GovRAMP vRev 5
Government Risk and Authorization Management Program - Security Baselines for State and Local Government Cloud Services
Baseline levels, control titles, and core control designations sourced from the official GovRAMP published documents. Cross-framework mappings derived from the Secure Controls Framework (SCF), licensed under CC BY-ND 4.0.
AC — Access Control (54 controls)
AC-01 Policy and Procedures
AC-02 Account Management
AC-02(01) Account Management | Automated System Account Management
AC-02(02) Account Management | Automated Temporary and Emergency Account Management
AC-02(03) Account Management | Disable Accounts
AC-02(04) Account Management | Automated Audit Actions
AC-02(05) Account Management | Inactivity Logout
AC-02(07) Account Management | Privileged User Accounts
AC-02(09) Account Management | Restrictions on Use of Shared and Group Accounts
AC-02(10)
AC-02(11)
AC-02(12) Account Management | Account Monitoring for Atypical Usage
AC-02(13) Account Management | Disable Accounts for High-risk Individuals
AC-03 Access Enforcement
AC-04 Information Flow Enforcement
AC-04(08)
AC-04(21) Information Flow Enforcement | Physical or Logical Separation of Information Flows
AC-05 Separation of Duties
AC-06 Least Privilege
AC-06(01) Least Privilege | Authorize Access to Security Functions
AC-06(02) Least Privilege | Non-privileged Access for Nonsecurity Functions
AC-06(03)
AC-06(05) Least Privilege | Privileged Accounts
AC-06(07) Least Privilege | Review of User Privileges
AC-06(08)
AC-06(09) Least Privilege | Log Use of Privileged Functions
AC-06(10) Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions
AC-07 Unsuccessful Logon Attempts
AC-07(02)
AC-08 System Use Notification
AC-10
AC-11 Device Lock
AC-11(01) Device Lock | Pattern-hiding Displays
AC-12 Session Termination
AC-12(01)
AC-14 Permitted Actions Without Identification or Authentication
AC-17 Remote Access
AC-17(01) Remote Access | Monitoring and Control
AC-17(02) Remote Access | Protection of Confidentiality and Integrity Using Encryption
AC-17(03) Remote Access | Managed Access Control Points
AC-17(04) Remote Access | Privileged Commands and Access
AC-17(09)
AC-18 Wireless Access
AC-18(01) Wireless Access | Authentication and Encryption
AC-18(03) Wireless Access | Disable Wireless Networking
AC-18(04)
AC-18(05)
AC-19 Access Control for Mobile Devices
AC-19(05) Access Control for Mobile Devices | Full Device or Container-based Encryption
AC-20 Use of External Systems
AC-20(01) Use of External Systems | Limits on Authorized Use
AC-20(02) Use of External Systems | Portable Storage Devices — Restricted Use
AC-21 Information Sharing
AC-22 Publicly Accessible Content
AT — Awareness and Training (7 controls)
AU — Audit and Accountability (31 controls)
AU-01 Policy and Procedures
AU-02 Event Logging
AU-02(03)
AU-03 Content of Audit Records
AU-03(01) Content of Audit Records | Additional Audit Information
AU-03(02)
AU-04 Audit Log Storage Capacity
AU-05 Response to Audit Logging Process Failures
AU-05(01)
AU-05(02)
AU-06 Audit Record Review, Analysis, and Reporting
AU-06(01) Audit Record Review, Analysis, and Reporting | Automated Process Integration
AU-06(03) Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories
AU-06(04)
AU-06(05)
AU-06(06)
AU-06(07)
AU-06(10)
AU-07 Audit Record Reduction and Report Generation
AU-07(01) Audit Record Reduction and Report Generation | Automatic Processing
AU-08 Time Stamps
AU-08(01)
AU-09 Protection of Audit Information
AU-09(02)
AU-09(03)
AU-09(04) Protection of Audit Information | Access by Subset of Privileged Users
AU-10
AU-11 Audit Record Retention
AU-12 Audit Record Generation
AU-12(01)
AU-12(03)
CA — Assessment, Authorization, and Monitoring (15 controls)
CA-01 Policy and Procedures
CA-02 Control Assessments
CA-02(01) Control Assessments | Independent Assessors
