icdev 1.0.0__py3-none-any.whl

icdev/data/context/compliance/fedramp_high_baseline.json

@@ -0,0 +1,4370 @@
+{
+  "metadata": {
+    "title": "FedRAMP High Baseline Controls",
+    "source": "FedRAMP Rev 5 High Baseline (2023), NIST SP 800-53 Rev 5",
+    "classification": "CUI // SP-CTI",
+    "version": "1.0",
+    "last_updated": "2026-02-15",
+    "description": "FedRAMP High baseline control requirements for DoD IL5+ cloud systems. Extends FedRAMP Moderate with additional controls and enhanced parameters for high-impact systems processing classified or mission-critical data."
+  },
+  "controls": [
+    {
+      "id": "FRM-H-AC-1",
+      "family": "AC",
+      "nist_control_id": "AC-1",
+      "title": "Access Control Policy and Procedures",
+      "description": "Develop, document, and disseminate an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Review and update the current access control policy and procedures in accordance with FedRAMP-defined frequencies.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must explicitly address cloud-specific access control requirements including API access, multi-tenancy isolation, CSP administrative access, and high-impact data handling procedures.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-2",
+      "family": "AC",
+      "nist_control_id": "AC-2",
+      "title": "Account Management",
+      "description": "Define and document account types, establish conditions for group and role membership, specify authorized users and access authorizations, require approvals for account creation, create/enable/modify/disable/remove accounts in accordance with policy, monitor accounts, and review accounts for compliance.",
+      "fedramp_parameters": {
+        "account_review_frequency": "at least annually",
+        "inactivity_disable_period": "90 days",
+        "notification_period": "notify account managers within 24 hours when accounts are no longer required, users are terminated or transferred, or system usage changes"
+      },
+      "fedramp_additional_requirements": "CSP must implement automated mechanisms to support account management functions. Shared/group accounts are prohibited for privileged access. Guest/anonymous accounts must be disabled. For High systems, account reviews must include verification of need-to-know and clearance status.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-2(1)",
+      "family": "AC",
+      "nist_control_id": "AC-2(1)",
+      "title": "Account Management | Automated System Account Management",
+      "description": "Employ automated mechanisms to support the management of system accounts including creation, modification, enabling, disabling, and removal of accounts.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Automated account management must integrate with CSP identity provider and support SCIM or equivalent provisioning protocols.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-2(2)",
+      "family": "AC",
+      "nist_control_id": "AC-2(2)",
+      "title": "Account Management | Automated Temporary and Emergency Account Management",
+      "description": "Automatically remove or disable temporary and emergency accounts after a FedRAMP-defined time period.",
+      "fedramp_parameters": {
+        "temporary_account_duration": "no more than 72 hours",
+        "emergency_account_duration": "no more than 72 hours"
+      },
+      "fedramp_additional_requirements": "Emergency accounts must be logged and reviewed. Notification to ISSO required upon emergency account activation.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-2(3)",
+      "family": "AC",
+      "nist_control_id": "AC-2(3)",
+      "title": "Account Management | Disable Accounts",
+      "description": "Disable accounts when the accounts have been inactive for a FedRAMP-defined time period.",
+      "fedramp_parameters": {
+        "inactivity_period": "90 days for user accounts, 35 days for non-interactive service accounts"
+      },
+      "fedramp_additional_requirements": "",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-2(4)",
+      "family": "AC",
+      "nist_control_id": "AC-2(4)",
+      "title": "Account Management | Automated Audit Actions",
+      "description": "Automatically audit account creation, modification, enabling, disabling, and removal actions and notify appropriate personnel.",
+      "fedramp_parameters": {
+        "notification_recipients": "system administrators and ISSOs"
+      },
+      "fedramp_additional_requirements": "",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-2(5)",
+      "family": "AC",
+      "nist_control_id": "AC-2(5)",
+      "title": "Account Management | Inactivity Logout",
+      "description": "Require that users log out when the FedRAMP-defined time period of expected inactivity is exceeded or when the session inactivity timeout is reached.",
+      "fedramp_parameters": {
+        "inactivity_logout": "after session inactivity timeout defined in AC-12"
+      },
+      "fedramp_additional_requirements": "Users must be notified prior to automatic logout. Re-authentication required after logout.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-2(12)",
+      "family": "AC",
+      "nist_control_id": "AC-2(12)",
+      "title": "Account Management | Account Monitoring for Atypical Usage",
+      "description": "Monitor system accounts for atypical usage and report atypical usage of system accounts to designated personnel.",
+      "fedramp_parameters": {
+        "monitoring_criteria": "atypical usage patterns including off-hours access, excessive failed login attempts, access from unusual locations, and privilege escalation attempts",
+        "report_recipients": "ISSOs and system administrators"
+      },
+      "fedramp_additional_requirements": "Monitoring must include behavioral analytics for high-impact systems. Automated alerting required for anomalous privileged account activity.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-2(13)",
+      "family": "AC",
+      "nist_control_id": "AC-2(13)",
+      "title": "Account Management | Disable Accounts for High-Risk Individuals",
+      "description": "Disable accounts of individuals within 24 hours of discovery of significant risk.",
+      "fedramp_parameters": {
+        "disable_timeframe": "within 1 hour of determination of significant risk for High baseline"
+      },
+      "fedramp_additional_requirements": "Risk determinations must be documented in audit trail. Accounts must be disabled, not deleted, to preserve forensic data.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AC-3",
+      "family": "AC",
+      "nist_control_id": "AC-3",
+      "title": "Access Enforcement",
+      "description": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Access enforcement must address multi-tenant isolation ensuring one tenant cannot access another tenant's data or resources. API-level access enforcement is required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-4",
+      "family": "AC",
+      "nist_control_id": "AC-4",
+      "title": "Information Flow Enforcement",
+      "description": "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on FedRAMP-defined information flow control policies.",
+      "fedramp_parameters": {
+        "flow_control_policies": "policies defined by the organization and approved by the JAB/AO"
+      },
+      "fedramp_additional_requirements": "Information flow enforcement must prevent data exfiltration between authorization boundaries and enforce tenant data isolation in multi-tenant architectures.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-4(4)",
+      "family": "AC",
+      "nist_control_id": "AC-4(4)",
+      "title": "Information Flow Enforcement | Flow Control of Encrypted Information",
+      "description": "Prevent encrypted information from bypassing content-checking mechanisms by decrypting the information, blocking the flow of the encrypted information, or terminating communications sessions attempting to pass encrypted information.",
+      "fedramp_parameters": {
+        "encrypted_flow_action": "decrypt and inspect or block encrypted traffic that cannot be inspected"
+      },
+      "fedramp_additional_requirements": "TLS inspection required at authorization boundaries for High systems. SSL/TLS break-and-inspect must use FIPS 140-2 validated modules.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AC-5",
+      "family": "AC",
+      "nist_control_id": "AC-5",
+      "title": "Separation of Duties",
+      "description": "Identify and document duties of individuals requiring separation. Define system access authorizations to support separation of duties.",
+      "fedramp_parameters": {
+        "separation_duties": "at minimum: security administration, system administration, audit administration, and application administration"
+      },
+      "fedramp_additional_requirements": "CSP must document separation of duties between CSP operations and customer tenant administration.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-6",
+      "family": "AC",
+      "nist_control_id": "AC-6",
+      "title": "Least Privilege",
+      "description": "Employ the principle of least privilege, allowing only authorized accesses for users and processes which are necessary to accomplish assigned organizational tasks.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Least privilege must be enforced for CSP administrative access to customer tenants. Just-in-time access provisioning is required for privileged functions on High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-6(1)",
+      "family": "AC",
+      "nist_control_id": "AC-6(1)",
+      "title": "Least Privilege | Authorize Access to Security Functions",
+      "description": "Authorize access to security functions and security-relevant information for only those personnel explicitly designated by the organization.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Access to security functions must be reviewed quarterly for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-6(2)",
+      "family": "AC",
+      "nist_control_id": "AC-6(2)",
+      "title": "Least Privilege | Non-Privileged Access for Nonsecurity Functions",
+      "description": "Require that users of system accounts or roles with access to security functions or security-relevant information use non-privileged accounts or roles when accessing nonsecurity functions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Privileged accounts must be separate from day-to-day user accounts with no email or web browsing capability.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-6(3)",
+      "family": "AC",
+      "nist_control_id": "AC-6(3)",
+      "title": "Least Privilege | Network Access to Privileged Commands",
+      "description": "Authorize network access to privileged commands only for compelling operational needs and document the rationale for such access in the security plan for the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Network access to privileged commands must traverse a jump box or privileged access workstation (PAW). All sessions must be recorded.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AC-6(5)",
+      "family": "AC",
+      "nist_control_id": "AC-6(5)",
+      "title": "Least Privilege | Privileged Accounts",
+      "description": "Restrict privileged accounts on the system to specific personnel or roles designated by the organization.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "CSP must maintain a list of all privileged accounts and review quarterly.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-6(9)",
+      "family": "AC",
+      "nist_control_id": "AC-6(9)",
+      "title": "Least Privilege | Log Use of Privileged Functions",
+      "description": "Log the execution of privileged functions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Logs of privileged function execution must be retained for at least one year and available for review within 72 hours.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-6(10)",
+      "family": "AC",
+      "nist_control_id": "AC-6(10)",
+      "title": "Least Privilege | Prohibit Non-Privileged Users from Executing Privileged Functions",
+      "description": "Prevent non-privileged users from executing privileged functions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "System must enforce technical controls preventing privilege escalation, not rely solely on policy.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-7",
+      "family": "AC",
+      "nist_control_id": "AC-7",
+      "title": "Unsuccessful Logon Attempts",
+      "description": "Enforce a limit of consecutive invalid logon attempts by a user during a FedRAMP-defined time period and automatically lock the account or delay the next logon prompt.",
+      "fedramp_parameters": {
+        "max_unsuccessful_attempts": "not more than 3",
+        "time_period": "15 minutes",
+        "lockout_duration": "lock account for at least 30 minutes or until released by an administrator"
+      },
+      "fedramp_additional_requirements": "All failed logon attempts must be logged with source IP, timestamp, and account identifier.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-8",
+      "family": "AC",
+      "nist_control_id": "AC-8",
+      "title": "System Use Notification",
+      "description": "Display a system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable laws, policies, and standards.",
+      "fedramp_parameters": {
+        "banner_content": "US Government system notice with unauthorized use warning and monitoring consent"
+      },
+      "fedramp_additional_requirements": "Banner must be displayed for all interactive sessions including web, SSH, API console, and administrative interfaces.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-10",
+      "family": "AC",
+      "nist_control_id": "AC-10",
+      "title": "Concurrent Session Control",
+      "description": "Limit the number of concurrent sessions for each system account to the FedRAMP-defined number.",
+      "fedramp_parameters": {
+        "max_concurrent_sessions": "3 sessions for privileged users, 5 sessions for non-privileged users"
+      },
+      "fedramp_additional_requirements": "Concurrent session limits must be enforced at both the application and infrastructure layers. Exceeding session limits must generate an alert.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AC-11",
+      "family": "AC",
+      "nist_control_id": "AC-11",
+      "title": "Device Lock",
+      "description": "Prevent further access to the system by initiating a device lock after a FedRAMP-defined time period of inactivity, and retain the device lock until the user re-authenticates.",
+      "fedramp_parameters": {
+        "inactivity_timeout": "15 minutes"
+      },
+      "fedramp_additional_requirements": "",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-11(1)",
+      "family": "AC",
+      "nist_control_id": "AC-11(1)",
+      "title": "Device Lock | Pattern-Hiding Displays",
+      "description": "Conceal information previously visible on the display with a publicly viewable image via a pattern-hiding display.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Screen lock must completely obscure all displayed information. No partial screen savers permitted.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-12",
+      "family": "AC",
+      "nist_control_id": "AC-12",
+      "title": "Session Termination",
+      "description": "Automatically terminate a user session after FedRAMP-defined conditions or trigger events.",
+      "fedramp_parameters": {
+        "session_timeout": "30 minutes of inactivity for non-privileged sessions",
+        "privileged_session_timeout": "15 minutes of inactivity for privileged sessions"
+      },
+      "fedramp_additional_requirements": "Session tokens must be invalidated server-side upon termination. Re-authentication required after session timeout.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-14",
+      "family": "AC",
+      "nist_control_id": "AC-14",
+      "title": "Permitted Actions Without Identification or Authentication",
+      "description": "Identify user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions and document and justify such actions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "CSP must document all unauthenticated access paths and ensure no CUI is accessible without authentication. For High, unauthenticated actions must be minimized to only public-facing content.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-17",
+      "family": "AC",
+      "nist_control_id": "AC-17",
+      "title": "Remote Access",
+      "description": "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. Authorize each type of remote access to the system prior to allowing such connections.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All remote administrative access must use encrypted channels (FIPS-validated cryptography) and multi-factor authentication.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-17(1)",
+      "family": "AC",
+      "nist_control_id": "AC-17(1)",
+      "title": "Remote Access | Monitoring and Control",
+      "description": "Employ automated mechanisms to monitor and control remote access methods.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Real-time monitoring of all remote access sessions required for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-17(2)",
+      "family": "AC",
+      "nist_control_id": "AC-17(2)",
+      "title": "Remote Access | Protection of Confidentiality and Integrity Using Encryption",
+      "description": "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.",
+      "fedramp_parameters": {
+        "encryption_standard": "FIPS 140-2 validated cryptographic modules, TLS 1.2 minimum, TLS 1.3 preferred"
+      },
+      "fedramp_additional_requirements": "All remote access must use FIPS 140-2 validated encryption. SSH must use FIPS-approved algorithms only.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-17(3)",
+      "family": "AC",
+      "nist_control_id": "AC-17(3)",
+      "title": "Remote Access | Managed Access Control Points",
+      "description": "Route remote accesses through authorized and managed network access control points.",
+      "fedramp_parameters": {
+        "access_control_points": "managed VPN concentrators or zero-trust network access gateways"
+      },
+      "fedramp_additional_requirements": "All remote access must traverse a managed access control point with full packet inspection capability. Split tunneling is prohibited.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AC-17(4)",
+      "family": "AC",
+      "nist_control_id": "AC-17(4)",
+      "title": "Remote Access | Privileged Commands and Access",
+      "description": "Authorize the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and document the rationale for such access in the security plan.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Remote privileged access must use dedicated privileged access workstations. Session recording required for all remote privileged commands.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AC-18",
+      "family": "AC",
+      "nist_control_id": "AC-18",
+      "title": "Wireless Access",
+      "description": "Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access. Authorize each type of wireless access to the system prior to allowing such connections.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Wireless access must use WPA3 or FIPS-validated encryption. Wireless IDS/IPS required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-18(1)",
+      "family": "AC",
+      "nist_control_id": "AC-18(1)",
+      "title": "Wireless Access | Authentication and Encryption",
+      "description": "Protect wireless access to the system using authentication of users and/or devices and encryption.",
+      "fedramp_parameters": {
+        "wireless_encryption": "FIPS 140-2 validated cryptographic mechanisms"
+      },
+      "fedramp_additional_requirements": "",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-18(4)",
+      "family": "AC",
+      "nist_control_id": "AC-18(4)",
+      "title": "Wireless Access | Restrict Configurations by Users",
+      "description": "Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Users must not be permitted to configure ad-hoc wireless networks. Configuration changes require ISSO approval.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AC-18(5)",
+      "family": "AC",
+      "nist_control_id": "AC-18(5)",
+      "title": "Wireless Access | Antennas and Transmission Power Levels",
+      "description": "Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Wireless signal leakage assessments required annually. Transmission power must be minimized to prevent emanation beyond facility boundaries.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AC-19",
+      "family": "AC",
+      "nist_control_id": "AC-19",
+      "title": "Access Control for Mobile Devices",
+      "description": "Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, including when such devices are outside of controlled areas. Authorize the connection of mobile devices to organizational systems.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Mobile devices accessing High systems must be organization-managed with MDM enrollment, full-device encryption, and remote wipe capability.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-19(5)",
+      "family": "AC",
+      "nist_control_id": "AC-19(5)",
+      "title": "Access Control for Mobile Devices | Full Device or Container-Based Encryption",
+      "description": "Employ full-device encryption or container-based encryption to protect the confidentiality and integrity of information on mobile devices.",
+      "fedramp_parameters": {
+        "encryption_standard": "FIPS 140-2 validated full-device encryption"
+      },
+      "fedramp_additional_requirements": "",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-20",
+      "family": "AC",
+      "nist_control_id": "AC-20",
+      "title": "Use of External Systems",
+      "description": "Establish terms and conditions consistent with trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems and process, store, or transmit organization-controlled information using external systems.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "External systems must meet equivalent FedRAMP High baseline requirements or connections must be restricted via controlled interfaces with data loss prevention.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-20(1)",
