Purpose: To establish a common place for 38N employees to reference FedRAMP control guidance, best practices, assessment evidence, and CSP implementation tips.
Assumptions:
"FedRAMP Assignments" are specified throughout the NIST 800-53 controls to note where FedRAMP has defined control parameter values. For non-FedRAMP frameworks, insert the parameter value defined by that framework. Where no such value is defined, the NIST 800-53 "Organization-defined parameters" allow organizations to define specific values for the designated parameters associated with the controls.
Users of this 38N Control Handbook should first read the "NIST 800-53 (r4) Supplemental Guidance" and "NIST 800-53 (r5) Discussion" to gain an understanding of the control's intent and requirements.
Each family/domain contains controls that are related to the specific topic of the family. Control families need to be taken into account when interpreting the control's intent and requirements.
Major Revision History:
August 1, 2022: Initial creation of the 38N Control Handbook, consisting of 421 total controls that sum up the requirements of the FedRAMP High baseline under Revision 4 of NIST 800-53.
Note: All minor revisions are listed in the "Updates to 38N Control Handbook" sheet.
Continuous Improvements:
All 38N employees are expected to continuously update the 38N Control Handbook with new guidance as they come across it. This includes official FedRAMP guidance (obtained via the FedRAMP website, the PMO, etc.), conversations in the "Advisory Support" Google Space, best practices, unofficial FedRAMP guidance, assessment evidence, CSP implementation tips, and similar knowledge learned through BAU work.
Change Management Process:
Submit updates to the 38N Control Handbook by completing the form on the Update Submission Page.
Management reviews the request to determine whether additional content is needed and may return it to the Submitter for more detail.
Management approves updates and makes the changes to the 38N Control Handbook.
Future Enhancements:
When FedRAMP releases the final r5 controls, parameters, and guidance, update and re-baseline the 38N Control Handbook to the new FedRAMP Moderate/High controls and parameters based on NIST 800-53 r5 (the FedRAMP PMO is expected to publish on 9/30/22).
Add relevant guidance from conversations in "Advisory Support" Google Space.
Add a risk rating to each control (working from the 38N Gap template ratings, which are based on the RAR).
Add guidance to the 38N Control Handbook for all front matter of an SSP.
Add DoD IL 4/5/6 controls, guidance, best practices, and related material.