FedRAMP Moderate shared security model

The FedRAMP Moderate Authorization level contains over 300 controls derived from NIST 800-53. Google Cloud is able to offer compliance support for controls labeled in the table below as Google Inherited, which means that users are able to by default inherit these controls when leveraging Google Cloud. Users are responsible for implementing the controls labeled in the table below as Customer. Google Cloud is able to support compliance for select customer responsible controls through implementation of products and services. The FedRAMP customer package provides additional information on each control and the specific product and services which are able to support compliance. Controls labeled as N/A in the table below are out of scope for the assessment of FedRAMP Moderate on Google Cloud and are subject to change based upon the customer use case and audit scope.

Shared security matrix

To filter and sort the following table, choose a menu option, type in the box, or click a column heading.

Family ID Control Name Control Responsibility
ACCESS CONTROL AC-1 ACCESS CONTROL POLICY AND PROCEDURES Customer
ACCESS CONTROL AC-2 ACCOUNT MANAGEMENT Customer
ACCESS CONTROL AC-2 (1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT Customer
ACCESS CONTROL AC-2 (2) ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS Customer
ACCESS CONTROL AC-2 (3) ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS Customer
ACCESS CONTROL AC-2 (4) ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS Customer
ACCESS CONTROL AC-2 (5) ACCOUNT MANAGEMENT | INACTIVITY LOGOUT Customer
ACCESS CONTROL AC-2 (7) ACCOUNT MANAGEMENT | ROLE-BASED SCHEMES Customer
ACCESS CONTROL AC-2 (9) ACCOUNT MANAGEMENT | RESTRICTIONS ON USE OF SHARED GROUPS / ACCOUNTS Customer
ACCESS CONTROL AC-2 (10) ACCOUNT MANAGEMENT | SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION Customer
ACCESS CONTROL AC-2 (12) ACCOUNT MANAGEMENT | ACCOUNT MONITORING / ATYPICAL USAGE Customer
ACCESS CONTROL AC-3 ACCESS ENFORCEMENT Customer
ACCESS CONTROL AC-4 INFORMATION FLOW ENFORCEMENT Customer
ACCESS CONTROL AC-4 (21) INFORMATION FLOW ENFORCEMENT | PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS Customer
ACCESS CONTROL AC-5 SEPARATION OF DUTIES Customer
ACCESS CONTROL AC-6 LEAST PRIVILEGE Customer
ACCESS CONTROL AC-6 (1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS Google Inherited
ACCESS CONTROL AC-6 (2) LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS Google Inherited
ACCESS CONTROL AC-6 (5) LEAST PRIVILEGE | PRIVILEGED ACCOUNTS Google Inherited
ACCESS CONTROL AC-6 (9) LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS Customer
ACCESS CONTROL AC-6 (10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS Customer
ACCESS CONTROL AC-7 UNSUCCESSFUL LOGON ATTEMPTS Google Inherited
ACCESS CONTROL AC-8 SYSTEM USE NOTIFICATION Customer
ACCESS CONTROL AC-10 CONCURRENT SESSION CONTROL Customer
ACCESS CONTROL AC-11 SESSION LOCK Customer
ACCESS CONTROL AC-11 (1) SESSION LOCK | PATTERN-HIDING DISPLAYS Customer
ACCESS CONTROL AC-12 SESSION TERMINATION Customer
ACCESS CONTROL AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION Google Inherited
ACCESS CONTROL AC-17 REMOTE ACCESS Google Inherited
ACCESS CONTROL AC-17 (1) REMOTE ACCESS | AUTOMATED MONITORING / CONTROL Customer
ACCESS CONTROL AC-17 (2) REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION Customer
ACCESS CONTROL AC-17 (3) REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS Customer
ACCESS CONTROL AC-17 (4) REMOTE ACCESS | PRIVILEGED COMMANDS / ACCESS Google Inherited
ACCESS CONTROL AC-17 (9) REMOTE ACCESS | DISCONNECT / DISABLE ACCESS Google Inherited
ACCESS CONTROL AC-18 WIRELESS ACCESS Google Inherited
ACCESS CONTROL AC-18 (1) WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION N/A
ACCESS CONTROL AC-19 ACCESS CONTROL FOR MOBILE DEVICES Google Inherited
ACCESS CONTROL AC-19 (5) ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE / CONTAINER-BASED ENCRYPTION Google Inherited