CA-02(02)
CA-02(03) Control Assessments | Leveraging Results from External Organizations
CA-03 Information Exchange
CA-03(05)
CA-05 Plan of Action and Milestones
CA-06 Authorization
CA-07 Continuous Monitoring
CA-07(01) Continuous Monitoring | Independent Assessment
CA-07(03)
CA-08 Penetration Testing
CA-08(01) Penetration Testing | Independent Penetration Testing Agent or Team
CA-09 Internal System Connections
CM — Configuration Management (36 controls)
CM-01 Policy and Procedures
CM-02 Baseline Configuration
CM-02(01)
CM-02(02) Baseline Configuration | Automation Support for Accuracy and Currency
CM-02(03) Baseline Configuration | Retention of Previous Configurations
CM-02(07) Baseline Configuration | Configure Systems and Components for High-risk Areas
CM-03 Configuration Change Control
CM-03(01)
CM-03(02) Configuration Change Control | Testing, Validation, and Documentation of Changes
CM-03(04) Configuration Change Control | Security and Privacy Representatives
CM-03(06)
CM-04 Impact Analyses
CM-04(01)
CM-05 Access Restrictions for Change
CM-05(01) Access Restrictions for Change | Automated Access Enforcement and Audit Records
CM-05(02)
CM-05(03)
CM-05(05) Access Restrictions for Change | Privilege Limitation for Production and Operation
CM-06 Configuration Settings
CM-06(01) Configuration Settings | Automated Management, Application, and Verification
CM-06(02)
CM-07 Least Functionality
CM-07(01) Least Functionality | Periodic Review
CM-07(02) Least Functionality | Prevent Program Execution
CM-07(05) Least Functionality | Authorized Software — Allow-by-exception
CM-08 System Component Inventory
CM-08(01) System Component Inventory | Updates During Installation and Removal
CM-08(02)
CM-08(03) System Component Inventory | Automated Unauthorized Component Detection
CM-08(04)
CM-08(05)
CM-09 Configuration Management Plan
CM-10 Software Usage Restrictions
CM-10(01)
CM-11 User-installed Software
CM-11(01)
CP — Contingency Planning (35 controls)
CP-01 Policy and Procedures
CP-02 Contingency Plan
CP-02(01) Contingency Plan | Coordinate with Related Plans
CP-02(02)
CP-02(03) Contingency Plan | Resume Mission and Business Functions
CP-02(04)
CP-02(05)
CP-02(08) Contingency Plan | Identify Critical Assets
CP-03 Contingency Training
CP-03(01)
CP-04 Contingency Plan Testing
CP-04(01) Contingency Plan Testing | Coordinate with Related Plans
CP-04(02)
CP-06 Alternate Storage Site
CP-06(01) Alternate Storage Site | Separation from Primary Site
CP-06(02)
CP-06(03) Alternate Storage Site | Accessibility
CP-07 Alternate Processing Site
CP-07(01) Alternate Processing Site | Separation from Primary Site
CP-07(02) Alternate Processing Site | Accessibility
CP-07(03) Alternate Processing Site | Priority of Service
CP-07(04)
CP-08 Telecommunications Services
CP-08(01) Telecommunications Services | Priority of Service Provisions
CP-08(02) Telecommunications Services | Single Points of Failure
CP-08(03)
CP-08(04)
CP-09 System Backup
CP-09(01) System Backup | Testing for Reliability and Integrity
CP-09(02)
CP-09(03)
CP-09(05)
CP-10 System Recovery and Reconstitution
CP-10(02) System Recovery and Reconstitution | Transaction Recovery
CP-10(04)
IA — Identification and Authentication (31 controls)
IA-01 Policy and Procedures
IA-02 Identification and Authentication (Organizational Users)
IA-02(01) Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged Accounts
IA-02(02) Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privileged Accounts
IA-02(03)
IA-02(04)
IA-02(05) Identification and Authentication (Organizational Users) | Individual Authentication with Group Authentication
IA-02(08) Identification and Authentication (Organizational Users) | Access to Accounts — Replay Resistant
IA-02(09)
IA-02(11)
IA-02(12)
IA-03 Device Identification and Authentication
IA-04 Identifier Management
