Home / Frameworks / FedRAMP / LI-SaaS Baseline

FedRAMP Rev 5

Federal Risk and Authorization Management Program Security Baselines

410 All 138 LI-SaaS 156 Low 323 Moderate 410 High

Showing 138 controls in LI-SaaS baseline

AC — Access Control (11 controls)

AC-1Policy and Procedures

AC-2Account Management

AC-3Access Enforcement

AC-7Unsuccessful Logon Attempts

AC-8System Use Notification

AC-14Permitted Actions Without Identification or Authentication

AC-19Access Control for Mobile Devices

AC-20Use of External Systems

AC-22Publicly Accessible Content

AT — Awareness and Training (4 controls)

AT-1Policy and Procedures

AT-2Literacy Training and Awareness

AT-3Role-based Training

AU — Audit and Accountability (10 controls)

AU-1Policy and Procedures

AU-3Content of Audit Records

AU-4Audit Log Storage Capacity

AU-5Response to Audit Logging Process Failures

AU-6Audit Record Review, Analysis, and Reporting

AU-9Protection of Audit Information

AU-11Audit Record Retention

AU-12Audit Record Generation

CA — Assessment, Authorization, and Monitoring (8 controls)

CA-1Policy and Procedures

CA-2Control Assessments

CA-3Information Exchange

CA-5Plan of Action and Milestones

CA-7Continuous Monitoring

CA-8Penetration Testing

CA-9Internal System Connections

CM — Configuration Management (9 controls)

CM-1Policy and Procedures

CM-2Baseline Configuration

CM-5Access Restrictions for Change

CM-6Configuration Settings

CM-7Least Functionality

CM-8System Component Inventory

CM-10Software Usage Restrictions

CM-11User-installed Software

CP — Contingency Planning (6 controls)

CP-1Policy and Procedures

CP-3Contingency Training

CP-4Contingency Plan Testing

CP-10System Recovery and Reconstitution

IA — Identification and Authentication (9 controls)

IA-1Policy and Procedures

IA-2Identification and Authentication (organizational Users)

IA-2 (12)Identification and Authentication (organizational Users) | Acceptance of PIV Credentials

IA-4Identifier Management

IA-5Authenticator Management

IA-6Authentication Feedback

IA-7Cryptographic Module Authentication

IA-8Identification and Authentication (non-organizational Users)

IA-11Re-authentication

IR — Incident Response (7 controls)

IR-1Policy and Procedures

IR-2Incident Response Training

IR-4Incident Handling

IR-5Incident Monitoring

IR-6Incident Reporting

IR-7Incident Response Assistance

IR-8Incident Response Plan

MA — Maintenance (4 controls)

MA-1Policy and Procedures

MA-2Controlled Maintenance

MA-4Nonlocal Maintenance

MA-5Maintenance Personnel

MP — Media Protection (4 controls)

MP-1Policy and Procedures

MP-6Media Sanitization

PE — Physical and Environmental Protection (10 controls)

PE-1Policy and Procedures

PE-2Physical Access Authorizations

PE-3Physical Access Control

PE-6Monitoring Physical Access

PE-8Visitor Access Records

PE-12Emergency Lighting

PE-14Environmental Controls

PE-15Water Damage Protection

PE-16Delivery and Removal

PL — Planning (6 controls)

PL-1Policy and Procedures

PL-2System Security and Privacy Plans

PL-4Rules of Behavior

PL-8Security and Privacy Architectures

PL-10Baseline Selection

PL-11Baseline Tailoring

PS — Personnel Security (9 controls)

PS-1Policy and Procedures

PS-2Position Risk Designation

PS-3Personnel Screening

PS-4Personnel Termination

PS-5Personnel Transfer

PS-6Access Agreements

PS-7External Personnel Security

PS-8Personnel Sanctions

PS-9Position Descriptions

RA — Risk Assessment (6 controls)

RA-1Policy and Procedures

RA-2Security Categorization

RA-5Vulnerability Monitoring and Scanning

RA-5 (11)Vulnerability Monitoring and Scanning | Public Disclosure Program

SA — System and Services Acquisition (9 controls)

SA-1Policy and Procedures

SA-2Allocation of Resources

SA-3System Development Life Cycle

SA-4Acquisition Process

SA-4 (10)Acquisition Process | Use of Approved PIV Products

SA-5System Documentation

SA-8Security and Privacy Engineering Principles

SA-9External System Services

SA-22Unsupported System Components

SC — System and Communications Protection (12 controls)

SC-1Policy and Procedures

SC-5Denial-of-service Protection

SC-7Boundary Protection

SC-8Transmission Confidentiality and Integrity

SC-12Cryptographic Key Establishment and Management

SC-13Cryptographic Protection

SC-15Collaborative Computing Devices and Applications

SC-20Secure Name/address Resolution Service (authoritative Source)

SC-21Secure Name/address Resolution Service (recursive or Caching Resolver)

SC-22Architecture and Provisioning for Name/address Resolution Service

SC-28Protection of Information at Rest

SC-39Process Isolation

SI — System and Information Integrity (6 controls)

SI-1Policy and Procedures

SI-3Malicious Code Protection

SI-4System Monitoring

SI-5Security Alerts, Advisories, and Directives

SI-12Information Management and Retention

SR — Supply Chain Risk Management (8 controls)

SR-1Policy and Procedures

SR-2Supply Chain Risk Management Plan

SR-3Supply Chain Controls and Processes

SR-5Acquisition Strategies, Tools, and Methods

SR-8Notification Agreements

SR-10Inspection of Systems or Components

SR-11Component Authenticity

SR-12Component Disposal