+      "family": "AC",
+      "nist_control_id": "AC-20(1)",
+      "title": "Use of External Systems | Limits on Authorized Use",
+      "description": "Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification that required security controls are implemented on the external system as specified in organizational policy.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-20(2)",
+      "family": "AC",
+      "nist_control_id": "AC-20(2)",
+      "title": "Use of External Systems | Portable Storage Devices \u00e2\u20ac\u201d Restricted Use",
+      "description": "Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Portable storage devices must be encrypted with FIPS 140-2 validated encryption. Use of personally-owned portable storage is prohibited on High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AC-21",
+      "family": "AC",
+      "nist_control_id": "AC-21",
+      "title": "Information Sharing",
+      "description": "Facilitate information sharing by enabling authorized users to determine whether access authorizations assigned to a sharing partner match the information's access and use restrictions and employ automated mechanisms or manual processes to assist users in making information sharing and collaboration decisions.",
+      "fedramp_parameters": {
+        "sharing_circumstances": "when processing, storing, or transmitting CUI between systems at different impact levels or with different authorization boundaries"
+      },
+      "fedramp_additional_requirements": "Information sharing agreements must be documented and approved by the AO. Automated data classification and labeling required for High systems.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AC-22",
+      "family": "AC",
+      "nist_control_id": "AC-22",
+      "title": "Publicly Accessible Content",
+      "description": "Designate individuals authorized to make information publicly accessible, train authorized individuals to ensure publicly accessible information does not contain nonpublic information, review proposed content before posting, review content on the publicly accessible system for nonpublic information and remove if found.",
+      "fedramp_parameters": {
+        "review_frequency": "at least quarterly"
+      },
+      "fedramp_additional_requirements": "Automated scanning for CUI/PII in publicly accessible content required. Immediate removal upon discovery of nonpublic information.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AT-1",
+      "family": "AT",
+      "nist_control_id": "AT-1",
+      "title": "Awareness and Training Policy and Procedures",
+      "description": "Develop, document, and disseminate a security and privacy awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Review and update the policy and procedures.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address cloud-specific security awareness topics including phishing, social engineering, and insider threat for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AT-2",
+      "family": "AT",
+      "nist_control_id": "AT-2",
+      "title": "Literacy Training and Awareness",
+      "description": "Provide security and privacy literacy training to system users as part of initial training for new users and at least annually thereafter. Update literacy training and awareness content at least annually and following significant security events.",
+      "fedramp_parameters": {
+        "training_frequency": "at least annually",
+        "training_update_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Training must include cloud security best practices, CUI handling, and incident reporting procedures.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AT-2(2)",
+      "family": "AT",
+      "nist_control_id": "AT-2(2)",
+      "title": "Literacy Training and Awareness | Insider Threat",
+      "description": "Provide literacy training on recognizing and reporting potential indicators of insider threat.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Insider threat training must be provided within 30 days of onboarding and annually thereafter.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AT-3",
+      "family": "AT",
+      "nist_control_id": "AT-3",
+      "title": "Role-Based Training",
+      "description": "Provide role-based security and privacy training to personnel with assigned security roles and responsibilities before authorizing access and at least annually thereafter.",
+      "fedramp_parameters": {
+        "training_frequency": "at least annually",
+        "initial_training": "before granting system access"
+      },
+      "fedramp_additional_requirements": "Role-based training must include system-specific security procedures, incident handling, and CUI protection requirements.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AT-4",
+      "family": "AT",
+      "nist_control_id": "AT-4",
+      "title": "Training Records",
+      "description": "Document and monitor individual security and privacy training activities including initial training, refresher training, and role-based training. Retain individual training records for at least the FedRAMP-defined time period.",
+      "fedramp_parameters": {
+        "retention_period": "at least 3 years"
+      },
+      "fedramp_additional_requirements": "Training records must be available for audit within 72 hours of request.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-1",
+      "family": "AU",
+      "nist_control_id": "AU-1",
+      "title": "Audit and Accountability Policy and Procedures",
+      "description": "Develop, document, and disseminate an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Review and update the policy and procedures.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Audit policy must address cloud-specific considerations including API logging, multi-tenant audit isolation, and CSP administrative action logging.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-2",
+      "family": "AU",
+      "nist_control_id": "AU-2",
+      "title": "Event Logging",
+      "description": "Identify the types of events that the system is capable of logging in support of the audit function. Coordinate the event logging function with other organizational entities requiring audit-related information.",
+      "fedramp_parameters": {
+        "auditable_events": "successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, system events, and all administrator activity"
+      },
+      "fedramp_additional_requirements": "Event logging must include API calls, configuration changes, data access events, and container/orchestration events. Audit review frequency: at least weekly.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-3",
+      "family": "AU",
+      "nist_control_id": "AU-3",
+      "title": "Content of Audit Records",
+      "description": "Ensure that audit records contain information that establishes the type of event, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of individuals or subjects associated with the event.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Audit records must include session ID, source IP, user agent, and request identifiers for correlation.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-3(1)",
+      "family": "AU",
+      "nist_control_id": "AU-3(1)",
+      "title": "Content of Audit Records | Additional Audit Information",
+      "description": "Generate audit records containing additional information including full text recording of privileged commands or the individual identities of group account users.",
+      "fedramp_parameters": {
+        "additional_info": "full-text recording of privileged commands, session recording for administrative access, and database query logging"
+      },
+      "fedramp_additional_requirements": "Full command-line auditing required for all privileged sessions. Database transaction logging must capture query text and affected records.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-3(2)",
+      "family": "AU",
+      "nist_control_id": "AU-3(2)",
+      "title": "Content of Audit Records | Centralized Management of Planned Audit Record Content",
+      "description": "Centrally manage the content of audit records generated by the system components defined by the organization.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Centralized audit management must be implemented using a SIEM or equivalent tool. Audit record schemas must be standardized across all system components.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-4",
+      "family": "AU",
+      "nist_control_id": "AU-4",
+      "title": "Audit Log Storage Capacity",
+      "description": "Allocate audit log storage capacity to accommodate the organization-defined audit log retention requirements and reduce the likelihood of such capacity being exceeded.",
+      "fedramp_parameters": {
+        "storage_capacity": "sufficient to retain at least 90 days online and 1 year total"
+      },
+      "fedramp_additional_requirements": "Audit log storage must support automated archival and retrieval. Storage growth monitoring and alerting required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-4(1)",
+      "family": "AU",
+      "nist_control_id": "AU-4(1)",
+      "title": "Audit Log Storage Capacity | Transfer to Alternate Storage",
+      "description": "Transfer audit logs to a different system, media type, or location when the log storage capacity of the primary audit log storage reaches the organization-defined percentage.",
+      "fedramp_parameters": {
+        "transfer_threshold": "75% of allocated storage capacity"
+      },
+      "fedramp_additional_requirements": "Alternate storage must be in a separate availability zone or region. Transfer must be automated and verified.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-5",
+      "family": "AU",
+      "nist_control_id": "AU-5",
+      "title": "Response to Audit Logging Process Failures",
+      "description": "Alert designated personnel in the event of an audit logging process failure and take organization-defined additional actions.",
+      "fedramp_parameters": {
+        "alert_personnel": "system administrators, ISSOs, and ISSMs within 5 minutes",
+        "additional_actions": "overwrite oldest audit records if storage is full and alert on overwrite"
+      },
+      "fedramp_additional_requirements": "For High systems, audit failure must trigger automated incident response procedures. System must halt processing if audit capability cannot be restored within 5 minutes.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-5(1)",
+      "family": "AU",
+      "nist_control_id": "AU-5(1)",
+      "title": "Response to Audit Logging Process Failures | Storage Capacity Warning",
+      "description": "Provide a warning to designated personnel when allocated audit log storage volume reaches the organization-defined percentage of capacity.",
+      "fedramp_parameters": {
+        "warning_threshold": "75% of allocated audit log storage capacity",
+        "warning_recipients": "system administrators and ISSOs"
+      },
+      "fedramp_additional_requirements": "Warnings must be delivered in real-time via automated alerting mechanisms.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-5(2)",
+      "family": "AU",
+      "nist_control_id": "AU-5(2)",
+      "title": "Response to Audit Logging Process Failures | Real-Time Alerts",
+      "description": "Provide an alert within the organization-defined real-time period to designated personnel when the organization-defined audit failure events occur.",
+      "fedramp_parameters": {
+        "alert_period": "within 1 minute of failure detection",
+        "failure_events": "audit logging software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity reached"
+      },
+      "fedramp_additional_requirements": "Real-time alerts must be sent via at least two independent communication channels (e.g., email and SMS/pager).",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-6",
+      "family": "AU",
+      "nist_control_id": "AU-6",
+      "title": "Audit Record Review, Analysis, and Reporting",
+      "description": "Review and analyze system audit records for indications of inappropriate or unusual activity and report findings to designated personnel.",
+      "fedramp_parameters": {
+        "review_frequency": "at least weekly",
+        "report_recipients": "ISSOs and designated security personnel"
+      },
+      "fedramp_additional_requirements": "Audit analysis must employ automated mechanisms to integrate audit review, analysis, and reporting for investigating and responding to suspicious activity.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-6(1)",
+      "family": "AU",
+      "nist_control_id": "AU-6(1)",
+      "title": "Audit Record Review, Analysis, and Reporting | Automated Process Integration",
+      "description": "Integrate audit record review, analysis, and reporting processes using automated mechanisms to support organizational processes for investigation and response to suspicious activities.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "SIEM or equivalent automated analysis platform required. Must support correlation across all system components.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-6(3)",
+      "family": "AU",
+      "nist_control_id": "AU-6(3)",
+      "title": "Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories",
+      "description": "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Cross-repository correlation must include network, application, database, and infrastructure audit records. Correlation rules must be reviewed quarterly.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-6(5)",
+      "family": "AU",
+      "nist_control_id": "AU-6(5)",
+      "title": "Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records",
+      "description": "Integrate analysis of audit records with analysis of vulnerability scanning information, performance data, and system monitoring information to further enhance the ability to identify inappropriate or unusual activity.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Integrated analysis must correlate audit data with vulnerability scan results and IDS/IPS alerts.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-6(6)",
+      "family": "AU",
+      "nist_control_id": "AU-6(6)",
+      "title": "Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring",
+      "description": "Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Physical access logs must be correlated with logical access audit records for data center access events.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-7",
+      "family": "AU",
+      "nist_control_id": "AU-7",
+      "title": "Audit Record Reduction and Report Generation",
+      "description": "Provide and implement an audit record reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of incidents.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Audit reduction tools must support queries across all audit record fields. Report generation must produce output suitable for AO review.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-7(1)",
+      "family": "AU",
+      "nist_control_id": "AU-7(1)",
+      "title": "Audit Record Reduction and Report Generation | Automatic Processing",
+      "description": "Provide and implement the capability to process, sort, and search audit records for events of interest based on defined audit fields.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-8",
+      "family": "AU",
+      "nist_control_id": "AU-8",
+      "title": "Time Stamps",
+      "description": "Use internal system clocks to generate time stamps for audit records and record time stamps that map to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) with a defined granularity of time measurement.",
+      "fedramp_parameters": {
+        "time_granularity": "at least millisecond granularity"
+      },
+      "fedramp_additional_requirements": "All system components must synchronize to authoritative time source (e.g., NIST, DoD NTP). Time synchronization drift must not exceed 1 second.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-9",
+      "family": "AU",
+      "nist_control_id": "AU-9",
+      "title": "Protection of Audit Information",
+      "description": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Audit information must be protected using access controls that limit access to authorized audit personnel only. Integrity verification of audit logs required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-9(2)",
+      "family": "AU",
+      "nist_control_id": "AU-9(2)",
+      "title": "Protection of Audit Information | Store on Separate Physical Systems or Components",
+      "description": "Store audit records on a repository on a physically different system or system component than the system or component being audited.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Audit storage must be on a separate system with independent access controls. Cross-account or cross-region storage recommended.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-9(3)",
+      "family": "AU",
+      "nist_control_id": "AU-9(3)",
+      "title": "Protection of Audit Information | Cryptographic Protection",
+      "description": "Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.",
+      "fedramp_parameters": {
+        "cryptographic_mechanism": "FIPS 140-2 validated hashing (SHA-256 minimum) for audit record integrity"
+      },
+      "fedramp_additional_requirements": "Cryptographic hash chains or digital signatures required to detect tampering of audit records.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-9(4)",
+      "family": "AU",
+      "nist_control_id": "AU-9(4)",
+      "title": "Protection of Audit Information | Access by Subset of Privileged Users",
+      "description": "Authorize access to management of audit logging functionality to only a subset of privileged users or roles.",
+      "fedramp_parameters": {
+        "authorized_users": "only designated audit administrators separate from system administrators"
+      },
+      "fedramp_additional_requirements": "Audit administration role must be separate from system administration role. Dual authorization required for audit configuration changes.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-10",
+      "family": "AU",
+      "nist_control_id": "AU-10",
+      "title": "Non-Repudiation",
+      "description": "Provide irrefutable evidence that an individual or process performed specific actions to protect against false claims of not having performed such actions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Non-repudiation must be enforced for all privileged actions, data exports, and configuration changes. Digital signatures or equivalent mechanisms required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-11",
+      "family": "AU",
+      "nist_control_id": "AU-11",
+      "title": "Audit Record Retention",
+      "description": "Retain audit records for a FedRAMP-defined time period to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.",
+      "fedramp_parameters": {
+        "retention_period": "at least 1 year online, 3 years total for High baseline"
+      },
+      "fedramp_additional_requirements": "Audit records must be retrievable within 24 hours for the most recent 90 days, within 72 hours for records up to 1 year, and within 30 days for archived records.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-12",
+      "family": "AU",
+      "nist_control_id": "AU-12",
+      "title": "Audit Record Generation",
+      "description": "Provide audit record generation capability for the events defined in AU-2 at all system components where audit capability is deployed. Allow authorized personnel to select the events to be logged by specific components.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Audit record generation must be enabled by default and cannot be disabled by non-audit personnel.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-AU-12(1)",
+      "family": "AU",
+      "nist_control_id": "AU-12(1)",
+      "title": "Audit Record Generation | System-Wide and Time-Correlated Audit Trail",
+      "description": "Compile audit records from all system components into a system-wide (logical or physical) audit trail that is time-correlated to within the organization-defined level of tolerance.",
+      "fedramp_parameters": {
+        "time_tolerance": "within 1 second tolerance across all system components"
+      },
+      "fedramp_additional_requirements": "System-wide audit trail must be centralized in SIEM and support real-time correlation.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-AU-12(3)",
+      "family": "AU",
+      "nist_control_id": "AU-12(3)",
+      "title": "Audit Record Generation | Changes by Authorized Individuals",
+      "description": "Provide and implement the capability for authorized individuals or roles to change the logging to be performed on specified system components based on defined auditable events, time thresholds, or in response to specific events.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Changes to audit logging configuration must be logged and require approval from the ISSO. Emergency changes permitted with retrospective review within 24 hours.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CA-1",
+      "family": "CA",
+      "nist_control_id": "CA-1",
+      "title": "Assessment, Authorization, and Monitoring Policy and Procedures",
+      "description": "Develop, document, and disseminate a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address FedRAMP continuous monitoring requirements and JAB/AO reporting obligations.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CA-2",
+      "family": "CA",
+      "nist_control_id": "CA-2",
+      "title": "Control Assessments",
+      "description": "Develop a control assessment plan and assess the controls in the system and its environment of operation at the FedRAMP-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.",
+      "fedramp_parameters": {
+        "assessment_frequency": "at least annually",
+        "assessment_scope": "all FedRAMP High baseline controls"
+      },
+      "fedramp_additional_requirements": "Assessment must be performed by an independent 3PAO. Results must be submitted to FedRAMP PMO.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CA-2(1)",
