FIPS 200 Minimum Security Requirements (Coggle diagram)

1. Access Control (AC)
Requirement:
Limit access to authorized users, processes, or devices.
Cloud examples:
--Use IAM roles and policies (AWS IAM, Azure AD, Azure RBAC).
--Enforce Multi-Factor Authentication (MFA) for sensitive accounts.
--Segment networks with Virtual Private Cloud (VPC) security groups or Network Security Groups.

2. Awareness and Training (AT)
Requirement:
Ensure staff are aware of risks and trained in security practices.
Cloud examples:
--Phishing awareness training (e.g., AWS Security Fundamentals).
--Security best practices for managing cloud services.
--Enforce just-in-time (JIT) access training for elevated privileges.

3. Audit and Accountability (AU)
Requirement:
Create and protect audit logs to track user actions.
Cloud examples:
--Enable AWS CloudTrail, Azure Activity Logs.
--Use a SIEM (Splunk, ELK, Sentinel) for anomaly detection.
--Store logs in immutable, encrypted storage (e.g., S3 with Object Lock).

4. Certification, Accreditation & Security Assessments (CA)
Requirement:
Assess and authorize systems periodically.
Cloud examples:
--Perform vulnerability scans and penetration testing.
--Check compliance with FedRAMP, ISO 27001, SOC 2.
--Maintain Authority to Operate (ATO) documentation.

5. Configuration Management (CM)
Requirement:
Maintain secure baseline configurations.
Cloud examples:
--Apply Infrastructure as Code (Terraform, Ansible).
--Automate compliance checks (AWS Config, Azure Policy).

6. Contingency Planning (CP)
Requirement:
Plan for emergencies, backups, and disaster recovery.
Cloud examples:
--Multi-region automated backups.
--Disaster Recovery as a Service (DRaaS).
--Use automated failover (e.g., AWS Route 53 failover routing).

7. Identification & Authentication (IA)
Requirement:
Verify the identity of users, processes, or devices.
Cloud examples:
--Enforce Single Sign-On (SSO).
--Use cloud-managed keys and certificates (HSM, KMS).
--Use service accounts with short-lived credentials.

8. Incident Response (IR)
Requirement:
Detect, analyze, contain, and report incidents.
Cloud examples:
--Automated response playbooks (SOAR).
--Real-time alerts (CloudWatch, Azure Sentinel).
--Enable GuardDuty (AWS) or Microsoft Defender for Cloud for threat detection.

9. Maintenance (MA)
Requirement:
Perform secure and controlled system maintenance.
Cloud examples:
--Automated patching for VMs and containers.
--Temporary and monitored admin access.

10. Media Protection (MP)
Requirement:
Protect, sanitize, or destroy system media.
Cloud examples:
--Encrypt disks and snapshots.
--Secure deletion with crypto-shredding.
--Disable unnecessary portable media use.

11. Physical & Environmental Protection (PE)
Requirement:
Protect physical systems and environments.
Cloud examples:
--Rely on cloud provider datacenter controls (biometric access, surveillance).
--Redundant power, cooling, and fire protection.

12. Planning (PL)
Requirement:
Develop and update security plans.
Cloud examples:
--Document a Cloud Security Plan.
--Use DevSecOps pipelines to enforce updates.
--Define roles/responsibilities under the shared responsibility model (provider vs. customer).

13. Personnel Security (PS)
Requirement:
Ensure trustworthy personnel.
Cloud examples:
--Background checks for cloud admins.
--Immediate account deactivation after termination.

14. Risk Assessment (RA)
Requirement:
Periodically assess organizational risks.
Cloud examples:
--Vulnerability scanning (Qualys, Nessus).
--Threat analysis via AWS Inspector, GCP Security Command Center.

15. System & Services Acquisition (SA)
Requirement:
Ensure security in acquired systems/services.
Cloud examples:
--Security clauses in SLAs with cloud providers.
--Use only certified marketplaces and services.
--Include FedRAMP or ISO 27001 requirements in cloud procurement contracts.

16. System & Communications Protection (SC)
Requirement:
Protect communications and data in transit.
Cloud examples:
--Always use TLS/SSL and VPNs.
--Network segmentation (VPC, Security Groups, NSGs).
--Use end-to-end encryption (AWS KMS, Azure Disk Encryption).

17. System & Information Integrity (SI)
Requirement:
Detect, report, and fix system flaws.
Cloud examples:
--Endpoint protection (EDR/antivirus on VMs & containers).
--Automated patch management.