{"profile":{"imports":[{"href":"trestle://catalogs/nist-800-53-rev5/catalog.json","include-controls":[{"with-ids":["ac-1","ac-2","ac-3","ac-7","ac-8","ac-14","ac-17","ac-18","ac-19","ac-20","ac-22","at-1","at-2","at-2.2","at-3","at-4","au-1","au-2","au-3","au-4","au-5","au-6","au-8","au-9","au-11","au-12","ca-1","ca-2","ca-2.1","ca-3","ca-5","ca-6","ca-7","ca-7.4","ca-8","ca-9","cm-1","cm-2","cm-4","cm-5","cm-6","cm-7","cm-8","cm-10","cm-11","cp-1","cp-2","cp-3","cp-4","cp-9","cp-10","ia-1","ia-2","ia-2.1","ia-2.2","ia-2.8","ia-2.12","ia-4","ia-5","ia-5.1","ia-6","ia-7","ia-8","ia-8.1","ia-8.2","ia-8.4","ia-11","ir-1","ir-2","ir-4","ir-5","ir-6","ir-7","ir-8","ma-1","ma-2","ma-4","ma-5","mp-1","mp-2","mp-6","mp-7","pe-1","pe-2","pe-3","pe-6","pe-8","pe-12","pe-13","pe-14","pe-15","pe-16","pl-1","pl-2","pl-4","pl-4.1","pl-8","pl-10","pl-11","ps-1","ps-2","ps-3","ps-4","ps-5","ps-6","ps-7","ps-8","ps-9","ra-1","ra-2","ra-3","ra-3.1","ra-5","ra-5.2","ra-5.11","ra-7","sa-1","sa-2","sa-3","sa-4","sa-4.10","sa-5","sa-8","sa-9","sa-22","sc-1","sc-5","sc-7","sc-8","sc-8.1","sc-12","sc-13","sc-15","sc-20","sc-21","sc-22","sc-28","sc-28.1","sc-39","si-1","si-2","si-3","si-4","si-5","si-12","sr-1","sr-2","sr-2.1","sr-3","sr-5","sr-8","sr-10","sr-11","sr-11.1","sr-11.2","sr-12"]}]}],"merge":{"as-is":true},"metadata":{"last-modified":"2026-04-13T19:36:41Z","links":[{"href":"https://www.fedramp.gov/","rel":"reference"},{"href":"https://www.fedramp.gov/assets/resources/documents/FedRAMP_Security_Controls_Baseline.xlsx","rel":"source"}],"oscal-version":"1.2.1","props":[{"name":"keywords","value":"FedRAMP, Federal Risk and Authorization Management Program, NIST 800-53, security controls, cloud security, low baseline, authorization"},{"name":"baseline","value":"FedRAMP Low"},{"name":"baseline-level","value":"low"}],"published":"2026-04-13T19:36:41Z","remarks":"This profile represents the FedRAMP Low baseline, derived from NIST SP 800-53 Revision 5. It includes the security controls and control enhancements required for FedRAMP Low authorization. The baseline was generated from the official FedRAMP Security Controls Baseline spreadsheet.","title":"FedRAMP Low Baseline (NIST 800-53 Rev5)","version":"Rev5-Low"},"modify":{"set-parameters":[{"param-id":"ac-01_odp.05","values":["at least every 3 years"]},{"param-id":"ac-01_odp.07","values":["at least annually"]},{"param-id":"ac-01_odp.08","values":["significant changes"]},{"param-id":"ac-02_odp.06","values":["twenty-four (24) hours"]},{"param-id":"ac-02_odp.07","values":["eight (8) hours"]},{"param-id":"ac-02_odp.08","values":["eight (8) hours"]},{"param-id":"ac-02_odp.10","values":["at least annually"]},{"param-id":"ac-08_odp.01","values":["see additional Requirements and Guidance"]},{"param-id":"ac-08_odp.02","values":["see additional Requirements and Guidance"]},{"param-id":"ac-22_odp","values":["at least quarterly"]},{"param-id":"at-01_odp.05","values":["at least every 3 years"]},{"param-id":"at-01_odp.07","values":["at least annually"]},{"param-id":"at-01_odp.08","values":["significant changes"]},{"param-id":"at-2_prm_1","values":["at least annually"]},{"param-id":"at-02_odp.06","values":["at least annually"]},{"param-id":"at-03_odp.03","values":["at least annually"]},{"param-id":"at-03_odp.04","values":["at least annually"]},{"param-id":"at-04_odp","values":["at least one (1) year or 1 year after completion of a specific training program"]},{"param-id":"au-01_odp.05","values":["at least every 3 years"]},{"param-id":"au-01_odp.07","values":["at least annually"]},{"param-id":"au-01_odp.08","values":["significant changes"]},{"param-id":"au-02_odp.01","values":["successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes"]},{"param-id":"au-2_prm_2","values":["organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event"]},{"param-id":"au-02_odp.04","values":["annually and whenever there is a change in the threat environment"]},{"param-id":"au-05_odp.03","values":["overwrite oldest record"]},{"param-id":"au-06_odp.01","values":["at least weekly"]},{"param-id":"au-08_odp","values":["one second granularity of time measurement"]},{"param-id":"au-11_odp","values":["a time period in compliance with M-21-31"]},{"param-id":"au-12_odp.01","values":["all information system and network components where audit capability is deployed/available"]},{"param-id":"ca-01_odp.05","values":["at least every 3 years"]},{"param-id":"ca-01_odp.07","values":["at least annually"]},{"param-id":"ca-01_odp.08","values":["significant changes"]},{"param-id":"ca-02_odp.01","values":["at least