FISMA/FedRAMP Readiness Audit

gov-fisma-fedramp · v1.1.0 · paid

Evaluates frontend security controls aligned with NIST 800-53, authentication strength, audit logging, continuous monitoring readiness, and incident response documentation.

Access Control & Authentication

access-control · weight 0.27

All authentication uses HTTPS TLS 1.2+
ab-001570
critical
No hardcoded secrets in frontend code
ab-001571
critical
Password requirements enforced
ab-001572
high
Multi-factor authentication is enforced for admin and CDE access
ab-001181
high
RBAC implemented with least privilege
ab-001574
high

Audit & Accountability

audit-accountability · weight 0.27

Sessions expire after ≤30min inactivity; re-auth for sensitive ops
ab-001575
medium
Error messages don't leak sensitive info
ab-001576
medium
Audit logging captures user actions with timestamp + user ID
ab-001577
medium
Audit logs immutable or tamper-evident
ab-001578
medium

System Protection & Monitoring

system-protection · weight 0.25

Dependency vulnerabilities tracked and remediated
ab-001579
low
All input validated frontend + backend against XSS/SQLi/LDAP injection
ab-001580
high
Security headers present (CSP, X-Frame-Options, X-Content-Type, HSTS)
ab-001581
high

Documentation & Incident Readiness

documentation-readiness · weight 0.21

Account provisioning/deprovisioning documented
ab-001582
low
Data in transit/at rest encrypted
ab-001583
low
Privacy policy published
ab-001584
low
Incident response plan drafted
ab-001585
low
security.txt present
ab-001586
info
Backup and recovery procedures documented
ab-001587
low
FISMA/FedRAMP compliance roadmap drafted
ab-001588
info
Continuous monitoring plan documented
ab-001589
info