IA-04(04) Identifier Management | Identify User Status
IA-05 Authenticator Management
IA-05(01) Authenticator Management | Password-based Authentication
IA-05(02) Authenticator Management | Public Key-based Authentication
IA-05(03)
IA-05(04)
IA-05(06) Authenticator Management | Protection of Authenticators
IA-05(07) Authenticator Management | No Embedded Unencrypted Static Authenticators
IA-05(08)
IA-05(11)
IA-05(13)
IA-06 Authentication Feedback
IA-07 Cryptographic Module Authentication
IA-08 Identification and Authentication (Non-organizational Users)
IA-08(01)
IA-08(02) Identification and Authentication (Non-organizational Users) | Acceptance of External Authenticators
IA-08(03)
IA-08(04) Identification and Authentication (Non-organizational Users) | Use of Defined Profiles
IR — Incident Response (25 controls)
IR-01 Policy and Procedures
IR-02 Incident Response Training
IR-02(01)
IR-02(02)
IR-03 Incident Response Testing
IR-03(02) Incident Response Testing | Coordination with Related Plans
IR-04 Incident Handling
IR-04(01) Incident Handling | Automated Incident Handling Processes
IR-04(02)
IR-04(03)
IR-04(06)
IR-04(08)
IR-05 Incident Monitoring
IR-05(01)
IR-06 Incident Reporting
IR-06(01) Incident Reporting | Automated Reporting
IR-07 Incident Response Assistance
IR-07(01) Incident Response Assistance | Automation Support for Availability of Information and Support
IR-07(02)
IR-08 Incident Response Plan
IR-09 Information Spillage Response
IR-09(01)
IR-09(02) Information Spillage Response | Training
IR-09(03) Information Spillage Response | Post-spill Operations
IR-09(04) Information Spillage Response | Exposure to Unauthorized Personnel
MA — Maintenance (14 controls)
MA-01 Policy and Procedures
MA-02 Controlled Maintenance
MA-02(02)
MA-03 Maintenance Tools
MA-03(01) Maintenance Tools | Inspect Tools
MA-03(02) Maintenance Tools | Inspect Media
MA-03(03) Maintenance Tools | Prevent Unauthorized Removal
MA-04 Nonlocal Maintenance
MA-04(02)
MA-04(03)
MA-04(06)
MA-05 Maintenance Personnel
MA-05(01) Maintenance Personnel | Individuals Without Appropriate Access
MA-06 Timely Maintenance
MP — Media Protection (12 controls)
PE — Physical and Environmental Protection (27 controls)
PE-01 Policy and Procedures
PE-02 Physical Access Authorizations
PE-03 Physical Access Control
PE-03(01)
PE-04 Access Control for Transmission
PE-05 Access Control for Output Devices
PE-06 Monitoring Physical Access
PE-06(01) Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
PE-06(04)
PE-08 Visitor Access Records
PE-08(01)
PE-09 Power Equipment and Cabling
PE-10 Emergency Shutoff
PE-11 Emergency Power
PE-11(01)
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-13(01) Fire Protection | Detection Systems — Automatic Activation and Notification
PE-13(02) Fire Protection | Suppression Systems — Automatic Activation and Notification
PE-13(03)
PE-14 Environmental Controls
PE-14(02)
PE-15 Water Damage Protection
PE-15(01)
PE-16 Delivery and Removal
PE-17 Alternate Work Site
PE-18
PL — Planning (6 controls)
PS — Personnel Security (10 controls)
PS-01 Policy and Procedures
PS-02 Position Risk Designation
PS-03 Personnel Screening
PS-03(03) Personnel Screening | Information Requiring Special Protective Measures
PS-04 Personnel Termination
PS-04(02)
PS-05 Personnel Transfer
PS-06 Access Agreements
PS-07 External Personnel Security
PS-08 Personnel Sanctions
RA — Risk Assessment (12 controls)
RA-01 Policy and Procedures
RA-02 Security Categorization
RA-03 Risk Assessment
RA-05 Vulnerability Monitoring and Scanning
RA-05(01)
RA-05(02) Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
RA-05(03) Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage
RA-05(04)
RA-05(05) Vulnerability Monitoring and Scanning | Privileged Access
RA-05(06)
RA-05(08)
RA-05(10)
SA — System and Services Acquisition (26 controls)
