2

Quoting the FedRAMP official FAQ:

FedRAMP requirements include additional controls above the standard NIST baseline controls in NIST SP 800-53 Revision 4. These additional controls address the unique elements of cloud computing to ensure all federal data is secure in cloud environments.

However, when I download the list of controls via the official FedRAMP website (see this for "HIGH", and similar links for the other levels), I get what looks like the NIST 800-53 controls. Depending on the FedRAMP impact level, a subset of the NIST controls is selected.

So, what are those "additional controls above the NIST baseline"? I can’t find those on the web.

Anders
niilzon

1 Answer

0

What FedRAMP calls "complementary controls" are simply the classic NIST "security control enhancements" selected for FedRAMP, which are available in the usual NIST templates.

It was just a vocabulary issue.

niilzon