This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]].
NIST 800-53 (r4) Supplemental Guidance:
Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles.
NIST 800-53 (r5) Discussion:
Priority protection prevents lower-priority processes from delaying or interfering with the system that services higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources.
38North Guidance:
Meets Minimum Requirement:
Identify critical system components (e.g., servers, databases, etc.).
Develop and implement a process for characterizing workload performance and usage patterns. The process should estimate the utilization rate for each of the following system resources: CPU, memory, storage, and network capacity.
Select an appropriate resource type (e.g., instance type/size, database type/size, Storage IOPS/throughput, etc.) to support the estimated utilization rates of system components.
Best Practice:
If applicable, consider existing customer usage patterns (e.g., internal users, commercial environments, etc.) when conducting capacity planning.
Implement continuous monitoring of performance metrics with threshold alerting. For example, when CPU utilization meets or exceeds 75% on a virtual machine, send an alert to the Operations/Security teams.
Integrate auto scaling with your performance monitoring system. Configure your system to automatically add new resources in response to threshold breaches, and remove resources when usage returns to the baseline (i.e., after a usage spike).
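The threshold alerting and auto scaling described above, as an added example that is not part of this guidance or any CSP's tooling: the 75% CPU alert threshold comes from the text; the 50% "back to baseline" level, the requirement that a condition persist for three consecutive samples before scaling, and the sample series are assumptions. The hysteresis band between baseline and threshold is what keeps the system from adding and removing capacity on every fluctuation.

```python
"""Threshold alerting with hysteresis-driven scaling decisions (added example)."""
from dataclasses import dataclass, field

ALERT_THRESHOLD = 75.0   # from the guidance: alert when CPU meets or exceeds 75%
BASELINE = 50.0          # assumption: usage has "returned to baseline" below this
SUSTAINED_SAMPLES = 3    # assumption: condition must hold for N consecutive samples


@dataclass
class ScalingState:
    instances: int = 1
    breach_run: int = 0               # consecutive samples at/above threshold
    calm_run: int = 0                 # consecutive samples below baseline
    events: list = field(default_factory=list)  # stands in for alerts/actions


def evaluate(state: ScalingState, cpu_pct: float) -> ScalingState:
    """Process one CPU sample: alert on every breach, scale only on sustained conditions."""
    if cpu_pct >= ALERT_THRESHOLD:
        state.events.append(f"ALERT cpu={cpu_pct:.0f}%")   # notify Operations/Security
        state.breach_run += 1
        state.calm_run = 0
        if state.breach_run >= SUSTAINED_SAMPLES:
            state.instances += 1
            state.breach_run = 0
            state.events.append(f"SCALE_OUT -> {state.instances}")
    elif cpu_pct < BASELINE:
        state.breach_run = 0
        state.calm_run += 1
        if state.calm_run >= SUSTAINED_SAMPLES and state.instances > 1:
            state.instances -= 1
            state.calm_run = 0
            state.events.append(f"SCALE_IN -> {state.instances}")
    else:
        # Hysteresis band: neither a breach nor a return to baseline, so both
        # counters reset and no scaling action is taken.
        state.breach_run = 0
        state.calm_run = 0
    return state


def run(samples) -> ScalingState:
    state = ScalingState()
    for sample in samples:
        evaluate(state, sample)
    return state


# Constructed sample series (percent CPU): a usage spike, then a return to baseline.
SAMPLES = [40, 60, 78, 80, 90, 85, 70, 45, 40, 38, 42]

if __name__ == "__main__":
    for event in run(SAMPLES).events:
        print(event)
```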
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Capacity planning documentation.
Screenshots showing configuration settings for performance monitoring, threshold level rule sets, alerting, and auto scaling.
CSP Implementation Tips:
Amazon Web Services (AWS):
Useful Links:
Microsoft Azure: TBD
Google Cloud Platform: TBD