ACCESS CONTROL AC-20 USE OF EXTERNAL INFORMATION SYSTEMS N/A
ACCESS CONTROL AC-20 (1) USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE N/A
ACCESS CONTROL AC-20 (2) USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE DEVICES N/A
ACCESS CONTROL AC-21 INFORMATION SHARING Customer
ACCESS CONTROL AC-22 PUBLICLY ACCESSIBLE CONTENT Customer
AWARENESS AND TRAINING AT-1 SECURITY AWARENESS AND TRAINING POLICY ANDPROCEDURES Customer
AWARENESS AND TRAINING AT-2 SECURITY AWARENESS TRAINING Google Inherited
AWARENESS AND TRAINING AT-2 (2) SECURITY AWARENESS | INSIDER THREAT Google Inherited
AWARENESS AND TRAINING AT-3 ROLE-BASED SECURITY TRAINING Google Inherited
AWARENESS AND TRAINING AT-4 SECURITY TRAINING RECORDS Google Inherited
AUDIT AND ACCOUNTABILITY AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES Customer
AUDIT AND ACCOUNTABILITY AU-2 AUDIT EVENTS Customer
AUDIT AND ACCOUNTABILITY AU-2 (3) AUDIT EVENTS | REVIEWS AND UPDATES Google Inherited
AUDIT AND ACCOUNTABILITY AU-3 CONTENT OF AUDIT RECORDS Customer
AUDIT AND ACCOUNTABILITY AU-3 (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION Customer
AUDIT AND ACCOUNTABILITY AU-4 AUDIT STORAGE CAPACITY Customer
AUDIT AND ACCOUNTABILITY AU-5 RESPONSE TO AUDIT PROCESSING FAILURES Google Inherited
AUDIT AND ACCOUNTABILITY AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING Customer
AUDIT AND ACCOUNTABILITY AU-6 (1) AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION Google Inherited
AUDIT AND ACCOUNTABILITY AU-6 (3) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT REPOSITORIES Google Inherited
AUDIT AND ACCOUNTABILITY AU-7 AUDIT REDUCTION AND REPORT GENERATION Google Inherited
AUDIT AND ACCOUNTABILITY AU-7 (1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING Google Inherited
AUDIT AND ACCOUNTABILITY AU-8 timestamps Customer
AUDIT AND ACCOUNTABILITY AU-8 (1) timestamps | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE Google Inherited
AUDIT AND ACCOUNTABILITY AU-9 PROTECTION OF AUDIT INFORMATION Google Inherited
AUDIT AND ACCOUNTABILITY AU-9 (2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS Customer
AUDIT AND ACCOUNTABILITY AU-9 (4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS Customer
AUDIT AND ACCOUNTABILITY AU-11 AUDIT RECORD RETENTION Customer
AUDIT AND ACCOUNTABILITY AU-12 AUDIT GENERATION Google Inherited
SECURITY ASSESSMENT AND AUTHORIZATION CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES Customer
SECURITY ASSESSMENT AND AUTHORIZATION CA-2 SECURITY ASSESSMENTS Google Inherited
SECURITY ASSESSMENT AND AUTHORIZATION CA-2 (1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS Google Inherited
SECURITY ASSESSMENT AND AUTHORIZATION CA-2 (2) SECURITY ASSESSMENTS | SPECIALIZED ASSESSMENTS Google Inherited
SECURITY ASSESSMENT AND AUTHORIZATION CA-2 (3) SECURITY ASSESSMENTS | EXTERNAL ORGANIZATIONS Google Inherited
SECURITY ASSESSMENT AND AUTHORIZATION CA-3 SYSTEM INTERCONNECTIONS Customer
SECURITY ASSESSMENT AND AUTHORIZATION CA-3 (3) SYSTEM INTERCONNECTIONS | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS Customer
SECURITY ASSESSMENT AND AUTHORIZATION CA-3 (5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS Customer
SECURITY ASSESSMENT AND AUTHORIZATION CA-5 PLAN OF ACTION AND MILESTONES Google Inherited
SECURITY ASSESSMENT AND AUTHORIZATION CA-6 SECURITY AUTHORIZATION Customer
SECURITY ASSESSMENT AND AUTHORIZATION CA-7 CONTINUOUS MONITORING Customer
SECURITY ASSESSMENT AND AUTHORIZATION CA-7 (1) CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT Google Inherited
SECURITY ASSESSMENT AND AUTHORIZATION CA-8 PENETRATION TESTING Google Inherited
SECURITY ASSESSMENT AND AUTHORIZATION CA-8 (1) PENETRATION TESTING | INDEPENDENT PENETRATION AGENT OR TEAM Google Inherited
SECURITY ASSESSMENT AND AUTHORIZATION CA-9 INTERNAL SYSTEM CONNECTIONS Google Inherited
CONFIGURATION MANAGEMENT CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES Customer
CONFIGURATION MANAGEMENT CM-2 BASELINE CONFIGURATION Customer