SA-01 Policy and Procedures
SA-02 Allocation of Resources
SA-03 System Development Life Cycle
SA-04 Acquisition Process
SA-04(01) Acquisition Process | Functional Properties of Controls
SA-04(02) Acquisition Process | Design and Implementation Information for Controls
SA-04(08)
SA-04(09) Acquisition Process | Functions, Ports, Protocols, and Services in Use
SA-04(10)
SA-05 System Documentation
SA-08 Security and Privacy Engineering Principles
SA-09 External System Services
SA-09(01) External System Services | Risk Assessments and Organizational Approvals
SA-09(02) External System Services | Identification of Functions, Ports, Protocols, and Services
SA-09(04)
SA-09(05) External System Services | Processing, Storage, and Service Location
SA-10 Developer Configuration Management
SA-10(01)
SA-11 Developer Testing and Evaluation
SA-11(01) Developer Testing and Evaluation | Static Code Analysis
SA-11(02) Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
SA-11(08)
SA-12
SA-15 Development Process, Standards, and Tools
SA-16
SA-17
SC — System and Communications Protection (39 controls)
SC-01 Policy and Procedures
SC-02 Separation of System and User Functionality
SC-03
SC-04 Information in Shared System Resources
SC-05 Denial-of-Service Protection
SC-06
SC-07 Boundary Protection
SC-07(03) Boundary Protection | Access Points
SC-07(04) Boundary Protection | External Telecommunications Services
SC-07(05) Boundary Protection | Deny by Default — Allow by Exception
SC-07(07) Boundary Protection | Split Tunneling for Remote Devices
SC-07(08) Boundary Protection | Route Traffic to Authenticated Proxy Servers
SC-07(10)
SC-07(12) Boundary Protection | Host-based Protection
SC-07(13)
SC-07(18) Boundary Protection | Fail Secure
SC-07(20)
SC-07(21)
SC-08 Transmission Confidentiality and Integrity
SC-08(01) Transmission Confidentiality and Integrity | Cryptographic Protection
SC-10 Network Disconnect
SC-12 Cryptographic Key Establishment and Management
SC-12(01)
SC-12(02)
SC-12(03)
SC-13 Cryptographic Protection
SC-15 Collaborative Computing Devices and Applications
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-19
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 Architecture and Provisioning for Name/Address Resolution Service
SC-23 Session Authenticity
SC-23(01)
SC-24
SC-28 Protection of Information at Rest
SC-28(01) Protection of Information at Rest | Cryptographic Protection
SC-39 Process Isolation
SI — System and Information Integrity (39 controls)
SI-01 Policy and Procedures
SI-02 Flaw Remediation
SI-02(01)
SI-02(02) Flaw Remediation | Automated Flaw Remediation Status
SI-02(03) Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions
SI-03 Malicious Code Protection
SI-03(01)
SI-03(02)
SI-03(07)
SI-04 System Monitoring
SI-04(01) System Monitoring | System-wide Intrusion Detection System
SI-04(02) System Monitoring | Automated Tools and Mechanisms for Real-time Analysis
SI-04(04) System Monitoring | Inbound and Outbound Communications Traffic
SI-04(05) System Monitoring | System-generated Alerts
SI-04(11)
SI-04(14)
SI-04(16) System Monitoring | Correlate Monitoring Information
SI-04(18) System Monitoring | Analyze Traffic and Covert Exfiltration
SI-04(19)
SI-04(20)
SI-04(22)
SI-04(23) System Monitoring | Host-based Devices
SI-04(24)
SI-05 Security Alerts, Advisories, and Directives
SI-05(01)
SI-06 Security and Privacy Function Verification
SI-07 Software, Firmware, and Information Integrity
SI-07(01) Software, Firmware, and Information Integrity | Integrity Checks
SI-07(02)
SI-07(05)
SI-07(07) Software, Firmware, and Information Integrity | Integration of Detection and Response
SI-07(14)
SI-08 Spam Protection
SI-08(01)
SI-08(02) Spam Protection | Automatic Updates
SI-10 Information Input Validation
SI-11 Error Handling
SI-12 Information Management and Retention
SI-16 Memory Protection