+      "family": "CA",
+      "nist_control_id": "CA-2(1)",
+      "title": "Control Assessments | Independent Assessors",
+      "description": "Employ independent assessors or assessment teams to conduct control assessments.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Assessors must be FedRAMP-recognized 3PAOs with appropriate clearances for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CA-3",
+      "family": "CA",
+      "nist_control_id": "CA-3",
+      "title": "Information Exchange",
+      "description": "Approve and manage the exchange of information between the system and other systems using interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, or other exchange agreements.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All system interconnections must be documented in ISAs and approved by AO. Interconnections to non-FedRAMP systems require risk acceptance.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CA-3(5)",
+      "family": "CA",
+      "nist_control_id": "CA-3(5)",
+      "title": "Information Exchange | Restrictions on External System Connections",
+      "description": "Employ an allow-all, deny-by-exception or deny-all, permit-by-exception policy for allowing external systems to connect to the system.",
+      "fedramp_parameters": {
+        "connection_policy": "deny-all, permit-by-exception"
+      },
+      "fedramp_additional_requirements": "External connections require documented approval, risk assessment, and ISA. Default deny policy required for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CA-5",
+      "family": "CA",
+      "nist_control_id": "CA-5",
+      "title": "Plan of Action and Milestones",
+      "description": "Develop a plan of action and milestones (POA&M) for the system to document planned remediation actions to correct weaknesses or deficiencies and reduce or eliminate known vulnerabilities.",
+      "fedramp_parameters": {
+        "update_frequency": "at least monthly"
+      },
+      "fedramp_additional_requirements": "POA&M must be submitted to FedRAMP PMO monthly. Critical/high findings must include remediation timelines.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CA-6",
+      "family": "CA",
+      "nist_control_id": "CA-6",
+      "title": "Authorization",
+      "description": "Assign a senior official as the authorizing official for the system. Ensure the authorizing official authorizes the system for processing before commencing operations.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Authorization must be granted by JAB or agency AO. Provisional ATOs from JAB are valid for 3 years with continuous monitoring.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CA-7",
+      "family": "CA",
+      "nist_control_id": "CA-7",
+      "title": "Continuous Monitoring",
+      "description": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy.",
+      "fedramp_parameters": {
+        "monitoring_frequency": "ongoing with monthly reporting to FedRAMP"
+      },
+      "fedramp_additional_requirements": "Continuous monitoring must include monthly vulnerability scanning, annual 3PAO assessment, and monthly POA&M updates per FedRAMP ConMon guidance.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CA-7(1)",
+      "family": "CA",
+      "nist_control_id": "CA-7(1)",
+      "title": "Continuous Monitoring | Independent Assessment",
+      "description": "Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Annual assessment by FedRAMP-recognized 3PAO required.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CA-8",
+      "family": "CA",
+      "nist_control_id": "CA-8",
+      "title": "Penetration Testing",
+      "description": "Conduct penetration testing at the FedRAMP-defined frequency on the system or system components.",
+      "fedramp_parameters": {
+        "penetration_test_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Penetration testing must be performed by 3PAO or independent team. Must include social engineering, network, application, and physical testing for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CA-8(1)",
+      "family": "CA",
+      "nist_control_id": "CA-8(1)",
+      "title": "Penetration Testing | Independent Penetration Testing Agent or Team",
+      "description": "Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Penetration testers must hold appropriate clearances and be independent from system development and operations teams.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CA-9",
+      "family": "CA",
+      "nist_control_id": "CA-9",
+      "title": "Internal System Connections",
+      "description": "Authorize internal connections of system components and monitor/control the connections on an ongoing basis.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Internal system connections must be documented and authorized. Micro-segmentation recommended for High systems.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-1",
+      "family": "CM",
+      "nist_control_id": "CM-1",
+      "title": "Configuration Management Policy and Procedures",
+      "description": "Develop, document, and disseminate a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address infrastructure-as-code, container image management, and cloud service configuration baselines.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-2",
+      "family": "CM",
+      "nist_control_id": "CM-2",
+      "title": "Baseline Configuration",
+      "description": "Develop, document, and maintain a current baseline configuration of the system under configuration control.",
+      "fedramp_parameters": {
+        "baseline_review_frequency": "at least annually and when significant changes occur"
+      },
+      "fedramp_additional_requirements": "Baseline must include all cloud service configurations, network diagrams, and container/VM images. Configuration drift detection required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-2(2)",
+      "family": "CM",
+      "nist_control_id": "CM-2(2)",
+      "title": "Baseline Configuration | Automation Support for Accuracy and Currency",
+      "description": "Employ automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Infrastructure-as-code and configuration management tools must be used to maintain baselines.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-2(3)",
+      "family": "CM",
+      "nist_control_id": "CM-2(3)",
+      "title": "Baseline Configuration | Retention of Previous Configurations",
+      "description": "Retain previous versions of baseline configurations of the system to support rollback.",
+      "fedramp_parameters": {
+        "retention_count": "at least 3 previous baseline versions"
+      },
+      "fedramp_additional_requirements": "Previous baselines must be stored in version control with rollback capability tested quarterly.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-3",
+      "family": "CM",
+      "nist_control_id": "CM-3",
+      "title": "Configuration Change Control",
+      "description": "Determine and document the types of changes to the system that are configuration-controlled. Review proposed configuration-controlled changes and approve or disapprove with explicit consideration for security and privacy impact analyses.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All changes must go through formal change control board review. Emergency changes require retrospective CCB approval within 48 hours.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-3(1)",
+      "family": "CM",
+      "nist_control_id": "CM-3(1)",
+      "title": "Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes",
+      "description": "Use automated mechanisms to document proposed changes, notify approval authorities, highlight unapproved changes, prohibit changes until approvals are received, and document completed changes.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "CI/CD pipeline must enforce change approval gates. Unapproved changes must be automatically blocked.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CM-3(2)",
+      "family": "CM",
+      "nist_control_id": "CM-3(2)",
+      "title": "Configuration Change Control | Testing, Validation, and Documentation of Changes",
+      "description": "Test, validate, and document changes to the system before finalizing the implementation of the changes.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All changes must be tested in a staging environment before production deployment. Security regression testing required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CM-3(4)",
+      "family": "CM",
+      "nist_control_id": "CM-3(4)",
+      "title": "Configuration Change Control | Security and Privacy Representatives",
+      "description": "Require a security and privacy representative to be a member of the configuration change control element.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "ISSO or designated security representative must approve all configuration changes for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CM-4",
+      "family": "CM",
+      "nist_control_id": "CM-4",
+      "title": "Impact Analyses",
+      "description": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Impact analysis must document security implications including effects on authorization boundary, data flows, and compliance posture.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-5",
+      "family": "CM",
+      "nist_control_id": "CM-5",
+      "title": "Access Restrictions for Change",
+      "description": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Only authorized personnel with documented change authorization may implement changes. Separation of duties between change requestor, approver, and implementer required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-5(1)",
+      "family": "CM",
+      "nist_control_id": "CM-5(1)",
+      "title": "Access Restrictions for Change | Automated Access Enforcement and Audit Records",
+      "description": "Enforce access restrictions using automated mechanisms and generate audit records of the enforcement actions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "CI/CD pipeline must enforce RBAC for deployment actions. All deployment actions must be logged with actor identity.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CM-6",
+      "family": "CM",
+      "nist_control_id": "CM-6",
+      "title": "Configuration Settings",
+      "description": "Establish and document configuration settings for system components using organization-defined security configuration checklists. Implement the configuration settings and identify, document, and approve any deviations.",
+      "fedramp_parameters": {
+        "configuration_checklists": "DISA STIGs, CIS Benchmarks, or vendor security guides as applicable"
+      },
+      "fedramp_additional_requirements": "Configuration settings must comply with DISA STIGs. Deviations require documented risk acceptance from AO.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-6(1)",
+      "family": "CM",
+      "nist_control_id": "CM-6(1)",
+      "title": "Configuration Settings | Automated Management, Application, and Verification",
+      "description": "Manage, apply, and verify configuration settings for system components using automated mechanisms.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Automated configuration management and compliance scanning required. Drift detection must alert within 15 minutes.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CM-6(2)",
+      "family": "CM",
+      "nist_control_id": "CM-6(2)",
+      "title": "Configuration Settings | Respond to Unauthorized Changes",
+      "description": "Take organization-defined actions in response to unauthorized changes to system configuration settings.",
+      "fedramp_parameters": {
+        "response_actions": "alert ISSO, revert unauthorized change, and generate incident ticket"
+      },
+      "fedramp_additional_requirements": "Automated remediation of unauthorized configuration changes required for High systems. Changes must be reverted within 1 hour.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CM-7",
+      "family": "CM",
+      "nist_control_id": "CM-7",
+      "title": "Least Functionality",
+      "description": "Configure the system to provide only mission-essential capabilities. Prohibit or restrict the use of specified functions, ports, protocols, software, and/or services.",
+      "fedramp_parameters": {
+        "prohibited_functions": "unnecessary services, protocols (Telnet, FTP, SNMP v1/v2), and software not required for system operation"
+      },
+      "fedramp_additional_requirements": "Only ports, protocols, and services documented in the SSP are permitted. All others must be disabled.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-7(1)",
+      "family": "CM",
+      "nist_control_id": "CM-7(1)",
+      "title": "Least Functionality | Periodic Review",
+      "description": "Review the system at the FedRAMP-defined frequency to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services.",
+      "fedramp_parameters": {
+        "review_frequency": "at least monthly"
+      },
+      "fedramp_additional_requirements": "",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-7(2)",
+      "family": "CM",
+      "nist_control_id": "CM-7(2)",
+      "title": "Least Functionality | Prevent Program Execution",
+      "description": "Prevent program execution in accordance with the organization-defined policies regarding software program usage and restrictions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Application whitelisting required for all server components. Only authorized executables may run on High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CM-7(5)",
+      "family": "CM",
+      "nist_control_id": "CM-7(5)",
+      "title": "Least Functionality | Authorized Software \u2014 Allow-by-Exception",
+      "description": "Identify and maintain a list of authorized software programs. Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.",
+      "fedramp_parameters": {
+        "review_frequency": "at least monthly"
+      },
+      "fedramp_additional_requirements": "Software inventory must be maintained and verified against authorized list. Unauthorized software must be blocked or removed within 24 hours.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CM-8",
+      "family": "CM",
+      "nist_control_id": "CM-8",
+      "title": "System Component Inventory",
+      "description": "Develop and document an inventory of system components that accurately reflects the system, includes all components within the authorization boundary, and is at the level of granularity deemed necessary for tracking and reporting.",
+      "fedramp_parameters": {
+        "update_frequency": "continuously with automated discovery and at least monthly manual verification"
+      },
+      "fedramp_additional_requirements": "Inventory must include all VMs, containers, cloud resources, APIs, and network components within the authorization boundary.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-8(1)",
+      "family": "CM",
+      "nist_control_id": "CM-8(1)",
+      "title": "System Component Inventory | Updates During Installation and Removal",
+      "description": "Update the inventory of system components as part of component installations, removals, and system updates.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "CI/CD pipeline must automatically update inventory on deployments.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-8(3)",
+      "family": "CM",
+      "nist_control_id": "CM-8(3)",
+      "title": "System Component Inventory | Automated Unauthorized Component Detection",
+      "description": "Detect the presence of unauthorized hardware, software, and firmware components within the system using automated mechanisms.",
+      "fedramp_parameters": {
+        "detection_frequency": "continuously or at least every 72 hours"
+      },
+      "fedramp_additional_requirements": "Unauthorized components must be flagged, quarantined, and reported to ISSO within 24 hours.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CM-8(4)",
+      "family": "CM",
+      "nist_control_id": "CM-8(4)",
+      "title": "System Component Inventory | Accountability Information",
+      "description": "Include in the system component inventory, information to achieve effective property accountability.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Inventory must track responsible individual, acquisition date, license status, and disposal tracking.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CM-9",
+      "family": "CM",
+      "nist_control_id": "CM-9",
+      "title": "Configuration Management Plan",
+      "description": "Develop, document, and implement a configuration management plan for the system that addresses roles, responsibilities, and configuration management processes and procedures.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "CM plan must address cloud service configuration, infrastructure-as-code practices, and container image management.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-10",
+      "family": "CM",
+      "nist_control_id": "CM-10",
+      "title": "Software Usage Restrictions",
+      "description": "Use software and associated documentation in accordance with contract agreements and copyright laws. Track the use of software protected by quantity licenses.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Software license compliance must be verified quarterly. Open source components must comply with license obligations.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-11",
+      "family": "CM",
+      "nist_control_id": "CM-11",
+      "title": "User-Installed Software",
+      "description": "Establish and enforce policies governing the installation of software by users.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "User-installed software prohibited on High systems without explicit ISSO approval. Application whitelisting enforced.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CM-12",
+      "family": "CM",
+      "nist_control_id": "CM-12",
+      "title": "Information Location",
+      "description": "Identify and document the location of organization-defined information and the specific system components on which the information is processed and stored.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Data residency requirements must be documented. For High/DoD systems, data must reside within CONUS in authorized GovCloud regions.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-1",
+      "family": "CP",
+      "nist_control_id": "CP-1",
+      "title": "Contingency Planning Policy and Procedures",
+      "description": "Develop, document, and disseminate a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address cloud-specific contingency scenarios including region failures, CSP service outages, and multi-tenant recovery.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CP-2",
+      "family": "CP",
+      "nist_control_id": "CP-2",
+      "title": "Contingency Plan",
+      "description": "Develop a contingency plan for the system that identifies essential mission and business functions and associated contingency requirements, provides recovery objectives, restoration priorities, and metrics.",
+      "fedramp_parameters": {
+        "plan_review_frequency": "at least annually",
+        "plan_update_triggers": "significant changes to the system, operating environment, or after contingency plan testing"
+      },
+      "fedramp_additional_requirements": "Contingency plan must be tested at least annually and updated based on test results. Plan must include RPO and RTO targets.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CP-2(1)",
+      "family": "CP",
+      "nist_control_id": "CP-2(1)",
+      "title": "Contingency Plan | Coordinate with Related Plans",
+      "description": "Coordinate contingency plan development with organizational elements responsible for related plans.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Coordination must include CSP disaster recovery, customer notification, and FedRAMP PMO notification.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-2(2)",
+      "family": "CP",
+      "nist_control_id": "CP-2(2)",
+      "title": "Contingency Plan | Capacity Planning",
+      "description": "Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Alternate processing capacity must support full production workload. Auto-scaling policies must account for failover scenarios.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-2(3)",
+      "family": "CP",
+      "nist_control_id": "CP-2(3)",
+      "title": "Contingency Plan | Resume Mission and Business Functions",
+      "description": "Plan for the resumption of mission and business functions within the organization-defined time period of contingency plan activation.",
+      "fedramp_parameters": {
+        "resumption_period": "within 24 hours for High baseline"
+      },
+      "fedramp_additional_requirements": "Full mission capability must be restored within 24 hours. Essential functions must resume within 4 hours.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-2(5)",
+      "family": "CP",
+      "nist_control_id": "CP-2(5)",
+      "title": "Contingency Plan | Continue Mission and Business Functions",
+      "description": "Plan for the continuance of mission and business functions with minimal or no loss of operational continuity.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Active-active or active-warm standby configurations required for High systems. Zero data loss (RPO=0) required for critical data.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-2(8)",
+      "family": "CP",
+      "nist_control_id": "CP-2(8)",
+      "title": "Contingency Plan | Identify Critical Assets",
+      "description": "Identify critical system assets supporting mission and business functions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Critical assets inventory must be maintained and prioritized for recovery. Business impact analysis required annually.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-3",
+      "family": "CP",
+      "nist_control_id": "CP-3",
+      "title": "Contingency Training",
+      "description": "Provide contingency training to system users consistent with assigned roles and responsibilities.",
