See CM-6(a) Additional FedRAMP Requirements and Guidance
+The organization employs assessors or assessment teams with
The information system implements multifactor authentication for network access to privileged accounts.
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials
Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.
+Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
+The information system, for password-based authentication:
The information system, for hardware token-based authentication, employs mechanisms that satisfy
Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability
FED - for Federal privileged users. Condition - Must document and assess for privileged users. May attest to this control for non-privileged users.
+The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
automated mechanisms that accept and verify PIV credentials
+Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.
+The information system accepts only FICAM-approved third-party credentials.
automated mechanisms that accept FICAM-approved credentials
+Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.
+The organization employs only FICAM-approved information system components in
The information system conforms to FICAM-issued profiles.
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
See CM-6(a) Additional FedRAMP Requirements and Guidance
+