πŸ“’ New post: Is It Even in Your Boundary? CVE-2026-0257 and the Question a KEV Clock Asks First Β· πŸ“ Also fresh: 20x Is Permanent Now: The Rehearsal's Over, the Rules Land in June Β· 🚦 Beacon β€” the FedRAMP 20x KSI emitter β€” design partners open ✨ Β· πŸ†• 20x Hub: program reference, kept current Β· πŸ§ͺ Free tool: KSI Quick Check β€” paste, run, get the verdict

Reference Β· FedRAMP

Rev 5 Moderate Controls Catalog

The FedRAMP Rev 5 Moderate baseline, browsable and searchable, mapped to the 20x Key Security Indicators. This is the same catalog the Novaprospect audit suite evaluates AWS environments against.

323 controls
72 KSIs mapped
18 families
Generated 2026-05-25T21:31:04Z
Showing 323 of 323 controls

AC β€” Access Control

43 controls

ControlTitleKSIs
AC-1Policy and Procedures2
AC-11Device Lockβ€”
AC-11(1)Pattern-hiding Displaysβ€”
AC-12Session Termination2
AC-14Permitted Actions Without Identification or Authentication1
AC-17Remote Access2
AC-17(1)Monitoring and Control3
AC-17(2)Protection of Confidentiality and Integrity Using Encryption3
AC-17(3)Managed Access Control Points5
AC-17(4)Privileged Commands and Accessβ€”
AC-18Wireless Accessβ€”
AC-18(1)Authentication and Encryption1
AC-18(3)Disable Wireless Networking1
AC-19Access Control for Mobile Devicesβ€”
AC-19(5)Full Device or Container-based Encryptionβ€”
AC-2Account Management5
AC-2(1)Automated System Account Management2
AC-2(12)Account Monitoring for Atypical Usageβ€”
AC-2(13)Disable Accounts for High-risk Individuals2
AC-2(2)Automated Temporary and Emergency Account Management3
AC-2(3)Disable Accounts3
AC-2(4)Automated Audit Actions4
AC-2(5)Inactivity Logout1
AC-2(7)Privileged User Accountsβ€”
AC-2(9)Restrictions on Use of Shared and Group Accountsβ€”
AC-20Use of External Systems3
AC-20(1)Limits on Authorized Use5
AC-20(2)Portable Storage Devices β€” Restricted Useβ€”
AC-21Information Sharing1
AC-22Publicly Accessible Contentβ€”
AC-3Access Enforcement4
AC-4Information Flow Enforcement4
AC-4(21)Physical or Logical Separation of Information Flowsβ€”
AC-5Separation of Duties3
AC-6Least Privilege2
AC-6(1)Authorize Access to Security Functions1
AC-6(10)Prohibit Non-privileged Users from Executing Privileged Functions1
AC-6(2)Non-privileged Access for Nonsecurity Functions1
AC-6(5)Privileged Accounts2
AC-6(7)Review of User Privileges2
AC-6(9)Log Use of Privileged Functions3
AC-7Unsuccessful Logon Attempts2
AC-8System Use Notificationβ€”

AT β€” Awareness and Training

6 controls

ControlTitleKSIs
AT-1Policy and Procedures1
AT-2Literacy Training and Awareness2
AT-2(2)Insider Threat1
AT-2(3)Social Engineering and Mining2
AT-3Role-based Training1
AT-4Training Records1

AU β€” Audit and Accountability

16 controls

ControlTitleKSIs
AU-1Policy and Procedures1
AU-11Audit Record Retention1
AU-12Audit Record Generation1
AU-2Event Logging5
AU-3Content of Audit Records2
AU-3(1)Additional Audit Information1
AU-4Audit Log Storage Capacity1
AU-5Response to Audit Logging Process Failures2
AU-6Audit Record Review, Analysis, and Reporting2
AU-6(1)Automated Process Integration2
AU-6(3)Correlate Audit Record Repositories1
AU-7Audit Record Reduction and Report Generation1
AU-7(1)Automatic Processing2
AU-8Time Stamps1
AU-9Protection of Audit Information1
AU-9(4)Access by Subset of Privileged Users1