+      "fedramp_parameters": {
+        "initial_training": "within 10 days of assuming role",
+        "refresher_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Training must include tabletop exercises and hands-on recovery procedures.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CP-4",
+      "family": "CP",
+      "nist_control_id": "CP-4",
+      "title": "Contingency Plan Testing",
+      "description": "Test the contingency plan for the system at the FedRAMP-defined frequency to determine the effectiveness of the plan and the readiness to execute the plan.",
+      "fedramp_parameters": {
+        "test_frequency": "at least annually",
+        "test_types": "functional testing with full recovery for High baseline"
+      },
+      "fedramp_additional_requirements": "Full failover test required annually for High systems. Results must be documented and deficiencies tracked in POA&M.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CP-4(1)",
+      "family": "CP",
+      "nist_control_id": "CP-4(1)",
+      "title": "Contingency Plan Testing | Coordinate with Related Plans",
+      "description": "Coordinate contingency plan testing with organizational elements responsible for related plans.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CP-6",
+      "family": "CP",
+      "nist_control_id": "CP-6",
+      "title": "Alternate Storage Site",
+      "description": "Establish an alternate storage site and initiate necessary agreements to permit the storage and retrieval of system backup information.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Alternate storage must be in a geographically separate region. Must meet same FedRAMP High requirements.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CP-6(1)",
+      "family": "CP",
+      "nist_control_id": "CP-6(1)",
+      "title": "Alternate Storage Site | Separation from Primary Site",
+      "description": "Identify an alternate storage site that is geographically separated from the primary storage site.",
+      "fedramp_parameters": {
+        "separation_distance": "at least 100 miles from primary site"
+      },
+      "fedramp_additional_requirements": "Alternate site must be in a different FEMA region when possible.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-6(2)",
+      "family": "CP",
+      "nist_control_id": "CP-6(2)",
+      "title": "Alternate Storage Site | Recovery Time and Recovery Point Objectives",
+      "description": "Configure the alternate storage site to facilitate recovery operations in accordance with RTO and RPO.",
+      "fedramp_parameters": {
+        "rto": "24 hours maximum",
+        "rpo": "1 hour maximum for High baseline"
+      },
+      "fedramp_additional_requirements": "Automated replication required to meet RPO. Recovery testing must validate RTO/RPO targets.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-6(3)",
+      "family": "CP",
+      "nist_control_id": "CP-6(3)",
+      "title": "Alternate Storage Site | Accessibility",
+      "description": "Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Alternate site must have independent network connectivity and power infrastructure.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-7",
+      "family": "CP",
+      "nist_control_id": "CP-7",
+      "title": "Alternate Processing Site",
+      "description": "Establish an alternate processing site and initiate necessary agreements to permit the transfer and resumption of system operations.",
+      "fedramp_parameters": {
+        "transfer_period": "within 24 hours for High baseline"
+      },
+      "fedramp_additional_requirements": "Alternate processing site must be pre-provisioned with capacity to handle full production workload.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CP-7(1)",
+      "family": "CP",
+      "nist_control_id": "CP-7(1)",
+      "title": "Alternate Processing Site | Separation from Primary Site",
+      "description": "Identify an alternate processing site that is geographically separated from the primary processing site.",
+      "fedramp_parameters": {
+        "separation_distance": "at least 100 miles from primary site"
+      },
+      "fedramp_additional_requirements": "",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-7(2)",
+      "family": "CP",
+      "nist_control_id": "CP-7(2)",
+      "title": "Alternate Processing Site | Accessibility",
+      "description": "Identify potential accessibility problems to the alternate processing site in the event of an area-wide disruption.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-7(3)",
+      "family": "CP",
+      "nist_control_id": "CP-7(3)",
+      "title": "Alternate Processing Site | Priority of Service",
+      "description": "Develop alternate processing site agreements that contain priority-of-service provisions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Service level agreements must guarantee processing priority during failover events.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-8",
+      "family": "CP",
+      "nist_control_id": "CP-8",
+      "title": "Telecommunications Services",
+      "description": "Establish alternate telecommunications services to permit the resumption of system operations when the primary telecommunications capabilities are unavailable.",
+      "fedramp_parameters": {
+        "resumption_period": "within 24 hours"
+      },
+      "fedramp_additional_requirements": "Alternate telecommunications must use diverse routing and different service providers where possible.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CP-8(1)",
+      "family": "CP",
+      "nist_control_id": "CP-8(1)",
+      "title": "Telecommunications Services | Priority of Service Provisions",
+      "description": "Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Telecommunications priority must be established through TSP program.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-8(2)",
+      "family": "CP",
+      "nist_control_id": "CP-8(2)",
+      "title": "Telecommunications Services | Single Points of Failure",
+      "description": "Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Network path diversity analysis required. No shared last-mile connectivity between primary and alternate.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-9",
+      "family": "CP",
+      "nist_control_id": "CP-9",
+      "title": "System Backup",
+      "description": "Conduct backups of user-level information, system-level information, and system documentation consistent with recovery time and recovery point objectives.",
+      "fedramp_parameters": {
+        "user_backup_frequency": "at least daily",
+        "system_backup_frequency": "at least daily",
+        "documentation_backup_frequency": "at least weekly"
+      },
+      "fedramp_additional_requirements": "Backups must be encrypted with FIPS 140-2 validated modules. Three copies in two media types with one offsite.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CP-9(1)",
+      "family": "CP",
+      "nist_control_id": "CP-9(1)",
+      "title": "System Backup | Testing for Reliability and Integrity",
+      "description": "Test backup information to verify media reliability and information integrity.",
+      "fedramp_parameters": {
+        "test_frequency": "at least quarterly for High baseline"
+      },
+      "fedramp_additional_requirements": "Full restoration test required quarterly. Results must be documented.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-9(2)",
+      "family": "CP",
+      "nist_control_id": "CP-9(2)",
+      "title": "System Backup | Test Restoration Using Sampling",
+      "description": "Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-9(3)",
+      "family": "CP",
+      "nist_control_id": "CP-9(3)",
+      "title": "System Backup | Separate Storage for Critical Information",
+      "description": "Store backup copies of the operating system and other critical system software in a separate facility.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Critical system backups must be stored in a geographically separate GovCloud region.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-9(5)",
+      "family": "CP",
+      "nist_control_id": "CP-9(5)",
+      "title": "System Backup | Transfer to Alternate Storage Site",
+      "description": "Transfer system backup information to the alternate storage site at the FedRAMP-defined frequency.",
+      "fedramp_parameters": {
+        "transfer_frequency": "at least daily for High baseline"
+      },
+      "fedramp_additional_requirements": "Replication to alternate site must be automated and verified. Transfer must be encrypted in transit.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-10",
+      "family": "CP",
+      "nist_control_id": "CP-10",
+      "title": "System Recovery and Reconstitution",
+      "description": "Provide for the recovery and reconstitution of the system to a known state after a disruption, compromise, or failure.",
+      "fedramp_parameters": {
+        "recovery_period": "within 24 hours for High baseline"
+      },
+      "fedramp_additional_requirements": "Recovery procedures must be automated where possible. System must be reconstituted to a known secure state.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-CP-10(2)",
+      "family": "CP",
+      "nist_control_id": "CP-10(2)",
+      "title": "System Recovery and Reconstitution | Transaction Recovery",
+      "description": "Implement transaction recovery for systems that are transaction-based.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Database transaction logging and point-in-time recovery required. Transaction replay capability must be tested.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-CP-10(4)",
+      "family": "CP",
+      "nist_control_id": "CP-10(4)",
+      "title": "System Recovery and Reconstitution | Restore Within Time Period",
+      "description": "Provide the capability to restore system components within the FedRAMP-defined restoration time periods.",
+      "fedramp_parameters": {
+        "restoration_period": "within 24 hours for full system, 4 hours for critical components"
+      },
+      "fedramp_additional_requirements": "Infrastructure-as-code must support automated reprovisioning. Immutable infrastructure patterns recommended.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IA-1",
+      "family": "IA",
+      "nist_control_id": "IA-1",
+      "title": "Identification and Authentication Policy and Procedures",
+      "description": "Develop, document, and disseminate an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address cloud-specific authentication including API key management, federation, and multi-tenant identity isolation.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IA-2",
+      "family": "IA",
+      "nist_control_id": "IA-2",
+      "title": "Identification and Authentication (Organizational Users)",
+      "description": "Uniquely identify and authenticate organizational users or processes acting on behalf of organizational users.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All user accounts must be uniquely identifiable. No shared or generic accounts for interactive access.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IA-2(1)",
+      "family": "IA",
+      "nist_control_id": "IA-2(1)",
+      "title": "Identification and Authentication | Multi-Factor Authentication to Privileged Accounts",
+      "description": "Implement multi-factor authentication for access to privileged accounts.",
+      "fedramp_parameters": {
+        "mfa_type": "phishing-resistant MFA (FIDO2, PIV, or equivalent) required for High baseline"
+      },
+      "fedramp_additional_requirements": "MFA must be hardware-backed or FIDO2/PIV for privileged access on High systems. SMS-based MFA prohibited.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IA-2(2)",
+      "family": "IA",
+      "nist_control_id": "IA-2(2)",
+      "title": "Identification and Authentication | Multi-Factor Authentication to Non-Privileged Accounts",
+      "description": "Implement multi-factor authentication for access to non-privileged accounts.",
+      "fedramp_parameters": {
+        "mfa_type": "phishing-resistant MFA preferred; at minimum TOTP or push notification"
+      },
+      "fedramp_additional_requirements": "All interactive user accounts must use MFA. API access must use certificate-based or equivalent strong authentication.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IA-2(5)",
+      "family": "IA",
+      "nist_control_id": "IA-2(5)",
+      "title": "Identification and Authentication | Individual Authentication with Group Authentication",
+      "description": "When shared accounts or credentials are necessary, require individual authentication prior to granting access to the shared account or resource.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Individual accountability must be maintained even when shared resources are accessed. All shared account usage must be logged with individual identity.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IA-2(8)",
+      "family": "IA",
+      "nist_control_id": "IA-2(8)",
+      "title": "Identification and Authentication | Access to Accounts \u2014 Replay Resistant",
+      "description": "Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Authentication protocols must be replay-resistant (e.g., challenge-response, time-based tokens). Session tokens must include anti-replay protections.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IA-2(12)",
+      "family": "IA",
+      "nist_control_id": "IA-2(12)",
+      "title": "Identification and Authentication | Acceptance of PIV Credentials",
+      "description": "Accept and electronically verify Personal Identity Verification (PIV) credentials.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "System must accept and verify PIV/CAC credentials for DoD users. OCSP or CRL checking required for certificate validation.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IA-3",
+      "family": "IA",
+      "nist_control_id": "IA-3",
+      "title": "Device Identification and Authentication",
+      "description": "Uniquely identify and authenticate devices before establishing a local, remote, or network connection.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Device certificates or equivalent strong device authentication required. 802.1X network access control recommended.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IA-3(1)",
+      "family": "IA",
+      "nist_control_id": "IA-3(1)",
+      "title": "Device Identification and Authentication | Cryptographic Bidirectional Authentication",
+      "description": "Authenticate devices before establishing remote or network connections using bidirectional authentication that is cryptographically based.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Mutual TLS (mTLS) required for all inter-service communication on High systems. Device certificates must be managed via PKI.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IA-4",
+      "family": "IA",
+      "nist_control_id": "IA-4",
+      "title": "Identifier Management",
+      "description": "Manage system identifiers by receiving authorization from designated personnel to assign individual, group, role, service, or device identifiers. Select identifiers that identify individuals, groups, roles, services, or devices. Assign the identifiers to intended individuals, groups, roles, services, or devices. Prevent reuse of identifiers for a defined time period.",
+      "fedramp_parameters": {
+        "reuse_prevention_period": "at least 2 years for user identifiers"
+      },
+      "fedramp_additional_requirements": "Identifier lifecycle management must be automated. Orphaned identifiers must be detected and disabled within 30 days.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IA-5",
+      "family": "IA",
+      "nist_control_id": "IA-5",
+      "title": "Authenticator Management",
+      "description": "Manage system authenticators by verifying the identity of individuals, groups, roles, services, or devices receiving authenticators as part of initial authenticator distribution. Establish initial authenticator content, administrative procedures for lost or compromised authenticators, and provisions for changing or refreshing authenticators.",
+      "fedramp_parameters": {
+        "password_complexity": "minimum 12 characters with complexity requirements or minimum 15 characters without complexity",
+        "password_lifetime": "maximum 60 days",
+        "password_history": "last 24 passwords"
+      },
+      "fedramp_additional_requirements": "Passwords must be stored using FIPS-approved one-way hashing. Default passwords must be changed before production. Authenticator compromise procedures must be documented.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IA-5(1)",
+      "family": "IA",
+      "nist_control_id": "IA-5(1)",
+      "title": "Authenticator Management | Password-Based Authentication",
+      "description": "For password-based authentication, enforce minimum password complexity, store and transmit only cryptographically protected passwords, enforce password minimum and maximum lifetime restrictions, prohibit password reuse, and allow temporary password use for system logons with immediate change.",
+      "fedramp_parameters": {
+        "min_length": "12 characters minimum",
+        "max_lifetime": "60 days",
+        "min_lifetime": "1 day",
+        "history_count": "24 passwords"
+      },
+      "fedramp_additional_requirements": "Passwords must be checked against known compromised password lists. Account lockout after 3 failed attempts.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IA-5(2)",
+      "family": "IA",
+      "nist_control_id": "IA-5(2)",
+      "title": "Authenticator Management | PKI-Based Authentication",
+      "description": "For PKI-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor, enforce authorized access to the corresponding private key, and map the authenticated identity to the account of the individual or group.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "PKI certificates must be issued by DoD-approved CA or FedRAMP-approved CA. OCSP stapling or CRL checking required. Certificate pinning recommended for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IA-5(6)",
+      "family": "IA",
+      "nist_control_id": "IA-5(6)",
+      "title": "Authenticator Management | Protection of Authenticators",
+      "description": "Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Authenticators for High systems must be stored in hardware security modules (HSMs) or equivalent FIPS 140-2 Level 2+ validated modules.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IA-6",
+      "family": "IA",
+      "nist_control_id": "IA-6",
+      "title": "Authentication Feedback",
+      "description": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation or use by unauthorized individuals.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Authentication error messages must not reveal which element (username or password) was incorrect.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IA-7",
+      "family": "IA",
+      "nist_control_id": "IA-7",
+      "title": "Cryptographic Module Authentication",
+      "description": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.",
+      "fedramp_parameters": {
+        "fips_level": "FIPS 140-2 Level 1 minimum; Level 2 for High baseline sensitive operations"
+      },
+      "fedramp_additional_requirements": "All cryptographic modules must be FIPS 140-2 validated. CMVP validation certificate numbers must be documented in SSP.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IA-8",
+      "family": "IA",
+      "nist_control_id": "IA-8",
+      "title": "Identification and Authentication (Non-Organizational Users)",
+      "description": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Non-organizational users must be identified and authenticated with the same rigor as organizational users. Guest access prohibited on High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IA-8(1)",
+      "family": "IA",
+      "nist_control_id": "IA-8(1)",
+      "title": "Identification and Authentication | Acceptance of PIV Credentials from Other Agencies",
+      "description": "Accept and electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Cross-agency PIV/CAC acceptance must be supported. Federal PKI bridge trust required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IA-8(2)",
+      "family": "IA",
+      "nist_control_id": "IA-8(2)",
+      "title": "Identification and Authentication | Acceptance of External Authenticators",
+      "description": "Accept only external authenticators that are NIST-compliant and meet the assurance level requirements.",
+      "fedramp_parameters": {
+        "assurance_level": "AAL2 minimum for High baseline, AAL3 for privileged access"
+      },
+      "fedramp_additional_requirements": "External authenticators must meet NIST SP 800-63B assurance levels. Federation must use SAML 2.0 or OIDC with signed assertions.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IA-8(4)",
+      "family": "IA",
+      "nist_control_id": "IA-8(4)",
+      "title": "Identification and Authentication | Use of Defined Profiles",
+      "description": "Conform to organization-defined profiles for identity management.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Identity management must conform to FICAM profiles. SAML/OIDC implementations must follow NIST SP 800-63C federation guidelines.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IR-1",
+      "family": "IR",
+      "nist_control_id": "IR-1",
+      "title": "Incident Response Policy and Procedures",
+      "description": "Develop, document, and disseminate an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address FedRAMP incident reporting requirements including US-CERT notification timelines.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IR-2",
+      "family": "IR",
+      "nist_control_id": "IR-2",
+      "title": "Incident Response Training",
+      "description": "Provide incident response training to system users consistent with assigned roles and responsibilities.",
+      "fedramp_parameters": {
+        "initial_training": "within 10 days of assuming incident response role",
