is a little idealized, but should create familiarity.

## Controls by family

See the NIST SP 800-53 site.
### AC - Access Control

| No. | Control | Priority | Low | Moderate | High |
|---|---|---|---|---|---|
| AC-1 | ACCESS CONTROL POLICY AND PROCEDURES | P1 | AC-1 | AC-1 | AC-1 |
| AC-2 | ACCOUNT MANAGEMENT | P1 | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4) (5) (11) (12) (13) |
| AC-3 | ACCESS ENFORCEMENT | P1 | AC-3 | AC-3 | AC-3 |
| AC-4 | INFORMATION FLOW ENFORCEMENT | P1 | | AC-4 | AC-4 |
| AC-5 | SEPARATION OF DUTIES | P1 | | AC-5 | AC-5 |
| AC-6 | LEAST PRIVILEGE | P1 | | AC-6 (1) (2) (5) (9) (10) | AC-6 (1) (2) (3) (5) (9) (10) |
| AC-7 | UNSUCCESSFUL LOGON ATTEMPTS | P2 | AC-7 | AC-7 | AC-7 |
| AC-8 | SYSTEM USE NOTIFICATION | P1 | AC-8 | AC-8 | AC-8 |
| AC-9 | PREVIOUS LOGON (ACCESS) NOTIFICATION | P0 | | | |
| AC-10 | CONCURRENT SESSION CONTROL | P3 | | | AC-10 |
| AC-11 | SESSION LOCK | P3 | | AC-11 (1) | AC-11 (1) |
| AC-12 | SESSION TERMINATION | P2 | | AC-12 | AC-12 |
| AC-13 | SUPERVISION AND REVIEW - ACCESS CONTROL | ? | | | |
| AC-14 | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | P3 | AC-14 | AC-14 | AC-14 |
| AC-15 | AUTOMATED MARKING | ? | | | |
| AC-16 | SECURITY ATTRIBUTES | P0 | | | |
| AC-17 | REMOTE ACCESS | P1 | AC-17 | AC-17 (1) (2) (3) (4) | AC-17 (1) (2) (3) (4) |
| AC-18 | WIRELESS ACCESS | P1 | AC-18 | AC-18 (1) | AC-18 (1) (4) (5) |
| AC-19 | ACCESS CONTROL FOR MOBILE DEVICES | P1 | AC-19 | AC-19 (5) | AC-19 (5) |
| AC-20 | USE OF EXTERNAL INFORMATION SYSTEMS | P1 | AC-20 | AC-20 (1) (2) | AC-20 (1) (2) |
| AC-21 | INFORMATION SHARING | P2 | | AC-21 | AC-21 |
| AC-22 | PUBLICLY ACCESSIBLE CONTENT | P3 | AC-22 | AC-22 | AC-22 |
| AC-23 | DATA MINING PROTECTION | P0 | | | |
| AC-24 | ACCESS CONTROL DECISIONS | P0 | | | |
| AC-25 | REFERENCE MONITOR | P0 | | | |
### AU - Audit and Accountability

| No. | Control | Priority | Low | Moderate | High |
|---|---|---|---|---|---|
| AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | P1 | AU-1 | AU-1 | AU-1 |
| AU-2 | AUDIT EVENTS | P1 | AU-2 | AU-2 (3) | AU-2 (3) |
| AU-3 | CONTENT OF AUDIT RECORDS | P1 | AU-3 | AU-3 (1) | AU-3 (1) (2) |
| AU-4 | AUDIT STORAGE CAPACITY | P1 | AU-4 | AU-4 | AU-4 |
| AU-5 | RESPONSE TO AUDIT PROCESSING FAILURES | P1 | AU-5 | AU-5 | AU-5 (1) (2) |
| AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING | P1 | AU-6 | AU-6 (1) (3) | AU-6 (1) (3) (5) (6) |
| AU-7 | AUDIT REDUCTION AND REPORT GENERATION | P2 | | AU-7 (1) | AU-7 (1) |
| AU-8 | TIME STAMPS | P1 | AU-8 | AU-8 (1) | AU-8 (1) |
| AU-9 | PROTECTION OF AUDIT INFORMATION | P1 | AU-9 | AU-9 (4) | AU-9 (2) (3) (4) |
| AU-10 | NON-REPUDIATION | P2 | | | AU-10 |
| AU-11 | AUDIT RECORD RETENTION | P3 | AU-11 | AU-11 | AU-11 |
| AU-12 | AUDIT GENERATION | P1 | AU-12 | AU-12 | AU-12 (1) (3) |
| AU-13 | MONITORING FOR INFORMATION DISCLOSURE | P0 | | | |
| AU-14 | SESSION AUDIT | P0 | | | |
| AU-15 | ALTERNATE AUDIT CAPABILITY | P0 | | | |
| AU-16 | CROSS-ORGANIZATIONAL AUDITING | P0 | | | |
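The Low, Moderate and High columns in the AC and AU tables above use a compact notation: a bare control number means the base control is selected for that baseline, and each "(n)" after it is a selected control enhancement. The following Python is an added example, not part of the original page and not NIST's own material: it parses that notation, reports what each step up in baseline adds for a control (the set you have to document when a system moves from a Moderate to a High categorization), and flags any row where a higher baseline drops something a lower one requires. The sample rows are copied from the AC table; the "cumulative" check is an assumption about how the baselines are laid out, used here as a transcription check, not a rule the page states.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Rows copied from the AC table above, as (No., Low, Moderate, High).
# An empty string is an empty baseline cell (control not selected there).
AC_BASELINES = [
    ("AC-2", "AC-2", "AC-2 (1) (2) (3) (4)", "AC-2 (1) (2) (3) (4) (5) (11) (12) (13)"),
    ("AC-4", "", "AC-4", "AC-4"),
    ("AC-6", "", "AC-6 (1) (2) (5) (9) (10)", "AC-6 (1) (2) (3) (5) (9) (10)"),
    ("AC-10", "", "", "AC-10"),
    ("AC-17", "AC-17", "AC-17 (1) (2) (3) (4)", "AC-17 (1) (2) (3) (4)"),
]

# A cell is a control id ("AC-6") followed by zero or more "(n)" enhancement numbers.
CELL_RE = re.compile(r"^([A-Z]{2}-\d+)((?:\s*\(\d+\))*)\s*$")
ENH_RE = re.compile(r"\((\d+)\)")

Parsed = Optional[Tuple[str, Set[int]]]


def parse_cell(cell: str) -> Parsed:
    """'AC-6 (1) (2) (5)' -> ('AC-6', {1, 2, 5}); an empty cell -> None."""
    cell = cell.strip()
    if not cell:
        return None
    match = CELL_RE.match(cell)
    if match is None:
        raise ValueError(f"unrecognised baseline cell: {cell!r}")
    control, enhancements = match.groups()
    return control, {int(n) for n in ENH_RE.findall(enhancements)}


def baseline_delta(lower: str, higher: str) -> Tuple[bool, Set[int]]:
    """What the higher baseline adds on top of the lower one for one control.

    Returns (base_control_newly_required, newly_required_enhancements).
    """
    lo, hi = parse_cell(lower), parse_cell(higher)
    if hi is None:
        return False, set()
    if lo is None:
        return True, set(hi[1])
    return False, hi[1] - lo[1]


def table_deltas(rows) -> Dict[str, Dict[str, Tuple[bool, Set[int]]]]:
    """Per control: what moving Low->Moderate and Moderate->High adds."""
    return {
        control: {
            "low->moderate": baseline_delta(low, moderate),
            "moderate->high": baseline_delta(moderate, high),
        }
        for control, low, moderate, high in rows
    }


def cumulative_violations(rows) -> List[str]:
    """Controls whose cells are not cumulative, i.e. a higher baseline drops
    the base control or an enhancement a lower baseline requires.

    Assumption (not stated on the page): baselines nest Low <= Moderate <= High,
    so a violation points at a transcription error in a hand-copied table.
    """
    bad: List[str] = []
    for control, *cells in rows:
        required: Set[object] = set()
        for cell in cells:
            parsed = parse_cell(cell)
            present: Set[object] = set() if parsed is None else {"base"} | parsed[1]
            if not required <= present:
                bad.append(control)
                break
            required = present
    return bad


if __name__ == "__main__":
    for control, deltas in table_deltas(AC_BASELINES).items():
        print(control, deltas)
    print("non-cumulative rows:", cumulative_violations(AC_BASELINES))
```

The same functions read the AU table unchanged, since the cell notation is identical; only the row tuples differ.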
### AT - Awareness and Training

### CM - Configuration Management

### CP - Contingency Planning

### IA - Identification and Authentication

### IR - Incident Response

### MA - Maintenance

### MP - Media Protection

### PS - Personnel Security

### PE - Physical and Environmental Protection

### PL - Planning

### PM - Program Management

### RA - Risk Assessment

### SC - System and Communications Protection

### SI - System and Information Integrity

### SA - System and Services Acquisition

## FedRAMP POAM
Federal Risk and Authorization Management Program (FedRAMP) Plan of Actions and Milestones (POAM)
When the government decides to move our cloud service through the A&A process, it will use a POAM to make the effort manageable and to give it a goalpost to reach.

This will come in the form of a spreadsheet with the following standard columns, which the approver can customize.
- Column A: POA&M ID
- Column B: Controls
- Column C: Weakness Name
- Column D: Weakness Description
- Column E: Weakness Detector Source
- Column F: Weakness Source Identifier
- Column G: Asset Identifier
- Column H: Point of Contact
- Column I: Resources Required
- Column J: Overall Remediation Plan
- Column K: Original Detection Date
- Column L: Scheduled Completion Date
- Column M: Planned Milestones
- Column N: Milestone Changes
- Column O: Status Date
- Column P: Vendor Dependency
- Column Q: Last Vendor Check-in Date
- Column R: Vendor Dependent Product Name
- Column S: Original Risk Rating
- Column T: Adjusted Risk Rating
- Column U: Risk Adjustment
- Column V: False Positive
- Column W: Operational Requirement
- Column X: Deviation Rationale
- Column Y: Supporting Documents
- Column Z: Comments
- Column AA: Auto-Approve