CONFIGURATION MANAGEMENT CM-2 (1) BASELINE CONFIGURATION | REVIEWS AND UPDATES Google Inherited
CONFIGURATION MANAGEMENT CM-2 (2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY Google Inherited
CONFIGURATION MANAGEMENT CM-2 (3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS Google Inherited
CONFIGURATION MANAGEMENT CM-2 (7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS Google Inherited
CONFIGURATION MANAGEMENT CM-3 CONFIGURATION CHANGE CONTROL Google Inherited
CONFIGURATION MANAGEMENT CM-4 SECURITY IMPACT ANALYSIS Google Inherited
CONFIGURATION MANAGEMENT CM-5 ACCESS RESTRICTIONS FOR CHANGE Google Inherited
CONFIGURATION MANAGEMENT CM-5 (1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING Google Inherited
CONFIGURATION MANAGEMENT CM-5 (3) ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS Google Inherited
CONFIGURATION MANAGEMENT CM-5 (5) ACCESS RESTRICTIONS FOR CHANGE | LIMIT PRODUCTION / OPERATIONAL PRIVILEGES Google Inherited
CONFIGURATION MANAGEMENT CM-6 CONFIGURATION SETTINGS Customer
CONFIGURATION MANAGEMENT CM-6 (1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION Google Inherited
CONFIGURATION MANAGEMENT CM-7 LEAST FUNCTIONALITY Google Inherited
CONFIGURATION MANAGEMENT CM-7 (1) LEAST FUNCTIONALITY | PERIODIC REVIEW Google Inherited
CONFIGURATION MANAGEMENT CM-7 (2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION Google Inherited
CONFIGURATION MANAGEMENT CM-7 (5) LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE / WHITELISTING Google Inherited
CONFIGURATION MANAGEMENT CM-8 INFORMATION SYSTEM COMPONENT INVENTORY Google Inherited
CONFIGURATION MANAGEMENT CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS Google Inherited
CONFIGURATION MANAGEMENT CM-8 (3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION Google Inherited
CONFIGURATION MANAGEMENT CM-8 (5) INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS Google Inherited
CONFIGURATION MANAGEMENT CM-9 CONFIGURATION MANAGEMENT PLAN Google Inherited
CONFIGURATION MANAGEMENT CM-10 SOFTWARE USAGE RESTRICTIONS Google Inherited
CONFIGURATION MANAGEMENT CM-10 (1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE Google Inherited
CONFIGURATION MANAGEMENT CM-11 USER-INSTALLED SOFTWARE Google Inherited
CONTINGENCY PLANNING CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES Customer
CONTINGENCY PLANNING CP-2 CONTINGENCY PLAN Google Inherited
CONTINGENCY PLANNING CP-2 (1) CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS Google Inherited
CONTINGENCY PLANNING CP-2 (2) CONTINGENCY PLAN | CAPACITY PLANNING Google Inherited
CONTINGENCY PLANNING CP-2 (3) CONTINGENCY PLAN | RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS Google Inherited
CONTINGENCY PLANNING CP-2 (8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS Google Inherited
CONTINGENCY PLANNING CP-3 CONTINGENCY TRAINING Google Inherited
CONTINGENCY PLANNING CP-4 CONTINGENCY PLAN TESTING Google Inherited
CONTINGENCY PLANNING CP-4 (1) CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS Google Inherited
CONTINGENCY PLANNING CP-6 ALTERNATE STORAGE SITE Google Inherited
CONTINGENCY PLANNING CP-6 (1) ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE Customer
CONTINGENCY PLANNING CP-6 (3) ALTERNATE STORAGE SITE | ACCESSIBILITY Google Inherited
CONTINGENCY PLANNING CP-7 ALTERNATE PROCESSING SITE Google Inherited
CONTINGENCY PLANNING CP-7 (1) ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE Customer
CONTINGENCY PLANNING CP-7 (2) ALTERNATE PROCESSING SITE | ACCESSIBILITY Google Inherited
CONTINGENCY PLANNING CP-7 (3) ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE N/A
CONTINGENCY PLANNING CP-8 TELECOMMUNICATIONS SERVICES Google Inherited
CONTINGENCY PLANNING CP-8 (1) TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS Google Inherited
CONTINGENCY PLANNING CP-8 (2) TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE Google Inherited
CONTINGENCY PLANNING CP-9 INFORMATION SYSTEM BACKUP Google Inherited
CONTINGENCY PLANNING CP-9 (1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY Google Inherited