+        "refresher_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Training must include FedRAMP-specific incident reporting procedures and US-CERT notification requirements.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IR-2(1)",
+      "family": "IR",
+      "nist_control_id": "IR-2(1)",
+      "title": "Incident Response Training | Simulated Events",
+      "description": "Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Simulated incident exercises must be conducted at least annually. Scenarios must include data breach, ransomware, and insider threat.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IR-2(2)",
+      "family": "IR",
+      "nist_control_id": "IR-2(2)",
+      "title": "Incident Response Training | Automated Training Environments",
+      "description": "Provide an incident response training environment using automated mechanisms.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Automated training environment must simulate realistic attack scenarios and allow practice of containment and eradication procedures.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IR-3",
+      "family": "IR",
+      "nist_control_id": "IR-3",
+      "title": "Incident Response Testing",
+      "description": "Test the effectiveness of the incident response capability for the system at the FedRAMP-defined frequency using FedRAMP-defined tests.",
+      "fedramp_parameters": {
+        "test_frequency": "at least annually",
+        "test_types": "tabletop exercises and functional testing"
+      },
+      "fedramp_additional_requirements": "Test results must be documented and deficiencies tracked in POA&M.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IR-4",
+      "family": "IR",
+      "nist_control_id": "IR-4",
+      "title": "Incident Handling",
+      "description": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Incident handling must include automated detection and correlation. FedRAMP PMO and US-CERT must be notified within 1 hour of confirmed incident for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IR-4(1)",
+      "family": "IR",
+      "nist_control_id": "IR-4(1)",
+      "title": "Incident Handling | Automated Incident Handling Processes",
+      "description": "Employ automated mechanisms to support the incident handling process.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "SOAR or equivalent automated incident response platform required for High systems. Automated containment actions for known attack patterns.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IR-4(4)",
+      "family": "IR",
+      "nist_control_id": "IR-4(4)",
+      "title": "Incident Handling | Information Correlation",
+      "description": "Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Incident correlation must integrate with SIEM and threat intelligence feeds. Cross-tenant incident correlation required for CSP-level awareness.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IR-4(11)",
+      "family": "IR",
+      "nist_control_id": "IR-4(11)",
+      "title": "Incident Handling | Integrated Incident Response Team",
+      "description": "Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in an organization-defined time period.",
+      "fedramp_parameters": {
+        "deployment_time": "within 4 hours of incident escalation"
+      },
+      "fedramp_additional_requirements": "Incident response team must include security, operations, legal, and communications representatives. Team must be available 24/7 for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IR-5",
+      "family": "IR",
+      "nist_control_id": "IR-5",
+      "title": "Incident Monitoring",
+      "description": "Track and document incidents on an ongoing basis.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Incident tracking system must maintain chain of custody for evidence. All incident data must be retained for at least 3 years.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IR-6",
+      "family": "IR",
+      "nist_control_id": "IR-6",
+      "title": "Incident Reporting",
+      "description": "Require personnel to report suspected incidents to the organizational incident response capability within the FedRAMP-defined time period.",
+      "fedramp_parameters": {
+        "reporting_period": "within 1 hour of discovery for High baseline"
+      },
+      "fedramp_additional_requirements": "US-CERT must be notified within 1 hour of confirmed incident. FedRAMP PMO notification required per FedRAMP Incident Communications Procedures.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IR-6(1)",
+      "family": "IR",
+      "nist_control_id": "IR-6(1)",
+      "title": "Incident Reporting | Automated Reporting",
+      "description": "Employ automated mechanisms to assist in the reporting of incidents.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Automated incident notification to FedRAMP PMO and US-CERT required. Incident reports must include IOCs and TTPs when available.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IR-6(3)",
+      "family": "IR",
+      "nist_control_id": "IR-6(3)",
+      "title": "Incident Reporting | Supply Chain Coordination",
+      "description": "Provide incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Supply chain incident coordination procedures must be documented. Vendor notification required for incidents involving third-party components.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-IR-7",
+      "family": "IR",
+      "nist_control_id": "IR-7",
+      "title": "Incident Response Assistance",
+      "description": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "24/7 incident response support required for High systems. Contact information must be readily available to all system users.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-IR-8",
+      "family": "IR",
+      "nist_control_id": "IR-8",
+      "title": "Incident Response Plan",
+      "description": "Develop an incident response plan that provides the organization with a roadmap for implementing its incident response capability.",
+      "fedramp_parameters": {
+        "plan_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Plan must address FedRAMP-specific reporting requirements, US-CERT coordination, and customer notification procedures.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MA-1",
+      "family": "MA",
+      "nist_control_id": "MA-1",
+      "title": "System Maintenance Policy and Procedures",
+      "description": "Develop, document, and disseminate a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address cloud infrastructure maintenance windows, customer notification requirements, and patch management.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MA-2",
+      "family": "MA",
+      "nist_control_id": "MA-2",
+      "title": "Controlled Maintenance",
+      "description": "Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Maintenance activities must be approved and scheduled through change management. Emergency maintenance requires retrospective documentation within 24 hours.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MA-3",
+      "family": "MA",
+      "nist_control_id": "MA-3",
+      "title": "Maintenance Tools",
+      "description": "Approve, control, and monitor the use of system maintenance tools.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Maintenance tools must be inventoried and inspected before use. Remote maintenance tools must be authorized and logged.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MA-3(1)",
+      "family": "MA",
+      "nist_control_id": "MA-3(1)",
+      "title": "Maintenance Tools | Inspect Tools",
+      "description": "Inspect the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Tool inspection must be documented. Digital tools must be scanned for malware before connecting to production systems.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MA-3(2)",
+      "family": "MA",
+      "nist_control_id": "MA-3(2)",
+      "title": "Maintenance Tools | Inspect Media",
+      "description": "Check media containing diagnostic and test programs for malicious code before the media are used in the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All removable media must be scanned in a quarantine environment before use on production systems.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MA-4",
+      "family": "MA",
+      "nist_control_id": "MA-4",
+      "title": "Nonlocal Maintenance",
+      "description": "Approve and monitor nonlocal maintenance and diagnostic activities. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All nonlocal maintenance sessions must use MFA, encrypted channels, and session recording. Sessions must be terminated upon completion.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MA-5",
+      "family": "MA",
+      "nist_control_id": "MA-5",
+      "title": "Maintenance Personnel",
+      "description": "Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel. Verify that non-escorted personnel performing maintenance possess required access authorizations. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Maintenance personnel must have appropriate background checks and clearances for High systems. Foreign nationals performing maintenance require additional oversight.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MA-6",
+      "family": "MA",
+      "nist_control_id": "MA-6",
+      "title": "Timely Maintenance",
+      "description": "Obtain maintenance support and/or spare parts for system components within the FedRAMP-defined time period of failure.",
+      "fedramp_parameters": {
+        "maintenance_timeframe": "within 24 hours for critical components, 72 hours for non-critical"
+      },
+      "fedramp_additional_requirements": "Spare parts inventory or vendor SLAs must support defined maintenance timeframes. Hot-spare capability required for critical infrastructure.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MP-1",
+      "family": "MP",
+      "nist_control_id": "MP-1",
+      "title": "Media Protection Policy and Procedures",
+      "description": "Develop, document, and disseminate a media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address cloud storage media, virtual disk images, backup media, and CUI marking requirements for media.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MP-2",
+      "family": "MP",
+      "nist_control_id": "MP-2",
+      "title": "Media Access",
+      "description": "Restrict access to digital and non-digital media to authorized individuals using organization-defined controls.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Media containing CUI must be stored in controlled-access areas. Digital media access must be logged.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MP-3",
+      "family": "MP",
+      "nist_control_id": "MP-3",
+      "title": "Media Marking",
+      "description": "Mark system media indicating the distribution limitations, handling caveats, and applicable security markings of the information.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All media containing CUI must be marked with CUI banner and handling instructions. Digital media must include metadata markings.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MP-4",
+      "family": "MP",
+      "nist_control_id": "MP-4",
+      "title": "Media Storage",
+      "description": "Physically control and securely store digital and non-digital media within controlled areas using organization-defined controls.",
+      "fedramp_parameters": {
+        "controlled_areas": "locked rooms, safes, or containers with access limited to authorized personnel"
+      },
+      "fedramp_additional_requirements": "CUI media must be stored in GSA-approved security containers or equivalent. Encryption at rest required for all digital media.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MP-5",
+      "family": "MP",
+      "nist_control_id": "MP-5",
+      "title": "Media Transport",
+      "description": "Protect and control digital and non-digital media during transport outside of controlled areas using organization-defined controls.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "CUI media in transit must be encrypted and tracked. Chain of custody documentation required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MP-5(3)",
+      "family": "MP",
+      "nist_control_id": "MP-5(3)",
+      "title": "Media Transport | Custodians",
+      "description": "Employ an identified custodian during transport of system media outside of controlled areas.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Custodians must be cleared personnel. Media custody transfer must be documented with signatures.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-MP-5(4)",
+      "family": "MP",
+      "nist_control_id": "MP-5(4)",
+      "title": "Media Transport | Cryptographic Protection",
+      "description": "Implement cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.",
+      "fedramp_parameters": {
+        "encryption_standard": "FIPS 140-2 validated, AES-256 or equivalent"
+      },
+      "fedramp_additional_requirements": "Full-disk encryption required for all transportable digital media. Encryption keys must be managed separately from encrypted media.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-MP-6",
+      "family": "MP",
+      "nist_control_id": "MP-6",
+      "title": "Media Sanitization",
+      "description": "Sanitize system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures.",
+      "fedramp_parameters": {
+        "sanitization_standard": "NIST SP 800-88 Guidelines for Media Sanitization"
+      },
+      "fedramp_additional_requirements": "Sanitization must follow NIST SP 800-88 Rev 1. Certificates of sanitization required. CSP must document media sanitization procedures for cloud storage.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-MP-6(1)",
+      "family": "MP",
+      "nist_control_id": "MP-6(1)",
+      "title": "Media Sanitization | Review, Approve, Track, Document, and Verify",
+      "description": "Review, approve, track, document, and verify media sanitization and disposal actions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All sanitization actions must be tracked in audit trail. Third-party sanitization vendors must provide certificates of destruction.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-MP-6(2)",
+      "family": "MP",
+      "nist_control_id": "MP-6(2)",
+      "title": "Media Sanitization | Equipment Testing",
+      "description": "Test sanitization equipment and procedures at the FedRAMP-defined frequency to ensure correct performance.",
+      "fedramp_parameters": {
+        "test_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Sanitization verification testing must confirm complete data removal. Results must be documented.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-MP-6(3)",
+      "family": "MP",
+      "nist_control_id": "MP-6(3)",
+      "title": "Media Sanitization | Nondestructive Techniques",
+      "description": "Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All portable storage devices must be sanitized and scanned before connection to High systems. Automated kiosk scanning recommended.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-MP-7",
+      "family": "MP",
+      "nist_control_id": "MP-7",
+      "title": "Media Use",
+      "description": "Restrict the use of certain types of system media on systems or system components using organization-defined controls.",
+      "fedramp_parameters": {
+        "restricted_media": "removable media, personally-owned media, and unencrypted portable storage"
+      },
+      "fedramp_additional_requirements": "Use of removable media must be restricted and logged. USB mass storage must be disabled by default on High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-1",
+      "family": "PE",
+      "nist_control_id": "PE-1",
+      "title": "Physical and Environmental Protection Policy and Procedures",
+      "description": "Develop, document, and disseminate a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address data center physical security, visitor management, and environmental controls for cloud infrastructure.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-2",
+      "family": "PE",
+      "nist_control_id": "PE-2",
+      "title": "Physical Access Authorizations",
+      "description": "Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides. Issue authorization credentials for facility access. Review the access list detailing authorized facility access by individuals.",
+      "fedramp_parameters": {
+        "review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Physical access list must be reviewed annually. Removed personnel must have access revoked within 24 hours.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-2(1)",
+      "family": "PE",
+      "nist_control_id": "PE-2(1)",
+      "title": "Physical Access Authorizations | Access by Position or Role",
+      "description": "Authorize physical access to the facility where the system resides based on position or role.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Role-based physical access must follow least privilege. Data center access limited to operations personnel only.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-3",
+      "family": "PE",
+      "nist_control_id": "PE-3",
+      "title": "Physical Access Control",
+      "description": "Enforce physical access authorizations at entry and exit points to the facility where the system resides by verifying individual access authorizations before granting access. Control ingress and egress using physical access control systems/devices or guards.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Multi-factor physical access control required (badge + biometric or badge + PIN). Mantrap/sally port required for data center access.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-3(1)",
+      "family": "PE",
+      "nist_control_id": "PE-3(1)",
+      "title": "Physical Access Control | System Access",
+      "description": "Enforce physical access authorizations to the system in addition to the physical access controls for the facility.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Individual server rack or cage locking required. Access to individual system components must be controlled and logged.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-3(2)",
+      "family": "PE",
+      "nist_control_id": "PE-3(2)",
+      "title": "Physical Access Control | Facility and Systems",
+      "description": "Perform security checks at the physical boundary of the facility or system for unauthorized exfiltration of information or removal of system components.",
+      "fedramp_parameters": {
+        "check_frequency": "at random intervals, at least daily"
+      },
+      "fedramp_additional_requirements": "Checks must include inspection for unauthorized recording devices, removable media, and system components.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-3(3)",
+      "family": "PE",
+      "nist_control_id": "PE-3(3)",
+      "title": "Physical Access Control | Continuous Guards",
+      "description": "Employ guards to control physical access to the facility where the system resides.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "24/7 security guard presence required at data center facilities housing High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-4",
+      "family": "PE",
+      "nist_control_id": "PE-4",
+      "title": "Access Control for Transmission",
+      "description": "Control physical access to system distribution and transmission lines within organizational facilities using organization-defined security controls.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Network cabling must be in secured conduit or plenum. Fiber optic preferred for inter-building connections. Wiretap detection capability required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-5",
+      "family": "PE",
+      "nist_control_id": "PE-5",
+      "title": "Access Control for Output Devices",
+      "description": "Control physical access to output from output devices to prevent unauthorized individuals from obtaining the output.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Printers and displays in shared areas must require authentication for output. Screen privacy filters required in shared spaces.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-6",
+      "family": "PE",
+      "nist_control_id": "PE-6",
+      "title": "Monitoring Physical Access",
+      "description": "Monitor physical access to the facility where the system resides to detect and respond to physical security incidents.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "CCTV coverage required at all entry points, server rooms, and sensitive areas. Video retained for at least 90 days.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-6(1)",
+      "family": "PE",
+      "nist_control_id": "PE-6(1)",
+      "title": "Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment",
+      "description": "Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Intrusion detection systems with 24/7 monitoring center required. Alarm response within 15 minutes.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-6(4)",
+      "family": "PE",
+      "nist_control_id": "PE-6(4)",
+      "title": "Monitoring Physical Access | Monitoring Physical Access to Systems",
+      "description": "Monitor physical access to the system in addition to the physical access monitoring of the facility.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Individual rack/cage access must be monitored and logged with tamper detection.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-8",
+      "family": "PE",
+      "nist_control_id": "PE-8",
+      "title": "Visitor Access Records",
+      "description": "Maintain visitor access records to the facility where the system resides that include name, organization, badge number, date/time of access, escort, and purpose of visit. Review visitor access records.",
+      "fedramp_parameters": {
+        "record_retention": "at least 1 year",
+        "review_frequency": "at least monthly"
+      },
+      "fedramp_additional_requirements": "Visitor logs must be maintained electronically. Visitor badges must be visually distinct from employee badges.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-9",
+      "family": "PE",
+      "nist_control_id": "PE-9",
+      "title": "Power Equipment and Cabling",