CA β€” Assessment, Authorization, and Monitoring

14 controls

ControlTitleKSIs
CA-1Policy and Procedures1
CA-2Control Assessments3
CA-2(1)Independent Assessors1
CA-2(3)Leveraging Results from External Organizationsβ€”
CA-3Information Exchange1
CA-5Plan of Action and Milestones1
CA-6Authorizationβ€”
CA-7Continuous Monitoring3
CA-7(1)Independent Assessment1
CA-7(4)Risk Monitoring3
CA-8Penetration Testingβ€”
CA-8(1)Independent Penetration Testing Agent or Teamβ€”
CA-8(2)Red Team Exercisesβ€”
CA-9Internal System Connections3

CM β€” Configuration Management

27 controls

ControlTitleKSIs
CM-1Policy and Procedures1
CM-10Software Usage Restrictionsβ€”
CM-11User-installed Softwareβ€”
CM-12Information Location1
CM-12(1)Automated Tools to Support Information Location2
CM-2Baseline Configuration5
CM-2(2)Automation Support for Accuracy and Currency3
CM-2(3)Retention of Previous Configurations2
CM-2(7)Configure Systems and Components for High-risk Areas1
CM-3Configuration Change Control4
CM-3(2)Testing, Validation, and Documentation of Changes3
CM-3(4)Security and Privacy Representatives3
CM-4Impact Analyses1
CM-4(2)Verification of Controls2
CM-5Access Restrictions for Change3
CM-5(1)Automated Access Enforcement and Audit Recordsβ€”
CM-5(5)Privilege Limitation for Production and Operationβ€”
CM-6Configuration Settings4
CM-6(1)Automated Management, Application, and Verificationβ€”
CM-7Least Functionality2
CM-7(1)Periodic Review5
CM-7(2)Prevent Program Execution1
CM-7(5)Authorized Software β€” Allow-by-exception2
CM-8System Component Inventory1
CM-8(1)Updates During Installation and Removal2
CM-8(3)Automated Unauthorized Component Detection2
CM-9Configuration Management Plan3

CP β€” Contingency Planning

23 controls

ControlTitleKSIs
CP-1Policy and Procedures1
CP-10System Recovery and Reconstitution4
CP-10(2)Transaction Recovery2
CP-2Contingency Plan1
CP-2(1)Coordinate with Related Plans4
CP-2(3)Resume Mission and Business Functions3
CP-2(8)Identify Critical Assets2
CP-3Contingency Training1
CP-4Contingency Plan Testing1
CP-4(1)Coordinate with Related Plans4
CP-6Alternate Storage Site3
CP-6(1)Separation from Primary Site2
CP-6(3)Accessibility1
CP-7Alternate Processing Site1
CP-7(1)Separation from Primary Site1
CP-7(2)Accessibility1
CP-7(3)Priority of Service1
CP-8Telecommunications Services1
CP-8(1)Priority of Service Provisions1
CP-8(2)Single Points of Failure1
CP-9System Backup1
CP-9(1)Testing for Reliability and Integrity1
CP-9(8)Cryptographic Protection1

IA β€” Identification and Authentication

27 controls

ControlTitleKSIs
IA-1Policy and Procedures1
IA-11Re-authentication1
IA-12Identity Proofing1
IA-12(2)Identity Evidence1
IA-12(3)Identity Evidence Validation and Verification1
IA-12(5)Address Confirmation1
IA-2Identification and Authentication (Organizational Users)2
IA-2(1)Multi-factor Authentication to Privileged Accounts2
IA-2(12)Acceptance of PIV Credentialsβ€”
IA-2(2)Multi-factor Authentication to Non-privileged Accounts2
IA-2(5)Individual Authentication with Group Authenticationβ€”
IA-2(6)Access to Accounts β€”separate Deviceβ€”
IA-2(8)Access to Accounts β€” Replay Resistant2
IA-3Device Identification and Authentication2
IA-4Identifier Management2
IA-4(4)Identify User Status3
IA-5Authenticator Management1
IA-5(1)Password-based Authentication1
IA-5(2)Public Key-based Authentication4
IA-5(6)Protection of Authenticators3
IA-5(7)No Embedded Unencrypted Static Authenticatorsβ€”
IA-6Authentication Feedback1
IA-7Cryptographic Module Authentication1
IA-8Identification and Authentication (Non-organizational Users)1
IA-8(1)Acceptance of PIV Credentials from Other Agenciesβ€”
IA-8(2)Acceptance of External Authenticatorsβ€”
IA-8(4)Use of Defined Profilesβ€”

