FedRAMP FAQ

Control Objectives

The Access Control (AC) objective is based around the policies and procedures in place at a 3PAO to limit access to the various resources within the environment to appropriate individuals. Below is a list of the activities that must be implemented to address and mitigate access control related risks.

  • Access Control Policy and Procedures
  • Account Management
  • Access Enforcement
  • Information Flow Enforcement
  • Separation of Duties
  • Least Privilege
  • Unsuccessful Login Attempts
  • System Use Notification
  • Concurrent Session Control
  • Session Lock
  • Permitted Actions Without Identification/Authentication
  • Security Attributes
  • Remote Access
  • Wireless Access
  • Access Control for Mobile Devices
  • Use of External Information Systems
  • Publicly Accessible Content

The Awareness and Training (AT) objective is based around the policies and procedures in place at a 3PAO to properly inform employees of security risks and to provide the appropriate training to identify and mitigate the common issues that put organizations at risk. Additionally, these controls help provide sufficient audit evidence and make it possible to hold employees accountable for their actions.

  • Security Awareness and Training Policy and Procedures
  • Security Awareness
  • Security Training
  • Security Training Records

The goal of the Audit and Accountability (AU) objective is to ensure there are sufficient controls in place to provide auditable evidence for system transactions and that key records are retained for a sufficient amount of time. This way, if the system crashes, is hacked, or someone fat-fingers an entry, there are ways to recover data and to trace back and roll back changes.

  • Audit and Accountability Policy and Procedures
  • Auditable Events
  • Content of Audit Records
  • Audit Storage Capacity
  • Response to Audit Processing Failures
  • Audit Review, Analysis, and Reporting
  • Audit Reduction and Report Generation
  • Time Stamps
  • Protection of Audit Information
  • Non-Repudiation
  • Audit Record Retention
  • Audit Generation