+      "description": "Protect power equipment and power cabling for the system from damage and destruction.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Power distribution must be redundant (A+B feeds). UPS and generator backup required with automatic transfer switches.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-10",
+      "family": "PE",
+      "nist_control_id": "PE-10",
+      "title": "Emergency Shutoff",
+      "description": "Provide the capability of shutting off power to the system or individual system components in emergency situations. Place emergency shutoff switches or devices in a location to facilitate safe and easy access for personnel. Protect emergency power shutoff capability from unauthorized activation.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Emergency power off (EPO) buttons must be clearly marked, protected from accidental activation, and tested annually.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-11",
+      "family": "PE",
+      "nist_control_id": "PE-11",
+      "title": "Emergency Power",
+      "description": "Provide an uninterruptible power supply to facilitate an orderly shutdown of the system in the event of a primary power source loss.",
+      "fedramp_parameters": {
+        "ups_capacity": "sufficient to support orderly shutdown or sustained operations for at least 72 hours with generator backup"
+      },
+      "fedramp_additional_requirements": "UPS must support system operations during generator transfer. Diesel generator with minimum 72-hour fuel supply required for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-12",
+      "family": "PE",
+      "nist_control_id": "PE-12",
+      "title": "Emergency Lighting",
+      "description": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Emergency lighting must cover all data center areas, not just evacuation routes. Battery backup for minimum 90 minutes.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-13",
+      "family": "PE",
+      "nist_control_id": "PE-13",
+      "title": "Fire Protection",
+      "description": "Employ and maintain fire detection and suppression systems for the system that are supported by an independent energy source.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Data centers must have pre-action dry-pipe or clean agent fire suppression. VESDA (Very Early Smoke Detection Apparatus) or equivalent required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-13(1)",
+      "family": "PE",
+      "nist_control_id": "PE-13(1)",
+      "title": "Fire Protection | Detection Systems \u2014 Automatic Activation and Notification",
+      "description": "Employ fire detection systems that activate automatically and notify the organization and emergency responders in the event of a fire.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Fire detection must integrate with building management system and automatically notify local fire department.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-13(2)",
+      "family": "PE",
+      "nist_control_id": "PE-13(2)",
+      "title": "Fire Protection | Suppression Systems \u2014 Automatic Activation and Notification",
+      "description": "Employ fire suppression systems that activate automatically and notify the organization and emergency responders.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Clean agent suppression systems preferred to minimize equipment damage. Automatic notification to operations center required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-13(3)",
+      "family": "PE",
+      "nist_control_id": "PE-13(3)",
+      "title": "Fire Protection | Automatic Fire Suppression",
+      "description": "Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "For unmanned data center areas, automatic suppression is mandatory with remote monitoring.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-14",
+      "family": "PE",
+      "nist_control_id": "PE-14",
+      "title": "Environmental Controls",
+      "description": "Maintain temperature and humidity levels within the facility where the system resides at organization-defined acceptable levels. Monitor environmental conditions.",
+      "fedramp_parameters": {
+        "temperature_range": "64-75 degrees Fahrenheit (18-24 Celsius)",
+        "humidity_range": "40-60% relative humidity"
+      },
+      "fedramp_additional_requirements": "Environmental monitoring must include hot/cold aisle containment temperature, humidity, and water leak detection. Alerting on threshold violation required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-14(2)",
+      "family": "PE",
+      "nist_control_id": "PE-14(2)",
+      "title": "Environmental Controls | Monitoring with Alarms and Notifications",
+      "description": "Employ environmental monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Environmental alerts must be sent to 24/7 operations center. Automated HVAC failover required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-15",
+      "family": "PE",
+      "nist_control_id": "PE-15",
+      "title": "Water Damage Protection",
+      "description": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Water leak detection sensors required under raised floors and above ceiling tiles. Automatic shutoff valves recommended.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-15(1)",
+      "family": "PE",
+      "nist_control_id": "PE-15(1)",
+      "title": "Water Damage Protection | Automation Support",
+      "description": "Detect the presence of water near the system and alert personnel using automated mechanisms.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Automated water detection with integration to building management system and operations center alerting.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-16",
+      "family": "PE",
+      "nist_control_id": "PE-16",
+      "title": "Delivery and Removal",
+      "description": "Authorize and control the entry and exit of system components and maintain records of the items.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All equipment delivery and removal must be logged with asset tracking. Verification of authorization required before equipment leaves facility.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PE-17",
+      "family": "PE",
+      "nist_control_id": "PE-17",
+      "title": "Alternate Work Site",
+      "description": "Employ management, operational, and technical controls at alternate work sites equivalent to those at the primary site.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Alternate work sites accessing High systems must meet equivalent security controls. VDI or equivalent required for remote access to CUI.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PE-18",
+      "family": "PE",
+      "nist_control_id": "PE-18",
+      "title": "Location of System Components",
+      "description": "Position system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Critical systems must be located away from exterior walls, above ground floor, and away from loading docks. Electromagnetic shielding considerations required.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-PL-1",
+      "family": "PL",
+      "nist_control_id": "PL-1",
+      "title": "Planning Policy and Procedures",
+      "description": "Develop, document, and disseminate a planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PL-2",
+      "family": "PL",
+      "nist_control_id": "PL-2",
+      "title": "System Security and Privacy Plans",
+      "description": "Develop security and privacy plans for the system that are consistent with the organization's enterprise architecture, define the scope of the system, describe the operational context of the system in terms of mission and business processes, provide the security categorization of the system, and describe the current control implementation.",
+      "fedramp_parameters": {
+        "plan_review_frequency": "at least annually",
+        "plan_update_frequency": "at least annually or upon significant change"
+      },
+      "fedramp_additional_requirements": "SSP must be submitted to FedRAMP PMO and updated annually. SSP must follow FedRAMP SSP template. All sections required for High baseline.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PL-4",
+      "family": "PL",
+      "nist_control_id": "PL-4",
+      "title": "Rules of Behavior",
+      "description": "Establish and provide to individuals requiring access to the system the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Rules of behavior must include CUI handling requirements, acceptable use policy, and consequences for violations. Annual re-acknowledgment required.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PL-4(1)",
+      "family": "PL",
+      "nist_control_id": "PL-4(1)",
+      "title": "Rules of Behavior | Social Media and External Site/Application Usage Restrictions",
+      "description": "Include in the rules of behavior restrictions on the use of social media, social networking sites, and external sites/applications.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Social media usage restrictions must be clearly defined. Posting of CUI on social media platforms is prohibited.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PL-8",
+      "family": "PL",
+      "nist_control_id": "PL-8",
+      "title": "Security and Privacy Architectures",
+      "description": "Develop security and privacy architectures for the system that describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information, that are consistent with the organization's enterprise architecture, and that address requirements for segmentation, isolation, and defense-in-depth.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Architecture must document defense-in-depth strategy, network segmentation, data flow diagrams, and trust boundaries. Architecture review required annually.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PS-1",
+      "family": "PS",
+      "nist_control_id": "PS-1",
+      "title": "Personnel Security Policy and Procedures",
+      "description": "Develop, document, and disseminate a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address cloud-specific personnel security including CSP employee vetting, clearance requirements, and separation procedures.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PS-2",
+      "family": "PS",
+      "nist_control_id": "PS-2",
+      "title": "Position Risk Designation",
+      "description": "Assign a risk designation to all organizational positions. Establish screening criteria for individuals filling those positions. Review and update position risk designations.",
+      "fedramp_parameters": {
+        "review_frequency": "at least every 3 years"
+      },
+      "fedramp_additional_requirements": "All CSP personnel with access to High systems must be designated at least moderate risk. Privileged access positions must be designated high risk.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PS-3",
+      "family": "PS",
+      "nist_control_id": "PS-3",
+      "title": "Personnel Screening",
+      "description": "Screen individuals prior to authorizing access to the system. Rescreen individuals in accordance with organization-defined conditions and frequencies.",
+      "fedramp_parameters": {
+        "rescreening_frequency": "at least every 5 years or upon position change"
+      },
+      "fedramp_additional_requirements": "Background investigations must be completed before granting access to High systems. For DoD IL5+, Secret clearance or higher required for privileged access.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PS-4",
+      "family": "PS",
+      "nist_control_id": "PS-4",
+      "title": "Personnel Termination",
+      "description": "Upon termination of individual employment, disable system access within the organization-defined time period, terminate or revoke authenticators and credentials, conduct exit interviews, retrieve all security-related property, and retain access to organizational information formerly controlled by the terminated individual.",
+      "fedramp_parameters": {
+        "access_disable_period": "same day as termination, within 4 hours for High systems"
+      },
+      "fedramp_additional_requirements": "For involuntary terminations, access must be disabled immediately (within 1 hour). All access credentials must be revoked. Exit interview must include reminder of NDA obligations.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PS-5",
+      "family": "PS",
+      "nist_control_id": "PS-5",
+      "title": "Personnel Transfer",
+      "description": "Review and confirm ongoing operational need for current logical and physical access authorizations to the system and facility when individuals are reassigned or transferred to other positions within the organization.",
+      "fedramp_parameters": {
+        "review_period": "within 5 business days of transfer"
+      },
+      "fedramp_additional_requirements": "Access from previous role must be removed before granting new role access. No accumulation of privileges across role changes.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PS-6",
+      "family": "PS",
+      "nist_control_id": "PS-6",
+      "title": "Access Agreements",
+      "description": "Develop and document access agreements for organizational systems. Review and update the access agreements. Verify that individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access.",
+      "fedramp_parameters": {
+        "review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Access agreements must include NDA, acceptable use policy, and CUI handling acknowledgment. Agreements must be re-signed annually.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PS-7",
+      "family": "PS",
+      "nist_control_id": "PS-7",
+      "title": "External Personnel Security",
+      "description": "Establish personnel security requirements, including security roles and responsibilities, for external providers. Require external providers to comply with personnel security policies and procedures. Document personnel security requirements. Monitor provider compliance.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "External providers must meet same background investigation requirements as organizational personnel. Subcontractor security requirements must be flowed down.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PS-8",
+      "family": "PS",
+      "nist_control_id": "PS-8",
+      "title": "Personnel Sanctions",
+      "description": "Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Sanctions process must be documented and consistently applied. Security violations must be reported to ISSO and documented in audit trail.",
+      "priority": "P3",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-PS-9",
+      "family": "PS",
+      "nist_control_id": "PS-9",
+      "title": "Position Descriptions",
+      "description": "Incorporate security and privacy role responsibilities in organizational position descriptions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All positions with system access must have documented security responsibilities. ISSO, ISSM, and AO roles must be explicitly defined.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-RA-1",
+      "family": "RA",
+      "nist_control_id": "RA-1",
+      "title": "Risk Assessment Policy and Procedures",
+      "description": "Develop, document, and disseminate a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address cloud-specific risk assessment methodologies and continuous risk monitoring.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-RA-2",
+      "family": "RA",
+      "nist_control_id": "RA-2",
+      "title": "Security Categorization",
+      "description": "Categorize the system and information it processes, stores, and transmits. Document the security categorization results in the security plan for the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Security categorization must follow FIPS 199 and CNSSI 1253 for DoD systems. High-water mark principle applied.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-RA-3",
+      "family": "RA",
+      "nist_control_id": "RA-3",
+      "title": "Risk Assessment",
+      "description": "Conduct a risk assessment, including identifying threats to and vulnerabilities in the system, determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system and information, and determining the risk.",
+      "fedramp_parameters": {
+        "assessment_frequency": "at least annually",
+        "update_frequency": "at least annually or when significant changes occur"
+      },
+      "fedramp_additional_requirements": "Risk assessment must address cloud-specific threats including multi-tenant risks, supply chain risks, and data sovereignty concerns.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-RA-5",
+      "family": "RA",
+      "nist_control_id": "RA-5",
+      "title": "Vulnerability Monitoring and Scanning",
+      "description": "Monitor and scan for vulnerabilities in the system and hosted applications at the FedRAMP-defined frequency and when new vulnerabilities potentially affecting the system are identified and reported.",
+      "fedramp_parameters": {
+        "scan_frequency": "monthly for operating systems, monthly for web applications, monthly for databases",
+        "remediation_high": "within 30 days",
+        "remediation_moderate": "within 90 days"
+      },
+      "fedramp_additional_requirements": "Scanning must include OS, application, database, container, and infrastructure-as-code vulnerabilities. Results must be reported to FedRAMP PMO monthly.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-RA-5(2)",
+      "family": "RA",
+      "nist_control_id": "RA-5(2)",
+      "title": "Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned",
+      "description": "Update the system vulnerabilities to be scanned before conducting new scans or when new vulnerabilities are identified and reported.",
+      "fedramp_parameters": {
+        "update_frequency": "prior to each scan and within 24 hours of new vulnerability disclosure"
+      },
+      "fedramp_additional_requirements": "Vulnerability databases must be updated from NVD and vendor-specific advisories. Zero-day vulnerability scanning capability required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-RA-5(5)",
+      "family": "RA",
+      "nist_control_id": "RA-5(5)",
+      "title": "Vulnerability Monitoring and Scanning | Privileged Access",
+      "description": "Implement privileged access authorization to organization-defined system components for selected vulnerability scanning activities.",
+      "fedramp_parameters": {
+        "privileged_components": "all operating systems, databases, web applications, and network devices"
+      },
+      "fedramp_additional_requirements": "Credentialed/authenticated vulnerability scanning required for all system components. Non-credentialed scanning alone is insufficient for High baseline.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-RA-7",
+      "family": "RA",
+      "nist_control_id": "RA-7",
+      "title": "Risk Response",
+      "description": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Risk response decisions must be documented with AO concurrence. Accepted risks must be tracked in POA&M with compensating controls.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SA-1",
+      "family": "SA",
+      "nist_control_id": "SA-1",
+      "title": "System and Services Acquisition Policy and Procedures",
+      "description": "Develop, document, and disseminate a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address cloud service procurement, FedRAMP authorization requirements for third-party services, and supply chain risk management.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SA-2",
+      "family": "SA",
+      "nist_control_id": "SA-2",
+      "title": "Allocation of Resources",
+      "description": "Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning. Determine, document, and allocate the resources required to protect the system as part of the organizational capital planning and investment control process.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Security resource allocation must include continuous monitoring, annual assessment, and incident response costs.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SA-3",
+      "family": "SA",
+      "nist_control_id": "SA-3",
+      "title": "System Development Life Cycle",
+      "description": "Acquire, develop, and manage the system using an organization-defined system development life cycle that incorporates information security and privacy considerations.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "SDLC must include security requirements analysis, secure coding practices, security testing, and compliance verification at each phase.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SA-4",
+      "family": "SA",
+      "nist_control_id": "SA-4",
+      "title": "Acquisition Process",
+      "description": "Include security and privacy functional requirements, strength of mechanism requirements, security and privacy assurance requirements, controls needed to satisfy security and privacy requirements, and security and privacy documentation requirements in the acquisition contract.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Acquisition contracts must require FedRAMP authorization for cloud services. Supply chain risk management requirements must be included.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SA-4(1)",
+      "family": "SA",
+      "nist_control_id": "SA-4(1)",
+      "title": "Acquisition Process | Functional Properties of Controls",
+      "description": "Require the developer of the system, system component, or system service to provide a description of the functional properties of the security and privacy controls to be employed.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Functional properties documentation must be sufficient for independent verification of control effectiveness.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-4(2)",
+      "family": "SA",
+      "nist_control_id": "SA-4(2)",
+      "title": "Acquisition Process | Design and Implementation Information for Controls",
+      "description": "Require the developer of the system, system component, or system service to provide design and implementation information for the security and privacy controls.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Design documentation must include security architecture, threat model, and control implementation details sufficient for assessment.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-4(9)",
