FedRAMP Controls / SI
SI-5 Security Alerts, Advisories, and Directives
Family SI
Baselines moderate
Mapped KSIs 3
Control statement
a. Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;
b. Generate internal security alerts, advisories, and directives as deemed necessary;
c. Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and
d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.
Requirement: Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance status. Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is
preserved in the catalog database.
Covered by these Key Security Indicators
| KSI | Title | Category |
|---|---|---|
| KSI-AFR-05 | Significant Change Notifications Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) process and persistently address all related requirements and recommendations. | Authorization by FedRAMP |
| KSI-SVC-04 | Configuration Automation Manage configuration of machine-based information resources using automation. | Service Configuration |
| KSI-TPR-04 | Supply Chain Risk Monitoring Automatically monitor third party software _information resources_ for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services. | Third-Party Information Resources |