Update to our Customer Responsibility Matrix (CRM)

The Control Implementation Summary (CIS) + Customer Responsibility Matrix (CRM) + Control-by-Control Inheritance (.xlsx) is a summary of each Low and Moderate security control and whether it is handled by cloud.gov, shared responsibility, or customer responsibility. It includes guidance on which controls a customer system can fully or partially inherit from cloud.gov.

We’ve made some recent changes to this document that we wanted to summarize for platform users, and those interested in implementing a solution on the platform.

Recent changes to CRM

• Added another page listing Low-impact controls, which provides color-coded conditional formatting to the CRM

Updates to controls

• AC-02(5) Corrected inheritance to “No” was “Partial”, for inactivity logout
• AU-04: Corrected inheritance to Yes, was Partial, for logging capacity
• CA-08: Corrected inheritance to No, was Partial, for penetration tests
• CP-06: Clarified to use “service-level objectives” instead of SLAs
• CP-07: Clarified to use “service-level objectives” instead of SLAs
• IA-02: Corrected inheritance to “No”, was “Partial” for local access
• IA-05 (02): Corrected inheritance to “Partial” as cloud.gov can use PKI for agency authentication. Was “No”
• IA-05 (04): Corrected inheritance to “Partial” as the cloud.gov IdP enforces password strength
• IA-05 (06): Corrected inheritance to “Partial” as the cloud.gov IdP protects authenticators
• SC-08: Corrected typo so it reads “HTTPS” (not “HTTS”)
• SC-13: Corrected to refer to “encryption,” (not “credentials”)
• SC-17: Corrected inheritance from “No” to “Partial” for obtaining certs from approved provider
• SC-19: Corrected inheritance to “Yes” from “No” since cloud.gov does not support VOIP
• SI-04 (05): Note regarding alert routing for A/V detection

Using this document

You can read more on how to start the ATO process with cloud.gov at our FedRAMP Authorized page.