+      "family": "SA",
+      "nist_control_id": "SA-4(9)",
+      "title": "Acquisition Process | Functions, Ports, Protocols, and Services in Use",
+      "description": "Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Complete inventory of ports, protocols, and services must be provided and documented in SSP. Only documented PPS are authorized.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-4(10)",
+      "family": "SA",
+      "nist_control_id": "SA-4(10)",
+      "title": "Acquisition Process | Use of Approved PIV Products",
+      "description": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "PIV/CAC products must be on GSA APL. FIPS 201 compliance required for all identity verification products.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-5",
+      "family": "SA",
+      "nist_control_id": "SA-5",
+      "title": "System Documentation",
+      "description": "Obtain or develop administrator documentation and user documentation for the system, system component, or system service that describes secure configuration, installation, and operation of the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Documentation must include security configuration guides, hardening procedures, and incident response procedures specific to the system.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SA-8",
+      "family": "SA",
+      "nist_control_id": "SA-8",
+      "title": "Security and Privacy Engineering Principles",
+      "description": "Apply systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Security engineering principles must include defense-in-depth, least privilege, fail-secure, separation of duties, and minimal attack surface.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-9",
+      "family": "SA",
+      "nist_control_id": "SA-9",
+      "title": "External System Services",
+      "description": "Require that providers of external system services comply with organizational security and privacy requirements and employ controls in accordance with applicable laws, policies, directives, regulations, and standards.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "External services must be FedRAMP authorized at equal or higher impact level. Service-level agreements must include security requirements.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SA-9(2)",
+      "family": "SA",
+      "nist_control_id": "SA-9(2)",
+      "title": "External System Services | Identification of Functions, Ports, Protocols, and Services",
+      "description": "Require providers of external system services to identify the functions, ports, protocols, and other services required for the use of such services.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "External service PPS documentation must be maintained current and reflected in system network diagrams and firewall rules.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-10",
+      "family": "SA",
+      "nist_control_id": "SA-10",
+      "title": "Developer Configuration Management",
+      "description": "Require the developer of the system, system component, or system service to perform configuration management during system, component, or service design, development, implementation, and operation.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Developer must use version control, track security-relevant changes, and maintain configuration baselines. Code signing required for releases.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-11",
+      "family": "SA",
+      "nist_control_id": "SA-11",
+      "title": "Developer Testing and Evaluation",
+      "description": "Require the developer of the system, system component, or system service to create and implement a security and privacy assessment plan. Perform unit, integration, system, and regression testing/evaluation. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Developer must provide security test results including SAST, DAST, and SCA findings. Test evidence must be available for 3PAO review.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SA-11(1)",
+      "family": "SA",
+      "nist_control_id": "SA-11(1)",
+      "title": "Developer Testing and Evaluation | Static Code Analysis",
+      "description": "Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "SAST must be integrated into CI/CD pipeline. All critical and high findings must be remediated before release.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-11(2)",
+      "family": "SA",
+      "nist_control_id": "SA-11(2)",
+      "title": "Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses",
+      "description": "Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development that uses the attack surface, threat modeling methodology, and analysis of all custom code.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Threat modeling must follow STRIDE or equivalent methodology. Results must inform security test plans and control selection.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-11(8)",
+      "family": "SA",
+      "nist_control_id": "SA-11(8)",
+      "title": "Developer Testing and Evaluation | Dynamic Code Analysis",
+      "description": "Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "DAST must be performed on deployed applications. OWASP Top 10 coverage required. Automated DAST in CI/CD pipeline recommended.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-15",
+      "family": "SA",
+      "nist_control_id": "SA-15",
+      "title": "Development Process, Standards, and Tools",
+      "description": "Require the developer of the system, system component, or system service to follow a documented development process that explicitly addresses security and privacy requirements, identifies the standards and tools used in the development process, and documents the specific tool options and tool configurations used.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Development standards must include secure coding guidelines (OWASP, CERT). Tool chain must include SAST, DAST, SCA, and secrets detection.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SA-15(1)",
+      "family": "SA",
+      "nist_control_id": "SA-15(1)",
+      "title": "Development Process, Standards, and Tools | Quality Metrics",
+      "description": "Require the developer of the system, system component, or system service to measure and document the quality of the development artifacts (e.g., code quality, test coverage, defect density).",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Quality metrics must include code coverage (minimum 80%), defect density, and security finding density.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-17",
+      "family": "SA",
+      "nist_control_id": "SA-17",
+      "title": "Developer Security and Privacy Architecture and Design",
+      "description": "Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that is consistent with the organization's security and privacy architecture.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Architecture must document trust boundaries, data flow controls, and security mechanism placement. Architecture review by ISSO required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SA-22",
+      "family": "SA",
+      "nist_control_id": "SA-22",
+      "title": "Unsupported System Components",
+      "description": "Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer. Provide options for alternative sources for continued support for unsupported components.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Unsupported/end-of-life components must have documented migration plans. Compensating controls required for any unsupported components remaining in production.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-1",
+      "family": "SC",
+      "nist_control_id": "SC-1",
+      "title": "System and Communications Protection Policy and Procedures",
+      "description": "Develop, document, and disseminate a system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address cloud network security, encryption requirements, and multi-tenant communications isolation.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-2",
+      "family": "SC",
+      "nist_control_id": "SC-2",
+      "title": "Separation of System and User Functionality",
+      "description": "Separate user functionality, including user interface services, from system management functionality.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Management interfaces must be on separate network segments from user-facing services. Administrative APIs must not be publicly accessible.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-3",
+      "family": "SC",
+      "nist_control_id": "SC-3",
+      "title": "Security Function Isolation",
+      "description": "Isolate security functions from nonsecurity functions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Security services (authentication, authorization, audit, encryption) must run in isolated processes or containers with hardened configurations. Privilege separation enforced.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-4",
+      "family": "SC",
+      "nist_control_id": "SC-4",
+      "title": "Information in Shared System Resources",
+      "description": "Prevent unauthorized and unintended information transfer via shared system resources.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Object reuse protection required. Shared memory, disk space, and CPU cache must be cleared between tenant workloads. No information leakage between tenants.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-5",
+      "family": "SC",
+      "nist_control_id": "SC-5",
+      "title": "Denial-of-Service Protection",
+      "description": "Protect against or limit the effects of denial-of-service attacks by employing organization-defined controls.",
+      "fedramp_parameters": {
+        "dos_protections": "rate limiting, traffic filtering, automated scaling, and DDoS mitigation services"
+      },
+      "fedramp_additional_requirements": "DDoS mitigation service required (e.g., AWS Shield Advanced for GovCloud). Rate limiting on all API endpoints. Auto-scaling to absorb traffic spikes.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-5(3)",
+      "family": "SC",
+      "nist_control_id": "SC-5(3)",
+      "title": "Denial-of-Service Protection | Detection and Monitoring",
+      "description": "Employ monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system and take organization-defined actions.",
+      "fedramp_parameters": {
+        "monitoring_actions": "alert security operations, activate DDoS mitigation, and log the event"
+      },
+      "fedramp_additional_requirements": "Real-time DDoS detection and automated mitigation activation required. Monitoring must cover network, application, and DNS layers.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-7",
+      "family": "SC",
+      "nist_control_id": "SC-7",
+      "title": "Boundary Protection",
+      "description": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal organizational networks.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All external boundary interfaces must be protected by firewalls, IDS/IPS, and WAF. DMZ required for public-facing components. Defense-in-depth at all boundary layers.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-7(3)",
+      "family": "SC",
+      "nist_control_id": "SC-7(3)",
+      "title": "Boundary Protection | Access Points",
+      "description": "Limit the number of external network connections to the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Minimize external access points. All access points must be documented in SSP with justification. Unused access points must be disabled.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-7(4)",
+      "family": "SC",
+      "nist_control_id": "SC-7(4)",
+      "title": "Boundary Protection | External Telecommunications Services",
+      "description": "Implement a managed interface for each external telecommunication service. Establish a traffic flow policy for each managed interface.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Each external connection must have documented traffic flow policies. Stateful inspection firewalls required at all external interfaces.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-7(5)",
+      "family": "SC",
+      "nist_control_id": "SC-7(5)",
+      "title": "Boundary Protection | Deny by Default \u2014 Allow by Exception",
+      "description": "Deny network communications traffic by default and allow network communications traffic by exception at managed interfaces.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Default deny firewall rules required on all network boundaries. Security group and NACL rules must follow deny-all, permit-by-exception.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-7(7)",
+      "family": "SC",
+      "nist_control_id": "SC-7(7)",
+      "title": "Boundary Protection | Split Tunneling for Remote Devices",
+      "description": "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Split tunneling prohibited for connections to High systems unless explicitly approved with compensating controls. Full tunnel VPN required by default.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-7(8)",
+      "family": "SC",
+      "nist_control_id": "SC-7(8)",
+      "title": "Boundary Protection | Route Traffic to Authenticated Proxy Servers",
+      "description": "Route internal communications traffic to external networks through authenticated proxy servers at managed interfaces.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All outbound traffic must traverse an authenticated proxy or next-generation firewall. Direct internet access from production systems prohibited.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-7(18)",
+      "family": "SC",
+      "nist_control_id": "SC-7(18)",
+      "title": "Boundary Protection | Fail Secure",
+      "description": "Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Boundary protection devices must fail closed (deny all traffic) on failure. Automatic failover to redundant boundary devices required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-7(21)",
+      "family": "SC",
+      "nist_control_id": "SC-7(21)",
+      "title": "Boundary Protection | Isolation of System Components",
+      "description": "Employ boundary protection mechanisms to isolate organization-defined system components supporting organization-defined missions and/or business functions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Micro-segmentation required for High systems. Each application tier must be in separate network segments with controlled inter-segment communication.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-8",
+      "family": "SC",
+      "nist_control_id": "SC-8",
+      "title": "Transmission Confidentiality and Integrity",
+      "description": "Protect the confidentiality and integrity of transmitted information.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All data in transit must be encrypted using FIPS-validated cryptography. TLS 1.2 minimum, TLS 1.3 preferred.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-8(1)",
+      "family": "SC",
+      "nist_control_id": "SC-8(1)",
+      "title": "Transmission Confidentiality and Integrity | Cryptographic Protection",
+      "description": "Implement cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission.",
+      "fedramp_parameters": {
+        "cryptographic_standard": "FIPS 140-2 validated modules, TLS 1.2 minimum with FIPS-approved cipher suites"
+      },
+      "fedramp_additional_requirements": "FIPS 140-2 validated cryptographic modules required. Perfect forward secrecy (PFS) cipher suites required. Certificate validation mandatory.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-10",
+      "family": "SC",
+      "nist_control_id": "SC-10",
+      "title": "Network Disconnect",
+      "description": "Terminate the network connection associated with a communications session at the end of the session or after the FedRAMP-defined time period of inactivity.",
+      "fedramp_parameters": {
+        "inactivity_timeout": "30 minutes for non-privileged, 15 minutes for privileged network sessions"
+      },
+      "fedramp_additional_requirements": "TCP keepalive must be configured appropriately. Idle connections must be terminated and resources released.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-12",
+      "family": "SC",
+      "nist_control_id": "SC-12",
+      "title": "Cryptographic Key Establishment and Management",
+      "description": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Key management must follow NIST SP 800-57. Keys must be stored in HSMs or AWS KMS (FIPS 140-2 Level 2+). Key rotation required at least annually.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-12(1)",
+      "family": "SC",
+      "nist_control_id": "SC-12(1)",
+      "title": "Cryptographic Key Establishment and Management | Availability",
+      "description": "Maintain availability of information in the event of the loss of cryptographic keys by users.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Key escrow or key recovery mechanisms required. Backup encryption keys must be stored securely in a separate location.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-13",
+      "family": "SC",
+      "nist_control_id": "SC-13",
+      "title": "Cryptographic Protection",
+      "description": "Determine the cryptographic uses and type of cryptography required for each use in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Implement the following types of cryptography required for each specified cryptographic use.",
+      "fedramp_parameters": {
+        "cryptographic_types": "FIPS-approved algorithms: AES-256 for symmetric, RSA-2048/ECDSA-256 minimum for asymmetric, SHA-256 minimum for hashing"
+      },
+      "fedramp_additional_requirements": "All cryptography must use FIPS 140-2 validated modules. CMVP certificate numbers must be documented. Non-FIPS algorithms prohibited for data protection.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-15",
+      "family": "SC",
+      "nist_control_id": "SC-15",
+      "title": "Collaborative Computing Devices and Applications",
+      "description": "Prohibit remote activation of collaborative computing devices and applications with exceptions for defined situations. Provide an explicit indication of use to users physically present at the devices.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Video/audio conferencing devices in sensitive areas must have physical disconnect capability. Remote activation of cameras/microphones prohibited.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-17",
+      "family": "SC",
+      "nist_control_id": "SC-17",
+      "title": "Public Key Infrastructure Certificates",
+      "description": "Issue public key certificates under an organization-defined certificate policy or obtain public key certificates from an approved service provider. Include only approved trust anchors in trust stores or certificate stores managed by the organization.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Certificates must be issued by DoD-approved or FedRAMP-approved CA. Certificate transparency logging required. Certificate lifecycle management automated.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-18",
+      "family": "SC",
+      "nist_control_id": "SC-18",
+      "title": "Mobile Code",
+      "description": "Define acceptable and unacceptable mobile code and mobile code technologies. Establish usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies. Authorize, monitor, and control the use of mobile code within the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "JavaScript, ActiveX, and other mobile code technologies must be controlled. Content Security Policy (CSP) headers required for web applications.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-20",
+      "family": "SC",
+      "nist_control_id": "SC-20",
+      "title": "Secure Name/Address Resolution Service (Authoritative Source)",
+      "description": "Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "DNSSEC required for authoritative DNS zones. DNS responses must be signed and verifiable.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-21",
+      "family": "SC",
+      "nist_control_id": "SC-21",
+      "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)",
+      "description": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Recursive resolvers must validate DNSSEC signatures. DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) recommended for internal resolution.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-22",
+      "family": "SC",
+      "nist_control_id": "SC-22",
+      "title": "Architecture and Provisioning for Name/Address Resolution Service",
+      "description": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "DNS must be redundant across availability zones. Internal and external DNS must be separated. DNS query logging required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-23",
+      "family": "SC",
+      "nist_control_id": "SC-23",
+      "title": "Session Authenticity",
+      "description": "Protect the authenticity of communications sessions.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Session tokens must be cryptographically random, transmitted over TLS, and validated server-side. Anti-CSRF tokens required for web applications.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-24",
+      "family": "SC",
+      "nist_control_id": "SC-24",
+      "title": "Fail in Known State",
+      "description": "Fail to an organization-defined known state for the organization-defined types of system failures. Preserve system state information in failure.",
+      "fedramp_parameters": {
+        "known_state": "fail secure \u2014 deny access and halt processing rather than allow unauthorized access"
+      },
+      "fedramp_additional_requirements": "Systems must fail closed (deny all access) rather than fail open. State information must be preserved for forensic analysis.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SC-28",
+      "family": "SC",
+      "nist_control_id": "SC-28",
+      "title": "Protection of Information at Rest",