annually"]},{"param-id":"ca-02_odp.02","values":["individuals or roles to include FedRAMP PMO"]},{"param-id":"ca-03_odp.03","values":["at least annually"]},{"param-id":"ca-05_odp","values":["at least monthly"]},{"param-id":"ca-06_odp","values":["in accordance with OMB A-130 requirements or when a significant change occurs"]},{"param-id":"ca-08_odp.01","values":["at least annually"]},{"param-id":"cm-01_odp.05","values":["at least every 3 years"]},{"param-id":"cm-01_odp.07","values":["at least annually"]},{"param-id":"cm-01_odp.08","values":["significant changes"]},{"param-id":"cm-02_odp.01","values":["at least annually and when a significant change occurs"]},{"param-id":"cm-08_odp.02","values":["at least monthly"]},{"param-id":"cm-11_odp.03","values":["Continuously (via CM-7 (5))"]},{"param-id":"cp-01_odp.05","values":["at least every 3 years"]},{"param-id":"cp-01_odp.07","values":["at least annually"]},{"param-id":"cp-01_odp.08","values":["significant changes"]},{"param-id":"cp-02_odp.05","values":["at least annually"]},{"param-id":"cp-03_odp.01","values":["*See Additional Requirements"]},{"param-id":"cp-03_odp.02","values":["at least annually"]},{"param-id":"cp-03_odp.03","values":["at least annually"]},{"param-id":"cp-04_odp.01","values":["at least every 3 years"]},{"param-id":"cp-4_prm_2","values":["classroom exercise/table top written tests"]},{"param-id":"cp-09_odp.02","values":["daily incremental; weekly full"]},{"param-id":"cp-09_odp.03","values":["daily incremental; weekly full"]},{"param-id":"cp-09_odp.04","values":["daily incremental; weekly full"]},{"param-id":"ia-01_odp.05","values":["at least every 3 years"]},{"param-id":"ia-01_odp.07","values":["at least annually"]},{"param-id":"ia-01_odp.08","values":["significant changes"]},{"param-id":"ia-04_odp.01","values":["at a minimum, the ISSO (or similar role within the organization)"]},{"param-id":"ia-04_odp.02","values":["at least two (2) years"]},{"param-id":"ir-01_odp.05","values":["at least every 3 years"]},{"param-id":"ir-01_odp.07","values":["at least annually"]},{"param-id":"ir-01_odp.08","values":["significant changes"]},{"param-id":"ir-02_odp.01","values":["ten (10) days for privileged users, thirty (30) days for Incident Response roles"]},{"param-id":"ir-02_odp.02","values":["at least annually"]},{"param-id":"ir-02_odp.03","values":["at least annually"]},{"param-id":"ir-06_odp.01","values":["US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)"]},{"param-id":"ir-08_odp.02","values":["at least annually"]},{"param-id":"ir-08_odp.04","values":["see additional FedRAMP Requirements and Guidance"]},{"param-id":"ir-8_prm_5","values":["see additional FedRAMP Requirements and Guidance"]},{"param-id":"ma-01_odp.05","values":["at least every 3 years"]},{"param-id":"ma-01_odp.07","values":["at least annually"]},{"param-id":"ma-01_odp.08","values":["significant changes"]},{"param-id":"mp-01_odp.05","values":["at least every 3 years"]},{"param-id":"mp-01_odp.07","values":["at least annually"]},{"param-id":"mp-01_odp.08","values":["significant changes"]},{"param-id":"mp-6_prm_2","values":["techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware"]},{"param-id":"pe-01_odp.05","values":["at least every 3 years"]},{"param-id":"pe-01_odp.07","values":["at least annually"]},{"param-id":"pe-01_odp.08","values":["significant changes"]},{"param-id":"pe-02_odp","values":["at least annually"]},{"param-id":"pe-03_odp.02","values":["CSP defined physical access control systems/devices AND guards"]},{"param-id":"pe-03_odp.06","values":["in all circumstances within restricted access area where the information system resides"]},{"param-id":"pe-03_odp.08","values":["at least annually"]},{"param-id":"pe-3_prm_9","values":["at least annually"]},{"param-id":"pe-06_odp.01","values":["at least monthly"]},{"param-id":"pe-08_odp.01","values":["for a minimum of one (1) year"]},{"param-id":"pe-08_odp.02","values":["at least monthly"]},{"param-id":"pe-14_odp.01","values":["consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments"]},{"param-id":"pe-14_odp.04","values":["continuously"]},{"param-id":"pe-16_prm_1","values":["all information system components"]},{"param-id":"pl-01_odp.05","values":["at least every 3 years"]},{"param-id":"pl-01_odp.07","values":["at least annually"]},{"param-id":"pl-01_odp.08","values":["significant changes"]},{"param-id":"pl-02_odp.03","values":["at least annually"]},{"param-id":"pl-04_odp.01","values":["at least every 3 years"]},{"param-id":"pl-04_odp.02","values":["at least annually and when the rules are revised or changed"]},{"param-id":"pl-08_odp","values":["at