BRACKETOLOGY | FEDRAMP

SI-5: SECURITY FUNCTION VERIFICATION

  • FedRAMP Baseline Membership SI-5:
  • LOW
  • MODERATE
  • HIGH
FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine whether a control or control enhancement is required for each Impact Baseline: LOW, MODERATE, or HIGH.

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH while the panel is open.

Panels only appear where there are [BRACKETS] in the control or enhancement, or where FedRAMP-specific requirements or guidance are available.

The information system:

    • a. Verifies the correct operation of [Assignment: organization-defined security functions];
    • b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
    • c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
    • d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.

The organization:

  • a. Receives information system security alerts, advisories, and directives from organization-defined external organizations to include US-CERT on an ongoing basis;
  • b. Generates internal security alerts, advisories, and directives as deemed necessary;
  • c. Disseminates security alerts, advisories, and directives to: organization-defined personnel or roles; organization-defined elements within the organization to include system security personnel and administrators with configuration/patch-management responsibilities; and
  • d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.


SUPPLEMENTAL GUIDANCE

The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential because many of these directives are critical and there can be immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation if the directives are not implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations.

CONTROL ENHANCEMENTS

SI-5 (1) SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES
  • FedRAMP Baseline Membership SI-5 (1):
  • HIGH

The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

Supplemental Guidance:

The significant number of changes to organizational information systems and the environments in which those systems operate requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on the information provided by the security alerts and advisories, changes may be required at one or more of the three tiers related to the management of information security risk including the governance level, mission/business process/enterprise architecture level, and the information system level.

REFERENCES:

  • NIST Special Publication 800-40