+      "description": "Protect the confidentiality and integrity of information at rest.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All data at rest must be encrypted with FIPS-validated cryptography. Encryption must cover databases, file systems, backups, and object storage.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-28(1)",
+      "family": "SC",
+      "nist_control_id": "SC-28(1)",
+      "title": "Protection of Information at Rest | Cryptographic Protection",
+      "description": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of information at rest on organization-defined system components or media.",
+      "fedramp_parameters": {
+        "encryption_standard": "AES-256 with FIPS 140-2 validated modules, customer-managed keys preferred"
+      },
+      "fedramp_additional_requirements": "Customer-managed encryption keys (CMEK) required for High baseline. Key management through AWS KMS or equivalent FIPS 140-2 Level 2+ HSM-backed service.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SC-38",
+      "family": "SC",
+      "nist_control_id": "SC-38",
+      "title": "Operations Security",
+      "description": "Employ operations security controls to protect key organizational information throughout the system development life cycle.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "OPSEC measures must prevent disclosure of system architecture, security mechanisms, and vulnerability information. Information classification and handling procedures required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-1",
+      "family": "SI",
+      "nist_control_id": "SI-1",
+      "title": "System and Information Integrity Policy and Procedures",
+      "description": "Develop, document, and disseminate a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address cloud-specific integrity protections including container image integrity, infrastructure-as-code validation, and supply chain integrity.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SI-2",
+      "family": "SI",
+      "nist_control_id": "SI-2",
+      "title": "Flaw Remediation",
+      "description": "Identify, report, and correct system flaws. Install security-relevant software and firmware updates within the FedRAMP-defined time period of the release of the updates.",
+      "fedramp_parameters": {
+        "critical_patch_timeline": "within 30 days for critical, 90 days for high, 180 days for moderate",
+        "zero_day_timeline": "within 48 hours for actively exploited vulnerabilities"
+      },
+      "fedramp_additional_requirements": "Flaw remediation must include scanning verification post-patch. Emergency patching procedures must be documented for zero-day vulnerabilities.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SI-2(2)",
+      "family": "SI",
+      "nist_control_id": "SI-2(2)",
+      "title": "Flaw Remediation | Automated Flaw Remediation Status",
+      "description": "Determine the state of system components with regard to flaw remediation using automated mechanisms at the FedRAMP-defined frequency.",
+      "fedramp_parameters": {
+        "status_frequency": "at least monthly or continuously via automated patch management"
+      },
+      "fedramp_additional_requirements": "Automated patch compliance reporting required. Systems out of compliance must be flagged and tracked. Dashboard visibility for patch status.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-3",
+      "family": "SI",
+      "nist_control_id": "SI-3",
+      "title": "Malicious Code Protection",
+      "description": "Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code. Update malicious code protection mechanisms as new releases are available.",
+      "fedramp_parameters": {
+        "signature_update_frequency": "at least daily or as signatures become available"
+      },
+      "fedramp_additional_requirements": "Anti-malware must cover endpoints, servers, email gateways, and web proxies. Behavioral analysis in addition to signature-based detection required for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SI-3(2)",
+      "family": "SI",
+      "nist_control_id": "SI-3(2)",
+      "title": "Malicious Code Protection | Automatic Updates",
+      "description": "Automatically update malicious code protection mechanisms.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Signature and engine updates must be automated. Failed updates must generate alerts to security operations.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-4",
+      "family": "SI",
+      "nist_control_id": "SI-4",
+      "title": "System Monitoring",
+      "description": "Monitor the system to detect attacks and indicators of potential attacks, unauthorized local, network, and remote connections, and identify unauthorized use of the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Continuous monitoring must include IDS/IPS, SIEM, file integrity monitoring, and network flow analysis. Monitoring coverage must include all system components.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SI-4(2)",
+      "family": "SI",
+      "nist_control_id": "SI-4(2)",
+      "title": "System Monitoring | Automated Tools and Mechanisms for Real-Time Analysis",
+      "description": "Employ automated tools and mechanisms to support near real-time analysis of events.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "SIEM with real-time correlation and alerting required. Mean time to detect (MTTD) target: less than 15 minutes for critical events.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-4(4)",
+      "family": "SI",
+      "nist_control_id": "SI-4(4)",
+      "title": "System Monitoring | Inbound and Outbound Communications Traffic",
+      "description": "Monitor inbound and outbound communications traffic at the external managed interfaces to the system and at selected interior points within the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Full packet capture capability required at external boundaries. NetFlow/VPC Flow Logs required for internal traffic monitoring.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-4(5)",
+      "family": "SI",
+      "nist_control_id": "SI-4(5)",
+      "title": "System Monitoring | System-Generated Alerts",
+      "description": "Alert organization-defined personnel or roles when organization-defined indicators of compromise or potential compromise occur.",
+      "fedramp_parameters": {
+        "alert_recipients": "SOC analysts, ISSOs, and system administrators",
+        "alert_timeline": "within 5 minutes of detection"
+      },
+      "fedramp_additional_requirements": "Automated alerting for IOCs must be integrated with threat intelligence feeds. Alert fatigue reduction through tuned detection rules required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-4(12)",
+      "family": "SI",
+      "nist_control_id": "SI-4(12)",
+      "title": "System Monitoring | Automated Organization-Generated Alerts",
+      "description": "Employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security or privacy implications.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "UEBA (User and Entity Behavior Analytics) required for High systems. Automated detection of anomalous access patterns and data exfiltration attempts.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-4(14)",
+      "family": "SI",
+      "nist_control_id": "SI-4(14)",
+      "title": "System Monitoring | Wireless Intrusion Detection",
+      "description": "Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "WIDS required at all facilities housing High system components. Rogue AP detection with automated alerting.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-4(20)",
+      "family": "SI",
+      "nist_control_id": "SI-4(20)",
+      "title": "System Monitoring | Privileged Users",
+      "description": "Implement additional monitoring of privileged users.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All privileged user sessions must be monitored and recorded. Anomalous privileged user behavior must generate immediate alerts.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-4(22)",
+      "family": "SI",
+      "nist_control_id": "SI-4(22)",
+      "title": "System Monitoring | Unauthorized Network Services",
+      "description": "Detect network services that have not been authorized or approved by the organization and audit or alert organization-defined personnel.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Automated detection of unauthorized services, ports, and protocols. Network scanning for rogue services at least weekly.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-5",
+      "family": "SI",
+      "nist_control_id": "SI-5",
+      "title": "Security Alerts, Advisories, and Directives",
+      "description": "Receive system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis. Generate internal security alerts, advisories, and directives. Disseminate security alerts, advisories, and directives to designated personnel.",
+      "fedramp_parameters": {
+        "external_sources": "US-CERT, CISA, NVD, vendor security advisories, and FedRAMP PMO"
+      },
+      "fedramp_additional_requirements": "BODs (Binding Operational Directives) from CISA must be implemented within specified timelines. FedRAMP-specific advisories must be tracked.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SI-6",
+      "family": "SI",
+      "nist_control_id": "SI-6",
+      "title": "Security and Privacy Function Verification",
+      "description": "Verify the correct operation of organization-defined security and privacy functions. Perform the verification at the FedRAMP-defined frequency. Alert organization-defined personnel to failed verification tests.",
+      "fedramp_parameters": {
+        "verification_frequency": "upon system startup, restart, and at least monthly",
+        "verification_functions": "authentication, access control, audit logging, encryption, and boundary protection"
+      },
+      "fedramp_additional_requirements": "Automated security function verification required. Failed security functions must trigger immediate alerts and incident response procedures.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-7",
+      "family": "SI",
+      "nist_control_id": "SI-7",
+      "title": "Software, Firmware, and Information Integrity",
+      "description": "Employ integrity verification tools to detect unauthorized changes to software, firmware, and information.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "File integrity monitoring (FIM) required on all system components. Baseline integrity must be established and changes monitored in real-time.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SI-7(1)",
+      "family": "SI",
+      "nist_control_id": "SI-7(1)",
+      "title": "Software, Firmware, and Information Integrity | Integrity Checks",
+      "description": "Perform an integrity check of software, firmware, and information at the FedRAMP-defined frequency.",
+      "fedramp_parameters": {
+        "integrity_check_frequency": "at startup, at least daily, and upon detection of potential compromise"
+      },
+      "fedramp_additional_requirements": "Cryptographic hash verification required. Integrity check failures must trigger automated alerts and investigation.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-7(2)",
+      "family": "SI",
+      "nist_control_id": "SI-7(2)",
+      "title": "Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations",
+      "description": "Employ automated tools that provide notification to organization-defined personnel upon discovering discrepancies during integrity verification.",
+      "fedramp_parameters": {
+        "notification_recipients": "ISSOs, system administrators, and SOC within 15 minutes"
+      },
+      "fedramp_additional_requirements": "Automated notification must include details of the integrity violation including affected component, nature of change, and timestamp.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-7(5)",
+      "family": "SI",
+      "nist_control_id": "SI-7(5)",
+      "title": "Software, Firmware, and Information Integrity | Automated Response to Integrity Violations",
+      "description": "Automatically shut down the system, restart the system, or implement organization-defined controls when integrity violations are discovered.",
+      "fedramp_parameters": {
+        "response_actions": "isolate affected component, alert SOC, and initiate incident response"
+      },
+      "fedramp_additional_requirements": "Automated containment of compromised components required. Affected containers or VMs must be isolated and replaced from known-good images.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-7(7)",
+      "family": "SI",
+      "nist_control_id": "SI-7(7)",
+      "title": "Software, Firmware, and Information Integrity | Integration of Detection and Response",
+      "description": "Incorporate the detection of unauthorized changes to software, firmware, and information into the organizational incident response capability.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "FIM alerts must be integrated with SIEM and incident response workflow. Integrity violations must be classified as security incidents.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-7(14)",
+      "family": "SI",
+      "nist_control_id": "SI-7(14)",
+      "title": "Software, Firmware, and Information Integrity | Binary or Machine Executable Code",
+      "description": "Prohibit the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All binary code must come from trusted, verified sources. Code signing verification required before deployment. Third-party binaries require security review.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-7(15)",
+      "family": "SI",
+      "nist_control_id": "SI-7(15)",
+      "title": "Software, Firmware, and Information Integrity | Code Authentication",
+      "description": "Implement cryptographic mechanisms to authenticate software or firmware components prior to installation.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Code signing required for all deployable artifacts. Container image signing and verification required. Package signature verification mandatory.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-8",
+      "family": "SI",
+      "nist_control_id": "SI-8",
+      "title": "Spam Protection",
+      "description": "Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Email filtering must include spam, phishing, and malware detection. Inbound and outbound email scanning required.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SI-10",
+      "family": "SI",
+      "nist_control_id": "SI-10",
+      "title": "Information Input Validation",
+      "description": "Check the validity of information inputs to the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "All user inputs must be validated, sanitized, and encoded. OWASP input validation guidelines must be followed. Parameterized queries required for database access.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SI-10(1)",
+      "family": "SI",
+      "nist_control_id": "SI-10(1)",
+      "title": "Information Input Validation | Manual Override Capability",
+      "description": "Provide a manual override capability for input validation of organization-defined inputs. Restrict the use of the manual override capability to only organization-defined authorized individuals. Audit the use of the manual override capability.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Manual override of input validation must require ISSO approval and be logged in audit trail. Override usage must be reviewed quarterly.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-10(3)",
+      "family": "SI",
+      "nist_control_id": "SI-10(3)",
+      "title": "Information Input Validation | Predictable Behavior",
+      "description": "Verify that the system behaves in a predictable and documented manner when invalid inputs are received.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Error handling must not reveal system internals. Custom error pages required. Graceful degradation on invalid input mandatory.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SI-11",
+      "family": "SI",
+      "nist_control_id": "SI-11",
+      "title": "Error Handling",
+      "description": "Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited. Reveal error messages only to designated personnel.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Detailed error messages must only appear in server-side logs, not in user-facing responses. Stack traces prohibited in production. Custom error pages required.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SI-12",
+      "family": "SI",
+      "nist_control_id": "SI-12",
+      "title": "Information Management and Retention",
+      "description": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Data retention policies must comply with NARA requirements. CUI must be handled and retained per 32 CFR Part 2002.",
+      "priority": "P2",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SI-16",
+      "family": "SI",
+      "nist_control_id": "SI-16",
+      "title": "Memory Protection",
+      "description": "Implement organization-defined controls to protect the system memory from unauthorized code execution.",
+      "fedramp_parameters": {
+        "memory_protections": "DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), stack canaries, and control flow integrity"
+      },
+      "fedramp_additional_requirements": "All system components must enable hardware and software memory protections. Container runtime must enforce memory isolation between containers.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": false
+    },
+    {
+      "id": "FRM-H-SR-1",
+      "family": "SR",
+      "nist_control_id": "SR-1",
+      "title": "Supply Chain Risk Management Policy and Procedures",
+      "description": "Develop, document, and disseminate a supply chain risk management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.",
+      "fedramp_parameters": {
+        "policy_review_frequency": "at least every 3 years",
+        "procedure_review_frequency": "at least annually"
+      },
+      "fedramp_additional_requirements": "Policy must address cloud supply chain risks, third-party service dependencies, and open source component governance.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SR-2",
+      "family": "SR",
+      "nist_control_id": "SR-2",
+      "title": "Supply Chain Risk Management Plan",
+      "description": "Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems, system components, or system services.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "SCRM plan must identify critical supply chain elements, assess risks, and define mitigation strategies. Plan must be reviewed annually.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SR-3",
+      "family": "SR",
+      "nist_control_id": "SR-3",
+      "title": "Supply Chain Controls and Processes",
+      "description": "Establish and apply a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Vendor security assessments required for critical suppliers. Software composition analysis (SCA) required for all third-party components.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SR-5",
+      "family": "SR",
+      "nist_control_id": "SR-5",
+      "title": "Acquisition Strategies, Tools, and Methods",
+      "description": "Employ acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Acquisition contracts must include SCRM requirements. Vendor supply chain attestations required for critical components.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SR-6",
+      "family": "SR",
+      "nist_control_id": "SR-6",
+      "title": "Supplier Assessments and Reviews",
+      "description": "Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide.",
+      "fedramp_parameters": {
+        "assessment_frequency": "at least annually for critical suppliers"
+      },
+      "fedramp_additional_requirements": "Critical supplier assessments must include security posture review, incident history, and business continuity capabilities.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SR-8",
+      "family": "SR",
+      "nist_control_id": "SR-8",
+      "title": "Notification Agreements",
+      "description": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the notification of supply chain compromises and results of assessments or audits.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Supply chain compromise notification must be received within 72 hours. Notification agreements must be included in vendor contracts.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SR-10",
+      "family": "SR",
+      "nist_control_id": "SR-10",
+      "title": "Inspection of Systems or Components",
+      "description": "Inspect the organization-defined systems or system components at random, at a defined frequency, or both, to detect tampering.",
+      "fedramp_parameters": {
+        "inspection_frequency": "at least annually or upon receipt of new hardware/firmware"
+      },
+      "fedramp_additional_requirements": "Hardware integrity verification required for new equipment. Firmware validation against vendor-provided hashes required.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SR-11",
+      "family": "SR",
+      "nist_control_id": "SR-11",
+      "title": "Component Authenticity",
+      "description": "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system.",
+      "fedramp_parameters": {},
+      "fedramp_additional_requirements": "Hardware and software authenticity verification required. Trusted supplier programs and component provenance tracking required for High systems.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    },
+    {
+      "id": "FRM-H-SR-12",
+      "family": "SR",
+      "nist_control_id": "SR-12",
+      "title": "Component Disposal",
+      "description": "Dispose of data, documentation, tools, or system components using organization-defined techniques and methods.",
+      "fedramp_parameters": {
+        "disposal_methods": "per NIST SP 800-88 for media, documented destruction for hardware"
+      },
+      "fedramp_additional_requirements": "Component disposal must follow NIST SP 800-88. Certificates of destruction required. Chain of custody maintained through disposal.",
+      "priority": "P1",
+      "baseline": "high",
+      "moderate_also": true
+    }
+  ]
+}