CONTINGENCY PLANNING CP-9 (3) INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION Google Inherited
CONTINGENCY PLANNING CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION Google Inherited
CONTINGENCY PLANNING CP-10 (2) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY Google Inherited
IDENTIFICATION AND AUTHENTICATION IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES Customer
IDENTIFICATION AND AUTHENTICATION IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) Customer
IDENTIFICATION AND AUTHENTICATION IA-2 (1) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS Customer
IDENTIFICATION AND AUTHENTICATION IA-2 (2) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS Customer
IDENTIFICATION AND AUTHENTICATION IA-2 (3) IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGED ACCOUNTS N/A
IDENTIFICATION AND AUTHENTICATION IA-2 (5) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | GROUP AUTHENTICATION Customer
IDENTIFICATION AND AUTHENTICATION IA-2 (8) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT Customer
IDENTIFICATION AND AUTHENTICATION IA-2 (11) IDENTIFICATION AND AUTHENTICATION | REMOTE ACCESS - SEPARATE DEVICE Customer
IDENTIFICATION AND AUTHENTICATION IA-2 (12) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS Customer
IDENTIFICATION AND AUTHENTICATION IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION Customer
IDENTIFICATION AND AUTHENTICATION IA-4 IDENTIFIER MANAGEMENT Customer
IDENTIFICATION AND AUTHENTICATION IA-4 (4) IDENTIFIER MANAGEMENT | IDENTIFY USER STATUS Customer
IDENTIFICATION AND AUTHENTICATION IA-5 AUTHENTICATOR MANAGEMENT Customer
IDENTIFICATION AND AUTHENTICATION IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION Customer
IDENTIFICATION AND AUTHENTICATION IA-5 (2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION Customer
IDENTIFICATION AND AUTHENTICATION IA-5 (3) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION Customer
IDENTIFICATION AND AUTHENTICATION IA-5 (4) AUTHENTICATOR MANAGEMENT | AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION Customer
IDENTIFICATION AND AUTHENTICATION IA-5 (6) AUTHENTICATOR MANAGEMENT | PROTECTION OF AUTHENTICATORS Customer
IDENTIFICATION AND AUTHENTICATION IA-5 (7) AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS Customer
IDENTIFICATION AND AUTHENTICATION IA-5 (11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION Customer
IDENTIFICATION AND AUTHENTICATION IA-6 AUTHENTICATOR FEEDBACK Customer
IDENTIFICATION AND AUTHENTICATION IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION Customer
IDENTIFICATION AND AUTHENTICATION IA-8 IDENTIFICATION AND AUTHENTICATION (NON- ORGANIZATIONAL USERS) Customer
IDENTIFICATION AND AUTHENTICATION IA-8 (1) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES Customer
IDENTIFICATION AND AUTHENTICATION IA-8 (2) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF THIRD-PARTY CREDENTIALS Customer
IDENTIFICATION AND AUTHENTICATION IA-8 (3) IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-APPROVED PRODUCTS Customer
IDENTIFICATION AND AUTHENTICATION IA-8 (4) IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-ISSUED PROFILES Customer
INCIDENT RESPONSE IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES Customer
INCIDENT RESPONSE IR-2 INCIDENT RESPONSE TRAINING Google Inherited
INCIDENT RESPONSE IR-3 INCIDENT RESPONSE TESTING Google Inherited
INCIDENT RESPONSE IR-3 (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS Google Inherited
INCIDENT RESPONSE IR-4 INCIDENT HANDLING Google Inherited
INCIDENT RESPONSE IR-4 (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES Google Inherited
INCIDENT RESPONSE IR-5 INCIDENT MONITORING Google Inherited
INCIDENT RESPONSE IR-6 INCIDENT REPORTING Customer
INCIDENT RESPONSE IR-6 (1) INCIDENT REPORTING | AUTOMATED REPORTING Google Inherited
INCIDENT RESPONSE IR-7 INCIDENT RESPONSE ASSISTANCE Google Inherited
INCIDENT RESPONSE IR-7 (1) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT Google Inherited
