In the manual SSP process, FedRAMP-specific REQs were included in the baseline and had sections to answer, like NIST CONTROL STATEMENTS. In FedRAMP HIGH Baseline Profile, Example: AC-8 Req.
Requirement 1: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
Requirement 2: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO. If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
Requirement 3: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.
AC-8 Req. | Control Summary Information
-- | --
Responsible Role: |
Implementation Status (check all that apply): | ☐ Implemented ☐ Partially implemented ☐ Planned ☐ Alternative implementation ☐ Not applicable
Control Origination (check all that apply): | ☐ Service Provider Corporate ☐ Service Provider System Specific ☐ Service Provider Hybrid (Corporate and System Specific) ☐ Configured by Customer (Customer System Specific) ☐ Provided by Customer (Customer System Specific) ☐ Shared (Service Provider and Customer Responsibility) ☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text. , Date of Authorization