This document describes a system's security controls, data flows, components, and boundary.
What is the System Security Plan (SSP)?
This red-nosed reindeer is known for excellent nighttime visibility—a great asset for security patrols.
Who is Rudolph?
This family of controls governs which users may access which systems, starting with AC-1.
What is Access Control?
This common email-based attack tricks users into clicking malicious links.
What is phishing?
This scanning tool category identifies missing patches and system weaknesses.
What are vulnerability scanners?
This acronym refers to the official authorization that allows a federal agency to use a cloud service.
What is an ATO (Authority to Operate)?
This holiday plant is popular in December but absolutely not allowed in a data center.
What is mistletoe?
This family of controls covers policies for reacting to security events (IR-1 to IR-8).
What is Incident Response?
This form of authentication requires at least two factors—something you know, have, or are.
What is MFA (multi-factor authentication)?
FedRAMP requires moderate findings to be remediated within this number of days.
This organization maintains the FedRAMP baseline requirements and the PMO guidance.
What is the FedRAMP PMO?
This holiday character enters homes without authorization—definitely a boundary control violation.
Who is Santa Claus?
This control requires least privilege for system access and is one of the most cited (AC-6).
What is Least Privilege?
This type of attack manipulates human behavior rather than exploiting software flaws.
What is social engineering?
This document tracks vulnerabilities, mitigations, and deadlines.
What is a POA&M?
This required document tracks security weaknesses and remediation plans, and must be updated monthly.
What is a POA&M?
This festive item is hung by the chimney with care—but fails to meet FedRAMP fire safety requirements.
What is a Christmas stocking?
This control family covers protections such as encryption, boundary defenses, and secure connections.
What is SC - System & Communications Protection?
This term describes the threat posed by legitimate users who accidentally or intentionally create security risks.
What is an insider threat?
This type of vulnerability allows attackers to execute arbitrary code remotely without credentials.
What is Remote Code Execution (RCE)?
These third-party assessors evaluate a CSP’s security implementation and provide an independent assessment.
What is a 3PAO?
This classic holiday movie features a child who sets multiple physical security traps to prevent intrusion.
What is Home Alone?
This control requires routine scanning for vulnerabilities and reporting of findings.
What is RA-5 - Vulnerability Scanning?
These mandatory annual exercises ensure personnel understand their security responsibilities.
What is security awareness training?
This metric (from 0–10) rates the severity of vulnerabilities and is used for prioritization.
What is CVSS?