IR β€” Incident Response

17 controls

ControlTitleKSIs
IR-1Policy and Procedures2
IR-2Incident Response Training1
IR-3Incident Response Testing3
IR-3(2)Coordination with Related Plans2
IR-4Incident Handling5
IR-4(1)Automated Incident Handling Processes5
IR-5Incident Monitoring2
IR-6Incident Reporting2
IR-6(1)Automated Reporting2
IR-6(3)Supply Chain Coordination2
IR-7Incident Response Assistance1
IR-7(1)Automation Support for Availability of Information and Support1
IR-8Incident Response Plan3
IR-9Information Spillage Responseβ€”
IR-9(2)Trainingβ€”
IR-9(3)Post-spill Operationsβ€”
IR-9(4)Exposure to Unauthorized Personnelβ€”

MA β€” Maintenance

10 controls

ControlTitleKSIs
MA-1Policy and Procedures1
MA-2Controlled Maintenance2
MA-3Maintenance Toolsβ€”
MA-3(1)Inspect Toolsβ€”
MA-3(2)Inspect Mediaβ€”
MA-3(3)Prevent Unauthorized Removalβ€”
MA-4Nonlocal Maintenanceβ€”
MA-5Maintenance Personnelβ€”
MA-5(1)Individuals Without Appropriate Accessβ€”
MA-6Timely Maintenanceβ€”

MP β€” Media Protection

7 controls

ControlTitleKSIs
MP-1Policy and Procedures1
MP-2Media Accessβ€”
MP-3Media Markingβ€”
MP-4Media Storageβ€”
MP-5Media Transportβ€”
MP-6Media Sanitizationβ€”
MP-7Media Useβ€”

PE β€” Physical and Environmental Protection

19 controls

ControlTitleKSIs
PE-1Policy and Procedures1
PE-10Emergency Shutoffβ€”
PE-11Emergency Powerβ€”
PE-12Emergency Lightingβ€”
PE-13Fire Protectionβ€”
PE-13(1)Detection Systems β€” Automatic Activation and Notificationβ€”
PE-13(2)Suppression Systems β€” Automatic Activation and Notificationβ€”
PE-14Environmental Controlsβ€”
PE-15Water Damage Protectionβ€”
PE-16Delivery and Removalβ€”
PE-17Alternate Work Siteβ€”
PE-2Physical Access Authorizationsβ€”
PE-3Physical Access Controlβ€”
PE-4Access Control for Transmissionβ€”
PE-5Access Control for Output Devicesβ€”
PE-6Monitoring Physical Accessβ€”
PE-6(1)Intrusion Alarms and Surveillance Equipmentβ€”
PE-8Visitor Access Recordsβ€”
PE-9Power Equipment and Cablingβ€”

PL β€” Planning

7 controls

ControlTitleKSIs
PL-1Policy and Procedures1
PL-10Baseline Selection2
PL-11Baseline Tailoringβ€”
PL-2System Security and Privacy Plans1
PL-4Rules of Behavior1
PL-4(1)Social Media and External Site/Application Usage Restrictions1
PL-8Security and Privacy Architectures2

PS β€” Personnel Security

10 controls

ControlTitleKSIs
PS-1Policy and Procedures1
PS-2Position Risk Designation2
PS-3Personnel Screening2
PS-3(3)Information Requiring Special Protective Measuresβ€”
PS-4Personnel Termination3
PS-5Personnel Transfer2
PS-6Access Agreements3
PS-7External Personnel Security1
PS-8Personnel Sanctions1
PS-9Position Descriptions1

RA β€” Risk Assessment

11 controls

ControlTitleKSIs
RA-1Policy and Procedures1
RA-2Security Categorization1
RA-3Risk Assessment1
RA-3(1)Supply Chain Risk Assessment1
RA-5Vulnerability Monitoring and Scanning4
RA-5(11)Public Disclosure Program2
RA-5(2)Update Vulnerabilities to Be Scanned2
RA-5(3)Breadth and Depth of Coverage1
RA-5(5)Privileged Access3
RA-7Risk Response1
RA-9Criticality Analysis2

