☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text. ,
CA-3 What is the solution and how is it implemented?
Part a
See Table 11 -17. System Interconnections for information about implementation.
Part b
See Table 13 -21. Control Origination and Definitions and Table 11 -17. System Interconnections for information about implementation.
Part c
CA-3 (3) Control Enhancement (M) (H)
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [FedRAMP Assignment: boundary protections which meet Trusted Internet Connection (TIC) requirements].
CA-3 (3) Additional FedRAMP Requirements and Guidance:
Guidance: Refer to Appendix H – Cloud Considerations of the TIC Reference Architecture document. Link: https://www.dhs.gov/publication/tic-reference-architecture-22
CA-3 (3)
Control Summary Information
Responsible Role:
Parameter CA-3 (3)-1:
Parameter CA-3 (3)-2:
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text. ,
CA-3 (3) What is the solution and how is it implemented?
CA-3 (5) Control Enhancement (H)
The organization employs [FedRAMP Selection: deny-all, permit by exception] policy for allowing [FedRAMP Assignment: any systems] to connect to external information systems.
CA-3 (5) Additional FedRAMP Requirements and Guidance:
Guidance: For JAB Authorization, CSPs shall include details of this control in their architecture briefing.
CA-3 (5)
Control Summary Information
Responsible Role:
Parameter CA-3 (5)-1:
Parameter CA-3 (5)-2:
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text. ,
CA-3 (5) What is the solution and how is it implemented?
CA-5 Plan of Action and Milestones (L) (M) (H)
The organization:
Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
Updates existing plan of action and milestones [FedRAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CA-5 Additional FedRAMP Requirements and Guidance:
Requirement: Plan of Action & Milestones (POA&M) must be provided at least monthly.
Guidance: See the FedRAMP Documents page under Key Cloud Service
Provider (CSP) Documents> Plan of Action and Milestones (POA&M) Template Completion Guide
https://www.fedramp.gov/documents/
CA-5
Control Summary Information
Responsible Role:
Parameter CA-5 (b):
Implementation Status (check all that apply):
☐ Implemented
☐ Partially implemented
☐ Planned
☐ Alternative implementation
☐ Not applicable
Control Origination (check all that apply):
☐ Service Provider Corporate
☐ Service Provider System Specific
☐ Service Provider Hybrid (Corporate and System Specific)
☐ Configured by Customer (Customer System Specific)
☐ Provided by Customer (Customer System Specific)
☐ Shared (Service Provider and Customer Responsibility)
☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text. ,
CA-5 What is the solution and how is it implemented?