INCIDENT RESPONSE IR-7 (2) INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS N/A
INCIDENT RESPONSE IR-8 INCIDENT RESPONSE PLAN Customer
INCIDENT RESPONSE IR-9 INFORMATION SPILLAGE RESPONSE Customer
INCIDENT RESPONSE IR-9 (1) INFORMATION SPILLAGE RESPONSE | RESPONSIBLE PERSONNEL Customer
INCIDENT RESPONSE IR-9 (2) INFORMATION SPILLAGE RESPONSE | TRAINING Customer
INCIDENT RESPONSE IR-9 (3) INFORMATION SPILLAGE RESPONSE | POST-SPILL OPERATIONS Customer
INCIDENT RESPONSE IR-9 (4) INFORMATION SPILLAGE RESPONSE | EXPOSURE TO UNAUTHORIZED PERSONNEL Customer
MAINTENANCE MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES Customer
MAINTENANCE MA-2 CONTROLLED MAINTENANCE Google Inherited
MAINTENANCE MA-3 MAINTENANCE TOOLS Google Inherited
MAINTENANCE MA-3 (1) MAINTENANCE TOOLS | INSPECT TOOLS Google Inherited
MAINTENANCE MA-3 (2) MAINTENANCE TOOLS | INSPECT MEDIA Google Inherited
MAINTENANCE MA-3 (3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL Google Inherited
MAINTENANCE MA-4 NONLOCAL MAINTENANCE Google Inherited
MAINTENANCE MA-4 (2) NONLOCAL MAINTENANCE | DOCUMENT NONLOCAL MAINTENANCE Google Inherited
MAINTENANCE MA-5 MAINTENANCE PERSONNEL Google Inherited
MAINTENANCE MA-5 (1) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS Google Inherited
MAINTENANCE MA-6 TIMELY MAINTENANCE Google Inherited
MEDIA PROTECTION MP-1 MEDIA PROTECTION POLICY AND PROCEDURES Customer
MEDIA PROTECTION MP-2 MEDIA ACCESS Google Inherited
MEDIA PROTECTION MP-3 MEDIA MARKING Google Inherited
MEDIA PROTECTION MP-4 MEDIA STORAGE Google Inherited
MEDIA PROTECTION MP-5 MEDIA TRANSPORT Google Inherited
MEDIA PROTECTION MP-5 (4) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION Google Inherited
MEDIA PROTECTION MP-6 MEDIA SANITIZATION Google Inherited
MEDIA PROTECTION MP-6 (2) MEDIA SANITIZATION | EQUIPMENT TESTING Google Inherited
MEDIA PROTECTION MP-7 MEDIA USE Google Inherited
MEDIA PROTECTION MP-7 (1) MEDIA USE | PROHIBIT USE WITHOUT OWNER N/A
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES Customer
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-2 PHYSICAL ACCESS AUTHORIZATIONS Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-3 PHYSICAL ACCESS CONTROL Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-5 ACCESS CONTROL FOR OUTPUT DEVICES N/A
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-6 MONITORING PHYSICAL ACCESS Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-6 (1) MONITORING PHYSICAL ACCESS | INTRUSION ALARMS / SURVEILLANCE EQUIPMENT Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-8 VISITOR ACCESS RECORDS Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-9 POWER EQUIPMENT AND CABLING Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-10 EMERGENCY shut off Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-11 EMERGENCY POWER Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-12 EMERGENCY LIGHTING Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13 FIRE PROTECTION Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13 (2) FIRE PROTECTION | SUPPRESSION DEVICES / SYSTEMS Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13 (3) FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION N/A
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-14 TEMPERATURE AND HUMIDITY CONTROLS Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-14 (2) TEMPERATURE AND HUMIDITY CONTROLS | MONITORING WITH ALARMS / NOTIFICATIONS Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-15 WATER DAMAGE PROTECTION Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-16 DELIVERY AND REMOVAL Google Inherited
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-17 ALTERNATE WORK SITE Google Inherited
PLANNING PL-1 SECURITY PLANNING POLICY AND PROCEDURES Customer
PLANNING PL-2 SYSTEM SECURITY PLAN Google Inherited
PLANNING PL-2 (3) SYSTEM SECURITY PLAN | PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES Google Inherited
PLANNING PL-4 RULES OF BEHAVIOR Google Inherited
