FedRAMP’s moderate security level controls are required for any cloud service provider solution that accesses and stores personally identifiable information (PII) that, if compromised, could result in serious consequences for the organization using the solution.
The confidentiality objective is based on preserving authorized restrictions on information access and dissemination. A moderate impact level means that a confidentiality breach could have a serious impact on an organization’s proprietary information as well as on individuals who work for the company.
The integrity objective is based on preventing unauthorized data modification or destruction. A moderate impact level means that an integrity breach could have a serious impact on the organization and its employees.
The availability objective is based on access to and the reliability of information. A moderate impact level means that an availability breach could have a serious adverse effect on an organization's data and employees.
Moderate level requirements for FedRAMP have 325 controls, including…
43 Access Controls
32 Systems and Communications Protection Controls
28 System and Information Integrity Controls
27 Identification and Authentication Controls
26 Configuration Management Controls
23 Contingency Planning Controls
22 System and Services Acquisition Controls
20 Physical and Environmental Protection Controls
17 Incident Response Controls
16 Security Assessment and Authorization Controls
12 Maintenance Controls
10 Audit and Accountability Controls
10 Media Protection Controls
10 Risk Assessment Controls
9 Personnel Security Controls
6 Planning Controls
5 Awareness Training Controls