BRACKETOLOGY | FEDRAMP

SI-6: SECURITY FUNCTION VERIFICATION

FedRAMP Baseline Membership SI-6:

  • MODERATE
  • HIGH
FedRAMP Bracketology

Use the FedRAMP Baseline Membership information above to determine whether a control or control enhancement is required for each Impact Baseline (LOW, MODERATE, or HIGH).

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

Baseline-specific panels appear only where there are [BRACKETS] in the control or enhancement, or where FedRAMP-specific requirements or guidance are available.

The information system:

    • a. Verifies the correct operation of [Assignment: organization-defined security functions];
    • b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
    • c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
    • d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.

LOW

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

MODERATE | HIGH

The FedRAMP-specific requirements for the MODERATE and HIGH baselines are identical. The information system:

  • a. Verifies the correct operation of [Assignment: organization-defined security functions];
  • b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: to include upon system startup and/or restart at least monthly]];
  • c. Notifies [Assignment: organization-defined personnel or roles to include system administrators and security personnel] of failed security verification tests; and
  • d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: to include notification of system administrators and security personnel]] when anomalies are discovered.

SUPPLEMENTAL GUIDANCE

Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights.
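As an added illustration (not part of this page or of any FedRAMP or NIST material), the following Python harness models SI-6(a) through (d) with the FedRAMP MODERATE/HIGH parameters: each security function check is a callable, verification is keyed to the transitional states and frequency named above, any failure notifies system administrators and security personnel, and the (d) response is selected from the control's own choices. The two sample checks, the trigger names and the role list are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# SI-6(b): when verification runs. Transitional states follow the supplemental guidance;
# "monthly" and "privileged-command" cover the FedRAMP frequency and the on-command case.
TRIGGERS = {"startup", "restart", "shutdown", "abort", "monthly", "privileged-command"}
# SI-6(c)/(d): FedRAMP requires at least these roles to be notified (constructed role list).
NOTIFY_ROLES = ("system administrators", "security personnel")
ACTIONS = ("notify", "restart", "shutdown")  # SI-6(d) selection; "notify" is the FedRAMP minimum

def sha256_known_answer() -> bool:
    """Known-answer test (constructed check): the hash routine still yields the published digest of b"abc"."""
    expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    return hashlib.sha256(b"abc").hexdigest() == expected

def audit_log_writable(path: str) -> bool:
    """Constructed check: audit logging must still accept records; append a probe and confirm it landed."""
    try:
        with open(path, "a", encoding="utf-8") as log:
            log.write("si6-probe\n")
        with open(path, encoding="utf-8") as log:
            return log.read().endswith("si6-probe\n")
    except OSError:
        return False

@dataclass
class VerificationReport:
    trigger: str
    results: dict = field(default_factory=dict)        # check name -> passed?
    notifications: list = field(default_factory=list)  # SI-6(c) messages, one per role
    action: str = "none"                               # SI-6(d) response actually selected

def verify_security_functions(trigger, checks, on_anomaly="notify") -> VerificationReport:
    """Run each SI-6(a) check; on any failure notify the required roles and pick the (d) action."""
    if trigger not in TRIGGERS or on_anomaly not in ACTIONS:
        raise ValueError(f"unsupported trigger {trigger!r} or action {on_anomaly!r}")
    report = VerificationReport(trigger=trigger)
    for name, check in checks.items():
        try:
            report.results[name] = bool(check())
        except Exception:  # a check that crashes is a failed check, not a skipped one
            report.results[name] = False
    failed = [name for name, ok in report.results.items() if not ok]
    if failed:
        for role in NOTIFY_ROLES:
            report.notifications.append(f"{role}: failed security verification tests {failed}")
        report.action = on_anomaly
    return report
```

Calling `verify_security_functions("startup", {"sha256_kat": sha256_known_answer})` at boot returns a report with no notifications and `action == "none"` when every check passes; a failed or crashing check produces one notification per required role and the configured response.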

CONTROL ENHANCEMENTS

SI-6 (1) SECURITY FUNCTION VERIFICATION | NOTIFICATION OF FAILED SECURITY TESTS

[Withdrawn: Incorporated into SI-6]. (See above.)

SI-6 (2) SECURITY FUNCTION VERIFICATION | AUTOMATION SUPPORT FOR DISTRIBUTED TESTING

The information system implements automated mechanisms to support the management of distributed security testing.

Supplemental Guidance: NONE

RELATED CONTROLS: SI-6 (2)

SI-6 (3) SECURITY FUNCTION VERIFICATION | REPORT VERIFICATION RESULTS

The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles].

Supplemental Guidance:

Organizational personnel with potential interest in security function verification results include, for example, senior information security officers, information system security managers, and information systems security officers.

RELATED CONTROLS: SI-6 (3)

REFERENCES:

  • NO REFERENCES