PLANNING PL-4 (1) RULES OF BEHAVIOR | SOCIAL MEDIA AND NETWORKING RESTRICTIONS Google Inherited
PLANNING PL-8 INFORMATION SECURITY ARCHITECTURE Google Inherited
PERSONNEL SECURITY PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES Customer
PERSONNEL SECURITY PS-2 POSITION RISK DESIGNATION Customer
PERSONNEL SECURITY PS-3 PERSONNEL SCREENING Customer
PERSONNEL SECURITY PS-3 (3) PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTION MEASURES Customer
PERSONNEL SECURITY PS-4 PERSONNEL TERMINATION Google Inherited
PERSONNEL SECURITY PS-5 PERSONNEL TRANSFER Google Inherited
PERSONNEL SECURITY PS-6 ACCESS AGREEMENTS Google Inherited
PERSONNEL SECURITY PS-7 THIRD-PARTY PERSONNEL SECURITY Google Inherited
PERSONNEL SECURITY PS-8 PERSONNEL SANCTIONS Google Inherited
RISK ASSESSMENT RA-1 RISK ASSESSMENT POLICY AND PROCEDURES Customer
RISK ASSESSMENT RA-2 SECURITY CATEGORIZATION Customer
RISK ASSESSMENT RA-3 RISK ASSESSMENT Google Inherited
RISK ASSESSMENT RA-5 VULNERABILITY SCANNING Google Inherited
RISK ASSESSMENT RA-5 (1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY Google Inherited
RISK ASSESSMENT RA-5 (2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED Google Inherited
RISK ASSESSMENT RA-5 (3) VULNERABILITY SCANNING | BREADTH / DEPTH OF COVERAGE Google Inherited
RISK ASSESSMENT RA-5 (5) VULNERABILITY SCANNING | PRIVILEGED ACCESS Google Inherited
RISK ASSESSMENT RA-5 (6) VULNERABILITY SCANNING | AUTOMATED TREND ANALYSES Google Inherited
RISK ASSESSMENT RA-5 (8) VULNERABILITY SCANNING | REVIEW HISTORIC AUDIT LOGS Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES Customer
SYSTEM AND SERVICES ACQUISITION SA-2 ALLOCATION OF RESOURCES Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-3 SYSTEM DEVELOPMENT LIFE CYCLE Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-4 ACQUISITION PROCESS Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-4 (1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-4 (2) ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-4 (8) ACQUISITION PROCESS | CONTINUOUS MONITORING PLAN Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-4 (9) ACQUISITION PROCESS | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-4 (10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS Customer
SYSTEM AND SERVICES ACQUISITION SA-5 INFORMATION SYSTEM DOCUMENTATION Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-8 SECURITY ENGINEERING PRINCIPLES Customer
SYSTEM AND SERVICES ACQUISITION SA-9 EXTERNAL INFORMATION SYSTEM SERVICES N/A
SYSTEM AND SERVICES ACQUISITION SA-9 (1) EXTERNAL INFORMATION SYSTEMS | RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS N/A
SYSTEM AND SERVICES ACQUISITION SA-9 (2) EXTERNAL INFORMATION SYSTEMS | IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES N/A
SYSTEM AND SERVICES ACQUISITION SA-9 (4) EXTERNAL INFORMATION SYSTEMS | CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS N/A
SYSTEM AND SERVICES ACQUISITION SA-9 (5) EXTERNAL INFORMATION SYSTEMS | PROCESSING, STORAGE, AND SERVICE LOCATION N/A
SYSTEM AND SERVICES ACQUISITION SA-10 DEVELOPER CONFIGURATION MANAGEMENT Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-10 (1) DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-11 DEVELOPER SECURITY TESTING AND EVALUATION Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-11 (1) DEVELOPER SECURITY TESTING AND EVALUATION | STATIC CODE ANALYSIS Customer
SYSTEM AND SERVICES ACQUISITION SA-11 (2) DEVELOPER SECURITY TESTING AND EVALUATION | THREAT AND VULNERABILITY ANALYSES Google Inherited