least annually and when a significant change occurs"]},{"param-id":"ps-01_odp.05","values":["at least every 3 years"]},{"param-id":"ps-01_odp.07","values":["at least annually"]},{"param-id":"ps-01_odp.08","values":["significant changes"]},{"param-id":"ps-02_odp","values":["at least every three years"]},{"param-id":"ps-04_odp.01","values":["four (4) hours"]},{"param-id":"ps-05_odp.02","values":["twenty-four (24) hours"]},{"param-id":"ps-05_odp.04","values":["twenty-four (24) hours"]},{"param-id":"ps-06_odp.01","values":["at least annually"]},{"param-id":"ps-06_odp.02","values":["at least annually and any time there is a change to the user's level of access"]},{"param-id":"ps-07_odp.01","values":["including access control personnel responsible for the system and/or facilities, as appropriate"]},{"param-id":"ps-07_odp.02","values":["within twenty-four (24) hours"]},{"param-id":"ps-08_odp.01","values":["at a minimum, the ISSO and/or similar role within the organization"]},{"param-id":"ra-01_odp.05","values":["at least every 3 years"]},{"param-id":"ra-01_odp.07","values":["at least annually"]},{"param-id":"ra-01_odp.08","values":["significant changes"]},{"param-id":"ra-03_odp.01","values":["security assessment report"]},{"param-id":"ra-03_odp.03","values":["at least every three (3) years and when a significant change occurs"]},{"param-id":"ra-03_odp.05","values":["at least every three (3) years"]},{"param-id":"ra-5_prm_1","values":["monthly operating system/infrastructure; monthly web applications (including APIs) and databases"]},{"param-id":"ra-05_odp.03","values":["high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery"]},{"param-id":"ra-05.02_odp.01","values":["prior to a new scan"]},{"param-id":"sa-01_odp.05","values":["at least every 3 years"]},{"param-id":"sa-01_odp.07","values":["at least annually"]},{"param-id":"sa-01_odp.08","values":["significant changes"]},{"param-id":"sa-05_odp.02","values":["at a minimum, the ISSO (or similar role within the organization)"]},{"param-id":"sa-09_odp.01","values":["Appropriate FedRAMP Security Controls Baseline (s) if federal customer data is processed or stored within the external system"]},{"param-id":"sa-09_odp.02","values":["Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where federal customer data is processed or stored"]},{"param-id":"sc-01_odp.05","values":["at least every 3 years"]},{"param-id":"sc-01_odp.07","values":["at least annually"]},{"param-id":"sc-01_odp.08","values":["significant changes"]},{"param-id":"sc-05_odp.02","values":["Protect against"]},{"param-id":"sc-05_odp.01","values":["at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack"]},{"param-id":"sc-12_odp","values":["In accordance with Federal requirements"]},{"param-id":"sc-13_odp.02","values":["FIPS-validated or NSA-approved cryptography"]},{"param-id":"sc-15_odp","values":["no exceptions for computing devices"]},{"param-id":"sc-28.01_odp.02","values":["all information system components storing Federal customer data or system data that must be protected at the High or Moderate impact levels"]},{"param-id":"si-01_odp.05","values":["at least every 3 years"]},{"param-id":"si-01_odp.07","values":["at least annually"]},{"param-id":"si-01_odp.08","values":["significant changes"]},{"param-id":"si-02_odp","values":["within thirty (30) days of release of updates"]},{"param-id":"si-03_odp.01","values":["signature based and non-signature based"]},{"param-id":"si-03_odp.02","values":["at least weekly"]},{"param-id":"si-03_odp.03","values":["to include endpoints and network entry and exit points"]},{"param-id":"si-03_odp.04","values":["to include blocking and quarantining malicious code"]},{"param-id":"si-03_odp.06","values":["administrator or defined security personnel near-realtime"]},{"param-id":"si-05_odp.01","values":["to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives"]},{"param-id":"si-05_odp.02","values":["to include system security personnel and administrators with configuration/patch-management responsibilities"]},{"param-id":"sr-1_prm_1","values":["to include chief privacy and ISSO and/or similar role or designees"]},{"param-id":"sr-01_odp.05","values":["at least every 3 years"]},{"param-id":"sr-01_odp.07","values":["at least annually"]},{"param-id":"sr-01_odp.08","values":["significant changes"]},{"param-id":"sr-02_odp.02","values":["at least annually"]},{"param-id":"sr-08_odp.01","values":["notification of supply chain compromises and results of assessment or audits"]},{"param-id":"sr-11.02_odp","values":["all"]}]},"uuid":"989c24d7-5467-4871-9be4-b109695b1f09"}}