Update to our Customer Responsibility Matrix (CRM)
The Control Implementation Summary (CIS) + Customer Responsibility Matrix (CRM) + Control-by-Control Inheritance (.xlsx) is a summary of each Low and Moderate security control and whether it is handled by cloud.gov, shared responsibility, or customer responsibility. It includes guidance on which controls a customer system can fully or partially inherit from cloud.gov.
We’ve made some recent changes to this document that we wanted to summarize for platform users, and those interested in implementing a solution on the platform.
Recent changes to CRM
- Added another page listing Low-impact controls, which provides color-coded conditional formatting to the CRM
Updates to controls
- AC-02(5) Corrected inheritance to “No” was “Partial”, for inactivity logout
- AU-04: Corrected inheritance to Yes, was Partial, for logging capacity
- CA-08: Corrected inheritance to No, was Partial, for penetration tests
- CP-06: Clarified to use “service-level objectives” instead of SLAs
- CP-07: Clarified to use “service-level objectives” instead of SLAs
- IA-02: Corrected inheritance to “No”, was “Partial” for local access
- IA-05 (02): Corrected inheritance to “Partial” as cloud.gov can use PKI for agency authentication. Was “No”
- IA-05 (04): Corrected inheritance to “Partial” as the cloud.gov IdP enforces password strength
- IA-05 (06): Corrected inheritance to “Partial” as the cloud.gov IdP protects authenticators
- SC-08: Corrected typo so it reads “HTTPS” (not “HTTS”)
- SC-13: Corrected to refer to “encryption,” (not “credentials”)
- SC-17: Corrected inheritance from “No” to “Partial” for obtaining certs from approved provider
- SC-19: Corrected inheritance to “Yes” from “No” since cloud.gov does not support VOIP
- SI-04 (05): Note regarding alert routing for A/V detection
Using this document
You can read more on how to start the ATO process with cloud.gov at our FedRAMP Authorized page.