SYSTEM AND SERVICES ACQUISITION SA-11 (8) DEVELOPER SECURITY TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-2 APPLICATION PARTITIONING Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-4 INFORMATION IN SHARED RESOURCES Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-5 DENIAL OF SERVICE PROTECTION Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-6 RESOURCE AVAILABILITY Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-7 BOUNDARY PROTECTION Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-7 (3) BOUNDARY PROTECTION | ACCESS POINTS Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-7 (4) BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-7 (5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-7 (7) BOUNDARY PROTECTION | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-7 (8) BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-7 (12) BOUNDARY PROTECTION | HOST-BASED PROTECTION Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-7 (13) BOUNDARY PROTECTION | ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-7 (18) BOUNDARY PROTECTION | FAIL SECURE Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-8 (1) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-10 NETWORK DISCONNECT Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-12 (2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC KEYS Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-12 (3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | ASYMMETRIC KEYS Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-13 CRYPTOGRAPHIC PROTECTION Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-15 COLLABORATIVE COMPUTING DEVICES N/A
SYSTEM AND COMMUNICATIONS PROTECTION SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-18 MOBILE CODE Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-19 VOICE OVER INTERNET PROTOCOL N/A
SYSTEM AND COMMUNICATIONS PROTECTION SC-20 SECURE NAME /ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-21 SECURE NAME /ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-22 ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-23 SESSION AUTHENTICITY Customer
SYSTEM AND COMMUNICATIONS PROTECTION SC-28 PROTECTION OF INFORMATION AT REST Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-28 (1) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION Google Inherited
SYSTEM AND COMMUNICATIONS PROTECTION SC-39 PROCESS ISOLATION Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES Customer
SYSTEM AND INFORMATION INTEGRITY SI-2 FLAW REMEDIATION Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-2 (2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-2 (3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-3 MALICIOUS CODE PROTECTION Customer
SYSTEM AND INFORMATION INTEGRITY SI-3 (1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-3 (2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-3 (7) MALICIOUS CODE PROTECTION | NONSIGNATURE-BASED DETECTION Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-4 INFORMATION SYSTEM MONITORING Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-4 (1) INFORMATION SYSTEM MONITORING | SYSTEM-WIDE INTRUSION DETECTION SYSTEM Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-4 (2) INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-4 (4) INFORMATION SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-4 (5) INFORMATION SYSTEM MONITORING | SYSTEM-GENERATED ALERTS Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-4 (14) INFORMATION SYSTEM MONITORING | WIRELESS INTRUSION DETECTION Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-4 (16) INFORMATION SYSTEM MONITORING | CORRELATE MONITORING INFORMATION Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-4 (23) INFORMATION SYSTEM MONITORING | HOST-BASED DEVICES Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-6 SECURITY FUNCTION VERIFICATION Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-7 (1) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-7 (7) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-8 SPAM PROTECTION Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-8 (1) SPAM PROTECTION | CENTRAL MANAGEMENT Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-8 (2) SPAM PROTECTION | AUTOMATIC UPDATES Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-10 INFORMATION INPUT VALIDATION Google Inherited
SYSTEM AND INFORMATION INTEGRITY SI-11 ERROR HANDLING Customer
SYSTEM AND INFORMATION INTEGRITY SI-12 INFORMATION HANDLING AND RETENTION Customer
SYSTEM AND INFORMATION INTEGRITY SI-16 MEMORY PROTECTION Google Inherited

What's next