SA β€” System and Services Acquisition

21 controls

ControlTitleKSIs
SA-1Policy and Procedures1
SA-10Developer Configuration Management1
SA-11Developer Testing and Evaluation1
SA-11(1)Static Code Analysisβ€”
SA-11(2)Threat Modeling and Vulnerability Analysesβ€”
SA-15Development Process, Standards, and Toolsβ€”
SA-15(3)Criticality Analysis1
SA-2Allocation of Resources1
SA-22Unsupported System Components2
SA-3System Development Life Cycle2
SA-4Acquisition Processβ€”
SA-4(1)Functional Properties of Controlsβ€”
SA-4(10)Use of Approved PIV Productsβ€”
SA-4(2)Design and Implementation Information for Controlsβ€”
SA-4(9)Functions, Ports, Protocols, and Services in Useβ€”
SA-5System Documentation1
SA-8Security and Privacy Engineering Principles1
SA-9External System Services2
SA-9(1)Risk Assessments and Organizational Approvalsβ€”
SA-9(2)Identification of Functions, Ports, Protocols, and Servicesβ€”
SA-9(5)Processing, Storage, and Service Locationβ€”

SC β€” System and Communications Protection

29 controls

ControlTitleKSIs
SC-1Policy and Procedures1
SC-10Network Disconnect2
SC-12Cryptographic Key Establishment and Management1
SC-13Cryptographic Protection2
SC-15Collaborative Computing Devices and Applicationsβ€”
SC-17Public Key Infrastructure Certificates1
SC-18Mobile Code2
SC-2Separation of System and User Functionality1
SC-20Secure Name/Address Resolution Service (Authoritative Source)2
SC-21Secure Name/Address Resolution Service (Recursive or Caching Resolver)2
SC-22Architecture and Provisioning for Name/Address Resolution Service2
SC-23Session Authenticity6
SC-28Protection of Information at Restβ€”
SC-28(1)Cryptographic Protectionβ€”
SC-39Process Isolation3
SC-4Information in Shared System Resources4
SC-45System Time Synchronizationβ€”
SC-45(1)Synchronization with Authoritative Time Sourceβ€”
SC-5Denial-of-service Protection1
SC-7Boundary Protection2
SC-7(12)Host-based Protectionβ€”
SC-7(18)Fail Secureβ€”
SC-7(3)Access Points1
SC-7(4)External Telecommunications Services1
SC-7(5)Deny by Default β€” Allow by Exception2
SC-7(7)Split Tunneling for Remote Devices1
SC-7(8)Route Traffic to Authenticated Proxy Servers1
SC-8Transmission Confidentiality and Integrity4
SC-8(1)Cryptographic Protection1

SI β€” System and Information Integrity

24 controls

ControlTitleKSIs
SI-1Policy and Procedures1
SI-10Information Input Validation3
SI-11Error Handling4
SI-12Information Management and Retention1
SI-16Memory Protection2
SI-2Flaw Remediation3
SI-2(2)Automated Flaw Remediation Status3
SI-2(3)Time to Remediate Flaws and Benchmarks for Corrective Actionsβ€”
SI-3Malicious Code Protection5
SI-4System Monitoring3
SI-4(1)System-wide Intrusion Detection Systemβ€”
SI-4(16)Correlate Monitoring Informationβ€”
SI-4(18)Analyze Traffic and Covert Exfiltrationβ€”
SI-4(2)Automated Tools and Mechanisms for Real-time Analysis2
SI-4(23)Host-based Devicesβ€”
SI-4(4)Inbound and Outbound Communications Traffic3
SI-4(5)System-generated Alerts2
SI-5Security Alerts, Advisories, and Directives3
SI-6Security and Privacy Function Verificationβ€”
SI-7Software, Firmware, and Information Integrity1
SI-7(1)Integrity Checks3
SI-7(7)Integration of Detection and Response4
SI-8Spam Protection2
SI-8(2)Automatic Updates1

SR β€” Supply Chain Risk Management

12 controls

ControlTitleKSIs
SR-1Policy and Procedures1
SR-10Inspection of Systems or Components3
SR-11Component Authenticity1
SR-11(1)Anti-counterfeit Training1
SR-11(2)Configuration Control for Component Service and Repairβ€”
SR-12Component Disposalβ€”
SR-2Supply Chain Risk Management Plan1
SR-2(1)Establish SCRM Team1
SR-3Supply Chain Controls and Processes1
SR-5Acquisition Strategies, Tools, and Methods2
SR-6Supplier Assessments and Reviews2
SR-8Notification Agreements1