FedRAMP Moderate | Daydream

Requirements in this framework

Access Agreements
Access Control for Mobile Devices
Access Control for Mobile Devices | Full Device or Container-Based Encryption
Access Control for Output Devices
Access Control for Transmission
Access Enforcement
Access Restrictions for Change
Access Restrictions for Change | Automated Access Enforcement and Audit Records
Access Restrictions for Change | Privilege Limitation for Production and Operation
Account Management
Account Management | Account Monitoring for Atypical Usage
Account Management | Automated Audit Actions
Account Management | Automated System Account Management
Account Management | Automated Temporary and Emergency Account Management
Account Management | Disable Accounts
Account Management | Disable Accounts for High-Risk Individuals
Account Management | Inactivity Logout
Account Management | Privileged User Accounts
Account Management | Restrictions on Use of Shared and Group Accounts
Acquisition Process
Acquisition Process | Design and Implementation Information for Controls
Acquisition Process | Functional Properties of Controls
Acquisition Process | Functions, Ports, Protocols, and Services in Use
Acquisition Process | Use of Approved PIV Products
Acquisition Strategies, Tools, and Methods
Allocation of Resources
Alternate Processing Site
Alternate Processing Site | Accessibility
Alternate Processing Site | Priority of Service
Alternate Processing Site | Separation from Primary Site
Alternate Storage Site
Alternate Storage Site | Accessibility
Alternate Storage Site | Separation from Primary Site
Alternate Work Site
Architecture and Provisioning for Name/Address Resolution Service
Audit Log Storage Capacity
Audit Record Generation
Audit Record Reduction and Report Generation
Audit Record Reduction and Report Generation | Automatic Processing
Audit Record Retention
Audit Record Review, Analysis, and Reporting
Audit Record Review, Analysis, and Reporting | Automated Process Integration
Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories
Authentication Feedback
Authenticator Management
Authenticator Management | No Embedded Unencrypted Static Authenticators
Authenticator Management | Password-Based Authentication
Authenticator Management | Protection of Authenticators
Authenticator Management | Public Key-Based Authentication
Authorization
Baseline Configuration
Baseline Configuration | Automation Support for Accuracy and Currency
Baseline Configuration | Configure Systems and Components for High-Risk Areas
Baseline Configuration | Retention of Previous Configurations
Baseline Selection
Baseline Tailoring
Boundary Protection
Boundary Protection | Access Points
Boundary Protection | Deny by Default — Allow by Exception
Boundary Protection | External Telecommunications Services
Boundary Protection | Fail Secure
Boundary Protection | Host-Based Protection
Boundary Protection | Route Traffic to Authenticated Proxy Servers
Boundary Protection | Split Tunneling for Remote Devices
Collaborative Computing Devices and Applications
Component Authenticity
Component Authenticity | Anti-Counterfeit Training
Component Authenticity | Configuration Control for Component Service and Repair
Component Disposal
Configuration Change Control
Configuration Change Control | Security and Privacy Representatives
Configuration Change Control | Testing, Validation, and Documentation of Changes
Configuration Management Plan
Configuration Settings
Configuration Settings | Automated Management, Application, and Verification
Content of Audit Records
Content of Audit Records | Additional Audit Information
Contingency Plan
Contingency Plan | Coordinate with Related Plans
Contingency Plan | Identify Critical Assets
Contingency Plan | Resume Mission and Business Functions
Contingency Plan Testing
Contingency Plan Testing | Coordinate with Related Plans
Contingency Training
Continuous Monitoring
Continuous Monitoring | Independent Assessment
Continuous Monitoring | Risk Monitoring
Control Assessments
Control Assessments | Independent Assessors
Control Assessments | Leveraging Results from External Organizations
Controlled Maintenance
Criticality Analysis
Cryptographic Key Establishment and Management
Cryptographic Module Authentication
Cryptographic Protection
Delivery and Removal
Denial-of-Service Protection
Developer Configuration Management
Developer Testing and Evaluation
Developer Testing and Evaluation | Static Code Analysis
Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
Development Process, Standards, and Tools
Development Process, Standards, and Tools | Criticality Analysis
Device Identification and Authentication
Device Lock
Device Lock | Pattern-Hiding Displays
Emergency Lighting
Emergency Power
Emergency Shutoff
Environmental Controls
Error Handling
Event Logging
External Personnel Security
External System Services
External System Services | Identification of Functions, Ports, Protocols, and Services
External System Services | Processing, Storage, and Service Location
External System Services | Risk Assessments and Organizational Approvals
Fire Protection
Fire Protection | Detection Systems — Automatic Activation and Notification
Fire Protection | Suppression Systems — Automatic Activation and Notification
Flaw Remediation
Flaw Remediation | Automated Flaw Remediation Status
Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions
Identification and Authentication (Non-Organizational Users)
Identification and Authentication (Non-Organizational Users) | Acceptance of External Authenticators
Identification and Authentication (Non-Organizational Users) | Acceptance of PIV Credentials from Other Agencies
Identification and Authentication (Non-Organizational Users) | Use of Defined Profiles
Identification and Authentication (Organizational Users)
Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials
Identification and Authentication (Organizational Users) | Access to Accounts — Replay Resistant
Identification and Authentication (Organizational Users) | Access to Accounts — Separate Device
Identification and Authentication (Organizational Users) | Individual Authentication with Group Authentication
Identification and Authentication (Organizational Users) | Multi-Factor Authentication to Non-Privileged Accounts
Identification and Authentication (Organizational Users) | Multi-Factor Authentication to Privileged Accounts
Identifier Management
Identifier Management | Identify User Status
Identity Proofing
Identity Proofing | Address Confirmation
Identity Proofing | Identity Evidence
Identity Proofing | Identity Evidence Validation and Verification
Impact Analyses
Impact Analyses | Verification of Controls
Incident Handling
Incident Handling | Automated Incident Handling Processes
Incident Monitoring
Incident Reporting
Incident Reporting | Automated Reporting
Incident Reporting | Supply Chain Coordination
Incident Response Assistance
Incident Response Assistance | Automation Support for Availability of Information and Support
Incident Response Plan
Incident Response Testing
Incident Response Testing | Coordination with Related Plans
Incident Response Training
Information Exchange
Information Flow Enforcement
Information Flow Enforcement | Physical or Logical Separation of Information Flows
Information in Shared System Resources
Information Input Validation
Information Location
Information Location | Automated Tools to Support Information Location
Information Management and Retention
Information Sharing
Information Spillage Response
Information Spillage Response | Exposure to Unauthorized Personnel
Information Spillage Response | Post-Spill Operations
Information Spillage Response | Training
Inspection of Systems or Components
Internal System Connections
Least Functionality
Least Functionality | Authorized Software — Allow-by-Exception
Least Functionality | Periodic Review
Least Functionality | Prevent Program Execution
Least Privilege
Least Privilege | Authorize Access to Security Functions
Least Privilege | Log Use of Privileged Functions
Least Privilege | Non-Privileged Access for Nonsecurity Functions
Least Privilege | Privileged Accounts
Least Privilege | Prohibit Non-Privileged Users from Executing Privileged Functions
Least Privilege | Review of User Privileges
Literacy Training and Awareness
Literacy Training and Awareness | Insider Threat
Literacy Training and Awareness | Social Engineering and Mining
Maintenance Personnel
Maintenance Personnel | Individuals Without Appropriate Access
Maintenance Tools
Maintenance Tools | Inspect Media
Maintenance Tools | Inspect Tools
Maintenance Tools | Prevent Unauthorized Removal
Malicious Code Protection
Media Access
Media Marking
Media Sanitization
Media Storage
Media Transport
Media Use
Memory Protection
Mobile Code
Monitoring Physical Access
Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
Network Disconnect
Nonlocal Maintenance
Notification Agreements
Penetration Testing
Penetration Testing | Independent Penetration Testing Agent or Team
Penetration Testing | Red Team Exercises
Permitted Actions Without Identification or Authentication
Personnel Sanctions
Personnel Screening
Personnel Screening | Information Requiring Special Protective Measures
Personnel Termination
Personnel Transfer
Physical Access Authorizations
Physical Access Control
Plan of Action and Milestones
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Policy and Procedures
Position Descriptions
Position Risk Designation
Power Equipment and Cabling
Process Isolation
Protection of Audit Information
Protection of Audit Information | Access by Subset of Privileged Users
Protection of Information at Rest
Protection of Information at Rest | Cryptographic Protection
Public Key Infrastructure Certificates
Publicly Accessible Content
Re-Authentication
Remote Access
Remote Access | Managed Access Control Points
Remote Access | Monitoring and Control
Remote Access | Privileged Commands and Access
Remote Access | Protection of Confidentiality and Integrity Using Encryption
Response to Audit Logging Process Failures
Risk Assessment
Risk Assessment | Supply Chain Risk Assessment
Risk Response
Role-Based Training
Rules of Behavior
Rules of Behavior | Social Media and External Site/Application Usage Restrictions
Secure Name/Address Resolution Service (Authoritative Source)
Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Security Alerts, Advisories, and Directives
Security and Privacy Architectures
Security and Privacy Engineering Principles
Security and Privacy Function Verification
Security Categorization
Separation of Duties
Separation of System and User Functionality
Session Authenticity
Session Termination
Software Usage Restrictions
Software, Firmware, and Information Integrity
Software, Firmware, and Information Integrity | Integration of Detection and Response
Software, Firmware, and Information Integrity | Integrity Checks
Spam Protection
Spam Protection | Automatic Updates
Supplier Assessments and Reviews
Supply Chain Controls and Processes
Supply Chain Risk Management Plan
Supply Chain Risk Management Plan | Establish SCRM Team
System Backup
System Backup | Cryptographic Protection
System Backup | Testing for Reliability and Integrity
System Component Inventory
System Component Inventory | Automated Unauthorized Component Detection
System Component Inventory | Updates During Installation and Removal
System Development Life Cycle
System Documentation
System Monitoring
System Monitoring | Analyze Traffic and Covert Exfiltration
System Monitoring | Automated Tools and Mechanisms for Real-Time Analysis
System Monitoring | Correlate Monitoring Information
System Monitoring | Host-Based Devices
System Monitoring | Inbound and Outbound Communications Traffic
System Monitoring | System-Generated Alerts
System Monitoring | System-Wide Intrusion Detection System
System Recovery and Reconstitution
System Recovery and Reconstitution | Transaction Recovery
System Security and Privacy Plans
System Time Synchronization
System Time Synchronization | Synchronization with Authoritative Time Source
System Use Notification
Telecommunications Services
Telecommunications Services | Priority of Service Provisions
Telecommunications Services | Single Points of Failure
Time Stamps
Timely Maintenance
Training Records
Transmission Confidentiality and Integrity
Transmission Confidentiality and Integrity | Cryptographic Protection
Unsuccessful Logon Attempts
Unsupported System Components
Use of External Systems
Use of External Systems | Limits on Authorized Use
Use of External Systems | Portable Storage Devices — Restricted Use
User-Installed Software
Visitor Access Records
Vulnerability Monitoring and Scanning
Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage
Vulnerability Monitoring and Scanning | Privileged Access
Vulnerability Monitoring and Scanning | Public Disclosure Program
Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
Water Damage Protection
Wireless Access
Wireless Access | Authentication and Encryption
Wireless Access | Disable Wireless Networking